Whistleblower Policy (Australia)

A Whistleblower Policy in Australia is a legally binding written instrument.

The whistleblower protection reforms that took effect on 1 July 2019 substantially expanded the scope of who is protected, what disclosures are protected, and what remedies are available to people who suffer detriment for making a protected disclosure. Under section 1317AI of the Corporations Act 2001 (Cth), public companies (whether listed or unlisted), large proprietary companies as defined in section 45A of the Act, and proprietary companies that are trustees of registrable superannuation entities are required to have a whistleblower policy and to make it available to their officers and employees. A failure to have a compliant policy is a civil penalty provision.

The regime defines an eligible whistleblower broadly under section 1317AA. The definition includes current and former employees, officers, contractors, suppliers of goods or services, associates of the company, and their relatives and dependants. This wide definition confirms that anyone with genuine knowledge of misconduct — including former employees with knowledge of past events and supply chain workers who observe unsafe or unethical practices — can come forward and receive protection.

A disclosure qualifies for protection under section 1317AA(1) if the eligible whistleblower has reasonable grounds to suspect that the information concerns misconduct, or an improper state of affairs or circumstances, in relation to the company or a related body corporate. Qualifying misconduct includes suspected contraventions of the Corporations Act 2001 (Cth) or the Australian Securities and Investments Commission Act 2001 (Cth), conduct that represents a danger to the public or the financial system, and tax-related misconduct under the Taxation Administration Act 1953 (Cth). The reasonable grounds standard is deliberately set low: the whistleblower does not need to be certain that misconduct has occurred, only that they have a genuine and reasonable basis for their suspicion.

The key legal protections afforded to eligible whistleblowers who make qualifying disclosures are extensive and multi-layered. Confidentiality protection under section 1317AAE makes it a criminal offence to disclose the identity of a whistleblower or information that is likely to lead to the identification of the whistleblower without their consent, except in limited circumstances such as reporting to ASIC or APRA or taking the matter to court. Protection from detriment under section 1317AD prohibits dismissal, demotion, harassment, discrimination, civil or criminal action, or any other adverse treatment because of a disclosure. Civil and criminal immunity under section 1317AB means a whistleblower cannot be sued, prosecuted, or have their employment contract terminated in respect of their disclosure. Compensation rights under section 1317AE provide for damages for any loss, damage, or injury suffered as a result of unlawful detriment.

ASIC has published Regulatory Guide 270 (RG 270) — Whistleblower Policies, which provides detailed guidance on what a compliant policy must contain, how companies should handle and investigate disclosures, and how to support and protect whistleblowers. ASIC's guidance emphasises that policies should be clear, accessible, actively communicated to all employees and officers, and not merely posted on an intranet and forgotten. Tax-related whistleblower protections are separately provided under sections 14ZZC to 14ZZE of the Taxation Administration Act 1953 (Cth), administered by the Australian Taxation Office.

A Whistleblower Policy is legally required for public companies, large proprietary companies, and proprietary companies that are trustees of registrable superannuation entities under section 1317AI of the Corporations Act 2001 (Cth). However, all organisations — including smaller proprietary companies, not-for-profit organisations, government agencies, and other entities — are strongly encouraged to implement a Whistleblower Policy as a matter of good governance, even where there is no strict legal obligation to do so.

For entities subject to the mandatory requirement, the policy must be in place and made available to all officers and employees. The mandatory requirement applies to public companies whether or not they are listed on the Australian Securities Exchange, and to large proprietary companies that meet two or more of the following thresholds: 50 or more employees, $25 million or more in consolidated gross operating revenue, or $12.5 million or more in consolidated gross assets. Proprietary companies that are trustees of APRA-regulated superannuation funds are also required to have a policy regardless of their size. Failure to have a compliant policy is a civil penalty provision under the Corporations Act.

Beyond the mandatory requirement, a Whistleblower Policy is needed whenever an organisation wants to create a genuine culture of integrity, transparency, and accountability. Research consistently shows that early identification of misconduct — through internal reporting — is far less costly to an organisation than having misconduct discovered externally, whether through a regulator, the media, or litigation. An effective Whistleblower Policy encourages people with knowledge of wrongdoing to come forward internally, allowing the organisation to investigate and address the issue before it escalates.

Organisations listed on the Australian Securities Exchange are also subject to the ASX Corporate Governance Principles and Recommendations, which strongly encourage listed entities to have a whistleblower policy as part of their corporate governance framework. Institutional investors and superannuation funds conducting ESG due diligence frequently assess the quality of a company's whistleblower programme as an indicator of broader governance standards.

