Dixon, Olivia --- "Honesty Without Fear? Whistleblower Anti-Retaliation Protections in Corporate Codes of Conduct" [2016] MelbULawRw 12; (2016) 40(1) Melbourne University Law Review 168

HONESTY WITHOUT FEAR?

WHISTLEBLOWER ANTI-RETALIATION PROTECTIONS IN CORPORATE

CODES OF CONDUCT

OLIVIA DIXON^[*]

Whistleblowing is considered to be an integral component of corporate governance through exposing and remedying corruption, fraud and other types of wrongdoing in both the public and private sector. While whistleblowers face a very real threat of retaliation, the current regime which purports to prohibit retaliation against private-sector whistleblowers is fragmented, complex and suffers from significant gaps. This article argues that in the absence of progress towards comprehensive private-sector whistleblower protection, private commitments contained in corporate codes of conduct may provide an interim regulatory solution by setting a ‘best practices’ benchmark and diffusing norms that influence organisational behaviour and culture. By examining the whistleblower policies of Australia’s 200 largest listed companies, this article further argues that private commitments potentially provide broader protection for whistleblowers than currently available under statute, and, in their strongest form, may provide an alternative route for enforcement, through contract.

CONTENTS

I INTRODUCTION

Over the past decade whistleblowers have emerged as an integral component of corporate governance through the monitoring and control of agency costs in large public companies.^[1] By virtue of their relationships or position, whistleblowers often have privileged access to information about corporate misconduct.^[2] As such, ‘[w]histleblowing is now considered to be among the most effective, if not the most effective means to expose and remedy corruption, fraud and other types of wrongdoing in the public and private sectors.’^[3] The expression ‘whistleblowing’ is often traced to United States consumer activist Ralph Nader in 1971;^[4] however, it is most commonly defined as ‘disclosure by organization members (former or current) of illegal, immoral or illegitimate practices under the control of their employers, to persons or organizations that may be able to effect action.’^[5] The disclosed misconduct most often relates to a violation of a law, rule, regulation or a direct threat to the public interest such as health or safety violations, fraud, bribery or corruption.^[6]

Australian whistleblowing legislation emerged in the aftermath of the systemic government corruption inquiries of the late 1980s,^[7] meaning that although whistleblower protection was squarely on the political agenda, legislative development was firmly fixed on the public sector. The Commonwealth,^[8] states^[9] and territories^[10] have all enacted public sector whistleblower protection or public interest disclosure Acts (based on an ‘“anti-retaliation” model ... albeit with [a] stronger ... “structural” model of protection’)^[11] which prohibit retaliation against whistleblowers for reporting misconduct. While academic debate continues as to whether private sector legislation should ultimately be based on a ‘structural’, ‘anti-retaliation’, ‘reward’ or blended model,^[12] political will to enact comprehensive private sector legislation has effectively stagnated and current legal avenues that are available to targets of retaliation are inherently complex, fragmented and unpredictable.

At the Commonwealth level, the Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 (‘CLERP’) introduced whistleblower protection provisions into the Corporations Act 2001 (Cth) (‘Corporations Act’) to encourage company officers, employees and contractors to report potential violations of the Corporations Act;^[13] however, the provisions are poorly regarded and rarely used.^[14] More generalised remedies for targets of retaliation may exist through occupational health and safety legislation, anti-discrimination legislation or workers’ compensation legislation, and, in certain circumstances, targets of retaliation may seek recourse through the Fair Work Act 2009 (Cth) (‘Fair Work Act’) if they can demonstrate workplace bullying or an adverse action. At the state and territory level, only the South Australian^[15] and Queensland^[16] whistleblower protection acts incorporate aspects of private sector protection. At common law, retaliation may give rise to a number of actions both in tort and contract; however, onerous burdens, fiduciary duties, defamation laws and private confidentiality agreements have all traditionally undermined the viability of this option.

As regulators are becoming increasingly reliant upon ‘private initiatives [as] the first line of enforcement’,^[17] this article argues that in the absence of progress towards comprehensive private sector whistleblower protection, private commitments can provide an important interim regulatory function. Under Listing Rule 4.10.3, Australian Securities Exchange (‘ASX’) listed entities are required to benchmark their corporate governance practices against the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations and, where they do not conform, to disclose that fact and the reasons why.^[18] Recommendation 3.1 states: ‘A listed entity should: (a) have a code of conduct for its directors, senior executives and employees; and (b) disclose that code or a summary of it.’^[19] Increasingly, companies are incorporating whistleblowing policies within these corporate codes of conduct (‘Codes’). Vandekerckhove and Commers refer to these policies as ‘[i]nstitutionalized whistle blowing’, defined as ‘the set of procedures allowing potential whistle blowers to raise the matter internally before they become whistle blowers in the strict sense.’^[20] The benefits of institutionalised whistleblowing are manifold. Wrongdoing that is corrected by the company in a timely manner will avoid external disclosures and potential reputational and financial damage. Further, an appropriate management response to disclosures of wrongdoing enhances the organisational culture, and employee satisfaction and commitment.^[21]

A distinguishing feature of Codes is that they are a form of voluntary regulation and prima facie are not legally enforceable.^[22] However, the promulgation of Codes by companies has a regulatory effect through signalling appropriate behaviour.^[23] Whistleblower protection policies are therefore, at least in part, expressive in character.^[24] That is, their function is about ‘“making statements” as opposed to controlling behaviour directly.’^[25] The whistleblower policies contained in Codes not only set a benchmark, causing some companies to alter or modify their behaviour, but by diffusing norms, they positively influence organisational behaviour and culture.^[26]

By examining the whistleblower policies of Australia’s 200 largest listed companies, this article further argues that private commitments potentially provide broader protection against retaliation for whistleblowers than currently available under statute. The majority of Codes frame the good faith reporting of misconduct as a requirement, duty or responsibility of employment; either promising that the company will not retaliate against a whistleblower or prohibiting retaliation against whistleblowers. The unqualified breadth of these promises avoids many of the problems inherent in the legal avenues currently available to targets of retaliation and, in their strongest form, may provide an alternative route for enforcement, through the

employment contract.^[27]

This article proceeds as follows. Part II summarises the traditional statutory and common law protections afforded to private sector whistleblowers and examines the weaknesses of each approach. Part III considers the whistleblower policies of Australia’s largest 200 listed companies, analysing the breadth of the voluntary promises made by companies against current statutory benchmarks and guidelines. Part IV considers the circumstances under which whistleblower protection policies contained in Codes may bind the company and employee as part of the employment contract, providing an alternate cause of action for targets of retaliation. Consistent with policy rationales, enforcement of promises in Codes may provide important substantive benefits to whistleblowers by facilitating less retaliation, more certainty and therefore more whistleblowing. Part V argues that enforcement of Code provisions will incur normative benefits through encouraging the movement towards corporate self-regulation. Part VI concludes that while broader statutory protection is necessary to ensure consistent application of promises and protection of private sector whistleblowers, permitting whistleblowers to enforce a company promise through a breach of contract action could serve as a valuable additional cause of action and a deterrent to retaliation.

II CURRENT APPROACHES TO PRIVATE SECTOR

WHISTLEBLOWER PROTECTION

Encouraging employees to disclose their inside knowledge is a vital tool in combating corporate fraud and misconduct;^[28] however, the current approaches to private sector whistleblower protection suffer from significant gaps and grossly misaligned incentives. A complex web of federal and state legislation prohibits companies from retaliating against whistleblowers, the intention being that such protections will encourage whistleblowers and deter corporate misconduct. However, while society, shareholders and employees all benefit positively from such disclosure and face negligible downside risk, a whistleblower is often typecast as a snitch who ‘betrays a sacred trust largely for personal gain’,^[29] and faces a very real threat of retaliation.^[30]

This Part briefly describes the current statutory and common law causes of action available to targets of retaliation. As discussed below, although a wide variety of legislation exists which theoretically may protect whistleblowers, each piece of legislation covers only a narrow type of whistleblowing activity engaged in by a narrow group of individuals. The limited scope and inconsistent relief afforded to whistleblowers accounts for the very few successful claims for anti-retaliation protection.

