New whistleblower laws finally become reality


This article was written by Andrew Gray, Daniel Delimihalis and Ed Slattery.

The Federal Parliament has passed the Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2018 (Bill) to amend Australia's corporate whistleblower regime. The passing of the new laws follows an extensive period of consultation and debate in the Parliament and implements significant reforms to the current protections available for corporate whistleblowers.

What is the purpose of the new laws?

The new laws simplify the existing complex framework of whistleblower laws and aim to create a framework of strong statutory protections that will encourage whistleblowing. It is hoped this will improve corporate compliance and promote ethical corporate culture.

The new laws aim to achieve this purpose by:

  • simplifying the regime for whistleblower protection;
  • expanding the categories of whistleblowers eligible for protection;
  • expanding the scope of disclosures which qualify for protection to include reports of "misconduct or an improper state of affairs" in a corporate organisation;
  • eliminating the requirement that a disclosure be made in 'good faith' by the discloser, and in its place providing a requirement for the discloser to have 'reasonable grounds' for the disclosure;
  • providing protections for anonymous disclosures;
  • enhancing protections of whistleblowers to protect their identity, and provide certain immunities to whistleblowers;
  • expanding the protections and redress for whistleblowers who suffer reprisals or retaliation in relation to a disclosure including through compensation and higher penalties; and
  • requiring public companies and large proprietary companies to have a whistleblower policy.


The commencement date of the new laws depends on when the Bill receives Royal Assent. The new laws will commence on 1 July 2019 (if Royal Assent is received prior to the end of March) or most likely 1 October (if Royal Assent is received after the end of March 2019).

Large proprietary companies will be guilty of an offence if they do not have a whistleblower policy by 1 January 2020, or 6 months after a company becomes a large proprietary company. This 1 January 2020 deadline will be moved back if Royal Assent is delayed. 

Key elements

The key elements of the new laws are summarised below:

Key Features


Simplified regime

The new laws consolidate a previously piecemeal approach to whistleblower protection.  Each of the Corporations Act, Banking Act, Insurance Act, Life Insurance Act and Superannuation Industry (Supervision) Act presently have a separate regime.  The new laws introduce a single uniform, simplified framework, contained in the Corporations Act as well as specific protections for whistleblowers who make a disclosure to the Tax Commissioner through introducing a similar regime to the Tax Administration Act.  The provisions also extend the operation of whistleblower laws to entities governed by the National Consumer Credit Protection Act and the Financial Sector (Collection of Data) Act.  It is a helpful and welcome simplification.

Eligible Whistleblowers

The new laws create a class of "eligible whistleblowers" that includes not only current but former employees, officers or suppliers.

Eligible recipients

The list of eligible recipients in the new laws is not a significant extension from the current position under the Corporations Act. The Bill as finally passed does not expand the categories of recipients to managers and supervisors as originally proposed, which would have led to real difficulties for organisations in complying with the laws. However, it does protect disclosures to lawyers and provides for emergency and public interest disclosures (discussed further below).

Broadening of nature of protected disclosure

The new laws extend the type of information that qualifies for protection as a protected disclosure. Protection will be provided for the disclosure of information concerning 'misconduct or an improper state of affairs' in relation to a "whistleblower regulated entity" (basically all companies and superannuation entities).  This is broader than the current section 1317AA of the Corporations Act which only applies protection for disclosures relating to a contravention of the Corporations legislation.[2]

Without limiting this qualification for a protected disclosure, the new laws specify information relating to the following matters as qualifying as a protected disclosure:

  • conduct that amounts to an offence or contravention of Australia's corporations and financial services legislation, or any other Commonwealth offence that carries a penalty of at least 12 months imprisonment; or
  • conduct that 'represents a danger to the public or financial system'.

It is clear the protection is to apply to information relating to alleged contraventions of legislation (including anti-bribery or AML legislation). However, the explanatory memorandum does not provide any meaningful guidance regarding the meaning of "misconduct or an improper state of affairs" other than to convey that the protection is intended to apply broadly. The explanatory materials indicate this would include "misconduct by officers and employees of an entity or an improper state of affairs brought about by or contributed to by such individuals" and is also intended to apply to information regarding "emerging forms of misconduct not covered under existing law such as exploitation of a loophole in the law that creates vulnerability in a government program".

Helpfully, the Bill seeks to exclude "personal work-related grievances" from the categories of protected disclosures.  The Bill outlines several broad examples of such grievances:

(a) an interpersonal conflict between the discloser and another employee;

(b) a decision relating to the engagement, transfer or promotion of the discloser;

(c) a decision relating to the terms and conditions of engagement of the discloser; and

(d) a decision to suspend and terminate the engagement of the discloser, or otherwise to discipline the discloser.[3]

This carve out should (to a large extent) ameliorate concerns with the original form of legislation which suggested that employment related grievances would need to be handled in accordance with the whistleblower laws. Nevertheless, it remains possible for whistleblower protection to extend to these "personal" issues if the information has "significant implications for the regulated entity".  As an undefined term, it is hard to speculate what sort of information will be considered "significant".  The challenge for employers will be adjudicating whether certain bullying and harassment complaints may have implications that are "significant" enough to be protected under the onerous whistleblower regime (for example a complaint related to the behaviour of a CEO or other responsible officer may have material implications for the organisation).

