In Part One of this insight series, Whistleblower Protections at an Inflection Point, we discussed most of the key elements of the eligibility framework for protection under the whistleblower protection regime in Part 9.4AAA of the Corporations Act 2001 (Cth) (Corporations Act). You can read Part One here.
In Part Two, we explore the legal boundaries of protected whistleblower disclosures under the Corporations Act, including:
- case law that has considered the meaning of ‘misconduct or an improper state of affairs or circumstances’,
- the distinction between disclosable matters, commonly referred to as ‘reportable conduct’, which are protected under the whistleblower laws, and personal work-related grievances, which are not, and
- what it means for a discloser to have ‘reasonable grounds to suspect’ reportable conduct.
We then highlight practical considerations for organisations in light of these matters.
Clarifying the boundaries of protected whistleblower disclosures under the Corporations Act
Navigating the scope of protected whistleblower disclosures under the Corporations Act can be challenging. As the legal landscape continues to evolve, one of the key questions is whether the subject matter of a report aligns with the statutory test.
That question is more than a technical threshold issue. Treasury’s upcoming statutory review is expressly testing whether the current private sector whistleblowing regimes under the Corporations Act and the Tax Administration Act 1953 (Cth) (Tax Act) are operating as intended, including in relation to their scope and coverage. At the same time, recent parliamentary scrutiny of the regimes has shown how contested the application of the laws can become in practice, particularly where allegations of serious governance failures intersect with employment consequences for the person raising them. The legal status of a disclosure remains dependent on the factual circumstances, but the broader lesson is clear: early and accurate characterisation matters, and labels such as “workplace grievance” should not be a shortcut for analysis.
First, we explore the recent case law shaping the boundaries of protected whistleblower disclosures by examining the meaning of ‘misconduct’ and ‘improper state of affairs or circumstances’ within the context of the regimes, and exploring the differences between disclosable matters and personal work-related grievances.
‘Misconduct or an improper state of affairs or circumstances’
What is the law?
Since the introduction of Part 9.4AAA in July 2019, it has been clear that the main purpose of the Corporations Act whistleblowing regime is to improve the detection and prosecution of criminal and other misconduct in the corporate and financial sectors by encouraging individuals to disclose wrongdoing. Sitting parallel to this purpose is the regime’s intention to reduce the personal and financial risks to individuals who make such disclosures.[1]
The disclosable matters in section 1317AA of the Corporations Act, often referred to as ‘reportable conduct’ in many whistleblower policies, define the statutory threshold for the types of wrongdoing that can be the subject of protection under the Corporations Act regime and, it follows, under organisational whistleblower frameworks. Disclosable matters include ‘information’ that a person has ‘reasonable grounds to suspect’:[2]
- concerns misconduct or an improper state of affairs or circumstances in relation to a regulated entity (or related body corporate); or
- indicates that the regulated entity (or an officer or employee) has engaged in conduct that:
- constitutes an offence against or contravention of certain Commonwealth laws such as the Corporations Act and other financial sector legislation, or any other Commonwealth law punishable by 12 months’ imprisonment; or
- represents a danger to the public or the financial system.
Putting aside the requirement to have ‘reasonable grounds to suspect’ the relevant conduct (discussed below) the question of precisely what does and doesn’t comprise ‘misconduct or an improper state of affairs or circumstances’ within the meaning of Part 9.4AAA has remained largely unanswered. The lack of any bright line delineating this boundary has created uncertainty among regulated entities about how to determine whether a report of particular conduct should be dealt with as a protected disclosure or by some other grievance or complaint handling process. Our practical experience is that, as a consequence, many organisations feel it is necessary to take an inclusive approach.
The phrase has been the subject of discussion in recent Federal Court decisions handed down over the past few months. Of note are the Court’s comments in Jackson v Heart Research Institute Ltd [2025] FCA 301 (Jackson). Jackson provided the following definition of ‘misconduct’ and ‘improper state of affairs or circumstances’, relying on the combined effect of observations made in both Mount v Dover Castle Metals Pty Ltd [2025] FCA 101 (Dover) and Reiche v Neometals Ltd (No 2) [2025] FCA 125 (Reiche):
Reiche v Neometals Ltd (No 2) [2025] FCA 125 (Reiche) at [66].