A Federal Statutory Protection

1 Corporations Act

In 2004, pt 9.4AAA was inserted into the Corporations Act,^[31] providing a certain immunity and protection from retaliation for any company officer,^[32] employee, contractor or employee of a contractor,^[33] who reports a suspected violation of the Corporations Act.^[34] The preclusion against the reporting of other forms of harm and misconduct significantly limits the accessibility of these protections. To qualify for protection, an informant must: (i) make the disclosure to the Australian Securities and Investments Commission (‘ASIC’), an auditor, an internal company officer, or a person authorised by the company to receive such disclosures;^[35] (ii) have reasonable grounds to suspect that the information indicates a breach of corporations law has occurred or may occur;^[36] (iii) be acting in good faith;^[37] and (iv) provide their name prior to making the disclosure.^[38]

Where a person makes a disclosure that qualifies for protection, the Corporations Act provides protection against any retaliation against a whistleblower and grants them a civil right, including the right to seek reinstatement of employment.^[39] It provides qualified privilege against defamation where the disclosure is made in good faith, and precludes contractual or other remedies being enforced, including civil and criminal liability for making the disclosure.^[40] A protected disclosure must be treated as confidential by the person to whom the disclosure is made;^[41] however, protection will not be afforded to those who seek absolute anonymity.^[42]

While the Corporations Act establishes protections available to whistleblowers, it does not mandate or enable ASIC to act on behalf of a whistleblower to ensure that their rights are protected.^[43] It does not provide any mechanisms for independent investigation of retaliation claims nor does it require the establishment of internal reporting structures.^[44] Ultimately, the effectiveness of the provisions is questionable as there is no evidence of any enforcement activity by ASIC involving breaches of the provisions. The Financial Sector Legislation Amendment (Simplifying Regulation and Review) Act 2007 (Cth) introduced similar protections to a whistleblower in possession of information relating to contraventions of banking, insurance and superannuation legislation under the Banking Act 1959 (Cth),^[45] the Insurance Act 1973 (Cth),^[46] the Life Insurance Act 1995 (Cth)^[47] and the Superannuation Industry (Supervision) Act 1993 (Cth).^[48]

2 Fair Work Act

Retaliation for whistleblowing may enliven a number of remedies for targets under the Fair Work Act and the Fair Work (Registered Organisations) Act 2009 (Cth). If an enterprise agreement which applies to a whistleblower contains a clause relating to workplace health and safety or harassment, the whistleblower may argue a breach of the enterprise agreement.^[49] The remedies are broad, including orders for injunctive relief,^[50] compensation^[51] or for reinstatement of a person.^[52]

The general provisions of the Fair Work Act and the Fair Work (Registered Organisations) Act 2009 (Cth) protect employees from ‘adverse action’ by an employer if they have exercised, propose to exercise, or fail to exercise a ‘workplace right’.^[53] Importantly, the ability to make complaints or inquiries forms part of the definition of a ‘workplace right’.^[54] Adverse action includes, but is not limited to, termination of employment, physical and/or psychological injury, alteration of an employee’s position to their disadvantage and workplace discrimination.^[55] Further, case law has held that constructive dismissal may amount to an adverse action.^[56] Whistleblowers may be able to bring a claim for adverse action where they suffer harassment or bullying subsequent to disclosure, either internally or externally.

However, a more direct remedy may now exist under the new express provisions addressing workplace bullying.^[57] A worker is bullied at work if one or more individuals ‘repeatedly behaves unreasonably towards the worker, or a group of workers of which the worker is a member; and ... that behaviour creates a risk to health and safety.’^[58] However, ‘reasonable management action carried out in a reasonable manner’ is not bullying.^[59] In one of the first cases under the new provisions, Re SB, it was held that ‘the making of vexatious allegations, spreading rude and/or inaccurate rumours ... and conducting an investigation in a grossly unfair manner’ could be considered unreasonable conduct,^[60] and constitute bullying under pt 6-4B if the conduct occurred repeatedly.^[61] While standing to bring a bullying action is broad,^[62] the Fair Work Commissioner is unable to make orders for compensation, damages, or the payment of a pecuniary amount.^[63] Further, the remedies available for contravention of any orders are inadequate, as the maximum penalties imposed are low for both individuals and companies.^[64]

3 Occupational Health and Safety Acts

Occupational health and safety legislation in each Australian jurisdiction imposes a duty upon the employer to ensure, ‘so far as is reasonably practicable’, a working environment that is safe and without risks to health.^[65] This duty extends beyond tangible factors to include, for example, harassment by fellow employees.^[66] Whistleblowers may argue that exposure to retaliation at work constitutes a failure to provide a safe working environment. However, while whistleblowers may achieve some level of compensation through arguing

this cause of action, the specificity requirements coupled with the burdens

of proof suggest that alternate causes of action may provide a more

complete remedy.

4 ‘Regulated Organisations’

In many cases, conduct in the private sector that a whistleblower might seek to disclose may also be conduct that the law requires his or her employer to disclose to a regulator. For example, financial services licensees are obliged under the Corporations Act to lodge a report with ASIC if they have committed a significant breach, or are likely to commit such a breach, of any of their obligations under the Corporations Act.^[67] Additionally, under the Banking Act 1959 (Cth), a member of a ‘relevant group of bodies corporate’ (that is, an authorised deposit-taking institution or one of various bodies connected to it) is obliged to immediately notify the Australian Prudential Regulation Authority (‘APRA’) once it becomes aware that it, another member, or the group as a whole ‘may not be in a sound financial position’.^[68]

Whistleblowing is therefore one of the channels through which a regulator will become aware of relevant information about a regulated organisation. If a regulator obtains information through a third party, this suggests that that company’s self-monitoring and self-reporting systems have failed and the entity may be subject to enforcement for not only the breach itself, but also for a failure to report the breach.

B State Statutory Protection

All Australian jurisdictions have enacted whistleblower protection or public interest disclosure acts covering predominantly public sector wrongdoing disclosed by public sector employees.^[69] The original purpose was to remove traditional barriers to disclosure and to provide criminal and civil remedies if retaliation occurred. A tort of victimisation was created which provides a right to sue for damages for detrimental action in general courts.^[70] However, only South Australia^[71] and Queensland^[72] incorporate aspects of private sector protection. The South Australian legislation covers disclosures by any person about any ‘illegal activity’, whether within public agencies or private companies.^[73] The Queensland legislation permits any person to disclose dangers to the environment or the health and safety of people with disabilities.^[74] As noted by Terry Morehead Dworkin and A J Brown, ‘[g]eneral problems of cost and risk of adverse outcomes mean there have never been more

than a handful of claims’^[75] for compensation based on retaliatory or

detrimental action.

C Common Law

An employer owes a non-delegable^[76] duty of care to its employees to take reasonable care not to expose employees to health and safety risks at work, which can include psychiatric injury.^[77] Retaliation against a whistleblower in the workplace could constitute a breach of such a duty. The duty exists concurrently in tort and contract,^[78] although the means of establishing liability are different. However, similar to the statutory legal avenues, the availability of this remedy to victims of workplace retaliation is limited by the heavy evidentiary onus placed on the plaintiff and the inherent uncertainty

in outcome.

For example, in tort, to recover damages for pure psychiatric injury, the plaintiff must demonstrate that the defendant owed a duty of care because the psychiatric injury was reasonably foreseeable; and the degree of risk, on balance, was that the plaintiff would suffer a psychiatric injury.^[79] In general, there is no liability in negligence for causing ‘distress, alarm, fear, anxiety, annoyance, or despondency, without any resulting recognised psychiatric [injury]’,^[80] which significantly limits its applicability to whistleblowers. Further, breach of duty and causation must now be considered in the context of the provisions of the various state and territory civil liability Acts.^[81] While there is no suggestion that these provisions dramatically change the content of the general law,^[82] they eloquently highlight the difficult issues faced in psychiatric injury cases. Employers have limited insight into the personal circumstances of each employee and thus the stressors that may give rise to the risk that the employee will suffer a psychiatric injury.^[83] A genuinely held belief on the part of the plaintiff is insufficient to establish causation for injury arising from that belief. In the absence of evidence that the genuinely held belief was true or correct, the plaintiff cannot establish that the injury arose from the defendant’s negligence.^[84]

Despite the evidentiary burdens, Wheadon v New South Wales demonstrates that if an employee is subject to sustained harassment or discrimination, the employer can face serious sanctions at common law.^[85] In that case the plaintiff, a policeman, made a statement to an officer of the Internal Affairs section of the New South Wales Police alleging corruption on the part of a senior officer.^[86] He ‘claimed that because of this, over the following decade he was subject to harassment, victimisation, and denied any welfare assistance’, which was the cause of serious stress, leading to psychiatric illness.^[87] Included within the twenty-five main breaches in the judgment, were:

(1) Failure to provide the plaintiff with adequate protection from harassment. (2) Failure to properly investigate the allegation made by the whistleblower, and also the failure to investigate properly those allegations made against the whistleblower. (3) Failure to give support and guidance to the plaintiff. (4) Failure to prevent the conduct of colleagues in persecuting the plaintiff for having blown the whistle (which was the plaintiff’s sworn duty). (5) Failure to assure the plaintiff that by reporting corruption, he had done the right thing.^[88]

The damages award of $664 270 coupled with the cost of all parties, exceeded $1 million.^[89]

An alternative cause of action for whistleblowers may exist in vicarious liability. While an employer will not be vicariously liable for a wrongful act if it is committed by an employee upon a ‘frolic of his own’,^[90] an employer can be ‘liable even for unauthorised acts if they are so connected with authorised acts that they be regarded as modes — although improper modes — of doing them’.^[91] Further, an employee may be liable even if there has been an express prohibition against the wrongful conduct.^[92] Although an extreme case, in Nationwide News Pty Ltd v Naidu, the New South Wales Court of Appeal held a company to be vicariously liable for the harassment and extreme bullying perpetrated on a contractor hired by its Fire and Safety Officer.^[93] The trial judge had found that the perpetrator’s conduct was ‘so brutal, demeaning and unrelenting that it was reasonably foreseeable that, if continued for a significant period of time ... it would be likely to cause significant, recognizable psychiatric injury.’^[94] Similar to actions based on a breach of duty of care, the accessibility of this remedy is limited by the heavy burdens placed on

the plaintiff.

III ANTI-RETALIATION PROTECTIONS IN

CORPORATE CODES OF CONDUCT

Whistleblowers have little ability to predict whether the law will protect them if they disclose misconduct under current legal avenues.^[95] The inability to predict the requirements of a cause of action has inevitably resulted in fewer whistleblower disclosures. A 2012 survey found that while 80 per cent of Australian employees felt personally obliged to report wrongdoing in their organisations, only 49 per cent felt that their managers would be serious about protecting them against retaliation.^[96] If statutory and traditional common law anti-retaliation provisions do not adequately protect employees, employees will be unwilling to report corporate misconduct and companies will not be deterred from engaging in conduct harmful to society.