Anonymous disclosures

The current whistleblower laws require the whistleblower to provide their name to qualify as a protected disclosure for the purpose of the whistleblower protections.

The new laws remove this requirement – permitting anonymous disclosures – and further protect the identity of the discloser through:

  • prohibiting the publishing of a whistleblower's or victim's name in court proceedings;
  • prohibiting a person from being required to disclose the whistleblower's identity, and documents that would identify the whistleblower; and
  • confidentiality restrictions imposed on recipients of information (discussed further below).

While the policy rationale for anonymous disclosures is sound, permitting anonymous disclosures will present challenges. There are real practical difficulties trying to investigate a complaint/allegation without being able to engage with the complainant and obtain the necessary details of their allegation to conduct a meaningful investigation. This is undesirable and will most likely impair the ability of organisations to investigate whistleblower disclosures. It also seems unnecessary given the other protections under the new laws.

Eliminating the 'good faith' requirement

Under the current whistleblower laws a disclosure must be made in 'good faith' to qualify as a protected disclosure.  The policy reason behind this requirement was to prevent vexatious allegations.[4]

The new laws remove the 'good faith' requirement and instead require that the discloser have reasonable grounds to suspect that 'misconduct or an improper state of affairs exists' in relation to the relevant entity.

Disclosure to lawyers

The new laws provide that disclosure to a person's legal practitioner will qualify as a protected disclosure but maintain legal professional privilege over the disclosure. This is an unusual extension of the protection, because a person alleged to be in breach of the laws will not have knowledge of the confidential communications which pass between the whistleblower and their lawyer, which will be subject to legal professional privilege, and will not be able to take any action in response to this information. Nor will there be any way of testing whether the content of the disclosure meets the requirements of the law.

Public interest and emergency disclosure

The new laws recognise that "in some situations, wrongdoing may be of such gravity and urgency that disclosure to the media or a parliamentarian is justified".  In these situations, disclosure to a member of parliament or a "person working in a professional capacity as a journalist" (ie not a self-defined social media commentator) will qualify as a protected disclosure. 

A public interest disclosure will be permitted where:

  • the disclosure has previously been made to a regulatory body;
  • 90 days has passed since the disclosure was made and the whistleblower does not have reasonable grounds to believe that action is being, or has been taken, to address the matters raised in the disclosure;
  • the whistleblower has informed the regulatory body that they intend to make a public interest disclosure.

An emergency disclosure may be made where:

  • the disclosure has previously been made to a regulatory body;
  • there is an imminent risk of serious harm or danger to public health or safety, or to the financial system, if the information is not acted on immediately;
  • the whistleblower has informed the regulatory body that they intend to make an emergency disclosure.

The potential for information to be disclosed in this way will present new challenges for those expected to deal with the inevitable flurry of action and fallout from unexpected media reports linked to a whistleblower.

Protection against detrimental conduct

The new laws expand the protections for whistleblowers against victimisation/retaliation and increase the sanctions for these. It is unlawful for a person to engage in conduct that causes detriment to the whistleblower (or an associate of the whistleblower) in the belief or suspicion that a person has made, may make, proposes to make or could make a protected disclosure or to purport to terminate an employee because of a protected disclosure.

"Detriment" is defined very broadly to include dismissal, alteration to position, discrimination, harassment, injury in employment or damage to reputation.

The victimisation provisions have the following significant features:

  • there is no need to establish that a disclosure has actually been made or that the respondent had actual knowledge of that disclosure – a belief or suspicion that a person has made or could make a protected disclosure is sufficient;
  • there is a reverse onus of proof – once the whistleblower demonstrates detriment the respondent bears the onus of proving that the protected disclosure (or the proposal or ability to make such a disclosure) was not in any part a reason for the respondent's conduct.

The extended protections are very similar in approach to the general protections provisions of the Fair Work Act, particularly in respect of the concepts of detriment and the reverse onus of proof to demonstrate that the protected disclosure was not any part of the reasoning. One implication of the reverse onus is that key senior decision makers will be required to give evidence in whistleblower matters.

Remedies for breaching the protections include compensation to the whistleblower, criminal sanctions, civil penalties or reinstatement to employment for the whistleblower.

Civil penalties: Following the enactment of the Treasury Laws Amendment (Strengthening Corporate and Financial Sector Penalties) Bill 2018, the maximum civil penalties for "detrimental conduct" are as follows:

  • for a body corporate – 50,000 penalty units (approximately $10.5 million), three times the benefit derived or detriment avoided, or 10% of annual turnover; and
  • for an individual – 5,000 penalty units (approximately $1.05 million) or three times the benefit derived or detriment avoided.

