March 2026

Executive Summary
Australia has some of the most comprehensive whistleblower protection laws in the world. Private sector workers are protected under Part 9.4AAA of the Corporations Act 2001. Public sector workers have the Public Interest Disclosure Act 2013. Eligible disclosers have statutory immunities from civil, criminal, and administrative liability. Retaliation is a criminal offence punishable by up to two years in prison. Confidentiality breaches attract criminal penalties. The laws are well-designed, the protections are extensive on paper, and the gap between that paper and reality is large enough to swallow careers.
Research finds that approximately eight out of ten people who raise concerns at work face some form of reprisal. The Human Rights Law Centre, which operates Australia's first dedicated legal service for whistleblowers, reported that seven in ten whistleblowers who came to the centre for advice suffered retaliation from their employers. In the healthcare sector, that figure was 100 per cent. Against that background, the 2023 report Cost of Courage: Fixing Australia's Whistleblower Protections compiled every whistleblower protection case to proceed to judgment across all Australian jurisdictions, from the early 1990s until April 2023. Its finding: not a single successful decision for a whistleblower under the primary federal public or private sector laws. In August 2025, Human Rights Watch confirmed that across three decades, there has been just one case in which an Australian whistleblower received court-ordered compensation for the harm they experienced.
This article examines what Australian whistleblower law actually requires of organisations, why the gap between legal compliance and lived experience remains so wide, what the Richard Boyle and TerraCom proceedings reveal about where the law works and where it does not, what is changing in 2026 and beyond, and what organisations can do right now to close the gap between having a whistleblower policy and having a whistleblower system that genuinely functions when someone uses it.
What the Law Actually Requires of Private Sector Organisations
The private sector framework sits in Part 9.4AAA of the Corporations Act 2001. It applies to companies regulated under the Corporations Act, which covers the vast majority of Australian private sector employers. The framework has three principal elements: who is protected, what disclosures are protected, and what organisations must do in response.
Who Is an Eligible Discloser
The definition of eligible discloser is broad. It includes current employees, officers, and directors; contractors, consultants, and their employees; associates of the company; relatives and dependants of any of the above; and former employees, officers, contractors, and associates. This breadth is deliberate: it means that an organisation's whistleblower obligations extend well beyond the immediate workforce to the full network of people who may have genuine visibility of wrongdoing.
What Disclosures Are Protected
A disclosure is protected under the Corporations Act where the discloser has reasonable grounds to suspect that the information concerns misconduct or an improper state of affairs in relation to the company or a related body corporate, or conduct that constitutes an offence against specified legislation, or conduct that represents a danger to the public or the financial system. The reasonable grounds test does not require the discloser to be right, or to have proof. It requires only that a reasonable person in the same position would have suspected what the discloser suspected. A disclosure that turns out to be incorrect still attracts protection if the reasonable grounds test was met at the time of disclosure.
Disclosures must be made to an eligible recipient to attract the full protections. Eligible recipients include senior managers and designated whistleblower officers within the company, auditors, ASIC, APRA, and the ATO. Public interest disclosures to journalists or members of parliament are available in strictly defined circumstances: the discloser must first have reported to a regulator, waited at least 90 days, have reasonable grounds to believe no action is being taken, and notify the regulator of the intention to go public.
What Organisations Must Do
The Corporations Act imposes four principal obligations on organisations. First, confidentiality: the identity of the whistleblower must be protected at all stages of the process. Disclosing the identity of a whistleblower, or information likely to identify them, without their consent, is a criminal offence. Second, protection from detriment: organisations must not cause or threaten detriment to a whistleblower because of their disclosure. Detriment includes dismissal, demotion, harassment, discrimination, and any action causing injury, loss or damage. Third, the Corporations Act prohibits legal action against eligible disclosers for making protected disclosures; standard confidentiality clauses and non-disclosure obligations cannot be used to suppress a protected disclosure. Fourth, for public companies, large proprietary companies, and proprietary companies that are trustees of a registerable superannuation entity, ASIC's Regulatory Guide 270 requires a written whistleblower policy that is accessible to officers and employees.
The penalties for breaching these obligations are significant. Causing or threatening detriment to a whistleblower is a criminal offence attracting up to 25 penalty units or two years' imprisonment, or both. Breaching confidentiality attracts up to 60 penalty units or 12 months' imprisonment. Civil liability to the whistleblower also arises for contraventions.
The Two Cases That Defined the Law in 2025
TerraCom: The First Enforcement Outcome Under the Corporations Act
In August 2025, ASIC obtained its first enforcement outcomes for contraventions of the Corporations Act whistleblower provisions, in proceedings against ASX-listed coal mining company TerraCom Limited.
Justin Williams had made a whistleblower disclosure asserting that TerraCom had falsified its coal quality results. ASIC alleged that TerraCom's subsequent conduct caused detriment to Williams in breach of the Corporations Act, and that certain directors and officers had failed to act with the care and diligence required by section 180 in their response to the whistleblowing allegations and the PwC report commissioned to investigate them.
The court proceedings produced mixed results. TerraCom itself and two of its officers consented to declarations of contravention and penalties. However, ASIC's proceedings against TerraCom's directors for failing to act with due care and diligence in response to the whistleblowing disclosure were dismissed. The court found ASIC's position against the directors to be, in its words, "plainly untenable." The court also found that TerraCom's chair had not breached section 180 by not personally reading PwC's findings, because appropriate mechanisms had been implemented to manage, review, and report on the investigations.
The TerraCom outcome matters for two reasons. It is the first time the Corporations Act's whistleblower provisions have been enforced to a judgment, establishing that the private sector protections do have teeth. But it also illustrates that the question of exactly where director liability begins and ends in the management of a whistleblower disclosure remains a live one, and that robust governance processes around investigation and response are essential to demonstrating that directors met their duty of care obligations.
ASIC Deputy Chair Sarah Court had stated publicly that ASIC takes "any indication that companies are engaging in conduct that harms or deters whistleblowers very seriously." The TerraCom outcome puts substance behind that statement.
Richard Boyle: Seven Years of Prosecution for Raising a Concern
Richard Boyle was a debt collection officer at the Australian Taxation Office. In 2017, he raised concerns internally about what he believed were aggressive and unethical garnishee practices being used against small business taxpayers, applied earlier in the collection process than was protocol. His internal disclosure was dismissed. He subsequently gathered evidence using his iPhone -- photographing documents and recording conversations at his workplace -- before going public with his concerns through the ABC's Four Corners program and the Sydney Morning Herald in 2018.
Prosecutors charged him with 66 criminal offences in 2019 in connection with his evidence gathering: recording protected information, noting a taxpayer's tax file number, using a listening device to record private conversations without consent. If proven, those charges carried a combined maximum sentence of 161 years in prison. Boyle spent seven years fighting those charges while his assertions about ATO practice were partially vindicated by a 2019 Inspector-General of Taxation review and by subsequent ATO reforms.
The South Australian Court of Appeal ruled that Boyle was not protected by federal whistleblowing laws for charges relating to his recording of conversations and photographing documents -- the preparatory steps he took before his public interest disclosure was made. The High Court refused special leave to appeal on the immunity question. In May 2025, facing a criminal trial and potential imprisonment, Boyle pleaded guilty to four remaining charges as part of a plea agreement with prosecutors. On 28 August 2025, the South Australian District Court sentenced him to a 12-month good behaviour bond with no conviction recorded.
The sentencing judge acknowledged that his offending had occurred in "extenuating circumstances." His lawyer argued that Boyle had acted in "sincere belief that he was acting in the public interest." Boyle had said in 2024 that the experience had left him "broken, physically, mentally and financially."
The Whistleblower Justice Fund founder Rex Patrick said that "he actually thought he was protected. It's taken four judges, and silks and lawyers to work out whether or not he was protected. He went in thinking he was, but it turns out that he wasn't." The Human Rights Law Centre's Kieran Pender said the case had "exposed how little the law protects whistleblowers" and that prosecuting whistleblowers had "a chilling effect on people speaking up."
The specific problem the Boyle case exposed -- that the immunity under the PID Act does not extend to the preparatory steps a person takes before their disclosure is formally made -- is a gap that remains unaddressed in 2026. The Albanese Government's second term commenced in May 2025 following a landslide election win; Attorney-General Mark Dreyfus was not reappointed, and his proposed wholesale reform of the PID Act through the Public Interest Disclosure and Other Legislation Amendment (Whistleblower Protections) Bill 2025 has not been progressed. The new AG in July 2025 indicated the government is "considering further reforms."
The Architecture of the Gap
The distance between Australia's whistleblower law on paper and the experience of people who use it can be mapped across four structural dimensions.
The Patchwork Problem
Whistleblower protection in Australia is spread across a legislative patchwork. Private sector workers are covered by the Corporations Act, subject to eligibility criteria that require them to hold or have held a specified connection to the company. The Corporations Act does not cover employees of partnerships, trusts, or unincorporated associations -- meaning, for example, that a law firm employee, a worker employed by a family trust, or an employee of an unincorporated community organisation may not be an eligible discloser under the primary private sector framework. The Taxation Administration Act 1953 provides separate coverage for tax-related disclosures.
Public sector workers are covered by the PID Act, which is a different framework with different requirements, different eligible recipients, different immunities, and a different enforcement mechanism. State and territory equivalents exist, each with their own variations. The private sector protections were last substantially updated in 2019; the PID Act has been in place since 2013 with minor amendments. The Governance Institute of Australia has observed that this patchwork "require[s] a legal expert to decipher," and BAL Lawyers have noted that the inconsistencies, gaps, and overlaps between regimes create significant uncertainty for people considering whether to disclose.
Treasury is currently conducting a statutory review of the Corporations Act and Taxation Act whistleblower provisions. This review may have implications for wider reform of the private sector framework. The ACC has flagged this as a key area to watch in 2026.
The Burden of Proof Problem
Under current law, a whistleblower who alleges they have been subjected to detriment in retaliation for their disclosure must prove that the detriment was caused by their disclosure. This is a difficult evidentiary burden in practice. Employers rarely document retaliatory intent. The most common forms of retaliation -- a subtle change in conditions, exclusion from meetings, removal from projects, performance management initiated shortly after a disclosure, or the creation of a hostile environment that makes the whistleblower's position untenable -- are exactly the kinds of conduct that are hardest to prove in court while being entirely consistent with deliberate retaliation.
The proposed stage 2 PID Act reforms include a reverse onus provision for public sector whistleblowers, modelled on the existing position for private sector disclosures under the Corporations Act. Under this approach, a whistleblower need only point to evidence suggesting a reasonable possibility that detriment was caused by their disclosure; the burden then shifts to the respondent to prove it was not. BAL Lawyers note that the difficulty of proving reprisal "has stymied the effectiveness of the PID Act -- in over a decade, a PID Act claim has never succeeded in court."
The Human Rights Watch submission to the Senate committee on the Whistleblower Protection Authority Bill confirmed that despite research finding eight in ten whistleblowers face some form of reprisal, in three decades there has been just one case in which an Australian whistleblower received court-ordered compensation. The gap between the prevalence of retaliation and successful legal redress reflects the structural barriers in the current framework.
The Preparatory Steps Problem
The Boyle case exposed a specific and significant gap: the whistleblower immunity provisions protect the act of disclosure, but they do not, under the current interpretation, protect the steps a person takes in preparing to make that disclosure. Boyle was prosecuted for photographing documents, noting a tax file number, and recording conversations that formed the evidence base for his public interest disclosure. His conviction -- even on only four of the original 66 charges, and with no conviction recorded -- confirmed that the immunity does not extend backwards to cover evidence gathering.
For organisational whistleblower policy purposes, this gap has important implications. The expected behaviour of a worker who witnesses wrongdoing is to gather sufficient evidence to make a credible disclosure and then report through an eligible channel. The law as currently interpreted does not protect that gathering phase. A worker who does what any reasonable person would do in preparing to speak up may be exposed to liability for the preparatory acts regardless of the public interest value of what they ultimately disclose.
The Chilling Effect
The cumulative impact of the prosecution of Boyle, the earlier prosecution of David McBride (the defence lawyer convicted in 2024 of offences related to his disclosures about alleged Australian war crimes in Afghanistan), and the Super Retail Group case -- in which two former employees who made disclosures about the company's internal culture faced the company publishing an ASX announcement about the dispute before the matter settled in late 2025 for a significant undisclosed sum -- is not primarily about the legal outcomes in those individual cases. It is about what potential whistleblowers who are aware of these cases conclude about the personal cost of speaking up.
The Human Rights Law Centre's Kieran Pender articulated this directly after Boyle's sentencing: prosecuting whistleblowers has "a chilling effect on people speaking up." An employee who is considering raising a concern about their organisation -- about safety risks, about financial misconduct, about governance failures -- is making a judgment not about what the law says they are entitled to do, but about what is likely to actually happen to them if they do. The current case history does not give them cause for confidence.
This chilling effect operates at exactly the point where early disclosure is most valuable. The wrongdoing that a whistleblower considers raising at an early stage -- before it has escalated, before it has caused widespread harm, before it has attracted regulatory attention -- is the wrongdoing where early detection has the most preventive value. The deterrence of speaking up early is also the deterrence of preventing harm early. The costs are borne not only by the individual who stays silent, but by the organisation, its stakeholders, and the people whose interests were not protected.
What 2026 Looks Like for Organisational Obligations
The whistleblower landscape in 2026 is characterised by legal frameworks that are substantially in place but under active review, enforcement that is becoming more real (as TerraCom demonstrates), and reform that is pending but not yet delivered. For organisations, the practical obligations fall into three areas.
The Policy Requirement
Public companies, large proprietary companies, and registerable superannuation trustees are required under the Corporations Act and ASIC Regulatory Guide 270 to have a written whistleblower policy that is accessible to officers and employees. The policy must set out how the company will protect eligible disclosers, how it will receive, investigate, and respond to disclosures, how it will maintain confidentiality, and how it will protect disclosers from detriment. ASIC has signalled that "when regulators, auditors, or employees ask how your whistleblower system works, 'we have a policy' is no longer enough. They expect evidence of accessibility, confidentiality, and follow-through."
The TerraCom proceedings reinforced this. The question in a governance context is not whether the policy exists; it is whether the policy functioned as required when tested.
The Investigation Obligation
When a protected disclosure is made, the organisation has an obligation to handle it appropriately. This means: acknowledging receipt, maintaining confidentiality throughout, assessing whether the disclosure falls within the protected framework, conducting a fair and impartial investigation of the substance of the disclosure where appropriate, and protecting the discloser from detriment during and after the process. The obligation to protect from detriment applies not only to the formal act of dismissal or demotion, but to the full range of conduct that creates a hostile or adverse working environment for someone who has raised a concern.
The interface with WHS obligations is direct. A whistleblower who raises a concern and then experiences the psychosocial harms of isolation, exclusion, performance management, or a hostile work environment as a result of that disclosure is a worker to whom the employer owes a WHS duty of care. The Codes of Practice on managing psychosocial hazards explicitly require that organisations do not victimise workers who raise concerns and that the investigation process itself does not create or amplify psychosocial harm to any participant. Managing a whistleblower disclosure well is simultaneously a Corporations Act obligation, a potential WHS obligation, and an obligation under the Fair Work Act's adverse action provisions.
The Cultural Obligation
The ACC's year-in-review analysis concluded that "without a strong corporate culture of accountability, a whistleblowing reporting system alone may not be enough to reduce a company's exposure to liability and reputational risk." This observation points to what is, ultimately, the most important and least tractable dimension of Australia's whistleblower problem.
The law protects people who speak up. The culture determines whether they believe it is safe to do so. An organisation that has a technically compliant whistleblower policy but has never had a single disclosure through it, or whose most recent disclosure resulted in the discloser being managed out within a year, or whose senior leaders have never publicly acknowledged the importance of raising concerns, has not solved the whistleblower problem. It has created the documented appearance of having solved it.
Building a genuine reporting culture requires that people have access to reporting channels they trust -- channels that are confidential, accessible outside business hours, accessible without using a work device or a work email address, accessible anonymously where the person needs that protection, and backed by a process they have some reason to believe will be handled with integrity. It also requires that the organisation visibly demonstrates that raising concerns is valued, not punished: that outcomes are communicated appropriately, that disclosers are protected in practice and not just in policy, and that concerns raised lead to action.
Key Takeaways
Australia's private sector whistleblower framework under Part 9.4AAA of the Corporations Act 2001 is extensive: eligible disclosers include employees, officers, contractors, associates, relatives, and former staff. Protections include identity confidentiality, immunity from civil and criminal liability, and prohibition on causing detriment. Retaliation is a criminal offence. ASIC RG 270 requires public companies, large proprietary companies, and APRA-regulated trustees to have accessible written whistleblower policies.
In August 2025, ASIC obtained its first enforcement outcomes under the Corporations Act whistleblower provisions in the TerraCom proceedings: TerraCom and two officers consented to declarations of contravention and penalties for causing detriment to a whistleblower who had disclosed falsified coal quality results. This is the first judicial confirmation that the private sector protections have real enforcement consequences.
Richard Boyle, the ATO whistleblower who exposed aggressive garnishee practices against small businesses, was sentenced on 28 August 2025 to a 12-month good behaviour bond with no conviction recorded, after seven years of prosecution. His case exposed the gap in whistleblower immunity coverage: the protections do not extend to the preparatory steps a whistleblower takes before formally making a disclosure. This gap remains unaddressed in current law. The proposed stage 2 PID Act reforms and the Whistleblower Protection Authority Bill 2025 remain pending.
Human Rights Watch reported in July 2025 that research finds eight out of ten whistleblowers face some form of reprisal. The Human Rights Law Centre reported that in the healthcare sector, that figure was 100 per cent. Against this, there has been just one case in three decades in which an Australian whistleblower received court-ordered compensation for retaliation. The burden of proof in retaliation cases remains a structural barrier, though proposed PID Act reforms include a reverse onus provision.
Managing a whistleblower disclosure creates simultaneous obligations under the Corporations Act (confidentiality, protection from detriment, investigation), WHS law (managing psychosocial risk to the discloser during and after the process), and the Fair Work Act (adverse action provisions). These obligations reinforce each other: an organisation that manages a disclosure badly is not merely at risk of a Corporations Act contravention; it may also be creating psychosocial harm that engages WHS liability.
The gap between policy compliance and cultural reality is the defining challenge. An organisation with a technically compliant policy that has no genuine reporting culture, no accessible trusted channel, and no demonstrated track record of protecting people who raise concerns has not met the spirit of the Corporations Act framework. Regulators, courts, and ASIC audits are increasingly assessing not whether a policy exists, but whether it functions.
Salus provides the confidential, accessible, 24/7 reporting infrastructure that makes a genuine reporting culture possible: a channel that workers trust because it is available when and how they need it, anonymous where appropriate, and independent of the management structures that may be the subject of their concern. For organisations with Corporations Act whistleblower obligations, Salus provides the operational backbone that turns a written policy into a functioning system. It also generates documented evidence that the channel is trusted and used, which, if ever needed, demonstrates real compliance rather than paper compliance.
The most dangerous whistleblower dynamic for any organisation is the one where the wrongdoing that needed to be disclosed never was -- because the person who saw it had seen what happened to people who spoke up and decided the risk was not worth taking. That is the silence that regulatory frameworks cannot reach, and for which cultural change is the only remedy. Safe Work Tech's Salus platform is designed to remove the barriers that turn witnesses of wrongdoing into people who stay silent: accessible, trusted, confidential reporting infrastructure that demonstrates, in practice rather than just in policy, that the organisation is safe to speak up in. Contact Safe Work Tech to understand how Salus can bridge the gap between your whistleblower obligations and the culture that makes them real.
