AustCyber’s Whistleblower Policy – April 2020

Purpose

AustCyber is committed to the highest standards of integrity and conduct. We encourage the reporting of any instances of suspected unethical, illegal, fraudulent or undesirable conduct involving AustCyber’s business and provide protections and measures so that people who make a report can do so confidentially and without fear of intimidation, disadvantage or reprisal.

The purpose of this whistleblowing policy is to:

  • encourage disclosures of wrongdoing;
  • ensure people who disclose and report information can do so safely, securely and with confidence that they will be protected and supported;
  • ensure disclosures are dealt with appropriately and on a timely basis;
  • provide transparency around AustCyber’s framework for receiving, handling and investigating disclosures;
  • support AustCyber’s long-term sustainability and reputation.

Our whistleblower policy is an important tool for helping AustCyber to identify breaches that negatively impact the organisation and/or wrongdoing that may not be uncovered unless there is a safe and secure way to disclose and report this information.

Who and what does this policy apply to?

This policy applies to and provides protection to Protected Whistleblowers.

You are a Protected Whistleblower and entitled to protection under the Corporations Act 2001 (Cth) (Corporations Act) and, if applicable, under the Taxation Administration Act 1953 (Cth) (Taxation Administration Act) if:

  • you are an Eligible Whistleblower; and
  • you have disclosed (or intend to disclose) a Reportable Matter to an Eligible Recipient or to the Australian Securities and Investments Commission (ASIC), the Australian Prudential Regulation Authority (APRA) or another entity prescribed under the Corporations Act.

You will also be entitled to protection as a Protected Whistleblower if you get advice from a legal practitioner on the operation of whistleblowing protection laws.

Also, in more specific and limited circumstances where a matter is of public interest or there is an emergency, a report may be protected if it is made to a journalist or a member of Parliament. It is important that you understand the criteria for making a public interest or an emergency disclosure to be covered by the whistleblower protections. AustCyber recommends that you seek independent legal advice before making a public interest or an emergency disclosure.

An Eligible Whistleblower is a person who is, or has been, any of the following:

  • an officer or employee of AustCyber – this includes current and former employees who are permanent, part-time, fixed-term or temporary, interns, secondees, managers and directors;
  • a person who supplies goods or services to AustCyber or an employee of a person who supplies goods or services to AustCyber (whether paid or unpaid) – this could include current and former volunteers, contractors, consultants, service providers and business partners;
  • a person who is an associate of AustCyber – for example, a director or company secretary of AustCyber or a related body corporate of AustCyber; or
  • a relative, dependent or dependent of the spouse of any person referred to in this definition of Eligible Whistleblower.

Applicable matters

The section below sets out what is a Reportable Matter that will qualify for legal protection under the Corporations Act (or the Taxation Administration Act, where relevant). Disclosures that are not about a Reportable Matter will not be protected under the Corporations Act or the Taxation Administration Act and this policy.

Reportable matter

A disclosure will concern a Reportable Matter if an Eligible Whistleblower has reasonable grounds to suspect that the information being disclosed is about:

  • misconduct (including fraud, negligence, default, breach of trust and breach of duty);
  • an improper state of affairs or circumstances;
  • behaviour that represents a danger to the public or the financial system;
  • a breach of the Corporations Act; or
  • a breach of the Taxation Administration Act or improper conduct in relation to the tax affairs,

in relation to AustCyber or a related body corporate of AustCyber.

Personal work-related grievances

Personal work-related grievances that do not involve a detriment caused to you as a Protected Whistleblower (or a threat of detriment) are not a Reportable Matter and are not protected under the Corporations Act or Taxation Administration Act.

A personal work-related grievance is one that relates to your current or former employment that has implications for you personally but does not have significant implications for AustCyber.

An example of a work-related grievance that is not protected by law could include if you believe you have missed out on a promotion that you deserve or if you do not like the managerial style of your supervisor.

However, a work-related grievance may still qualify for protection under the law if (for example):

  • it is a mixed report that includes information about a Reportable Matter (as well as a work-related grievance);
  • AustCyber has broken employment or other laws which are punishable by imprisonment for 12 months or more or acted in a way that is a threat to public safety;
  • the disclosure relates to information that suggests misconduct that goes further than the whistleblower's personal circumstances; or
  • the whistleblower suffers from or is threatened with detriment for making a disclosure.

How do I make a report and who do I report to?

Making a disclosure

Reports can be made in person or by telephone, post or email. Reports can be made within business hours or outside business hours.

If, at any time, you are not sure about whether to make a protected disclosure, you can get independent legal advice. Any discussions you have with a lawyer will be protected under this policy and under law.

Eligible recipients

A protected disclosure of a Reportable Matter can be made using any of the channels below (each is an Eligible Recipient of Reportable Matter):

  • an officer, director or senior manager of AustCyber, or
  • an internal or external auditor of AustCyber.

Other designated bodies that can receive disclosures

Disclosures of a Reportable Matter may also be protected when made to a Commonwealth authority prescribed by law.

False reports

A Protected Whistleblower will still qualify for protection for a disclosure even if their disclosure turns out to be incorrect. However, anyone who knowingly makes a false report of a Reportable Matter, or who otherwise fails to act honestly with reasonable belief in respect of the report, may be subject to disciplinary action, including dismissal.

