ASIC calls on companies to review and renew their whistleblower policy

19 October 2021
Siobhan Mulcahy, Partner, Melbourne

After having first introduced a corporate whistleblowing regime in 2004 and subsequently expanding that regime in a piecemeal way, the Federal government introduced new whistleblowing laws with effect from 1 July 2019.

In simple terms, under those laws an eligible whistleblower (which includes a current or former officer, employee or contractor, or their relative, dependant or spouse) may make a protected disclosure to an eligible recipient (which includes an officer or senior manager of the entity) or regulator, where they have reasonable grounds to suspect that their information concerns misconduct or an improper state of affairs or circumstances. Where that occurs the whistleblower, who may remain anonymous, will be entitled to various protections. Please see our comprehensive guide to those laws: New whistleblowing laws – are you ready?

In addition, under those laws from 1 January 2020 public companies, large proprietary companies, and corporate trustees of registrable superannuation entities, had to implement a whistleblower policy. Given that almost two years have now elapsed, companies should consider reviewing their policies to ensure that they are fully compliant – the Australian Securities and Investments Commission (ASIC) agrees!

The requirement to have a whistleblower policy

In broad terms the whistleblower policy has to contain information about:

  • the protections available to whistleblowers;
  • how and to whom an individual can make a disclosure;
  • how the company will support and protect whistleblowers from detriment;
  • how investigations into a disclosure will proceed;
  • how the company will ensure fair treatment of employees who are mentioned in whistleblower disclosures; and
  • how the policy will be made available to officers and employees of the company.

Companies limited by guarantee that have revenue (or consolidated revenue) for a financial year of less than $1 million, which will include small not-for-profits or charities, are exempt from this obligation.

ASIC regulatory guidance

In late 2019 ASIC issued Regulatory Guide 270: Whistleblower policies (RG 270), setting out guidance to companies on the matters to be covered by a policy and what ASIC considers to be good practice in establishing, implementing and maintaining a policy.

The regulatory guide contains both detail as to how a company can meet its mandatory policy obligations and recommendations as to ‘good practice’. Those good practice recommendations are not strictly mandatory, but they provide a clear indication of what ASIC expects from a whistleblower policy, how ASIC will interpret the whistleblower obligations, and the issues ASIC will consider when carrying out its enforcement role in respect of the whistleblower protections.

ASIC sent a letter to the CEOs of entities required to implement a policy

During 2020 ASIC reviewed a sample of whistleblower policies to understand how entities were responding to the whistleblower policy requirements. In undertaking that review ASIC noted that the majority of the policies reviewed did not include all the information required by the Corporations Act 2001 (Cth) (Corporations Act), including information about the legally enforceable protections available to whistleblowers.

In ASIC’s view, the most prevalent and concerning issues were unclear, incomplete or inaccurate information about how potential whistleblowers can make a qualifying disclosure and about the protections available to them when they did so.

In its letter, ASIC summarised the results of its policy review, including the legally required content, its observations on non-complying policies and some better practice tips. We have expanded on that summary below, including setting out in some detail the ‘musts’ and ‘shoulds’ from RG 270:

How to make a qualifying disclosure, including to whom

Required content: Information about what a reporter needs to do to qualify for protection under the Corporations Act.
Observations by ASIC: A number of policies did not summarise the threshold criteria for whistleblowers to qualify for protection under the Corporations Act.
Requirements and best practice from RG 270: It is key that the policy makes clear which persons can potentially qualify for whistleblower protections and what actions should be taken by them to ensure that they qualify for those protections.

Required content: Information about who is eligible to be a whistleblower.
Observations by ASIC: Some policies omitted some of the categories of individuals who are eligible to make disclosures qualifying for whistleblower protections (i.e. individuals who can meet the legal definition of ‘eligible whistleblower’).
Requirements and best practice from RG 270: The policy must identify all of the different types of disclosers within and outside the entity who can make a disclosure that qualifies for protection (i.e. ‘eligible whistleblowers’). In practice, the types of disclosers who will be covered will depend on the entity's business operations, practices and organisational structure and set-up.

