Whistleblower rights and protections
Whistleblowers play an important role in identifying and calling out misconduct and harm to consumers and the community. To encourage whistleblowers to come forward with their concerns and protect them when they do, the Corporations Act 2001 (Corporations Act) gives certain people legal rights and protections as whistleblowers.
This information sheet (INFO 238) explains:
- who is a whistleblower under the law
- how a whistleblower can access the legal rights and protections
- what protections are available to whistleblowers under the law
- when the whistleblower protections may not be available
We value the people from inside companies and organisations who report potential misconduct or breaches of the law. We appreciate that these whistleblowers can find themselves in difficult and stressful circumstances, and may risk their careers or even their personal safety. We take the concerns whistleblowers raise with ASIC seriously.
For further information on ASIC's role in relation to whistleblowers, see Information Sheet 239 How ASIC handles whistleblower reports (INFO 239).
Criteria for protection as a whistleblower under the law
You can access the legal rights and protections for whistleblowers in the Corporations Act if you meet the definition of an ‘eligible whistleblower’.
These criteria seek to include most people with a connection to a company or organisation who may be in a position to observe or be affected by misconduct and may face reprisals for reporting it. These people can access the rights and protections in the law from when they report misconduct. The protections also extend to the spouses and relatives of these people.
Whistleblowers can provide their name and contact details when they report. They can also report anonymously.
The criteria are set out in Table 1. There is no formal registration process for whistleblowers; the protections apply to anyone who meets the criteria in Table 1.
|Criteria||The law requires|
|Your role||You must be a current or former:
While you must hold or have held one of these roles to access the protections, you do not have to identify yourself or your role, and you can raise your concerns anonymously.
|Company or organisation your disclosure is about||The organisation your disclosure is about must be:
|Who you make the disclosure to||You must make your disclosure to:
While you must make your disclosure to one of these people or organisations, you can raise your concerns anonymously.
|Subject of your disclosure||You must have reasonable grounds to suspect that the information you are disclosing about the company or organisation concerns:
This information can be about the company or organisation, or an officer or employee of the company or organisation, engaging in conduct that:
'Reasonable grounds' means that a reasonable person in your position would also suspect the information indicates misconduct or a breach of the law.
Whistleblower reports to a journalist or parliamentarian
The Corporations Act protects you if you make a whistleblower report internally within the company or organisation or externally to the company's or organisation's auditor, actuary, or authorised whistleblower complaints service or hotline, or to ASIC or APRA as regulators.
The protections can also apply to you if you make a whistleblower report to a journalist or a member of the Commonwealth Parliament or a state or territory parliament (parliamentarian). However, this is only in certain limited circumstances, which are set out in Table 2 (for reports of matters in the public interest) and Table 3 (for reports of emergencies). If you disclose your concerns to the public in another way, these protections do not apply.
Table 2: Reports of matters in the public interest

| Criteria | The law requires |
|---|---|
| Previous report | You must have previously made a report to ASIC or APRA that satisfies the criteria in Table 1. |
| 90 days | At least 90 days have passed since you reported your concerns to ASIC or APRA, and you do not have reasonable grounds to believe that action to address your concerns is being or has been taken. |
| Public interest | You have reasonable grounds to believe that reporting your concerns to a journalist or parliamentarian would be in the public interest. |
| Written notice to ASIC or APRA | After 90 days from when you reported to ASIC or APRA, you give ASIC or APRA a written notice that includes sufficient information to identify your earlier report and states your intention to make a public interest disclosure. This could be by contacting the ASIC officer who considered your concerns and quoting the reference number of your case. |
| Journalist or parliamentarian | You report your concerns about misconduct or an improper state of affairs or circumstances or a breach of the law to a journalist or a parliamentarian. The extent of the information disclosed is no greater than is necessary to inform the recipient about your concerns. |

Table 3: Reports of emergencies

| Criteria | The law requires |
|---|---|
| Previous report | You must have previously made a report to ASIC or APRA that satisfies the criteria in Table 1. |
| Emergency | You have reasonable grounds to believe that the information in your report concerns substantial and imminent danger to the health or safety of one or more people or to the natural environment. |
| Written notice to ASIC or APRA | You give ASIC or APRA a written notice that includes sufficient information to identify your earlier report and states your intention to make an emergency disclosure. This could be by contacting the ASIC officer who considered your concerns and quoting the reference number of your case. |
| Journalist or parliamentarian | You report your concerns about the substantial or imminent danger to a journalist or parliamentarian. The extent of the information disclosed is no greater than is necessary to inform the recipient about the substantial and imminent danger. |

We communicate with people who report misconduct to ASIC, but we may not be able to tell you what specific action we may take in response to your report: see Information Sheet 152 Public comment on ASIC's regulatory activities (INFO 152). Generally, we will not respond to your notice of your intended public interest disclosure or emergency disclosure unless we consider it may affect action we are pursuing.