Assuming that an imminent legislative solution remains unlikely, this part explores whether whistleblowers who suffer retaliation by their co-workers or employers should be able to bring breach of contract claims to enforce the anti-retaliation promises made by companies in their corporate Codes. The majority of the ASX 200 listed entities publish a Code that promises protection from retaliation for any employee who reports any act of misconduct in good faith. The breadth of this promise suggests that whistleblowers who suffer retaliation by companies that publish Codes may attempt to enforce their employer’s anti-retaliation promises through their employment contract.

A Corporate Codes of Conduct

Corporate Codes can be broadly defined as ‘commitments voluntarily made by companies, associations or other entities, which put forth standards and principles for the conduct of business activities in the marketplace.’^[97] Codes vary significantly in terms of breadth and detail of content coverage. Reflective of the underlying diversity of the issuing companies and the differing motivational underpinnings, Code content may be wide and aspirational, or detailed and operational.^[98]

Under Listing Rule 4.10.3, ASX listed entities are required to benchmark their corporate governance practices against the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations and, where they do not conform, to disclose that fact and the reasons why.^[99] The rule effectively encourages listed entities to adopt the Council’s recommended practices but does not force them to do so. It gives a listed entity the flexibility to adopt alternative corporate governance practices, if its board considers those to be more suitable to its particular circumstances, subject to the requirement for the board to explain its reasons for adopting those alternative practices. Recommendation 3.1 states that ‘a listed entity should: (a) have a code of conduct for its directors, senior executives and employees; and (b) disclose that code or a summary of it.’^[100] The Council further suggests that the Code should ‘[i]dentify the measures the organisation follows to encourage the reporting of unlawful or unethical behaviour. This might include a reference to how the organisation protects “whistleblowers” who report violations in good faith.’^[101]

B The Whistleblowing Policies of Australia’s Largest Listed Companies

This section details a qualitative study of the whistleblower policies of Australia’s 200 largest listed companies. Only a limited number of studies have analysed the design of private sector whistleblowing policies: Hassink, de Vries and Bollen examine whistleblower provisions issued by European companies;^[102] Lewis and Kender examine provisions issued by companies listed on the London Stock Exchange;^[103] and Moberly and Wylie examine United States corporate codes of ethics.^[104] In Australia, Pascoe and Welsh, examine the adoption of whistleblower policies of Australia’s 200 largest listed companies, but not the design.^[105] If courts lend credence to the anti-retaliation promises contained in Codes, the Codes could provide broader whistleblower protection than traditional common law and statutory anti-retaliation remedies because they most often (i) apply to all of the company’s workers, which extends beyond employees; (ii) apply to a broad range of misconduct capable of being disclosed; and (iii) require a whistleblower only to have a ‘good faith’ belief in the accuracy of the disclosure.

1 Sample and Methodology

The data sample comprised the ASX 200 companies, ranked by market capitalisation at 4 October 2013.^[106] As Recommendation 3.1 of the ASX Corporate Governance Council’s Corporate Governance Principles and Recommendations requires disclosure of a company’s Code,^[107] data collection commenced with publicly available sources.

The website of each ASX 200 company was searched. If the company had either a full separate whistleblower policy, or a corporate code of conduct or code of ethics that contained what objectively appeared to be a full and complete whistleblower policy, those policies were downloaded and noted as public documents. To the extent that there was any doubt as to whether a separate whistleblower policy existed it was not included in this initial sample. During this stage, 50 policies were collected. All other companies were sent an initial email on 12 December 2013 through their general counsel or company secretary asking: ‘Does your company have a whistleblower policy, and if so can you please provide it to me on the basis that (1) your company will not be identified; and (2) results will be reported on a consolidated basis.’ A follow up email was sent on 22 January 2014 conveying the same information.

The final sample of 166 whistleblower policies included 121 publicly available^[108] and 45 provided by email. Of the 34 unavailable policies, nine were in draft form or no policy was available, three declined to participate and 22 did not respond to emails.

Although now withdrawn,^[109] a template for private sector internal disclosure structures during the sample period was provided for by the Australian Standard 8004—2003: Whistleblower Protection Programs for Entities (‘AS 8004—2003’)^[110] which sets out ‘elements for establishing, implementing and managing ... effective whistleblower protection program[s] ... for corporations, government agencies and not-for-profit entities’.^[111] The objective of the standard is to ‘provide essential elements for establishing, implementing and managing an effective whistleblower scheme within an entity and provides guidance when using these elements.’^[112] As such, despite its withdrawal, AS 8004—2003 is expected to strongly influence the content of the whistleblower policies adopted by Australian companies.

The Codes were examined with regard to their: (i) general content, scope and tone; (ii) the nature of the corporate violations that whistleblowers were instructed to report; (iii) the officials to whom the Codes indicated that misconduct should be reported; (iv) any reporting guidelines or formalities; (v) any provisions related to confidentiality or anonymity; (vi) the extent of the protection from retaliation provided by the Codes; and (vii) details regarding the investigation of any whistleblower report.

2 Whom Do the Codes Cover?

AS 8004—2003 includes a ‘director, manager, employee or contractor of an entity’ within the definition of ‘whistleblower’.^[113] The Corporations Act captures a slightly broader group by also including employees of contractors within the definition of a ‘discloser’.^[114] As Table 1 shows, the majority of Codes comply with both requirements: 98.2 per cent cover all employees; and 65.7 per cent extend to contractors. Interestingly, only 45.2 per cent refer to officers. This may be explained through a drafting issue in the Codes themselves, the drafter perhaps assuming that officers were already adequately captured by use of the term ‘employees’.

Fifty-nine per cent of the Codes explicitly refer to directors with 34.9 per cent extending obligations to subsidiaries and their employees. Further, 28.9 per cent of Codes extended to third parties: a diverse group including suppliers, tenderers, business partners, employees of contractors, representatives and, in a minority of cases, stakeholders in the broader community including shareholders and regulators. For the most part, the Codes captured company workers regardless of job duty or geographical location. When the protections extended more broadly to these stakeholder groups, the tone of the Code generally changed from reporting being a requirement, to a neutral tone. That is, these third parties ‘could’ use the process if they chose to, but there was no requirement for them to do so.

Table 1: Applicability of the Policy (% of Policies)

3 Is Reporting Required or Encouraged?

Although there are always exceptions, until recently the law has rarely required employees to report illegal behaviour. Under ss 311 and 601HG of the Corporations Act, auditors are obliged to notify ASIC about matters that they have reasonable grounds to suspect constitute a significant contravention of the Corporations Act. Under pt 5.11 of the ASIC Market Integrity Rules, market participants are required to notify ASIC of certain suspicious trading activity.^[115] The Corporations Act is silent as to the tone that a Code should take. However, AS 8004—2003 states that the policy should include a

statement that the purpose of the policy is to ‘encourage the reporting of reportable conduct.’^[116]

Table 2 shows that a large number of ASX 200 companies have gone beyond merely encouraging or promoting the internal reporting of misconduct — they require it. Overall, 53.6 per cent of these Codes make whistleblowing a duty of employment; 34.3 per cent follow the AS 8004—2003 and encourage employees to report misconduct; and 12.1 per cent have either a neutral tone or an absence of tone. Tone is a fundamental element in charactering these provisions as either aspirational standards, or potentially contractual. To the extent that language is prescriptive, where the Code states that reporting is a requirement, a duty, or a responsibility, there is an argument that these provisions may elevate to become promissory obligations, capable of giving rise to contractual rights through the employment contract.

Table 2: Tone of the Policy (% of Policies)

4 What Violations Matter to the Companies?

Whistleblowers must always determine whether the misconduct they witness is the type of wrongdoing the company wants reported and whether the company will protect them from wrongdoing. To resolve this question of which violations should be reported, AS 8004—2003 includes a default list of suggestions.^[117] As a whole, Codes create a broader scope of protected activity than statutory or common law protection. Federal statutes typically protect only disclosures related to specific areas. For example, the Corporations Act only covers disclosure as to suspected violations of the Corporations Act itself,^[118] and does not extend to other violations such as occupational health and safety or the environment. State statutory protection provides broader protected activity coverage than federal law; however, it generally does not extend to the private sector. These restrictions on protected activity effectively leave whistleblowers without coverage if they disclose misconduct not covered by a particular statute.

Table 3: Nature of the Violations to be Reported (% of Policies)

Table 3 shows that a large percentage of companies (90.4 per cent) include a ‘catch all’ provision, indicating that misconduct to be reported includes violations of the Code — whether the whistleblower protections were in the Code or a separate document. Furthermore, 1.2 per cent of the Codes extend this requirement to breach of the Code by a business partner. Taken together, the Codes’ requirement that employees report: violations of the Code; illegal conduct; and unethical behaviour indicates that companies require employees to report an extremely broad range of potential misconduct.

While the nature of violations for the most part reflects the recommendations of AS 8004—2003, many companies went further to point out specific types of misconduct that should be reported. From one perspective, the Codes identify specific areas to be reported that align with corporate self-interest. For example, one of the most frequently identified cases of misconduct was conflicts of interest (either one’s own conflict; the conflict of others; or conflicts in general) which are covered by 74.7 per cent of the Codes. There were also requests to identify financial reporting problems, including accounting, internal controls or auditing problems in 48.8 per cent of the Codes.

