Whistleblower Policy
Under the Corporations Act 2001, public companies and large proprietary companies must have a whistleblower policy — and it must be accessible to officers and employees.
What is a Whistleblower Policy?
The Corporations Act 2001 (Cth), as amended by the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019, requires public companies, large proprietary companies, and entities registered under the Banking Act or Insurance Act to have a whistleblower policy. The policy must cover: who qualifies as a protected discloser, what disclosures are protected, how disclosures can be made, how the company will investigate, and the protections available to whistleblowers.
Failure to have a compliant policy is an offence under the Corporations Act. Even for companies not legally required to have one, a whistleblower policy is best practice — it provides a structured channel for employees to raise concerns about misconduct before they escalate, and it demonstrates a culture of transparency and accountability.
When do you need a Whistleblower Policy?
- ✓ If you are a public company or large proprietary company (two of the three: revenue > $25M, assets > $12.5M, employees > 50)
- ✓ Before your company scales to the size that triggers the legal requirement
- ✓ As part of a governance and compliance policy refresh
- ✓ When implementing a speak-up or ethics reporting program
Key provisions to include
Eligible Disclosers
Current and former employees, officers, contractors, and their associates.
Qualifying Disclosures
Misconduct, improper state of affairs, breach of the Corporations Act, tax law, financial reporting.
Reporting Channels
Named internal officer and anonymous external hotline or platform.
Investigation Process
Acknowledgement timeline, investigator appointment, outcome communication.
Whistleblower Protections
Confidentiality, no victimisation, identity protection, compensation if detriment occurs.
Anonymous Disclosures
How anonymous reports will be handled and what limitations apply.
Common mistakes to avoid
- Not naming a specific Whistleblower Protection Officer — the policy must name a role or individual
- Failing to include an anonymous reporting channel, which the ASIC guidance recommends
- Not distributing the policy to all employees and officers — it must be accessible, not just filed away
- Treating a whistleblower complaint the same as a general HR grievance — the legal protections are different
Frequently asked questions
Which companies must have a whistleblower policy?
Public companies and large proprietary companies (those that satisfy at least two of: consolidated revenue over $25M, consolidated gross assets over $12.5M, 50 or more employees), as well as entities registered under the Banking Act 1959 or Insurance Act 1973. For those covered at that date, the policy had to be in place and accessible by 1 January 2020. Smaller companies are not legally required to have one but are encouraged to adopt best practice.
Can a whistleblower be dismissed for making a disclosure?
No. The Corporations Act provides strong protections against victimisation of eligible whistleblowers. If an employer dismisses, injures, alters the position of, or discriminates against a whistleblower because of their disclosure, the employer is liable for a civil penalty and the whistleblower may seek compensation. This protection applies even if the disclosure turns out to be incorrect, provided the whistleblower had reasonable grounds to suspect misconduct.