Australian Whistleblower Laws: One Month On.

A complexity that arises with the new laws is understanding the scope of what constitutes a disclosable matter, and the lack of certainty as to whether something is or is not caught within that scope.

Under the Corporations Act whistleblower provisions, a protected disclosure includes information which concerns "misconduct or an improper state of affairs or circumstances" in relation to a regulated entity or of a related body corporate. While misconduct is broadly defined under the Corporations Act to include fraud, negligence, default, breach of trust and breach of duty, the phrase "improper state of affairs or circumstances" has not been defined. This can raise a range of questions as to whether alleged conduct contained in a disclosure is or is not caught by the Corporations Act whistleblower protections regime.

While the personal work-related grievance carve out provides some limitation to the scope of this concept, it remains difficult to apply the concept of "misconduct or an improper state of affairs or circumstances" in practice. Further, the alleged conduct merely needs to be "in relation to" a regulated entity or its related body corporate, which raises further questions as to what types of employee or officer conduct fall within the scope of a disclosable matter.

The transitional provisions of the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (Cth) confirm that the Corporations Act whistleblower protections regime will apply to a qualifying disclosure that is made on or after 1 July 2019 and relates to matters that occurred before, at or after 1 July 2019.

The legislation does not otherwise establish any limitation period in relation to its retrospective application. Accordingly, organisations should be alive to its potential exposure to the re agitation of former concerns raised by an eligible whistleblower.

In practice, an organisation's ability to assess and deal with a protected disclosure about a historical issue may turn on whether the passing of time impacts on the organisation's ability to fairly investigate the disclosure. In particular, the key witnesses relevant to the issue may no longer be available for interview, or their memories may have faded. Depending on the circumstances, an organisation may need to carefully manage an eligible whistleblower's expectations in relation to how their protected disclosure will be dealt with.

The Corporations Act and Tax Administration Act whistleblower protections regimes impose a strict confidentiality obligation on any person who knows a whistleblower's identity either directly or indirectly from a protected disclosure. Specifically, a person must not disclose a whistleblower's identity, or information that is likely to lead to the whistleblower's identification, unless authorised under section 1317AAE of the Corporations Act. The category of authorisation that will most likely be of use to an organisation is where the whistleblower consents to the disclosure of their confidential identity information.

In practice, these strict confidentiality obligations may impact on an organisation's existing process for escalating and investigating a report of wrongdoing. This becomes a particularly live issue where the nature of the disclosed allegations tend to reveal the whistleblower's identity.

The Corporations Act introduces a narrow exception to the confidentiality obligation under section 1317AAE(1) of the Corporations Act where:

• a person does not disclose the whistleblower's identity specifically but discloses information that may lead to the identification of the whistleblower;
• this disclosure is "reasonably necessary" for investigating the matter; and
• "all reasonable steps" have been taken to reduce the risk that the whistleblower will be identified as a result of this disclosure.

While this exception is welcome relief to the strict confidentiality obligations under the Corporations Act, it is at this stage unclear how it will operate in practice. To the extent possible and where appropriate, organisations should seek a whistleblower's consent to any disclosures of their identity at the first instance. Initially, the scope of that consent may be cast narrowly, with the scope being revisited with the whistleblower depending on how the matter progresses.

Sections 3 and 5 of the Corporations Act confirm that its provisions may apply to acts and omissions outside Australia "according to its tenor".

This is significant in relation to the whistleblower protections regime as set out in the Corporations Act given:

• The term regulated entities is defined to include a constitutional corporation and, accordingly, a foreign corporation. 
• The scope of disclosable matters includes conduct of a related body corporate. "Related body corporate" is defined to include holding companies of a body corporate. Depending on the corporate structure of your business, this definition may capture foreign holding companies.
• Similarly, eligible recipients of a body corporate include an officer or senior manager of a related body corporate. For companies which are a part of a global group, this may create additional complexity in relation to managing the potential receipt of protected disclosures under the Corporations Act.

There is currently no further guidance in relation to the extent to which the Corporations Act whistleblower protections regime has extraterritorial application. For example, the following circumstances may be caught within the regime:

• a disclosure of conduct by an Australian company that occurs overseas; and
• a disclosure by an eligible whistleblower who is based outside of Australia about a disclosable matter in relation to an Australian company.

Whether the regime has even broader extraterritorial application is a live issue that may need to be tested through litigation.

A further issue arises as to how an organisation should manage disclosures that do not qualify for protection under the Corporations Act whistleblower protections regime. 

A particular complication may arise where an eligible whistleblower believes that they have made a disclosure that qualifies for protection, but had made it to a non-eligible recipient. Organisations should consider the process that they wish to adopt to respond to such a disclosure. This may also vary depending on each disclosure. Organisations should be careful not to treat a disclosure as a protected disclosure at law if the disclosure does not meet the requirements under the legislation. In certain circumstances, where the risk of victimising conduct is significant, it may be appropriate for both the original discloser and the non-eligible recipient to jointly make a protected disclosure to an eligible recipient, to ensure that they both benefit from the statutory protections.

"Eligible whistleblower" is now defined to include both current and formeremployees, officers and certain suppliers of a regulated entity, as well as their current and former relatives, dependants and spouse's dependants.

The expansion of the definition of eligible whistleblower to include individuals that are external to an organisation brings with it considerable complexities.

While there are no mandatory requirements for an organisation to provide a whistleblower policy to the public, there are advantages to implementing some kind of process for external whistleblowers to make a disclosure to your organisation. Certainly, it is impossible for any organisation to completely control or manage the process of disclosures by an external individual. Nevertheless, it may be worthwhile considering steps to reduce your organisation's exposure to the risk that sensitive issues are aired in public or to the incorrect recipient within the organisation, such as:

• providing a brief overview of your organisation's whistleblower policy, which should be tailored to assisting external individuals in understanding how they may make a protected disclosure;
• on your "Contact Us" page, providing specific contact details for "whistleblower complaints"; and
• contacting your suppliers to check if they are providing adequate training to their workforce on the new whistleblower laws.

The Corporations Act whistleblower protections regime introduces a requirement for public companies and large proprietary companies (which, since 1 July 2019, is defined as a company that meets at least two of the following conditions: at least $50 million consolidated revenue per financial year, $25 million in assets or 100 employees) to implement and maintain a whistleblower policy which for most entities is from 1 January 2020 onwards.

In order for a policy to be compliant with the Corporations Act, the whistleblower policy must also contain particular mandatory content, such as information about the protections available to whistleblowers, to whom protected disclosures may be made and how an eligible whistleblower may make a protected disclosure.

In order to comply with the prescribed mandatory content, this has meant that whistleblower policies generally end up being more legalistic and technical in nature than how company policies are normally drafted. It is also difficult for organisations to adopt a global whistleblower policy without a section or addendum expressly dealing with the Australian whistleblower protections regime.