This broader coverage should enable courts to avoid the difficulty in determining whether a whistleblower engaged in protected activity by reporting wrongdoing captured by a specific statute.

5 Who Receives the Reports of Misconduct?

The Corporations Act requires that the disclosure be made to:

(i) ASIC; or (ii) the company’s auditor or a member of an audit team conducting an audit of the company; or (iii) a director, secretary or senior manager of the company; or (iv) a person authorised by the company to receive disclosures of that kind ...^[119]

In contrast, AS 8004—2003 merely suggests that an effective whistleblower program should include ‘[a] statement of to whom and how whistleblowing concerns can be directed.’^[120]

Table 4: Officials to Whom Misconduct May Be Reported (% of Policies)

Table 4 shows mixed results, as the vast majority of Codes provide for concurrent processes. The Codes encourage the reporting of any acts of misconduct to a direct supervisor at first instance and use of the whistleblower provisions as a method of final resort. Despite this, most Codes contain carve outs, for example: if the whistleblower feels uncomfortable or wants to be anonymous; if the primary contact is not appropriate; or the report involves a serious violation of the law. As the results indicate, companies tend to implement a hierarchical reporting structure.

In our data sample, secondary contacts are by far dominated by third party external hotlines. These hotlines are managed by a variety of independent external groups such as Deloitte and KPMG. They offer the benefit of permitting the whistleblower to remain anonymous to the company, but still are likely to qualify for protection under the Corporations Act if they disclose their identity to the hotline.^[121] As noted in a recent Ernst and Young report:

a company’s whistleblower hotline is often seen by the employees as management’s visible commitment to ethical behaviour. Having a whistleblower hotline that employees trust and are prepared to use without fear of retaliation sends a clear message that the company will not tolerate unethical behaviour.^[122]

However, a survey found that 45 per cent of companies in the Asia-Pacific do not have a whistleblower hotline.^[123]

There is some concern that employees may be receiving a confusing message in relation to whom to report. For example, in 33.1 per cent of the Codes, reporting channels vary depending on the type of misconduct that is being reported, and in 14.5 per cent of Codes, a separate process is identified for the reporting of financial problems.

Table 5: Reporting Guidelines and Formalities (% of Policies)

6 Do Companies Promise Not to Retaliate against Whistleblowers?

Table 6 shows that the vast majority of Codes (87.3 per cent) either promise that the company will not retaliate against a whistleblower or affirmatively protect whistleblowers against retaliation. While the Corporations Act is currently the predominant source of private sector whistleblower protection, only 26.5 per cent of the Codes expressly reference obligations under the Corporations Act. The Corporations Act prohibits victimisation, either actual or threatened.^[124] It is therefore surprising that only 35 per cent of Codes state that the company will punish anyone who retaliates against a whistleblower.

The Corporations Act requires a high standard of proof before protection is afforded, including that the report be made in ‘good faith’, and based on ‘reasonable grounds’.^[125] That is, even if the employee reported the misconduct in good faith, unless an objectively reasonable person would conclude that the wrongdoing violated the law, the employee would not be protected. It is likely that the absence of guidelines as to how to interpret ‘good faith’ or what constitutes ‘reasonable grounds’ has led to inconsistency in application.

The good faith standard set forth by 82.5 per cent of Codes attempts to present a burden more appropriately set to encourage employees to report misconduct with confidence knowing that they will be protected even if they are wrong about the illegality of the conduct that they report. However, requiring that disclosure be made in ‘good faith’ to qualify for protection creates unnecessary interpretative^[126] and procedural hurdles by focussing on the motive for whistleblowing, rather than the veracity of the disclosure. Similar rationales were recently applied in the United Kingdom, where the Enterprise and Regulatory Reform Act 2013 (UK) c 24 removed the requirement set out in the Public Interest Disclosure Act 1998 (UK) c 23 (‘PIDA’) that protected disclosures be made in ‘good faith’.^[127] Instead, tribunals are now vested with a discretionary power to reduce any compensatory award by up to 25 percent if ‘it appears to the tribunal that the protected disclosure was not made in good faith’.^[128] Interpretation of such a nebulous concept as ‘good faith’ had previously proved problematic for courts. In Street v Derbyshire Unemployed Workers’ Centre,^[129] the Court of Appeal held that ‘good faith’ meant more than simply that the disclosure was believed to be made honestly or with honest intention.^[130] It was held that disclosure is ‘not made in good faith ... [where] the dominant or predominant purpose of making it was for some ulterior motive’, and not for the public interest purpose as required by statute.^[131] In that case, the disclosure was not made in good faith because the claimant’s predominant motivation was antagonism towards her line manager.^[132] Similarly, in Bachnak v Emerging Markets Partnership (Europe) Ltd,^[133] it was held that ‘[t]he statutory protection is afforded to those who make disclosures in the public interest; thus where the predominant purpose is the employee’s personal interest ... the disclosure will not be made in good faith.’^[134] Equating good faith with the public interest arguably blocked a large section of whistleblowers from being afforded protection. For example, an employee who made a disclosure to remedy an alleged breach of a contract of employment, would not satisfy the good faith requirement and would not be afforded protection as he or she would be disclosing to benefit personally.^[135] The purpose of the PIDA, like the purpose of the whistleblower protections under the Corporations Act is to encourage employees and officers to report breaches.^[136] From a public policy perspective, this aim is not undermined by removing a ‘good faith’ requirement, and ‘encouraging the disclosure of concerns may be no less compelling merely because there are ulterior motives.’^[137] Similarly, if the predominant purpose of the whistleblower policies in Codes is disclosure of misconduct, current best practice dictates removal of any requirement that the disclosure be made in ‘good faith’.

It is surprising that only 51.2 per cent of Codes punish making a false or malicious report and currently only 3.6 per cent of Codes contain a contractual disclaimer. For example, the code of conduct for Adelaide Brighton Ltd reads: ‘Note: This Code of Conduct is not an employment contract. Adelaide Brighton does not create any contractual rights by issuing this Code of Conduct.’^[138] However, it is reasonable to speculate that other employment materials likely contain disclaimers, such as an employee handbook or other documents distributed to employees creating patent ambiguity. To the extent that courts may be inclined to enforce anti-retaliation protections through the employment contract, it is likely that significantly more companies will respond by incorporating contractual disclaimers in their Codes.

Table 6: Protection from Retaliation and Qualifications (% of Policies)

7 Is Confidentiality or Anonymity Guaranteed?

Courts have warned that the prejudice that whistleblowers may face upon disclosure of their identity should not be underestimated;^[139] however, evidence with respect to anonymity is mixed. Some studies have found that there is ‘scant evidence that anonymity promotes whistle-blowing’,^[140] while others find that individuals are more likely to voice dissenting views if offered anonymity.^[141] The Corporations Act requires that a whistleblower disclose their identity to be afforded the protections offered, but includes strict confidentiality requirements on the company, with the purpose of protecting the whistleblower’s identity.^[142]

In addition, privacy considerations play an integral role in the development of a whistleblower policy. The potential applicability of the Privacy Act 1988 (Cth) (‘Privacy Act’) turns on whether the whistleblower is an employee and whether the improper conduct relates to an employee. Information disclosed by an employee about another employee forms part of the employment records of both persons and is excluded under the Privacy Act.^[143] However, if regulated under the Privacy Act, the information will need to be treated confidentially and not used for unrelated purposes. The legislation allows use or disclosure for the investigation of seriously improper conduct or unlawful activity or disclosure authorised by another law.^[144] Otherwise, it can only be used for the purpose for which it was collected and there is a requirement that certain disclosures are made. Further, the information must be disclosed to the person that it relates to.^[145]

Table 7: Confidentiality and Anonymity (% of Policies)

A vast majority of the Codes state that some or all reports will be treated confidentially; with a substantial number including carve outs for investigation or as required by law. Only 27.7 per cent state that a report will be kept confidential in the absence of consent of the whistleblower, a requirement under the Corporations Act.^[146] This may be due to the loophole which currently exists, whereby a third party who receives information with the whistleblower’s consent is not subject to the same confidentiality requirements as the person who initially received the information. In acknowledging that providing anonymous reporting may facilitate whistleblowing, over 65 per cent of companies allow for it. However, over 25 per cent of companies expressly discourage anonymous reporting on the basis that it will make investigation much more difficult.

Table 8: Investigation Details (% of Policies)

There is no statutory requirement to investigate reportable conduct. However, best practice currently dictates that the organisation commit to investigating reports as recommended by the ASX Guidelines^[147] and AS 8004—2003.^[148] Over 75 per cent of companies commit to investigating or giving serious treatment to disclosure.

IV SUBSTANTIVE BENEFITS:

BROADER CONTRACTUAL PROTECTIONS?

Codes are a form of voluntary self-regulation that work in partnership with formal, prescriptive regulations intended to ‘impel corporations towards substantive, rather than legalistic, compliance with socially responsible goals and best corporate practice.’^[149] Historically, debate has been bifurcated with respect to the practical benefits of Codes. Proponents argue that self-regulation is beneficial as it permits companies to develop rules tailored to the particular organisation, with the potential to change corporate behaviour through monitoring and standardisation.^[150] Others highlight the symbolic nature of self-regulatory structures, characterising Codes as ‘window dressing’, and, coupled with the structure of corporate legal liability, incentivises companies to invest in ‘costly — potentially ineffective — internal compliance structures’ that fail to reduce organizational misconduct.^[151] Further, as unilateral commitments by private actors on matters of potential public interest, Codes face serious legitimacy questions.^[152] More recently, interest

has shifted towards the potential of Codes to serve as the basis for

legal obligations.