Required content: Indication that reporters can be anonymous or identifiable.
Observations by ASIC: Some policies continued to require whistleblowers to identify themselves to qualify for protection, suggesting that not all entities understood that the protections now extend to anonymous disclosures; others did not state that anonymous whistleblowers could be protected. Some policies did not provide details of an internal reporting mechanism to facilitate anonymous disclosures and, for example, asked whistleblowers to report to eligible recipients by telephone or in person.
Requirements and best practice from RG 270: The policy:
  • must include a statement advising that disclosures can be made anonymously and still be protected;
  • must state that a discloser can choose to remain anonymous while making a disclosure, over the course of the investigation and after the investigation is finalised;
  • should state that a discloser can refuse to answer questions that they feel could reveal their identity at any time;
  • should include a suggestion that a discloser who wishes to remain anonymous should nonetheless maintain ongoing two-way communication with the entity, so the entity can ask follow-up questions or provide feedback; and
  • must outline the entity’s measures and/or mechanisms for protecting anonymity (e.g. communication through anonymous telephone hotlines and anonymised email addresses, or a discloser may adopt a pseudonym).

Required content: Information about who is eligible to receive disclosures qualifying for protection.
Observations by ASIC: Many policies did not fully or accurately identify the channels available under the law that whistleblowers may use to make disclosures qualifying for protection. For example, a number of policies only listed the preferred or internal channels available. Some policies encouraged whistleblowers to first talk to their managers about their concerns. There is no requirement that a whistleblower first report their concerns to a manager who is not an ‘eligible recipient’. In certain circumstances, doing so may place whistleblowers at greater risk of detriment and loss of confidentiality.
Requirements and best practice from RG 270: The policy must:
  • include information about who can receive disclosures that qualify for protection and how a disclosure can be made;
  • identify the types of people within and outside the entity who can receive disclosures that qualify for protection;
  • include information about how a discloser can obtain additional information (e.g. by contacting the entity’s whistleblower protection officer or a legal adviser);
  • explain the role of ‘eligible recipients’ and that a discloser needs to make a disclosure directly to them to be able to qualify for protection as a whistleblower;
  • highlight that disclosures to a legal practitioner to obtain legal advice or legal representation in relation to the operation of the whistleblower provisions are protected;
  • state that disclosures of information relating to disclosable matters can be made to ASIC, APRA, the ATO or another prescribed Commonwealth body and qualify for protection; and
  • state that public interest and emergency disclosures can be made to a journalist or parliamentarian under certain circumstances and qualify for protection.
The policy must also:
  • include information about how to make a disclosure;
  • include a range of internal and external disclosure options, allowing for disclosures to be made anonymously and/or confidentially, securely and outside of business hours; and
  • include information about how to access each option, along with relevant instructions.
The policy may encourage employees and external disclosers to make a disclosure to one of the entity’s internal or external eligible recipients in the first instance.

Required content: Information about the types of reportable matters that qualify for protection.
Observations by ASIC: Some policies’ descriptions of the types of reportable matters that qualify for whistleblower protections did not align with those listed in the Corporations Act and were incomplete or inaccurate. Many policies did not explain when disclosures about matters such as personal work-related grievances may be protected under the Corporations Act.
Requirements and best practice from RG 270: The policy must:
  • include information about the protections that are available to disclosers who qualify for protection as a whistleblower;
  • identify the types of wrongdoing that can be reported under the policy, based on the entity’s business operations and practices;
  • outline the types of matters that are not covered by the policy;
  • state that disclosures that are not about disclosable matters will not qualify for whistleblower protection, but may nonetheless be protected under other legislation such as the Fair Work Act 2009 (Cth);
  • cover the types of disclosures that qualify for protection and include examples of disclosable matters that relate specifically to the entity's business operations and practice;
  • state that disclosable matters may include conduct that may not involve the contravention of a particular law; and
  • state that a discloser can still qualify for protection even if their disclosure turns out to be incorrect, but discourage deliberate false reporting.
The policy must clarify that disclosures relating to personal work-related grievances do not qualify for protection and should explain the meaning of ‘personal work-related grievance’ by including some examples. The policy may make clear how those grievances can nonetheless be raised internally. The policy must also outline when a disclosure about, or including, a personal work-related grievance still qualifies for protection.
The protections available to whistleblowers