Corporations Act s 1317AA.
|
Misconduct See Jackson at [224], Reiche at [88] and Dover at [129]. Jaskson at [224], Reiche at [88] – [92], Dover at [129] and [90]-[91]. Dover and Reiche cited Parker v Comptroller-General of Customs [2009] HCA 7 at [29] (French CJ). |
Information concerning ‘misconduct’ includes information concerning “fraud, negligence, default, breach of trust and breach of duty”, by picking up the definition of “misconduct” in section 9 of the Corporations Act.[3] See Jackson at [224], Reiche at [88] and Dover at [129]. Jaskson at [224], Reiche at [88] – [92], Dover at [129] and [90]-[91]. Dover and Reiche cited Parker v Comptroller-General of Customs [2009] HCA 7 at [29] (French CJ). |
|
Improper state of affairs or circumstances See Jackson at [224], Reiche at [88] and Dover at [129]. Jaskson at [224], Reiche at [88] – [92], Dover at [129] and [90]-[91]. Dover and Reiche cited Parker v Comptroller-General of Customs [2009] HCA 7 at [29] (French CJ). |
'Improper state of affairs or circumstances’ is not defined in the Corporations Act and is to be given its ordinary meaning. ‘Improper’ is intentionally broad and includes something not in accordance with truth, fact, reason or rule – i.e., it is abnormal, irregular, incorrect, inaccurate, erroneous, or wrong. The terms ‘improper state of affairs or circumstances’ may therefore include conduct which, whilst not necessarily unlawful, might indicate a systemic issue that would assist regulators like ASIC, APRA or another Commonwealth authority in performing its functions in relation to the regulated entity (or related body corporate). This reflects the underlying purpose of Part 9.4AAA to encourage whistleblowing to aid or improve compliance with the law.[4] See Jackson at [224], Reiche at [88] and Dover at [129]. Jaskson at [224], Reiche at [88] – [92], Dover at [129] and [90]-[91]. Dover and Reiche cited Parker v Comptroller-General of Customs [2009] HCA 7 at [29] (French CJ). |
Allegations concerning misuse of confidential information or other integrity or governance failures, if sufficiently connected to a regulated entity, are the kinds of matters that may engage regulatory considerations even if they may not indicate a breach of a relevant law.
Consistent with these definitions, ASIC Regulatory Guide 270 on Whistleblower Policies notes:
… ‘misconduct or an improper state of affairs or circumstances’ may not involve unlawful conduct in relation to the entity or a related body corporate of the entity but may indicate a systemic issue that the relevant regulator should know about to properly perform its functions. It may also relate to business behaviour and practices that may cause consumer harm.[5]
Case examples of disclosable matters
In Reiche, Feutrill J stated that:
…information does not qualify for protection if it is information that would not engage or assist the regulatory functions of ASIC, APRA or another Commonwealth authority in relation to the regulated entity.[6]
Feutrill J’s comments were made by reference to the text and context of the statutory provisions, in particular the express reference to contraventions of laws that engage the regulatory functions of ASIC, APRA or a prescribed Commonwealth authority.[7] It’s important to note, however, that in doing so his Honour was expressly not delimiting the scope of the phrase ‘improper state of affairs or circumstances’ for all cases. Rather, Feutrill J was observing the more narrow point that where the information is of a nature that does not obviously or readily engage or assist the regulators’ functions, it may make it plausible that a person who causes detriment did not have reason to believe or suspect the disclosure of the information would qualify for protection.
This distinction is important, noting that in Dover (handed down just before Reiche), safety-related concerns were held to be qualifying disclosures by Justice Katzmann.
Safety concerns are not concerns that would obviously or readily engage or assist the regulatory functions of ASIC or APRA. They could, perhaps, represent a danger to the public, within the meaning of s 1317AA(5)(e) of the Corporations Act. The point, is that while the case law is tending to suggest a narrowing of the meaning of the phrase towards the core governance and financial matters overseen by ASIC and APRA as regulators, there may be room for other kinds of conduct to be captured.