While prima facie unenforceable, under certain circumstances the promises contained in Codes may bind the employer and employee as part of the employment contract,^[153] although wholesale transposition of commitments contained in Codes into legally acceptable standards suffers from a number of defects. Terms are implied into employment contracts by the same legal means as any other type of contract,^[154] including by reference. For example, a statement in an employment contract which states that an employee agrees to be bound by the employer’s policies ‘will incorporate those policies and procedures into the employment contract, to the extent that the matters contained in [those policies] create obligations of a promissory nature for the employer or employee.’^[155] If the policies and procedures incorporate a further document, then obligations in that further document may also be incorporated into the employee’s contract of employment.^[156]

Therefore, for whistleblowers to rely on promises contained in Codes, they must prove that the promises within the Codes constitute promissory obligations. The leading case of Riverwood International Australia Pty Ltd v McCormick (‘Riverwood’) showed that language, context and timing is imperative in determining this issue.^[157] Consideration of language is based on an objective standard: would a reasonable person in the position of a promisee conclude that, having regard to the surrounding circumstances, a promisor intended to be contractually bound by the statement?^[158] Expressions ‘such as “the employer will” or “shall” undertake some “duty” or “obligation” suggest a serious intention to be bound, but words that indicate nothing more than imprecise “aims” to achieve certain standards will not’.^[159] In Riverwood, the policies in the employer policy manual were:

expressed in terms which are entirely apt to be treated as expressing mutually enforceable obligations; they are clear, precise, direct and mainly deal with matters which one might expect to be encompassed within a particular employment contract.^[160]

In contrast, in Goldman Sachs JBWere Services Pty Ltd v Nikolich,^[161] the employer handbook entitled ‘Working with Us’ contained a ‘Code of Conduct’ chapter concerning harassment and setting out behavioural prescriptions, including that the employee ‘will’, ‘shall’ or ‘must’ do certain things with regard to treating people with respect and courtesy and without aggression and discrimination.^[162] It claimed that Goldman Sachs was committed to providing a safe and healthy work environment.^[163] Of particular note for the claim made by Mr Nikolich was the Grievance Procedures which instructed employees to contact the ‘Department Heads, Directors [or] Human Resources’ with any grievance or complaint, and advised that Goldman Sachs was committed to ensuring that anyone with a ‘genuine’ complaint would be able to discuss it confidentially, and be supported and not penalised in any way by the firm.^[164] However in this instance, the Full Federal Court found that those words were not promissory in nature and therefore did not form part of the employment contract.^[165]

The decision is particularly relevant as the trial judge had awarded general damages for ‘pain and suffering’^[166] for the first time in Australia in the employment context since the 1909 House of Lords decision in Addis v Gramophone Co Ltd (‘Addis’),^[167] which prevented general damages for breach of contract.^[168] Wilcox J held that the employee’s contract fell within the only exception to Addis, a contract for ‘pleasure’, finding that one of the contract’s objects was to provide comfort as to how employees would be treated and to instil ‘peace of mind’ in the employee.^[169] Currently, only 53.6 per cent of Codes make whistleblowing a duty of employment by requiring employees to report misconduct.^[170] To the extent that there is an incorporating provision, there is an argument that such provisions constitute part of the employment contract. In contrast, aspirational or descriptive statements on a particular topic, in the form of direction or advice, are generally not contractual.^[171]

The time that the employee received the policy is important. If an employee receives a policy subsequent to executing a contract of employment, there is an implicit assumption that the parties did not intend to be contractually bound.^[172] For example, in Akmeemana v Murray,^[173] a company could not rely on the contents of a human resources policy which resulted in lower pay for employees implemented after a contract for employment was executed, except to the extent that the matters in the policy were consistent with the employment contract.^[174] That is, for a new policy or policy amendment to be contractually binding it must have been within the parties’ intentions at the time of entering the contract.^[175]

A key contingency on the effectiveness of a contractual claim by whistleblowers is the potential to expressly include or exclude a policy from the employment contract through a disclaimer provision in either the policy or the employment contract. For example, in Yousif v Commonwealth Bank of Australia [No 2],^[176] the Court found that the policies in question had no contractual force because the introduction to the policy contained a disclaimer stating that ‘[t]he manual is not in any way incorporated as part of any industrial award or agreement entered into by the Bank, nor does it form any part of any employee’s contract of employment.’^[177] As noted above in Table 6, only 3.6 per cent of Codes currently contain a contractual disclaimer, however if courts are inclined to accept a breach of contract claim by employees, it is inevitable that employers will increasingly rely on express disclaimers to act as a procedural defence and this alternate cause of action will be moot.

If courts permit whistleblowers to bring a breach of contract claim based on Code provisions, it is unlikely to act as a bar to issuance as Codes can engender substantial tangible benefits to the issuing company including improved loyalty, better compliance with workplace rules and enhanced employee morale.^[178] Code promises also lead to benefits for stakeholders due to the public nature of the commitments. By publishing a Code on its website which includes a promise not to retaliate against employees, a company assures shareholders and regulators that the company encourages employees to report misconduct.^[179] Further, by promising not to retaliate against an employee whistleblower when he or she discloses through the publicised internal channel, an employer may prevent an employee from reporting misconduct externally, which may lead to greater costs than if the employee reports internally.^[180] Finally, to the extent that a company can demonstrate a ‘lived’ commitment to the Code, it may constitute a mitigating factor to a regulatory enforcement action by evidencing a culture of compliance.

V NORMATIVE BENEFITS:

ENFORCING CORPORATE SELF-REGULATION

In his seminal text on corporate responsibility and compliance, Stone argues that the law can most effectively shape organisational behaviour by generating normative commitments through systemic internal controls.^[181] Since then, regulatory scholars have developed a body of work arguing that internal compliance structures can align the behaviour of companies with the law and social expectations, transforming them into more responsive and democratic institutions.^[182] Permitting contractual enforcement of whistleblower promises in Codes may provide important substantive benefits to whistleblowers, facilitating less retaliation and more whistleblowing. However, to the extent that contractual enforcement is unachievable, normative benefits flow through by encouraging the movement towards corporate self-regulation.^[183]

Braithwaite identifies two criteria that are necessary for enforced self-regulation to be effective: (i) public enforcement of internal rules; and (ii) public monitoring of private enforcement of the rules.^[184] A threshold requirement for self-regulation to be effective is either regulatory requirement or strong encouragement of all companies to adopt internal structures that will deter wrongdoing.^[185] However the efficacy of using structural requirements to encourage self-regulation is somewhat questionable as there is universally little evidence of subsequent oversight by regulators to ensure the effectiveness of implementation of internal rules. For example, while the ASX requires companies to disclose whether they have a Code, the ASX plays no ongoing role in monitoring or enforcing the Code.^[186] Motivation to design a resilient Code that is lived throughout the organisation therefore predominantly rests on the threat of reputational sanctions from other stakeholders such as shareholders, trade unions and the public. Limited ongoing

oversight encourages companies to implement structures that appear

effective on paper but do little to facilitate a culture of compliance, or deter corporate misconduct.^[187]

Internal enforcement of Codes is also problematic where ‘[v]iolations [of Codes] are frequent, and compliance is a major practical problem.’^[188] Studies have shown that despite their prevalence, Codes rarely modify employee behaviour^[189] due to a lack of substantive internal enforcement provisions. Permitting whistleblowers to enforce anti-retaliation provisions contained in a Code may ameliorate these problems and encourage compliance through self-regulation. Companies can supplement weak formal enforcement by providing internal enforcement however, this is contingent on predictable, enforceable promises of non-retaliation. Whistleblowers will likely be encouraged to report misconduct if they are able to enforce contractual promises of non-retaliation, which in turn should improve internal compliance with the Code’s other provisions.

VI CONCLUSION

Legitimising whistleblowing by developing and committing to protection policies contained in a Code is an integral component of corporate governance. Regulatory capacity is limited and permitting enforcement of voluntary private promises made between an employer and employee is consistent with the movement towards corporate self-regulation. It forces companies to focus on implementing a culture of compliance, with demonstrable benefits for both employer and employee.

However, currently, private sector whistleblowers who are victims of retaliation may find themselves faced with statutory and common law remedial options that are gap-filled, unpredictable and narrow, which ultimately provide no legal remedy. This article has argued that private commitments

can provide an important interim regulatory function, both substantively

and normatively.

The increase in the number of whistleblower polices in recent years and the public focus on such instruments has seen the evolution of more standardised Codes, at least to the extent that minimum criteria have evolved. Australian listed companies have similar ways of encouraging employees to report misconduct. The majority of companies make whistleblowing a duty of employment and provide detailed instructions on how to blow the whistle internally. Numerous people can accept employee reports, and most importantly, companies promise to protect whistleblowers from retaliation. However, questions remain as to the enforceability of these private promises, particularly if companies choose to incorporate contractual disclaimers. Further research is needed to determine how companies actually implement whistleblower policies. Employees may have difficulty enforcing promises

not to retaliate legally, but the practical effects of such promises are

still understudied.

