This blog post is a guest post from Samantha Carroll, Practice Director | Governance, Compliance & Regulation at Ash St. Legal & Advisory.
It has been almost a year since the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 strengthened and consolidated Australia’s whistleblower protections for the corporate and financial sector.[1] Protection of whistleblowers is widely recognised as being integral to promoting transparency, integrity and detecting misconduct. Under the enhanced regime, regulated organisations were required to have a whistleblower policy which complied with the new regime in place by 1 January 2020.
Having achieved this milestone, organisations should now be turning their focus to the effectiveness and performance of their whistleblower policies. A common challenge faced by many organisations is how best to ensure the protections they have set out in their whistleblower policy are applied in practice. One particular protection under the whistleblower regime that has presented practical challenges is how to maintain the confidentiality of a whistleblower given:
- there are multiple persons in the organisation who are ‘eligible recipients’ under the law;
- the ‘eligible recipient’ who receives the disclosure may not be the person who is ultimately responsible for assessing and investigating the disclosure;
- there is an expectation that boards and senior management have oversight over the effective implementation of the whistleblower policy.
A policy may stress the importance of maintaining confidentiality, but a single lapse in procedures can still result in a failure in the statutory duty of care to protect a whistleblower from detriment, which could have severe financial and reputational repercussions.
Expect the Unexpected
In today’s digital age, ensuring the confidentiality of any communication between a whistleblower and the eligible recipient can be fraught with risks. For example, an emailed disclosure may be particularly at risk in the following ways:
- the email is erroneously sent, forwarded, or misdirected by the ‘eligible recipient’;
- the email is sent into an inbox used for other communications and the disclosure is missed, miscategorised, or misinterpreted;
- procedures and protocols designed to protect confidentiality are not followed (for instance, how emails are filed by the eligible recipient);
- the inbox may be managed by secretarial staff or a third party who view the content;
- disclosures are printed or otherwise mishandled;
- a data breach arises as a result of hacking or other unauthorised access to the inbox of an eligible recipient.
Recent reporting of a World Vision Australia (WVA) whistleblower matter[2] is an illustrative example. Allegations surfaced of kickback payments connected with the family of a senior staff member. In an email from the whistleblower to the CEO’s administrative assistant, they requested an urgent meeting to disclose concerns. Despite an explicit request for anonymity, the response (communicated by the assistant) was to direct the whistleblower to meet with personnel including one connected to the alleged misconduct. While the matter is now under investigation, the CEO resigned, noting that the announcement had been brought forward to pre-empt the publication of the story in the media.
How to Effectively Maintain Confidentiality in Practice
The WVA matter illustrates that it is imperative to assess the risk of breaching a whistleblower’s confidentiality and implement appropriate controls. Organisations should consider the possible scenarios that may arise based on the medium through which a disclosure can be made. In addition, procedures should be supported by effective training and regular review of the performance of controls.
Organisations may also consider other options to support implementation such as RegTech to build further trust. For instance, a whistleblower reporting platform can be used to ensure disclosures are only received by authorised eligible recipients. The use of such a platform not only makes it clear that the matter should be treated as a whistleblower disclosure, it also ensures that only those persons authorised have access to the identity of the whistleblower.
How Ash St. Can Help
An effective whistleblower framework will foster commitment and trust at critical points in a whistleblower disclosure which will assist in achieving the best outcome for the whistleblower and your organisation. If your organisation is currently facing challenges or needs further information, please contact Samantha Carroll on +61 438 323 584 or email.
Conclusion
The World Vision Australia case is a stark reminder that even the most robust policies fail if the reporting channel is insecure. Relying on general email inboxes or administrative staff to handle sensitive reports creates a massive liability for any organisation.
Whispli provides exactly the kind of secure, dedicated environment required to manage these risks. By moving away from general email and using an encrypted reporting platform, you ensure that disclosures only reach the designated eligible recipients.
Whispli protects the whistleblower's identity from the first click, allowing you to build a culture of trust while shielding your leadership from the fallout of an accidental confidentiality breach. In the digital age, a secure platform is not just a tool: it is your strongest defense against procedural failure.
[1] The New Whistleblower Regime, Ash Street, May 2019.
[2] World Vision brushed off reports of corruption months ago, Sydney Morning Herald, 9 March 2020.