In addition, if your report to ASIC about misconduct by a company or organisation refers to matters that fall within the responsibilities of another regulator or law enforcement agency, we will generally encourage you to directly contact the other regulator or agency. We may not be able to inform you of the actions that may be taken by the other regulator or agency, and we would encourage you to contact them directly for an update if you are considering a public interest disclosure.
For further information, see INFO 239.
Reporting your concerns to a company or organisation
If you believe you are a whistleblower with information about misconduct or potential breaches of the law within a company or organisation, you access the whistleblower rights and protections when you report or disclose your concerns.
You can report your concerns internally to an officer, senior manager or a person the company or organisation has authorised to receive whistleblower reports. You are covered by the whistleblower protections when you make your report to a person holding one of these roles, and may also be covered when you could make your report: see 'Protections for whistleblowers from detriment'.
Generally, an 'officer' includes a director or company secretary of a company or organisation. A 'senior manager' is a person other than a director or company secretary who makes, or participates in making, decisions that:
- affect the whole, or a substantial part of the business of the company or organisation, or
- have the capacity to significantly affect the company's or organisation's financial standing.
This will generally be senior executives within a company or organisation and may include chief executive officers, chief financial officers, chief operating officers, and chief risk officers, as well as public officers of charities or not-for-profit organisations.
You can also report your concerns externally, to the company's or organisation's auditor or actuary, or a service provider that the relevant company or organisation has authorised to provide a whistleblower complaints service or hotline.
Companies and organisations may prefer you to use the whistleblower complaints service or hotline they have established, rather than reporting to other people holding the roles mentioned above, to help ensure the company or organisation becomes aware of your concerns and can address them promptly. However, you will still be able to access the whistleblower protections if you report to a person holding one of these roles. These roles are also listed in Table 1.
You can report your concerns anonymously and still access the whistleblower protections.
Reporting your concerns to regulators
We appreciate receiving reports from whistleblowers. Whistleblowers provide ASIC with important information about misconduct by companies and organisations. You are covered by the whistleblower protections if you report your concerns to ASIC, even if you have not first raised your concerns internally. You can lodge a report through our online misconduct reporting form or by writing to ASIC.
Further information about ASIC's handling of whistleblower reports, our enforcement approach, and how we deal with reports of misconduct is available in:
- INFO 239
- Information Sheet 151 ASIC’s approach to enforcement (INFO 151)
- Information Sheet 153 How ASIC deals with reports of misconduct (INFO 153)
You can report your concerns to ASIC anonymously; however, we will not be able to follow up with you for further information or tell you what steps we may take based on your information. You will still qualify for the whistleblower protections.
If your report is about matters within APRA's responsibilities, you may wish to raise your concerns directly with APRA. The whistleblower protections also apply to reports from whistleblowers made directly to APRA. For guidance on providing information on institutions APRA regulates, see APRA's webpage on whistleblowing.
If you believe you may be a whistleblower or are unsure about what protections or rights to compensation may apply to you, it is important to seek legal advice. We are not able to give personal legal advice and can only provide general information on these issues.
Only a properly accredited legal practitioner who understands your circumstances can give you legal advice. This is especially important if you are thinking of acting on the rights the whistleblower protections give you.
