Whistleblower policies required by 1 January 2020
As we noted in our recent article , from 1 January 2020, it is mandatory for all public companies, large proprietary companies and proprietary companies that are trustees of registrable superannuation entities to have a compliant whistleblower policy, and to make that policy available to officers and employees.
Failure to comply with the requirement to have and make available a whistleblower policy is an offence of strict liability.
In accordance with ASIC’s enforcement approach, it will periodically conduct surveillance activities to ensure compliance, and companies failing to meet their obligations deadline may incur a fine.
What is required in a whistleblower policy?
Section 1317AI(5) of the Corporations Act 2001 (Cth) mandates that whistleblower policies must include information about:
a) the protections available to whistleblowers, including protections under the Corporations Act; b) to whom disclosures that qualify for protection under the Corporations Act may be made, and how they may be made; c) how the entity will support whistleblowers and protect them from detriment; d) how the entity will investigate disclosures that qualify for protection under the Corporations Act; e) how the entity will ensure fair treatment of its employees who are mentioned in disclosures that qualify for protection, or its employees who are the subject of disclosures; f) how the policy will be made available to officers and employees of the entity; and g) any matters prescribed by regulations.
The whistleblower policy should also include information about the protections provided in the tax whistleblower regime under Part IVD of the Taxation Administration Act 1953.
ASIC’s enhanced focus on whistleblowers
To facilitate the new whistleblower regime, ASIC has established the Office of the Whistleblower and has enhanced their internal processes for communicating with whistleblowers and addressing the matters raised by their disclosure.
ASIC will be surveying whistleblower policies from a sample of public companies, large proprietary companies and corporate superannuation trustees during 2020 to review compliance with the legal requirements and to monitor the good practice requirements.
Now is the time to consider and take action to establish a suitable and compliant whistleblower policy. Please contact us if you require any advice or assistance regarding the requirements of the new whistleblower regime and how to comply with your obligations.
For more general information, see our previous article: “The corporate whistleblower regime: strengthening mandatory requirements”.
ASIC has released Regulatory Guide 270 Whistleblower policies which gives guidance to help those companies and entities that are required to have a whistleblower policy establish one that complies with their legal obligations, and provides ASIC’s good practice guidance on implementing and maintaining a whistleblower policy.
The following table sets out some (non-exhaustive) examples of ASIC’s guidance with respect to the matters that the Corporations Act requires a whistleblower policy to address.
|Matters that the Act requires a policy to address||ASIC’s guidance|
|The protections available to whistleblowers, including protections under Part 9.4AAA of the Corporations Act||The policy must identify the different types of disclosers within and outside the entity who can make a disclosure that qualifies for protection (i.e. ‘eligible whistleblowers’).
The policy must set out the criteria for a discloser to qualify for protection as a whistleblower under the Corporations Act.
The policy must identify the types of wrongdoing that can be reported (i.e. ‘disclosable matters’), based on the entity’s business operations and practices. In addition, the policy must outline the types of matters that are not covered by the policy (e.g. personal work-related grievances).
The policy must state that disclosures that are not about ‘disclosable matters’ do not qualify for protection under the Corporations Act.
The protections that the policy must cover are:
· identity protection (confidentiality);
· protection from detrimental acts or omissions;
· compensation and other remedies; and
· civil, criminal and administrative liability protection.
|To whom disclosures that qualify for protection under the Corporations Act may be made, and how they may be made||The policy must identify the types of people within and outside the entity who can receive a disclosure that qualifies for protection— that is:
· ‘eligible recipients’;
· legal practitioners;
· regulatory bodies and other external parties; and
· journalists and members of Commonwealth, state or territory parliaments (parliamentarians), under certain circumstances.
The policy must also:
· include information about who a discloser can contact to obtain additional information before making a disclosure;
· outline the different options available for making a disclosure – the options should allow for disclosures to be made anonymously and/or confidentially, securely and outside of business hours; and
· include information about how to access each option, along with the relevant instructions.
The policy may include the following information, depending on the options available to disclosers:
· information on how to contact the entity’s eligible recipients in person or through post or email;
· the telephone number for the entity’s internal whistleblower hotline or the entity-authorised external hotline; and
· a link to the entity-authorised external whistleblower platform.
The policy must advise that disclosures can be made anonymously and still be protected under the Corporations Act.
The policy may refer to the following measures and/or mechanisms for protecting anonymity (where applicable):
· communication with disclosers will be through anonymous telephone hotlines and anonymised email addresses; and
· a discloser may adopt a pseudonym for the purpose of their disclosure— this may be appropriate in circumstances where the discloser’s identity is known to their supervisor, the whistleblower protection officer or equivalent but the discloser prefers not to disclose their identity to others.
|How the entity will support whistleblowers and protect them from detriment||Reducing the risk that the discloser will be identified from the information contained in a disclosure
The policy may set out that:
· all personal information or reference to the discloser witnessing an event will be redacted;
· the discloser will be referred to in a gender-neutral context;
· where possible, the discloser will be contacted to help identify certain aspects of their disclosure that could inadvertently identify them; and
· disclosures will be handled and investigated by qualified staff.
