This blog post is a guest post from Samantha Carroll, Practice Director | Governance, Compliance & Regulation at Ash St. Legal & Advisory


It has been almost a year since the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 strengthened and consolidated Australia’s whistleblower protections for the corporate and financial sector.[1] Protection of whistleblowers is widely recognised as being integral to promoting transparency, integrity and detecting misconduct. Under the enhanced regime, regulated organisations were required to have a whistleblower policy which complied with the new regime in place by 1 January 2020. Upon achieving this milestone, organisations should now be turning their focus to effectiveness and performance of their whistleblower policies. A common challenge faced by many organisations is how best to ensure the protections they have set out in their whistleblower policy are applied in practice.


One particular protection under the whistleblower regime that has presented practical challenges for some organisations is how to maintain the confidentiality of a whistleblower given:

  • there are multiple persons in the organisation who are ‘eligible recipients’ under the law;
  • the ‘eligible recipient’ who receives the disclosure may not be the person who is ultimately responsible for assessing and (where applicable) investigating the disclosure; and
  • there is an expectation that boards and senior management have oversight over the effective implementation of the whistleblower policy.


A policy may stress the importance of maintaining the confidentiality of a whistleblower’s identity and disclosure, but a single lapse in procedures can still result in a failure in the statutory duty of care to protect a whistleblower from detriment which could have severe financial and reputational repercussions for the organisation.


Expect the Unexpected

In today’s digital age, ensuring that the confidentiality of any communication between a whistleblower and the eligible recipient is maintained can be fraught with risks. For example, an emailed disclosure may be particularly at risk in the following ways:


  • the email is erroneously sent, forwarded or misdirected by the ‘eligible recipient’;
  • the email is sent into an inbox used for other communications and as a consequence, the disclosure is missed, not recognised as a whistleblower disclosure, miscategorised or misinterpreted by the eligible recipient;
  • procedures and protocols designed to protect confidentiality are not followed or have not been considered in sufficient detail – for instance, how emails are filed by the eligible recipient;
  • the inbox may be managed by secretarial staff or a third party who view the content and, by the mere fact that they have accessed the disclosure, could breach the confidentiality of the whistleblower;
  • disclosures are printed or otherwise mishandled; and
  • a data breach arises as a result of hacking or other unauthorised access to the inbox of an eligible recipient.


Recent reporting of a World Vision Australia (WVA) whistleblower matter[2] is an illustrative example of how such risks could materialise. According to media reports, in March 2020, allegations surfaced of kickback payments from a procurement contract connected with the family of one senior staff member at WVA. In an email from the whistleblower to the CEO’s administrative assistant, they requested an urgent meeting with the CEO to disclose concerns they held in relation to the procurement arrangement. Despite an explicit request for anonymity from the whistleblower, the response to the whistleblower (communicated by the assistant) was to direct the whistleblower to meet with other personnel at WVA including an who was connected to the alleged misconduct. While the matter is reportedly now under investigation by Victorian police and the auditors for WVA, the CEO has since resigned and is reported to have said that while the resignation itself was for personal family reasons, the announcement had been brought forward to pre-empt the publication of the whistleblower story in the media. One senior manager connected with the alleged misconduct has also been reported to have been suspended.


How to Effectively Maintain Confidentiality in Practice

The WVA matter illustrates that it is imperative that, as part of implementing a whistleblower policy, the risk of breaching a whistleblower’s confidentiality is assessed and appropriate controls are implemented to mitigate this risk. In assessing the risk, organisations should consider the possible scenarios that may arise as a result of the procedures and processes that have been put in place to facilitate implementation of the policy, such as the medium/s through which a disclosure can be made to each of the eligible recipients. In addition, procedures should be supported by effective training (especially for eligible recipients) and regular review of the performance and effectiveness of controls.


Organisations may also consider other options to support implementation such as RegTech to build further trust in the whistleblower framework for the organisation. For instance, a whistleblower reporting platform can be used to ensure disclosures are only received by eligible recipients who have access to the platform and ensure the eligible recipients are directly notified when a disclosure is made to them. The use of such a platform not only makes it clear that the matter should be treated as a whistleblower disclosure, it also ensures that only those persons authorised to receive disclosures have access to the disclosure and identity of the whistleblower.


Upon receiving the disclosure, organisations will also need to coordinate and manage investigation of the disclosure to ensure confidentiality is maintained and that appropriate communication with the whistleblower occurs.


How Ash St. Can Help

An effective whistleblower framework will foster commitment and trust at critical points in a whistleblower disclosure which will assist in achieving the best outcome for the whistleblower and your organisation. If your organisation is currently facing challenges or needs further information, please contact Samantha Carroll on +61 438 323 584 or email.



*The author would like to acknowledge the contribution of Edwin Kwok, Lawyer, Ash St. for his assistance in producing this article.


Important to note: This communication is intended to provide commentary and general information only. It is not intended to be a comprehensive review of all aspects of the matter referred to. It should not be relied upon as legal advice as to specific issues or transactions. 


[1] The New Whistleblower Regime, Ash Street, May 2019.

[2] World Vision brushed off reports of corruption months ago, Sydney Morning Herald, 9 March 2020.