This article has argued that, in their strongest form, policies contained in Codes may bind the employer and employee as part of the employment contract to the extent that the provisions create obligations of a promissory nature for the employer or employee. In Nikolich v Goldman Sachs J B Were Services Pty Ltd, the trial judge found instructional language similar to the language incorporated in the majority of Codes promissory in nature and therefore forming part of the employment contract.^[190] While ultimately overturned on appeal,^[191] the contractual nature of Codes (and thus their enforceability under the employment contract) depends on the circumstances of each case. There are, however, some downsides for whistleblowers in electing to bring a cause of action based on breach of the employment contract. Some anti-retaliation statutes permit whistleblowers to bring claims against individuals who retaliate against them as well as their employer. However, as it is the company that issues the Code, the company is likely the proper defendant in any action for a breach of contract claim. Whistleblowers are therefore unlikely to have standing to bring a breach of contract claim against individuals, potentially reducing the overall deterrence effect. A further downside is employer reaction in the form of procedural hurdles. Codes are subject to amendment. To the extent that courts accept a contract claim and permit employees to enforce anti-retaliation protections in Codes, employers may react simply and quickly, through either incorporating a disclaimer or imposing substantive procedural requirements which may act as a prerequisite to any entitlement to protection.

This article does not argue that permitting contractual enforcement of anti-retaliation promises optimally encourages whistleblowers. Self-regulatory models such as Codes require support of a regulator-backed deterrence model in the event of internal regulatory failure. Ultimately, broader statutory protection is a necessary complement to ensure consistent application and protection. However, permitting whistleblowers to enforce a company promise contained in a Code through a breach of contract action could serve as a valuable additional cause of action and deterrent to retaliation.

^[*] BCom (Bond), MLLP (UTS), LLM, JSD (NYU), GCertHigherEd (Syd); Lecturer, Sydney Law School, The University of Sydney. I am grateful, with the usual caveats, to Lucinda Bradshaw and Catherine Dawson for their research assistance and to the two anonymous referees.

^[1] Jonathan Macey, ‘Getting the Word Out about Fraud: A Theoretical Analysis of Whistleblowing and Insider Trading’ [2007] MichLawRw 41; (2007) 105 Michigan Law Review 1899, 1901–2.

^[2] Alexander Dyck, Adair Morse and Luigi Zingales, ‘Who Blows the Whistle on Corporate Fraud?’ (2010) 65 Journal of Finance 2213, 2240.

^[3] Simon Wolfe et al, ‘Whistleblower Protection Laws in G20 Countries: Priorities for Action’ (Final Report, Blueprint for Free Speech, September 2014) 10 (emphasis altered).

^[4] Nicholas M Rongine, ‘Toward a Coherent Legal Response to the Public Policy Dilemma Posed by Whistleblowing’ (1985) 23(2) American Business Law Journal 281, 282–3.

^[5] Janet P Near and Marcia P Miceli, ‘Organisational Dissidence: The Case of Whistle-Blowing’ (1985) 4 Journal of Business Ethics 1, 4.

^[6] Ibid 5.

^[7] Terry Morehead Dworkin and A J Brown, ‘The Money or the Media? Lessons from Contrasting Developments in US and Australian Whistleblowing Laws’ (2013) 11 Seattle Journal for Social Justice 653, 654. See also A J Brown, ‘Restoring the Sunshine to the Sunshine State: Priorities for Whistleblowing Law Reform in Queensland’ (2009) 18 Griffith Law Review 666.

^[8] Public Interest Disclosure Act 2013 (Cth).

^[9] Public Interest Disclosures Act 1994 (NSW); Public Interest Disclosure Act 2010 (Qld); Whistleblowers Protection Act 1993 (SA); Public Interest Disclosures Act 2002 (Tas); Protected Disclosure Act 2012 (Vic); Public Interest Disclosure Act 2003 (WA).

^[10] Public Interest Disclosure Act 2012 (ACT); Public Interest Disclosure Act 2008 (NT).

^[11] See, eg, Dworkin and Brown, ‘The Money or the Media?’, above n 7, 654.

^[12] Ibid 654–6.

^[13] Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 (Cth) sch 4 pt 2, inserting Corporations Act 2001 (Cth) ss 1317AA–1317AE.

^[14] See, eg, Senate Economics References Committee, Parliament of Australia, Performance of the Australian Securities and Investments Commission (2014) 201–3 [14.22]–[14.29].

^[15] Whistleblowers Protection Act 1993 (SA) s 4 (definition of ‘public interest information’ para (a)).

^[16] Public Interest Disclosure Act 2010 (Qld) s 12.

^[17] Organisation for Economic Co-Operation and Development, ‘Public Policy and Voluntary Initiatives: What Roles Have Governments Played?’ (Working Papers on International Investment No 2001/4, Organisation for Economic Co-Operation and Development, February 2001) 5.

^[18] ASX, Listing Rules (at 1 July 2014) r 4.10.3. See also ASX Corporate Governance Council, Corporate Governance Principles and Recommendations (at 27 March 2014).

^[19] ASX Corporate Governance Council, Corporate Governance Principles and Recommendations (at 27 March 2014) 19.

^[20] Wim Vandekerckhove and M S Ronald Commers, ‘Whistle Blowing and Rational Loyalty’ (2004) 53 Journal of Business Ethics 225, 226.

^[21] Marcia P Miceli, Janet P Near and Terry Morehead Dworkin, ‘A Word to the Wise: How Managers and Policy-Makers Can Encourage Employees to Report Wrongdoing’ (2009) 86 Journal of Business Ethics 379, 379–80.

^[22] See generally Krista Bondy, Dirk Matten and Jeremy Moon, ‘The Adoption of Voluntary Codes of Conduct in MNCs: A Three-Country Comparative Study’ (2004) 109 Business and Society Review 449; Kernaghan Webb, ‘Understanding the Voluntary Codes Phenomenon’ in Kernaghan Webb (ed), Voluntary Codes: Private Governance, the Public Interest and Innovation (Carleton Research Unit for Innovation, Science and Environment, 2004) 3.

^[23] Ralitza Nikolaeva and Marta Bicho, ‘The Role of Institutional and Reputational Factors in the Voluntary Adoption of Corporate Social Responsibility Reporting Standards’ (2011) 39 Journal of the Academy of Marketing Science 136.

^[24] See generally Cass R Sunstein, ‘On the Expressive Function of Law’ (1996) 144 University of Pennsylvania Law Review 2021; Lawrence Lessig, ‘The Regulation of Social Meaning’ (1995) 62 University of Chicago Law Review 943.

^[25] Sunstein, above n 24, 2024.

^[26] See Kelly Kollman, ‘The Regulatory Power of Business Norms: A Call for a New Research Agenda’ (2008) 10 International Studies Review 397; John W Meyer and Brian Rowan, ‘Institutionalized Organizations: Formal Structure as Myth and Ceremony’ (1977) 83 American Journal of Sociology 340.

^[27] Richard Moberly, ‘Protecting Whistleblowers by Contract’ (2008) 79 University of Colorado Law Review 975.

^[28] Ibid 980.

^[29] Terance D Miethe, Whistleblowing at Work: Tough Choices in Exposing Fraud, Waste, and Abuse on the Job (Westview Press, 1999) 12.

^[30] See generally Marcia P Miceli and Janet P Near, Blowing the Whistle: The Organizational and Legal Implications for Companies and Employees (Lexington Books, 1992); David Culp, ‘Whistleblowers: Corporate Anarchists or Heroes? Towards a Judicial Perspective’ (1995) 13 Hofstra Labor Law Journal 109, 112–14; Dyck, Morse and Zingales, above n 2, 2245.

^[31] Corporations Act pt 9.4AAA, as inserted by CLERP sch 4 pt 2.

^[32] See the broad definition in Corporations Act s 9 (definition of ‘officer’).

^[33] Ibid s 1317AA(1)(a).

^[34] Ibid s 1317AA(1)(d).

^[35] Ibid s 1317AA(1)(b).

^[36] Ibid s 1317AA(1)(d).

^[37] Ibid s 1317AA(1)(e).

^[38] Ibid s 1317AA(1)(c).

^[39] Ibid ss 1317AB–1317AC.

^[40] Ibid s 1317AB.

^[41] Ibid s 1317AE.

^[42] See ibid s 1317AA(1)(c).

^[43] Parliamentary Joint Committee on Corporations and Financial Services, Parliament of Australia, CLERP (Audit Reform and Corporate Disclosure) Bill 2003: Part 1 (2004) 27 [2.88].

^[44] Ibid 27–30 [2.88]–[2.98].

^[45] Financial Sector Legislation Amendment (Simplifying Regulation and Review) Act 2007 (Cth) s 44, inserting Banking Act 1959 (Cth) ss 52A–52F.

^[46] Financial Sector Legislation Amendment (Simplifying Regulation and Review) Act 2007 (Cth) s 62, inserting Insurance Act 1973 (Cth) ss 38A–38F.

^[47] Financial Sector Legislation Amendment (Simplifying Regulation and Review) Act 2007 (Cth) s 115, inserting Life Insurance Act 1995 (Cth) ss 156A–156F.

^[48] Financial Sector Legislation Amendment (Simplifying Regulation and Review) Act 2007 (Cth) s 154, inserting Superannuation Industry (Supervision) Act 1993 (Cth) ss 336A–336F.

^[49] Fair Work Act s 50.

^[50] Ibid s 545(2)(a).

^[51] Ibid s 545(2)(b).

^[52] Ibid s 545(2)(c).

^[53] Ibid s 340.

^[54] Ibid s 341(1)(c).

^[55] Ibid s 342(1) item 1.