Criminal penalties: The maximum criminal penalty is 60 penalty units and/or 2 years imprisonment.

A person who qualifies for protection under the new laws is not subject to any civil, criminal or administrative liability or contractual right or remedy for making a protected disclosure. The information is also not admissible against the person in criminal or civil penalty proceedings other than for proceedings in respect of the falsity of the information.

Third party liability

The new laws permit a court to make an order for compensation against a body corporate for a third party's "detrimental conduct". Such an order is permissible where the body corporate has an existing duty to take reasonable steps to prevent the detrimental conduct which has occurred. There is no guidance about the source or scope of this duty so there is a question as to when this provision will apply.

There are also standard accessorial liability provisions in the new laws which make a third party liable for another party's contravention of the laws where they aid or abet or are knowingly involved in the contravention.

Deemed liability for employers

If the person engaging in detrimental conduct is an employee, and the conduct was in connection with their position as an employee, their employer is effectively deemed to be liable for the employee's conduct. In these circumstances, a court may make an order requiring the employee and the employer to jointly compensate the victim or an order requiring the employer to compensate the victim.

In deciding whether to make an order against the employer a court may consider whether the employer:

  • took reasonable precautions and exercised due diligence to prevent the conduct;
  • had a policy dealing with these issues and gave effect to it; and
  • had a duty to prevent such conduct, or had taken reasonable steps to ensure it was not engaged in.

As a result it will be important for employers to implement policies and effective governance mechanisms and training in order to avoid being subject to compensation orders because of the conduct of their employees.

No costs exposure in court proceedings where a victim seeks compensation

The new laws include protections from adverse cost orders for whistleblowers and victims seeking compensation. The only exception to cost protection is where proceedings are instituted vexatiously or without reasonable cause, and the unreasonable act causes the other party to incur costs. The exception mirrors the Fair Work Act's cost protection regime. This presents a potential for increased litigation under the new laws without the risk of adverse cost consequences.

Confidentiality of the disclosure

One very difficult (but often overlooked) feature of the current whistleblower laws is that a person who receives a disclosure (e.g. a senior manager or director) cannot pass on the information disclosed to any other person (excluding police or certain regulators) without the consent of the discloser, even if this is necessary to investigate the disclosure that has been made.

In a positive development, the new laws make these provisions more workable: they prohibit the disclosure of the identity of the whistleblower but do not make it unlawful to disclose information relating to the disclosure, provided that it is reasonably necessary to investigate the disclosure and reasonable steps are taken to reduce the risk that the whistleblower will be identified by the information disclosed.

The new laws also provide an exemption for disclosure to a legal practitioner for the purpose of obtaining legal advice or representation in relation to the operation of the whistleblower laws. Query whether this extends to permitting disclosure for the purpose of obtaining legal advice on the subject matter of the disclosure, which will likely be required in the case of serious misconduct or reports regarding compliance and regulatory breaches.

These changes to the new laws are not designed to detract from the seriousness of publicising the whistleblower's identity – and indeed there are increased penalties for contraventions of the confidentiality provisions.

Whistleblower policy

All public companies and large proprietary companies will be required to have a whistleblower policy which includes information regarding:

  • the protections available to whistleblowers;
  • to whom and how a protected disclosure may be made;
  • how the company will investigate a protected disclosure;
  • how the company will ensure fair treatment of employees;
  • how the policy will be made available to officers and employees of the company.

The policy is to be made available to employees and officers of the company.

Many companies already have whistleblower policies in place but these will most likely need to be updated to address changes in the law including:

  • broadening of the information which qualifies as a protected disclosure;
  • the protection provided for anonymous disclosures;
  • the extension of coverage to former employees/contractors; and
  • the meaning of "personal work-related grievances" so they are appropriately addressed under existing HR grievance procedures.

The policy will need to provide a workable regime for the likely increase in whistleblower disclosures covering more diverse conduct.

What you need to do now

While there is a short lead time before the new laws commence, it is time for organisations to start to take steps towards preparing for compliance with the new laws. This will include:

  • updating current whistleblower policies (or implementing a policy if there is not already one in place) to comply with the new protections;
  • educating officers and senior managers on the requirements of the new laws so they know how to deal with a whistleblower complaint;
  • developing a governance framework to ensure that protected disclosures are handled and investigated in accordance with the requirements of the company's policy and the new laws;
  • providing training to develop employee awareness of the company's policy and what constitutes unlawful conduct under the new laws to show the company has taken reasonable precautions and exercised due diligence to prevent detrimental conduct against whistleblowers and avoid liability for compensation orders being imposed as a result of the conduct of employees.

[1] This note covers the amendments to the Corporations Act but the regime to be included in the Tax Administration Act is substantially the same.

[2] We note that the whistleblower protections in the financial services legislation use language similar to the new laws.

[3] Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2018, s 1317AADA(2).

[4] See the Explanatory Memorandum to the Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Bill 2003 (Cth), [4.322].