Required content: Information about the protections for qualifying disclosures, which are:
  • identity protection (confidentiality);
  • protection from detrimental acts or omissions;
  • compensation and other remedies; and
  • civil, criminal and administrative liability protection.
Observations by ASIC: A small number of policies did not include information about any of the protections, or incorrectly described the protections. Some policies did not describe all the protections available under the Corporations Act, or did not state that the protections are legal protections.
Requirements and best practice from RG 270: The policy must include a brief explanation about its purpose, and information about the protections under the Corporations Act that are available to disclosers who qualify for protection as a whistleblower.
Identity protection (confidentiality) – the policy:
  • must explain the obligations to protect a discloser’s identity;
  • must highlight that it is illegal for a person to identify a discloser, or disclose information that is likely to lead to the identification of the discloser, outside stated exceptions;
  • should include information about how a discloser can lodge a complaint with the entity about a breach of confidentiality; and
  • should also state that a discloser may lodge a complaint with a regulator, such as ASIC, APRA or the ATO, for investigation.
Protection from detrimental acts or omissions – the policy:
  • must explain the legal protections for protecting a discloser, or any other person, from detriment in relation to a disclosure;
  • should provide examples of detrimental conduct that are prohibited under the law; and
  • should also provide examples of actions that are not detrimental conduct (e.g. reasonable administrative action designed to protect a discloser, or managing a discloser's unsatisfactory work performance).
Compensation and other remedies – the policy:
  • must outline that a discloser (or any other employee or person) can seek compensation and other remedies through the courts if they suffer loss, damage or injury, and the entity failed to take reasonable precautions and exercise due diligence to prevent the detrimental conduct; and
  • should include a statement encouraging disclosers to seek independent legal advice.
Civil, criminal and administrative liability protection – the policy:
  • must state that a discloser is protected from civil liability (e.g. action for breach of employment contract, duty of confidentiality);
  • must state that a discloser is protected from criminal liability (e.g. prosecution for unlawfully releasing information, or other use of the disclosure against the discloser in a prosecution);
  • must state that a discloser is protected from administrative liability (e.g. disciplinary action for making the disclosure); and
  • should state that the protections do not grant immunity for any misconduct a discloser has engaged in that is revealed in their disclosure.
The entity’s measures to support and protect whistleblowers

Required content: Information about how the entity will support whistleblowers.
Observations by ASIC: Some policies only stated that the entity would support and protect whistleblowers without describing how they would do this.
Requirements and best practice from RG 270: The policy:
  • must include information about how it will support and protect disclosers from detriment; and
  • may refer to or include a link to document(s) outlining the entity’s more detailed processes and procedures.
The policy must provide examples of how the entity will, in practice, protect the confidentiality of a discloser’s identity including:
  • reducing the risk of identification by redacting information, using gender-neutral language, and investigations being conducted by qualified staff; and
  • secure record-keeping and information-sharing processes, including limiting access to information, restricting the number of persons involved in handling and investigating a disclosure, not communicating by accessible email addresses or printers, and reminding relevant staff of confidentiality requirements.

Required content: Information about how the entity will protect whistleblowers from detriment.
Observations by ASIC: A few policies claimed that support or protection is conditional on whistleblowers making disclosures in good faith. A whistleblower’s motive is not relevant in qualifying for the protections and a whistleblower does not need to satisfy a ‘good faith’ test.
Requirements and best practice from RG 270: The policy:
  • must outline examples of how the entity will, in practice, protect disclosers from detriment; and
  • should state that a discloser may seek independent legal advice or contact regulatory bodies, such as ASIC, APRA or the ATO, if they believe they have suffered detriment.
The policy may refer to measures and mechanisms for protecting disclosers from detrimental acts or omissions including:
  • processes for assessing the risk of detriment;
  • support services (including counselling or other professional or legal services) that are available to disclosers;
  • strategies to help a discloser minimise/manage stress, time or performance impacts, or other challenges;
  • actions for protecting a discloser from risk of detriment (e.g. relocating or re-assigning a discloser, or reassigning or relocating other staff involved in the disclosable matter);
  • processes for ensuring that management are aware of their responsibilities to maintain confidentiality, to address the risks of isolation or harassment, manage conflicts, and ensure fairness when managing the performance of a discloser;
  • procedures on how a discloser can lodge a complaint if they have suffered detriment, and the actions the entity may take in response (e.g. the complaint could be investigated as a separate matter); and
  • interventions for protecting a discloser if detriment has already occurred (e.g. allow the discloser to take extended leave, develop a career development plan for the discloser that includes new training and career opportunities, or offer compensation or other remedies).
How the entity will investigate whistleblower disclosures and ensure fair treatment of employees mentioned in qualifying disclosures, or to whom such disclosures relate