^[56] See, eg, Hodkinson v Commonwealth [2011] FMCA 171; (2011) 248 FLR 409, 452–3 [179]–[191] (Cameron FM); Evangeline v Department of Human Services [2013] FCCA 807 (28 June 2013) [23] (Judge Coker); Wilkie v National Storage Operations Pty Ltd [2013] FCCA 1056 (9 August 2013) [102]–[103] (Judge Whelan).

^[57] Fair Work Act pt 6-4B.

^[58] Ibid s 789FD(1).

^[59] Ibid s 789FD(2).

^[60] [2014] FWC 2104; (2014) 244 IR 127, 144 [105] (Commissioner Hampton).

^[61] Ibid 144 [106].

^[62] Fair Work Act s 789FC.

^[63] Ibid s 789FF.

^[64] Ibid s 789FG. The maximum penalty is sixty penalty units which equates to $10 800 for an individual and $54 000 for a company: at ss 539, 546(2); see also at s 12 (definition of ‘penalty unit’); Crimes Act 1914 (Cth) s 4AA.

^[65] Work Health and Safety Act 2011 (Cth) s 19(1). Each state and territory has equivalent legislation: Work Health and Safety Act 2011 (ACT) ss 18–19; Work Health and Safety Act 2011 (NSW) ss 17–19(1); Work Health and Safety (National Uniform Legislation) Act 2011 (NT) ss 18–19; Work Health and Safety Act 2012 (SA) ss 18–19; Work Health and Safety Act 2012 (Tas) ss 18–19; Work Health and Safety Act 2011 (Qld) ss 18–19; Occupational Health and Safety Act 2004 (Vic) s 21; Occupational Safety and Health Act 1984 (WA) s 19(1).

^[66] See, eg, Work Health and Safety Act 2011 (Cth) s 19(3).

^[67] Corporations Act s 912D.

^[68] Banking Act 1959 (Cth) s 62A(1).

^[69] Public Interest Disclosure Act 2013 (Cth); Public Interest Disclosure Act 2012 (ACT); Public Interest Disclosures Act 1994 (NSW); Public Interest Disclosure Act 2008 (NT); Public Interest Disclosure Act 2010 (Qld); Whistleblowers Protection Act 1993 (SA); Public Interest Disclosures Act 2002 (Tas); Protected Disclosure Act 2012 (Vic); Public Interest Disclosure Act 2003 (WA).

^[70] Public Interest Disclosure Act 2012 (ACT) s 41; Public Interest Disclosures Act 1994 (NSW) s 20A; Public Interest Disclosure Act 2008 (NT) s 16; Public Interest Disclosure Act 2010 (Qld) s 42; Whistleblowers Protection Act 1993 (SA) s 9; Public Interest Disclosures Act 2002 (Tas) s 20; Protected Disclosure Act 2012 (Vic) s 47; Public Interest Disclosure Act 2003 (WA) ss 15(1)–(2). See generally Brown, ‘Restoring the Sunshine’, above n 7.

^[71] Whistleblowers Protection Act 1993 (SA).

^[72] Public Interest Disclosure Act 2010 (Qld).

^[73] Whistleblowers Protection Act 1993 (SA) s 4 (definition of ‘public interest information’).

^[74] Public Interest Disclosure Act 2010 (Qld) s 12.

^[75] Dworkin and Brown, ‘The Money or the Media?’, above n 7, 685.

^[76] TNT Australia Pty Ltd v Christie [2003] NSWCA 47; (2003) 65 NSWLR 1.

^[77] See, eg, Mount Isa Mines Ltd v Pusey [1970] HCA 60; (1970) 125 CLR 383; Koehler v Cerebos (Australia) Ltd [2005] HCA 15; (2005) 222 CLR 44.

^[78] Matthews v Kuwait Bechtel Corporation [1959] 2 QB 57, 65–7 (Sellers LJ).

^[79] Nationwide News Pty Ltd v Naidu [2007] NSWCA 377; (2007) 71 NSWLR 471, 478 [26] (Spigelman CJ).

^[80] Tame v New South Wales [2002] HCA 35; (2002) 211 CLR 317, 329 [7] (Gleeson CJ); see also at 338–9 [44] (Gaudron J), 382 [193] (Gummow and Kirby JJ).

^[81] See, eg, Civil Liability Act 2002 (NSW) ss 5B–5E.

^[82] Cf Tame v New South Wales [2002] HCA 35; (2002) 211 CLR 317; Koehler v Cerebos (Australia) Ltd [2005] HCA 15; (2005) 222 CLR 44.

^[83] See New South Wales v Fahy [2007] HCA 20; (2007) 232 CLR 486, 490 [4] (Gleeson CJ).

^[84] Panagiotopoulos v Rajendram [2007] NSWCA 265 (28 September 2007) [57]–[58], [72] (Basten JA).

^[85] (Unreported, District Court of New South Wales, Judge Cooper, 2 February 2001) (‘Wheadon’). See also New South Wales v Coffey [2002] NSWCA 361 (7 November 2002)

[4]–[5], [17] (Meagher JA).

^[86] Wheadon (Unreported, District Court of New South Wales, Judge Cooper, 2 February 2001).

^[87] David Landa, ‘Whistleblowing: Betrayal or Public Duty?’ (Speech delivered at the Transparency International Australia Whistleblowing Conference, Sydney, 6 August 2002), citing ibid. See also NSW Ombudsman, Protected Disclosure Guidelines (NSW Government Publication, 5^th ed, 2004) E-5–E-6.

^[88] Landa, above n 87, citing Wheadon (Unreported, District Court of New South Wales, Judge Cooper, 2 February 2001).

^[89] Landa, above n 87, citing Wheadon (Unreported, District Court of New South Wales, Judge Cooper, 2 February 2001).

^[90] Morris v C W Martin & Sons Ltd [1966] 1 QB 716, 733–4 (Diplock LJ).

^[91] New South Wales v Lepore [2003] HCA 4; (2003) 212 CLR 511, 536 [42] (Gleeson CJ).

^[92] Hollis v Vabu Pty Ltd [2001] HCA 44; (2001) 207 CLR 21, 60 [99].

^[93] [2007] NSWCA 377; (2007) 71 NSWLR 471, 488 [87] (Spigelman CJ), 510 [261] (Beazley JA), 532 [409]–[410] (Basten JA).

^[94] Ibid 483 [51] (Spigelman CJ), quoting Naidu v Group 4 Securitas Pty Ltd [2005] NSWSC 618 (24 June 2005) [187] (Adams J).

^[95] See Martin H Malin, ‘Protecting the Whistleblower from Retaliatory Discharge’ (1983) 16 University of Michigan Journal of Law Reform 277, 286.

^[96] Newspoll, Griffith University and The University of Melbourne, World Online Whistleblowing Survey: Stage 1 Results Release — Adult Population Sample (6 June 2012) <https://www.griffith.edu.au/__data/assets/pdf_file/0003/418638/Summary_Stage_1_Results_Australian_Population_Sample_FULL.pdf>.

^[97] Organisation for Economic Co-operation and Development, ‘Codes of Corporate Conduct: An Inventory’ (Report No TD/TC/WP(98)74/FINAL, Working Party of the Trade Committee, 3 May 1999) 5 [4] (emphasis altered).

^[98] See generally John Braithwaite and Peter Drahos, Global Business Regulation (Cambridge University Press, 2000).

^[99] ASX, Listing Rules (at 1 July 2014) r 4.10.3. See also ASX Corporate Governance Council, Corporate Governance Principles and Recommendations (at 27 March 2014).

^[100] ASX Corporate Governance Council, Corporate Governance Principles and Recommendations (at 27 March 2014) 19.

^[101] Ibid 20.

^[102] Harold Hassink, Meinderd de Vries and Laury Bollen, ‘A Content Analysis of Whistleblowing Policies of Leading European Companies’ (2007) 75 Journal of Business Ethics 25.

^[103] David Lewis and Martin Kender, ‘A Survey of Whistleblowing/Confidential Reporting Procedures in the UK Top 250 FTSE Firms’ (Research Report, SAI Global, October 2010).

^[104] Richard Moberly and Lindsey E Wylie, ‘An Empirical Study of Whistleblower Policies in United States Corporate Codes of Ethics’ in David Lewis and Wim Vandekerckhove (eds), Whistleblowing and Democratic Values (International Whistleblowing Research Network, 2011) 27.

^[105] Janine Pascoe and Michelle Welsh, ‘Whistleblowing, Ethics and Corporate Culture: Theory and Practice in Australia’ (2011) 40 Common Law World Review 144.

^[106] As reported on ASX 200 List of Companies, ASX 200 List (14 April 2016) <http://www.asx200list.com> . As at April 2016, ASX 200 covers approximately 70 per cent of Australian equity market capitalisation: Market Index, Market Index (2016) <http://www.marketindex.com.au/asx200> .

^[107] ASX Corporate Governance Council, Corporate Governance Principles and Recommendations (at 27 March 2014) 19.

^[108] A further 71 companies confirmed via email that the whistleblower protections contained within their publicly available codes of conduct or codes of ethics were complete policies.

^[109] AS 8004—2003 was withdrawn on 3 November 2015: SAI Global, AS 8004—2003: Corporate Governance — Whistleblower Protection Programs for Entities (2016) <http://infostore.saiglobal.com/store/details.aspx?ProductID=323803> .

^[110] Standards Australia, Australian Standard: Whistleblower Protection Programs for Entities (Standards Australia, 2003) (‘AS 8004—2003’).

