Australian whistleblower protection laws, the Corporations Act and Public Interest Disclosure Act
Australia has no single whistleblower law. It protects people who report wrongdoing through a set of separate laws. The one most private companies fall under is the Corporations Act 2001. Since 2020 it has made larger companies run a whistleblower policy, protect anonymous reports, and treat payback as a crime.
Key facts
- Australia has no single whistleblower act. The rules are split across company, public-sector, and tax law.
- Since 1 January 2020, public and large private companies must have a whistleblower policy.
- A report stays protected even when it's made anonymously.
- Revealing a whistleblower's identity is a criminal offence.
- Unlike the United States, Australia pays no reward for a tip.
Is there one Australian whistleblower law?
No. Australia protects whistleblowers through several laws. Each one is tied to a sector. The Corporations Act 2001 covers companies and finance. The Public Interest Disclosure Act 2013 covers the federal public service. People who report tax fraud, and union members, have their own rules on top.
The Corporations Act carries the most weight for business. Its whistleblower rules sit in Part 9.4AAA. They reach every company and almost anyone who deals with one. You can see how other countries handle the same question in our list of whistleblowing laws by country.
| Law | Who it covers | What it protects | Run by |
|---|---|---|---|
| Corporations Act 2001, Part 9.4AAA | Company officers, staff, suppliers, and their relatives | Misconduct or an improper state of affairs in companies and finance | ASIC and APRA |
| Public Interest Disclosure Act 2013 | Commonwealth public officials and contractors | Wrongdoing inside federal government agencies | Commonwealth Ombudsman and agency officers |
| Taxation Administration Act 1953, Part IVD | People with information about a tax entity | Breaches of the tax laws | Australian Taxation Office |
| Fair Work (Registered Organisations) Act 2009 | Members and officers of unions and employer bodies | Misconduct in registered organisations | Fair Work Commission |
What changed in the 2019 overhaul?
Australia's modern company rules date from 2019. The Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 got assent on 12 March 2019. It started on 1 July 2019. It replaced a set of rules from 2004. Those old rules were so narrow that they were almost never used.
The reform came after the Hayne Royal Commission into banking misconduct. That inquiry heard how staff who raised the alarm were ignored or pushed out. So the new law widened who counts as a whistleblower. It added the right to compensation. And it turned identity protection and the ban on payback into real duties, with penalties behind them.
It also made the internal channel a legal must. Before 2019 a company could choose whether to invite reports at all. Now the larger ones have to run a written policy and give staff a way to use it. That change, from a nice-to-have to a standing duty, is the heart of the reform.
Who is protected, and what can they report?
The Corporations Act protects a wide group, not just staff. An eligible whistleblower can be a current or former officer, employee, contractor, or supplier. It can even be their relative, spouse, or dependant. The protection holds whether the person gives a name or stays anonymous.
"An individual is an eligible whistleblower in relation to a regulated entity if the individual is, or has been, any of the following: (a) an officer of the regulated entity; (b) an employee of the regulated entity; (c) an individual who supplies services or goods to the regulated entity (whether paid or unpaid); (d) an employee of a person that supplies services or goods to the regulated entity..."
Section 1317AAA, Corporations Act 2001
What you can report is broad too. You're covered for misconduct or an "improper state of affairs" in a company. You're covered for a breach of the corporations or finance laws. And you're covered for a serious federal crime, one that carries 12 months in prison or more. A purely personal work gripe, like a dispute over your own pay, doesn't count on its own.
A protected report has to reach the right person. Inside the company, that means an officer, a senior manager, the auditor, or the actuary. Outside it, a report can go to the corporate regulator, ASIC (the Australian Securities and Investments Commission). It can also go to APRA (the Australian Prudential Regulation Authority) for banks and insurers. A lawyer can be told too, for advice.
How must companies run an internal whistleblower channel?
Since 1 January 2020, larger companies must have a whistleblower policy. The duty falls on public companies, large proprietary companies, and corporate trustees of super funds. A proprietary company counts as large when it meets two of three marks. These are yearly revenue of 50 million dollars or more, gross assets of 25 million or more, or 100 or more staff.
The policy has to do real work, not just sit in a drawer. It must spell out the protections on offer. It must say who can take a disclosure. It must explain how the company will support a whistleblower. And it must show how it looks into a report and keeps the person's name private. ASIC set out what a sound policy looks like in its guidance for company officers.