The Corporations Act contains certain protections for whistleblowers who meet the criteria in the tables above, including:
- protection of information provided by whistleblowers
- protections for whistleblowers against legal action
- protections for whistleblowers from detriment
Company or organisation
You can ask the company or organisation that receives your whistleblower report to keep your identity, or information that is likely to lead to your identification, confidential. Generally, companies and organisations that receive your report cannot disclose this information without your consent. However, they may report the information to ASIC, APRA, or the Australian Federal Police, or to a lawyer for advice about the whistleblower protections.
It is illegal for a person to reveal the identity of a whistleblower, or information likely to lead to the identification of a whistleblower, outside of these circumstances. We can investigate allegations from a whistleblower that their confidentiality has been breached following their report.
In a company's or organisation's investigation of the concerns raised in your report, the company or organisation must take reasonable steps to ensure that information likely to lead to your identification is not disclosed without your consent. However, the company or organisation may face difficulties investigating or internally addressing or correcting the misconduct unless you provide some approval for the company or organisation to use your information. You may wish to understand the company's or organisation's investigation practices – such as by reading the company's or organisation's whistleblower policy – before making your report to the company or organisation.
We must keep information provided by a whistleblower confidential. We may not disclose either the information or the identity of the whistleblower without the whistleblower's consent or unless that disclosure is specifically authorised by law. Further, we can resist producing documents to a court or tribunal where it may reveal a whistleblower's identity, unless a court or tribunal thinks it necessary or in the interests of justice.
You can find out more about how we protect information we receive by reading Regulatory Guide 103 Confidentiality and release of information (RG 103).
The Corporations Act protects a whistleblower against certain legal actions related to making the whistleblower disclosure, including:
- criminal prosecution (and the disclosure cannot be used against the whistleblower in a prosecution, unless the disclosure is false)
- civil litigation (such as for breach of an employment contract, duty of confidentiality, or other contractual obligation), or
- administrative action (including disciplinary action).
If you are the subject of an action for making a whistleblower disclosure, you may rely on this protection in your defence.
This protection does not grant immunity to you for any misconduct that you were involved in that is revealed in the disclosure.
However, if you voluntarily self-report your involvement in corporate misconduct, we will often take into account your cooperation when we consider the action we will take to pursue any wrongdoing and what remedies we will seek. For more information, see Information Sheet 172 Cooperating with ASIC (INFO 172).
Taking action against people who cause or threaten detriment
The Corporations Act makes it illegal (through a criminal offence and civil penalty) for someone to cause or threaten detriment to you because they believe or suspect that you have made, may have made, or could make a whistleblower disclosure.
The criminal offence and civil penalty apply even if you have not made a whistleblower report, but the offender causes or threatens detriment to you because they believe or suspect you have or might make a report.
A person may be causing you detriment if they:
- dismiss you from your employment
- injure you in your employment
- alter your position or duties to your disadvantage
- discriminate between you and other employees of the same employer
- harass or intimidate you
- harm or injure you, including causing you psychological harm
- damage your property
- damage your reputation
- damage your business or financial position
- cause you any other damage.
The offence and penalty require that the detriment be the result of an actual or suspected whistleblower disclosure. In many cases, particularly in the context of private employment, there may be arguments about whether the conduct involved was victimisation as a result of the whistleblower disclosure or for some other reason.
We can investigate allegations that a person caused or threatened detriment to you, but we would need your assistance to investigate the claim. Any action we take may result in a penalty to the person but not necessarily any compensation.
You can seek compensation through a court if you suffer loss, damage or injury for making your disclosure. If you are or were an employee and experienced detriment at work for reporting misconduct, the court may order the person causing you detriment or your employer to compensate you.
You can also pursue other remedies, such as:
- your employer reinstating you to your original position or a comparable position
- the court issuing an injunction to prevent or stop detrimental conduct
- the person, company or organisation that caused you detriment or threatened you with detriment apologising to you.