Secure record-keeping and information-sharing processes
The policy may set out that:
· all paper and electronic documents and other materials relating to disclosures will be stored securely;
· access to all information relating to a disclosure will be limited to those directly involved in managing and investigating the disclosure;
· only a restricted number of people who are directly involved in handling and investigating a disclosure will be made aware of a discloser’s identity (subject to the discloser’s consent) or information that is likely to lead to the identification of the discloser;
· communications and documents relating to the investigation of a disclosure will not to be sent to an email address or to a printer that can be accessed by other staff; and
· each person who is involved in handling and investigating a disclosure will be reminded about the confidentiality requirements, including that an unauthorised disclosure of a discloser’s identity may be a criminal offence.
Protection from detriment
The policy may refer to the following measures and mechanisms for protecting disclosers from detrimental acts or omissions (where applicable):
· processes for assessing the risk of detriment against a discloser and other persons (e.g. other staff who might be suspected to have made a disclosure), which will commence as soon as possible after receiving a disclosure;
· support services (including counselling or other professional or legal services) that are available to disclosers;
· strategies to help a discloser minimise and manage stress, time or performance impacts, or other challenges resulting from the disclosure or its investigation;
· actions for protecting a discloser from risk of detriment—for example, the entity could allow the discloser to perform their duties from another location, reassign the discloser to another role at the same level, make other modifications to the discloser’s workplace or the way they perform their work duties, or reassign or relocate other staff involved in the disclosable matter;
· processes for ensuring that management are aware of their responsibilities to maintain the confidentiality of a disclosure, address the risks of isolation or harassment, manage conflicts, and ensure fairness when managing the performance of, or taking other management action relating to, a discloser;
· procedures on how a discloser can lodge a complaint if they have suffered detriment, and the actions the entity may take in response to such complaints (e.g. the complaint could be investigated as a separate matter by an officer who is not involved in dealing with disclosures and the investigation findings will be provided to the board or audit or risk committee); and
· interventions for protecting a discloser if detriment has already occurred— for example, the entity could investigate and address the detrimental conduct, such as by taking disciplinary action, or the entity could allow the discloser to take extended leave, develop a career development plan for the discloser that includes new training and career opportunities, or offer compensation or other remedies.
|How the entity will investigate disclosures that qualify for protection under the Corporations Act||The policy must provide transparency about how it will handle and investigate disclosures, including timeframes for handling and investigating disclosures.
Handling a disclosure
The policy must outline the key steps the entity will take after it receives a disclosure
The policy should state that the entity will need to assess each disclosure to determine whether:
· it qualifies for protection; and
· a formal, in-depth investigation is required.
Investigating a disclosure
The policy must outline the key steps involved in investigating a disclosure, including the timeframes, while acknowledging that the process may vary depending on the nature of the disclosure.
The policy should highlight that without the discloser’s consent, the entity cannot disclose information that is likely to lead to the identification of the discloser as part of its investigation process—unless:
· the information does not include the discloser’s identity;
· the entity removes information relating to the discloser’s identity or other information that is likely to lead to the identification of the discloser (e.g. the discloser’s name, position title and other identifying details); and
· it is reasonably necessary for investigating the issues raised in the disclosure.
The policy should also acknowledge any limitations of the entity’s investigation process.
Keeping a discloser informed
The policy must state that a discloser will be provided with regular updates, if the discloser can be contacted (including through anonymous channels).
The policy should acknowledge that the frequency and timeframe may vary depending on the nature of the disclosure.
How the investigation findings will be documented, reported internally and communicated to the discloser
The policy must outline how the findings from an investigation will be documented and reported to those responsible for oversight of the policy, while preserving confidentiality.
The policy should indicate the information the discloser will receive at the end of the investigation.
The policy should also clarify that the method for documenting and reporting the findings will depend on the nature of the disclosure. It should also clarify that there may be circumstances where it may not be appropriate to provide details of the outcome to the discloser
|How the entity will ensure fair treatment of its employees who are mentioned in disclosures that qualify for protection, or its employees who are the subject of disclosures||The policy may include the following measures and/or mechanisms for ensuring fair treatment of individuals mentioned in a disclosure (where applicable):
· disclosures will be handled confidentially, when it is practical and appropriate in the circumstances;
· each disclosure will be assessed and may be the subject of an investigation;
· the objective of an investigation is to determine whether there is enough evidence to substantiate or refute the matters reported;
· when an investigation needs to be undertaken, the process will be objective, fair and independent;
· an employee who is the subject of a disclosure will be advised about the subject matter of the disclosure as and when required by principles of natural justice and procedural fairness and prior to any actions being taken—for example, if the disclosure will be the subject of an investigation; and
· an employee who is the subject of a disclosure may contact the entity’s support services (e.g. counselling).
|How the policy will be made available to officers and employees of the entity||The policy must cover information about how the policy will be made available to the entity’s officers and employees.
The policy may include the following methods for making the policy available to the entity’s officers and employees (where applicable):
· holding staff briefing sessions and/or smaller team meetings;
· posting the policy on the staff intranet or other communication platform;
· posting information on staff noticeboards;
· setting out the policy in the employee handbook; and
· incorporating the policy in employee induction information packs and training for new starters.