Organisations that are subject to the tax-related whistleblower provisions of the Taxation Administration Act 1953 (Cth) — which cover a broad range of entities that collect or pay tax — should also confirm their policy addresses tax misconduct disclosures in addition to the Corporations Act regime. The ATO has published guidance on tax-related disclosures and the protections available to eligible whistleblowers under the taxation legislation.

Financially regulated entities — including Australian Financial Services licence holders, credit licence holders, and banks and insurers regulated by APRA — should review ASIC and APRA guidance on whistleblower frameworks when developing or updating their policies. APRA has published guidance on whistleblower frameworks as part of its broader governance standards for regulated entities, and may take compliance with these frameworks into account in its supervisory activities.

A compliant and effective Australian Whistleblower Policy must address all mandatory content requirements under section 1317AI(3) of the Corporations Act 2001 (Cth), while also incorporating best-practice governance elements that make the policy genuinely effective as a tool for identifying and addressing misconduct.

The first mandatory element is a clear description of who qualifies as an eligible whistleblower under the regime. The policy should explain that current and former employees, officers, contractors, suppliers, associates, relatives, and dependants of employees and officers are all eligible whistleblowers under section 1317AA. Clearly communicating the breadth of who is protected helps confirm that all relevant persons are aware of their right to make a protected disclosure and are not deterred by uncertainty about whether they qualify.

The second mandatory element is a description of the disclosures that qualify for protection. The policy should explain that a disclosure is protected if the eligible whistleblower has reasonable grounds to suspect misconduct or an improper state of affairs in relation to the company, including contraventions of the Corporations Act 2001 (Cth), the ASIC Act 2001 (Cth), or the Taxation Administration Act 1953 (Cth), as well as conduct that presents a danger to the public or the financial system. The policy should also make clear what is not a protected disclosure — for example, a personal employment grievance that does not involve misconduct.

The third mandatory element is a description of how disclosures can be made. The policy must specify the available internal reporting channels, including the designated Whistleblower Protection Officer (typically the company's general counsel, CFO, or a senior HR executive), the Board or Audit Committee, and the company's external auditor. The policy must also reference the external reporting channels available to eligible whistleblowers, including ASIC, APRA, and the ATO for tax-related disclosures, and the option to make a disclosure to a legal practitioner for the purpose of obtaining legal advice.

The fourth mandatory element is a description of how the company will support and protect whistleblowers. This includes confidentiality measures — detailing how the whistleblower's identity will be protected and how information about the disclosure will be controlled — as well as anti-detriment measures and the process by which a whistleblower can report suspected detriment and seek a remedy. The policy should clearly state that the organisation will not tolerate any form of retaliation against a whistleblower and will take disciplinary action against anyone who retaliates.

The fifth mandatory element is a description of the investigation process. The policy should explain how disclosures will be assessed, triaged, and investigated, who has responsibility for investigations, how conflicts of interest will be managed (including where the subject of a disclosure is a senior executive or Board member), how investigation timeframes will be communicated to the whistleblower, and how the outcomes of investigations will be reported to the Board or Audit Committee.

The sixth mandatory element is a description of how the company will confirm the fair treatment of employees who are mentioned in disclosures. The policy should acknowledge that subjects of disclosures are entitled to procedural fairness and that investigations will be conducted in a manner that protects the rights and reputation of all persons involved until a finding is made.

The seventh mandatory element is a description of how the policy will be made available to officers and employees. Best practice, as described in ASIC's Regulatory Guide 270, requires active communication of the policy — including training and induction programmes — rather than simply making it available on an intranet. The policy should identify the Board or a designated Board committee as responsible for overseeing compliance with the whistleblower programme and should require regular Board-level reporting on the number and nature of disclosures received.

Under the Corporations Act 2001 (Cth), the Australian Securities and Investments Commission (ASIC) regulates companies and financial services. Section 127 of the Corporations Act 2001 governs company execution of documents. The Australian Competition and Consumer Commission (ACCC) enforces the Competition and Consumer Act 2010 (Cth). The Australian Taxation Office (ATO) administers the Goods and Services Tax under the A New Tax System (Goods and Services Tax) Act 1999. The Federal Court of Australia and Supreme Courts of each state have jurisdiction over corporate disputes. The forms-legal.com Whistleblower Policy (Australia) template covers the mandatory elements under Corporations Act 2001 (Cth).