It is important to note that it is your responsibility to bring any such action for compensation. We strongly encourage you, if you believe you are a whistleblower, to seek independent legal advice about what remedies may be available to you if you suffer loss, damage, or injury. We are unable to give legal advice.
If you are unsuccessful in your claim for compensation for detriment against a person, company or organisation, you are protected from having to pay their legal costs (unless a court finds your claim to be vexatious or you acted unreasonably).
The whistleblower protections apply to people who meet the criteria in the tables above. There are certain exclusions from the protections for people who may otherwise meet some of the criteria above and who have observed or been affected by misconduct of a company or organisation.
If you fall into one of the following categories, you may not be covered by the whistleblower protections. Accordingly, we encourage you to seek your own legal advice about any other rights or remedies that may be available to you. These categories include:
- People experiencing employment disputes or a personal work-related grievance
- Customers or clients
Report of a personal work-related grievance may not be covered
If you are a current or former officer, employee, or contractor of a company or organisation who has an employment dispute or work-related grievance with the company or organisation, you may wish to report misconduct by the company or organisation about that work-related dispute. However, the whistleblower protections do not cover a report of misconduct solely about your personal work-related grievance.
Generally, a personal work-related grievance will include:
- an interpersonal conflict with another employee
- a decision about your employment, transfer, or promotion
- a decision about the terms and conditions of your employment
- a decision to suspend or terminate your employment or otherwise discipline you.
Instead, you may have rights and protections under employment or contract law. We encourage you to seek your own legal advice about how you can resolve your personal work-related grievance.
Report of significant, wider concerns about employment dispute may be covered
If you have a personal work-related grievance, you may still be able to access the whistleblower protections for a report about your treatment.
However, this is only if the report also raises significant implications for the company or organisation: for example, if the company's or organisation's treatment of you breaks employment or other laws, or suggests systemic misconduct beyond your own circumstances.
In addition, you can access the whistleblower protections if you suffer or are threatened with detriment for reporting your own circumstances or making a report to your lawyer.
Similarly, you may also access the whistleblower protections if you make a report about other misconduct you have observed or been affected by.
We encourage you to seek your own legal advice about whether you may be covered by the whistleblower protections and how you can resolve your personal work-related grievance.
You may observe or be affected by misconduct of a competitor to your business, and wish to report the misconduct to the competitor's management or ASIC. This could include where your business suffers loss as a result of the competitor's misconduct, such as the competitor infringing on your intellectual property rights.
However, you cannot access the whistleblower protections, as these protections are targeted at insiders of companies or organisations. Instead, you may have rights and protections under other laws, such as intellectual property or tort.
We encourage you to report your concerns to ASIC if they relate to matters within our regulatory responsibilities. We also encourage you to seek your own legal advice about how you can resolve your dispute.
If you are a customer or client of a company or organisation, you may also observe or be affected by the company's or organisation's misconduct. However, you are not able to access the whistleblower protections if you are not otherwise an insider to the company or organisation.
You may have other legal rights and remedies you can pursue against a company or organisation if you are affected by the company's or organisation's misconduct. We encourage you to report your concerns to ASIC if they relate to matters within our regulatory responsibilities. We also encourage you to seek your own legal advice about your personal disputes.
Where to find more information
- RG 103 Confidentiality and release of information
- INFO 151 ASIC’s approach to enforcement
- INFO 153 How ASIC deals with reports of misconduct
- INFO 172 Cooperating with ASIC
- INFO 239 How ASIC handles whistleblower reports
Read the whistleblower provisions of the Corporations Act (especially Part 9.4AAA) on the Federal Register of Legislation.
Please note that this information sheet is a summary giving you basic information about a particular topic. It does not cover the whole of the relevant law regarding that topic, and it is not a substitute for professional advice. Omission of any matter in this information sheet will not relieve a company or its officers from any penalty incurred by failing to comply with the statutory obligations of the Corporations Act.
You should also note that because this information sheet avoids legal language wherever possible, it might include some generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.
This is Information Sheet 238 (INFO 238) issued on 1 July 2019.