Required content: Information about how the entity will investigate disclosures that qualify for protection.
Observations by ASIC: A small number of policies did not provide even a high-level statement about how the entity would investigate disclosures that qualify for protection.
Requirements and best practice from RG 270: The policy:
  • must outline the key steps involved in investigating a disclosure, including the potential timeframes;
  • should highlight that, without the discloser’s consent, the entity cannot disclose information that is likely to lead to the identification of the discloser as part of its investigation process, other than in limited circumstances including if it is reasonably necessary for investigating the issues raised in the disclosure;
  • should acknowledge the limitations of the entity’s investigation process (e.g. an investigation may not be able to be conducted if a disclosure is made anonymously and the discloser has refused to provide, or has not provided, a means of contacting them); and
  • must state that a discloser will be provided with regular updates, if the discloser can be contacted.
The policy should clarify that the method for documenting and reporting the findings will depend on the nature of the disclosure, and that there may be circumstances where it may not be appropriate to provide details of the outcome to the discloser.

Required content: Information about how the entity will ensure fair treatment of employees mentioned in qualifying disclosures, or to whom such disclosures relate.
Observations by ASIC: Some policies stated that the entity would conduct fair assessments and investigations and ensure fair treatment but did not include details of how they would ensure fair treatment of employees who are mentioned in disclosures that qualify for protection, or to whom such disclosures relate.
Requirements and best practice from RG 270: The policy must include information about how the entity will ensure the fair treatment of its employees who are mentioned in a disclosure, including those who are the subject of a disclosure. Measures and/or mechanisms for ensuring fair treatment of individuals mentioned in a disclosure may include statements in the policy that:
  • disclosures will be handled confidentially, when it is practical and appropriate in the circumstances;
  • each disclosure will be assessed and may be the subject of an investigation;
  • the objective of an investigation is to determine whether there is enough evidence to substantiate or refute the matters reported;
  • when an investigation needs to be undertaken, the process will be objective, fair and independent;
  • an employee who is the subject of a disclosure will be advised about the subject matter of the disclosure as and when required by natural justice and prior to any actions being taken; and
  • an employee who is the subject of a disclosure may contact the entity’s support services (e.g. counselling).
How the entity makes its policy available to officers and employees

Required content: Information about how the entity makes its policy available to officers and employees.
Observations by ASIC: Not all policies explained how the entity would make its whistleblower policy available to its officers and employees. Not all entities made their whistleblower policy publicly available on their websites.
Requirements and best practice from RG 270: The policy must cover information about how the policy will be made available to the entity’s officers and employees. The policy may include the methods for making the policy available to officers and employees including:
  • holding staff briefing sessions and/or smaller team meetings;
  • posting the policy on the staff intranet or other communication platform;
  • posting information on staff noticeboards;
  • setting out the policy in the employee handbook; and
  • incorporating the policy in employee induction information packs and training for new starters.
To ensure that disclosers outside an entity can access the policy, the policy should be available on the entity’s external website (with the deletion of internal contact details if appropriate).

Reviewing and updating the policy

It is important for every entity to review its whistleblower policy, processes and procedures on a periodic basis, and to rectify any issues identified in the review in a timely manner. ASIC has itself identified various matters where existing policies do not fully comply or do not reflect best practice.

In reviewing a policy, an entity should always consider which aspects worked well in relation to any disclosure made since the last review and which did not. This can of course include seeking feedback from employees about the effectiveness of the whistleblower policy, processes and procedures.

If you require assistance to implement a whistleblower policy, or to review an existing policy in light of the review findings of ASIC and the best practice summary, please contact us.



Authored by:

Brett Feltham, Partner

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.