WeMoral turns the whistleblower policy the Corporations Act demands into a channel people actually use. Every report reaches only the officer you name. It arrives encrypted and stays sealed. That seal earns its keep in Australia, where leaking a discloser's name is a crime in its own right. The channel takes named or anonymous reports. It timestamps each step. So your file is ready the day ASIC or APRA asks how you handled a case. Appoint your own eligible recipient, or hand the seat to WeMoral, hosted and tamper-evident whistleblowing software. You can stand up the internal reporting channel without writing code.
When can a whistleblower go public?
Australia sets a high bar before a whistleblower can go to the press. A normal protected report goes to the company, to ASIC, or to APRA. But the law adds two narrow routes to a journalist or a member of parliament, and both come with strict conditions.
The first is a public interest disclosure. A whistleblower can use it only after they've already reported to ASIC or APRA. At least 90 days must pass with no action. They then have to give written notice first. And they need a good reason to believe that going public serves the public interest.
The second is an emergency disclosure. It opens when there's a substantial and imminent danger to health, safety, or the environment. Both routes are easy to get wrong. A misstep can cost the whistleblower their protection. So most reports still start inside the company or with the regulator.
What protections and remedies do whistleblowers get?
A protected whistleblower gets four things. Their name is kept private. They can't be sued or charged for making the report. They're protected from any harm at work. And they can claim a payout if they're punished for speaking up.
"A person (the first person) contravenes this subsection if... the first person's conduct causes any detriment to another person... [and] the first person believes or suspects that the second person... made... a disclosure that qualifies for protection under this Part... [and this] is the reason, or part of the reason, for the conduct."
Section 1317AC, Corporations Act 2001 (victimisation prohibited)
The identity rule is strict. Once a disclosure qualifies, no one may reveal who made it. No one may share details likely to point to them either, except in a few cases like a report to ASIC. A court can also keep those details out of the evidence, so a case doesn't have to name the source. ASIC lays out these rights in plain terms on its corporate whistleblower page.
The burden of proof leans the whistleblower's way. Say a worker claims they were harmed for a disclosure. The company then has to prove the real reason was something else. A court can order a payout, give the person their job back, and grant other relief. And the worker usually won't pay the company's legal costs, even if the claim fails, unless they acted in bad faith.
What are the penalties?
The penalties are heavy, and they fall on people and companies alike. Breaking secrecy or punishing a whistleblower is both a crime and a civil wrong. So a wrongdoer can face prison, a fine, and a separate civil penalty for the same act.
| Breach | Who is liable | Maximum penalty |
|---|---|---|
| Revealing a whistleblower's identity | An individual | 6 months in prison, 60 penalty units, or both |
| Victimising or threatening a whistleblower | An individual | 2 years in prison, 240 penalty units, or both |
| Either breach, as a civil penalty | A company | The greater of 50,000 penalty units, three times the benefit, or 10% of yearly turnover |
| Having no whistleblower policy | A company | A separate offence under the Corporations Act |
The dollar figures are large. Penalties are counted in penalty units. Each unit is a standard Commonwealth measure worth a few hundred dollars. For a company, the civil maximum runs into the tens of millions. It's set at the greater of 50,000 penalty units, three times any gain, or a tenth of yearly turnover. A firm that never puts a policy in place breaks a separate rule on top.
The company can be on the hook too, not just the person who did the harm. Say a manager leaks a name or punishes a whistleblower. The business can share the blame, and a court can order the firm itself to pay the compensation. That's why a board treats the policy as a real risk to manage, not a form to file and forget.
What about the public sector, tax, and unions?
The Corporations Act is only one piece of the picture. The Public Interest Disclosure Act 2013 covers the federal public service. It lets a public official report wrongdoing to an authorised officer inside their own agency. And it makes taking payback a criminal offence.
"It is an offence to take a reprisal against a person because of a public interest disclosure (including a proposed or a suspected public interest disclosure)."
Public Interest Disclosure Act 2013, simplified outline of the reprisal offence
Two more regimes fill the gaps. Part IVD of the Taxation Administration Act 1953 protects tax whistleblowers. They can report a tax breach to the ATO (the Australian Taxation Office) or a registered tax agent. The Fair Work (Registered Organisations) Act 2009 does a similar job for union and employer-body members. State and territory laws add another layer for their own public sectors.
Australia's regime is strong on paper. It makes the policy a must. It protects the anonymous report. And it puts prison terms behind the ban on payback. Yet it pays no bounty, and few whistleblowers have actually won compensation in court, where cases drag and the harm is hard to prove. The law can make a company build the channel. Whether workers trust it enough to use it is still settled inside each firm. The safest place to hear about a problem is your own reporting line, long before it reaches ASIC or the front page.
Legal advisor specializing in business, commercial and IP law. Writes on whistleblower legislation, the EU Directive, and implementing reporting procedures.