Anonymity when reporting

You may choose to remain anonymous when disclosing a Reportable Matter, over the course of the investigation and after the investigation is finalised. While you are encouraged to share your identity when making a disclosure, as it may make it easier for AustCyber to address your disclosure of a Reportable Matter and for AustCyber to communicate with you, you are not required to share your identity.

If you do not share your identity, AustCyber will assess your disclosure in the same way as if you had revealed your identity. However, there may be some practical limitations in conducting the investigation if you do not share your identity.

Protections for Protected Whistleblowers

Confidentiality

Disclosures from Protected Whistleblowers will be treated confidentially and sensitively. Once a report is received, the Eligible Recipient will make sure immediate steps are taken to protect the identity of the Protected Whistleblower. This will include redacting the name and position of the Protected Whistleblower from any written record of the report and making sure appropriate document security is implemented.

It is illegal for a person to identify Protected Whistleblowers or disclose information that is likely to lead to their identification. If you are a Protected Whistleblower, your identity and position (or any other information which would be likely to identify you) will only be shared if:

  • you consent to the information being shared;
  • the disclosure is to a recipient permitted by law such as the Commissioner of Taxation or Australian Federal Police; or
  • the disclosure is otherwise allowed or required by law (for example, disclosure to a lawyer of AustCyber to receive legal advice relating to the law on whistleblowing).

In addition, information likely to identify an Eligible Whistleblower may be shared if it is reasonably necessary for the purposes of an investigation. In this circumstance, all reasonable steps will be taken to reduce the risk that you will be identified.

Protection against detrimental treatment

It is illegal for a person to engage in conduct that causes or threatens to cause detrimental treatment to a Protected Whistleblower in the belief or suspicion that a person has made, may make, proposes to make or could make a report of a Reportable Matter and where that belief or suspicion is a reason for the conduct.

Detrimental treatment could include dismissal, demotion, harassment, damage to your reputation, discrimination, disciplinary action, bias, threats or other unfavourable treatment connected with making a disclosure as a Protected Whistleblower.

AustCyber will seek to ensure that Protected Whistleblowers are not subjected to detrimental treatment as a result of making (or intending to make) a disclosure under this policy. To protect Protected Whistleblowers from detrimental treatment, AustCyber will:

  • make an assessment of the risk of detriment against a Protected Whistleblower as soon as possible after receiving a disclosure of a Reportable Matter;
  • make sure AustCyber management are aware of their responsibilities to maintain the confidentiality of a Protected Whistleblower, address the risks of detriment and ensure fairness when managing the performance of, or taking other management action relating to, a Protected Whistleblower; and
  • take practical action, as necessary, to protect a Protected Whistleblower from the risk of detriment and intervene if detriment has already occurred.

If a Protected Whistleblower believes that they have been subject to detrimental treatment, they should inform an Eligible Recipient immediately.

Other protections for Protected Whistleblowers

Protected Whistleblowers are protected from civil, criminal or administrative liability (including disciplinary action) for making reports of Reportable Matters. No contractual right (including under an employment contract) can be exercised against a Protected Whistleblower to stop them disclosing a Reportable Matter.

If you are a Protected Whistleblower and the disclosure is to an Eligible Recipient or other designated body as set out above or is a public interest disclosure or emergency disclosure, the information you disclose also can’t be used against you in criminal proceedings or in proceedings for the imposition of a penalty (except if the proceedings are in respect of the falsity of the information).

Eligible Whistleblowers may also be entitled to seek compensation and other remedies through the courts if AustCyber fails to protect the Eligible Whistleblower from detriment and the Eligible Whistleblower suffers loss or damage.

How will we investigate disclosures?

Once a report of a Reportable Matter has been received from an Eligible Whistleblower, who has provided reasonable grounds for their belief that the Reportable Matter has occurred, an investigation of those allegations will begin as soon as practicable after the report has been received.

If AustCyber determines that the information disclosed doesn’t amount to a Reportable Matter, the Eligible Whistleblower will be, if practicable, informed of that decision. In some instances, reports may not be able to be responded to, for example, because they are anonymous reports.

If an investigation is conducted, it will:

  • follow a fair process;
  • be conducted in as timely a manner as the circumstances allow; and
  • be independent of the person(s) about whom an allegation has been made.

Provided there are no restrictions or other reasonable bases for doing so, people against whom an allegation has been made will be informed of the allegation and will have an opportunity to respond to any allegation. That is, AustCyber will take steps to ensure fair treatment of any person who is the subject of the Reportable Matter report as well as the Protected Whistleblower.

Investigations will be conducted promptly and fairly with due regard for the nature of the allegation and the rights of the people involved in the investigation. AustCyber recognises the importance of balancing the rights of the Eligible Whistleblower and the rights of people against whom a report is made in ensuring fairness.

Communication with the Protected Whistleblower

AustCyber will ensure that, provided the claim was not submitted anonymously, the Protected Whistleblower is kept informed of the outcomes of the investigation of their allegations. This will be subject to the considerations of privacy of those against whom allegations are made and considerations of confidentiality affecting AustCyber.

If the Protected Whistleblower is not an employee of AustCyber, the Protected Whistleblower will be kept informed of the investigative outcomes (subject to privacy considerations as above), once the Protected Whistleblower has agreed in writing to maintain confidentiality in relation to any information provided to them regarding a report made by them.