New laws were passed in 2019 that make significant reforms to Australia’s private sector whistleblower laws. Under these laws, public companies, large proprietary companies and corporate trustees of superannuation entities regulated by APRA are required to have a Whistleblower Policy in place by 1 January 2020.
In addition, all entities regulated by the Corporations Act (even if not mandatorily required to have a whistleblower policy) must comply with strict protections for whistleblowers, or face significant penalties.
Organisations coming under the mandatory whistleblower policy requirement should have formulated a policy and made it known to staff by 1 January 2020. If this has not been done it should be attended to on an urgent basis.
For organisations with an existing policy, it should be reviewed to ensure compliance with the law, and with regulatory guidance released by ASIC in November 2019. The regulatory guidance sets out further details on the mandatory information that a whistleblower policy must include, as well as a number of recommendations as to 'better practice' in running a whistleblowing program. For example, organisations may wish to consider implementing dedicated channels to allow anonymous reporting (such as an internal or external hotline or web reporting service), to ensure that disclosures are handled consistently and in a manner that is compliant with legislative requirements.
Directors, officers and senior managers of the company are all ‘eligible recipients’ for protected whistleblowing disclosures under the law. As such, they have individual responsibility for ensuring that any reports made to them are handled in compliance with the law. These individuals will need to be identified, and trained in:
Disclosure of a whistleblower’s identity without consent will not be a breach of the law if it is made to a legal practitioner for the purpose of obtaining legal advice on the whistleblowing laws. This may be an important exemption for eligible recipients, since a legal practitioner may be the only 'safe harbour' where the recipient can discuss and receive advice on a report they have received. Companies may wish to consider arranging independent legal advice for recipients who receive a disclosure and are unsure of whether it is protected, or how to handle it.
A company’s whistleblower policy must contain information on how whistleblowing reports will be investigated. Information in an anonymous whistleblowing report can be disclosed if it is reasonably necessary for the purpose of investigation, but only if all reasonable steps are taken to reduce the risk that the whistleblower will be identified.
Companies will need to ensure that investigations of whistleblowing reports:
KPMG provides a comprehensive range of specialist whistleblower services, including: