Whistleblowers laws: how to handle a protected disclosure
With the new Federal whistleblower laws commencing on 1 July 2019, it is an opportune time to review how your organisation will handle and manage protected disclosures. The proper handling of a disclosure is vital from many perspectives.
Undoubtedly, the poor handling of disclosures can result in a culture of silence and lost opportunities for improvement. A failure to act on a disclosure can result in the matter being reported to the media or Parliament with potential reputational damage. Conversely, the good management of a disclosure can result in a more ethical culture. It can avoid reputational damage and prosecution for breach of the whistleblower laws.
In this bulletin, we:
- summarise the key obligations on business when handling a protected disclosure;
- outline the broad process of handling and managing a disclosure; and
- discuss some of the many considerations that influence how you can best handle a protected disclosure.
A consideration of these matters, and how your organisation will investigate disclosures, will then influence the content of any whistleblower policy to be promulgated by your business.
If a protected disclosure is made, strict confidentiality must be maintained. The information that is confidential is both the discloser’s identity and information that is “likely to lead to the identification of a discloser” (the confidential information).
This obligation of confidentiality is imposed on the recipient of the disclosure, the organisation and any other person that directly, or indirectly, obtains the confidential information. What this means is that the recipient of the disclosure cannot disclose the identity of the discloser, even to other eligible recipients in the organisation or to those that will investigate.
Confidential information can be disclosed if it is made to a prescribed regulator or the discloser gives consent. Obtaining consent is important in order to assist in the effective management of the disclosure. Normally there would be a need for the recipient to initially obtain consent from the discloser to at least refer the disclosure to the relevant personnel equipped to investigate and manage the matter, like HR, legal or internal audit.
The obligation of confidentiality also does not apply if:
- the information is not of the identity of the discloser; and
- the disclosure is “reasonably necessary for the purposes of investigating” the matter; and
- the business and relevant personnel “takes all reasonable steps to reduce the risk that the [whistleblower] will be identified”.
No guidance is otherwise provided as to what constitutes “all reasonable steps”. This will be assessed on a case-by-case basis with the protection of disclosers given paramount importance.
Protecting the confidential information will therefore mean taking care in what you say, including:
- referencing a personal identification by a trait such as gender, age, disability, religion or ethnicity;
- revealing the nature of the information disclosed in circumstances where the information would only be known to a limited number of individuals; and
- the role or position of the discloser if there are a small number of people who fit that description.
There are significant protections against victimisation. Crucially, these provisions apply to persons who are believed or suspected to have made, or have proposed to make, a protected disclosure. The protections are enlivened if the victimising conduct was motivated by the belief or suspicion that the person has made, or will make, a disclosure.
The types of conduct that may constitute victimisation are broad and include dismissal, injury, alteration of an employee’s position, harassment or intimidation and harm (including psychological harm) and damage to a person’s property, their reputation, business or financial position.
Failure to comply with these protections attracts significant penalties for both individuals and companies.
The disclosure management process
The steps leading up to the investigation of a disclosure are critical. These steps put in place the framework for how a disclosure is best managed, balancing the obligations to protect confidentiality and avoid victimisation with the appropriate freedom to manage, investigate and respond to the disclosure. Broadly, the process is as follows:
The triage step
The first step is to determine whether you are dealing with a protected disclosure covered by the strict whistleblower provisions in the Corporations Act 2001 (Cth), or some other type of complaint. This step is broadly about checking the following matters:
Businesses should err on the side of caution in determining whether a disclosure concerns misconduct or an improper state of affairs, but jealously guard against personal work-related grievances being treated as protected disclosures. A complaint, disclosure or grievance that is not protected under the Corporations Act may provide more freedom and flexibility to manage.
A report of information that is not a protected disclosure may still be, for example, an exercise of a workplace right by an employee under the Fair Work Act 2009 (Cth) to make a complaint. Protections apply under that legislation against adverse action because a workplace right was exercised.
The assessment step
This is the next critical step – assessing the disclosure and planning the next steps needed to act on the disclosure.
Assessment is about more than just the disclosure itself. Sure, you need to assess whether further information and detail is needed from the discloser to enable you to act on the matter. You may also make an assessment as to whether the report warrants any action or investigation at all, or needs to be referred externally to a regulator. But more is needed.
You must undertake a risk assessment early, including from a work health and safety perspective. What is the risk of harm or victimisation to the discloser? What are the risks of a breach of confidentiality? What are the risks of harm to the subject of the disclosure? A risk assessment will identify strategies for managing risk and the steps you need to take to prevent victimisation and manage confidentiality, but will also identify the ability to action the matter.
Organisations should be discreet in all communications and hold meetings with disclosers at times and locations that avoid identification and speculation. Disclosures (and any subsequent investigation material) should be stored securely on networks and separately from HR files.
The assessment step also involves considering whether the disclosure can be appropriately dealt with by investigation or managerially. Some complaints, including anonymous complaints, may allow or require an audit or inquiry of business records, or some surveillance, as opposed to interviews or more formal investigative processes.
Assessment is also about identifying how you will investigate the matter, and what you need to be able to investigate properly. You should start to develop terms of reference and an investigation plan. Is the matter to be dealt with internally or externally? Will the need to maintain confidentiality impede the investigation? Do you need consent from the discloser to reveal their identity?
What is the reporting structure for any action, noting the confidentiality requirements? Is consent needed to be able to report the matter to any internal reports, including to action the disclosure and any outcomes?
The consultation step
This step works in tandem with the assessment step. Communication about the process and protections is vital to obtaining consent and flexibility in the management of the disclosure.
Consulting with disclosers about risk is a valuable source of information. For example, has the discloser discussed their complaint with others? This may identify sources for a breach of confidentiality. Alternatively, is the disclosed matter widely known?
The inclusion of disclosers in the risk management process also builds their confidence and trust in the process. Discussion needs to take place about any risk management measures and strategies to be implemented.
The business needs to discuss with the discloser any limitations in the investigation due to confidentiality. A discussion about sources of information may assist in identifying if the matter can be dealt with without revealing confidential information. But if consent to disclose is needed to investigate the matter more deeply, the discloser needs to be told. Any consent obtained should be documented.
Disclosers need to be told of the protections available to them against victimisation. If they give consent to disclose their identity, they need to know that the organisation will appropriately warn all those involved against victimisation and notify them of the responsibility to maintain confidence. Disclosers also need to be aware of the support available to them during any investigation, such as contact officers and EAP.
Importantly, any risk assessment process and investigation plan need to be continuously reviewed. Part of avoiding a protected interest disclosure is to regularly keep the discloser up to date on steps and actions being taken. Continual communication is vital.
The action step
The organisation must be seen to take action in response to a disclosure.
The action step does not always need to involve an investigation. Other ways to gather information may include an IT audit, some form of surveillance, or a survey to gauge culture. There may also be steps to address the problem revealed by the disclosure, such as training, improvements to procedures, policy reform or other managerial action. These responses may avoid the need for the disclosure of confidential information or for a formal investigation.
Companies need to develop and promote clear policies and procedures regarding whistleblowers and the handling and management of their disclosures. Training recipients of protected disclosures and those that manage them is vital to ensure good complaint handling.
Author: James Mattson and Jade Bond