^[111] Ibid 5 [1.1].

^[112] Ibid 2.

^[113] Ibid 7 [1.4.7].

^[114] Corporations Act s 1317AA(1)(a)(iv).

^[115] ASIC, ASIC Market Integrity Rules (ASX Market) 2010 (at 27 October 2015) r 5.11.1.

^[116] AS 8004—2003, above n 110, 8 [2.2.2].

^[117] Ibid 6 [1.4.6].

^[118] Corporations Act s 1317AA(1)(d).

^[119] Ibid s 1317AA(1)(b).

^[120] AS 8004—2003, above n 110, 13.

^[121] See Corporations Act ss 1317AA(1)(b)(iv), (c).

^[122] Ernst & Young Global Ltd, ‘Fraud and Corruption — Driving Away Talent? Asia-Pacific Fraud Survey 2015’ (Report, Ernst & Young 2015) 8.

^[123] Ibid 3.

^[124] Corporations Act s 1317AC.

^[125] Ibid ss 1317AA(1)(d)–(e).

^[126] See generally Suzanne Corcoran, ‘Good Faith as a Principle of Interpretation: What Is the Positive Content of Good Faith?’ (2012) 36 Australian Bar Review 1.

^[127] Enterprise and Regulatory Reform Act 2013 (UK) c 24, s 18; Public Interest Disclosure Act 1998 (UK) c 23, s 1.

^[128] Enterprise and Regulatory Reform Act 2013 (UK) c 24, s 18(4), amending Employment Rights Act 1996 (UK) c 18, s 49.

^[129] [2004] EWCA Civ 964; [2005] ICR 97.

^[130] Ibid 112 [48] (Auld LJ).

^[131] Ibid 114 [56].

^[132] Ibid 115 [58].

^[133] (Unreported, United Kingdom Employment Appeal Tribunal, Judge Clark, 27 January 2006).

^[134] Ibid [24] (Judge Clark).

^[135] See Employment Rights Act 1996 (UK) c 18, s 43B.

^[136] This is reflected in the long title of the Public Interest Disclosure Act 1998 (UK) c 23. See also Explanatory Memorandum, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Bill 2003 (Cth) 64 [4.321].

^[137] John Bowers et al, Whistleblowing: Law and Practice (Oxford University Press, 2007) 75.

^[138] Adelaide Brighton, Code of Conduct (at 27 November 2003) 1.

^[139] See, eg, Australian Securities and Investments Commission v P Dawson Nominees Pty Ltd [2008] FCAFC 123; (2008) 169 FCR 227, 237 [51]–[52].

^[140] See, eg, Marcia P Miceli, Janet P Near and Terry Morehead Dworkin, Whistle-Blowing in Organizations (Routledge, 2008) 158.

^[141] Cass R Sunstein, Why Societies Need Dissent (Harvard University Press, 2003) 20.

^[142] Corporations Act ss 1317AA(1)(c), 1317AE.

^[143] Privacy Act ss 6 (definition of ‘employee record’ para (e)), 7B.

^[144] Ibid s 16A.

^[145] Ibid.

^[146] Corporations Act s 1317AE.

^[147] ASX, Whistleblower Protection Policy (2016) 3 <http://www.asx.com.au/documents/about/ whistleblowers-policy.PDF> .

^[148] AS 8004—2003, above n 110, 10–11 [2.3.7].

^[149] Janine Pascoe, ‘Corporate Sector Whistleblower Protection in Australia — Some Regulatory Problems and Issues’ (2008) 22 Australian Journal of Corporate Law 82, 88.

^[150] Ibid 88–90.

^[151] Kimberly D Krawiec, ‘Cosmetic Compliance and the Failure of Negotiated Governance’ (2003) 81 Washington University Law Quarterly 487, 487, 492.

^[152] See, eg, ibid.

^[153] See Bau v Victoria [2009] VSCA 107 (22 May 2009) [113]–[140] (Neave JA).

^[154] Byrne v Australian Airlines Ltd (1995) 185 CLR 410, 422–3 (Brennan CJ, Dawson and Toohey JJ).

^[155] Rosemary Owens, Joellen Riley and Jill Murray, The Law of Work (Oxford University Press, 2^nd ed, 2011) 251.

^[156] McCormick v Riverwood International (Australia) Pty Ltd [1999] FCA 1640; (1999) 167 ALR 689, 706 [97] (Weinberg J).

^[157] [2000] FCA 889; (2000) 177 ALR 193, 209–10 [89] (North J), 217 [129], 221–3 [145]–[151] (Mansfield J).

^[158] Goldman Sachs JBWere Services Pty Ltd v Nikolich [2007] FCAFC 120 (7 August 2007) [23] (Black CJ), quoting Toll (FGCT) Pty Ltd v Alphapharm Pty Ltd (2004) 219 CLR 165, 179 [40].

^[159] Owens, Riley and Murray, above n 155, 252 (emphasis altered).

^[160] [2000] FCA 889; (2000) 177 ALR 193, 223 [151] (Mansfield J). See also ibid 251.

^[161] [2007] FCAFC 120 (7 August 2007).

^[162] See ibid [12]–[14] (Black CJ).

^[163] Ibid [10].

^[164] Ibid [39]–[40].

^[165] Ibid [41]–[42] (Black CJ), [162] (Marshall J), [371] (Jessup J).

^[166] Nikolich v Goldman Sachs J B Were Services Pty Ltd [2006] FCA 784 (23 June 2006) [343] (Wilcox J).

^[167] [1909] AC 488.

^[168] Nikolich v Goldman Sachs J B Were Services Pty Ltd [2006] FCA 784 (23 June 2006) [315] (Wilcox J).

^[169] Ibid [317]–[318], [330]–[331].

^[170] See above Table 2 in Part III(B)(3).

^[171] Goldman Sachs JBWere Services Pty Ltd v Nikolich [2007] FCAFC 120 (7 August 2007)

[37]–[38] (Black CJ).

^[172] See Nikolich v Goldman Sachs J B Were Services Pty Ltd [2006] FCA 784 (23 June 2006) [247] (Wilcox J).

^[173] [2009] NSWSC 979; (2009) 190 IR 66.

^[174] Ibid 79 [54] (Davies J).

^[175] Ibid 78–9 [53]–[55].

^[176] [2009] FCA 656; (2009) 185 IR 414.

^[177] Ibid 433 [96]–[97] (North J).

^[178] Elletta Sangrey Callahan et al, ‘Integrating Trends in Whistleblowing and Corporate Governance: Promoting Organizational Effectiveness, Societal Responsibility, and Employee Empowerment’ (2002) 40 American Business Law Journal 177, 196.

^[179] Emily F Carasco and Jang B Singh, ‘The Content and Focus of the Codes of Ethics of the World’s Largest Transnational Corporations’ (2003) 108 Business and Society Review 71, 72; Tim V Eaton and Michael D Akers, ‘Whistleblowing and Good Governance: Policies for Universities, Government Entities, and Nonprofit Organizations’ (2007) 77(6) CPA Journal 66, 70.

^[180] See, eg, Richard E Moberly, ‘Sarbanes-Oxley’s Structural Model to Encourage Corporate Whistleblowers’ [2006] Brigham Young University Law Review 1107, 1151.

^[181] Christopher D Stone, Where the Law Ends: The Social Control of Corporate Behavior (Harper and Row, 1975). See also Kenneth A Cohen, ‘Reviewed Work: Where the Law Ends — The Social Control of Corporate Behavior by Christopher D Stone’ (1976) 62 Virginia Law Review 259, 259.

^[182] See, eg, Neil Gunningham and Joseph Rees, ‘Industry Self-Regulation: An Institutional Perspective’ (1997) 19 Law and Policy 363; Ian Ayres and John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate (Oxford University Press, 1992); Christine Parker, The Open Corporation: Effective Self-Regulation and Democracy (Cambridge University Press, 2002).

^[183] See, eg, Cynthia Estlund, ‘Rebuilding the Law of the Workplace in an Era of Self-Regulation’ (2005) 105 Columbia Law Review 319, 324–5.

^[184] John Braithwaite, ‘Enforced Self-Regulation: A New Strategy for Corporate Crime Control’ (1982) 80 Michigan Law Review 1466, 1483.

^[185] See ibid 1467–70.

^[186] ASX Corporate Governance Council, Corporate Governance Principles and Recommendations (at 27 March 2014) 19.

^[187] See, eg, Lawrence A Cunningham, ‘The Appeal and Limits of Internal Controls to Fight Fraud, Terrorism, Other Ills’ (2004) 29 Journal of Corporation Law 267, 314.

^[188] Andrew Brien, ‘Regulating Virtue: Formulating, Engendering and Enforcing Corporate Ethical Codes’ (1996) 15(1) Business and Professional Ethics Journal 21, 22.

^[189] See, eg, Kimberly D Krawiec, ‘Organizational Misconduct: Beyond the Principal–Agent Model’ (2005) 32 Florida State University Law Review 571, 591; Mark S Schwartz, ‘A Code of Ethics for Corporate Code of Ethics’ (2002) 41 Journal of Business Ethics 27, 27–8.

^[190] [2006] FCA 784 (23 June 2006) [248] (Wilcox J).

^[191] Goldman Sachs JBWere Services Pty Ltd v Nikolich [2007] FCAFC 120 (7 August 2007)

[41]–[42] (Black CJ), [162] (Marshall J), [371] (Jessup J).