A review of the three decisions shows the following alleged matters were found to amount to misconduct or an improper state of affairs or circumstances:
- Dover – “Widespread fraud” including a director not disclosing their personal interests in company projects, a director seeking and receiving secret commissions, the ignoring of “significant safety risks” on a mining site including open and unfenced mine shafts, lack of development and/or implementation of a safety management system and the presence of guns at the site where alcohol was also consumed.[8]
- Reiche – Ongoing governance and “unresolved high-risk” operations risks associated with a joint venture that were identified at board strategy meetings but remained unresolved. Examples included potential breaches of contract, exploitation of the intellectual property of a third party to obtain a business advantage, conflict of interest in relation to decision-making, highly deficient and/or absent information flow and a forged signature.[9]
- Jackson - Multi‑year misallocation or management of discretionary funding involving hundreds of thousands of dollars, despite the discretionary character of the spending decisions.[10]
The breadth of conduct found to fall within the term by the Federal Court in these cases confirms that its scope remains unsettled, albeit that we are starting to see development of some guiding and clarifying principles.
Application to disputes
In applying the principles in Reiche, the Court at the interlocutory stage in Williams v Natural Solar Pty Ltd (Urgent Reinstatement Application) [2025] FCA 527 (Williams) found that allegations that concern purely bilateral contract disputes will not be in scope.[11]
The Court in Williams noted that allegations regarding an incorrect, improper or deliberate delay of financial accounts or attempt to avoid or delay paying the agreed purchase price for shares and breaching a Share Purchase Agreement have
… a quality of inter-partes rights about them rather than matters which could be whistleblower complaints engaging with regulatory compliance. That is not to say that the allegations of manipulation of financial records for a party’s gain, or a failure to adhere to contractual obligations such as the variable components of the purchase price cannot be the subject of regulatory complaints; in this case, however, those factors are more comfortably dealt with in that inter-partes sphere rather than by the kind of governance issues which give rise to whistleblower complaints.[12]
Williams suggests that the approach is to look for a clear connection between the information and matters that would engage a regulator’s compliance, enforcement, or disciplinary functions in relation to the entity (for example, systemic governance weaknesses, financial reporting irregularities, or conduct posing public or financial system risks). If that nexus is absent and the issue raised in a disclosure is essentially bilateral, as between the parties, the disclosure will likely not fall within scope of the regime.
Therefore, the approach is fact-specific: when assessing whether a disclosure concerns a disclosable matter, it is crucial for entities to carefully consider if the information points to systemic issues or regulatory concerns, rather than merely bilateral disputes or personal work-related grievances (discussed in more detail below). Practically, organisations should focus on ensuring their triage processes are robust and that those responsible for handling disclosures are trained to identify when a matter may have broader compliance, regulatory, public harm or governance implications, including having sufficient resources to test this with the benefit of legal advice if required.
Personal work-related grievances
Matters that are personal employment grievances will generally fall outside of the ambit of disclosable matters. Section 1317AADA of the Corporations Act excludes from the protection of the regime the disclosure of information concerning a personal work-related grievance of the discloser, such as an interpersonal conflict between the discloser and another employee, or a decision relating to the engagement, terms and conditions, transfer or promotion of the discloser.
In technical terms, a personal-work related grievance:[13]
- concerns a grievance about any matter in relation to the discloser’s employment, or former employment, having (or tending to have) implications for the discloser personally; and
- does not:
- have significant implications for the regulated entity to which it relates, or another regulated entity, that do not relate to the discloser; or
- concern victimisation in contravention of section 1317AC or an offence, contravention or danger described in section 1317AA(5).
From the outset, it seems that this provision is designed to keep routine human resources disputes out of the regime, while preserving protection for reprisal behaviour and for issues with broader compliance or governance significance.
A key practical risk is re-characterisation. A disclosure should not be treated as a personal work-related grievance merely because it is made by an employee in dispute with the organisation, or because the consequences of the alleged conduct are personal to the discloser. Treasury’s Consultation Paper recognises the challenge presented by such overlap: research cited in the paper suggests that many disclosures involve both integrity issues and workplace issues, meaning that the existence of a workplace issue between the parties does not alone answer the statutory question. The better approach is to ask whether the information also points to misconduct, an improper state of affairs, victimisation, systemic control failures, or other significant implications for the regulated entity beyond the discloser’s personal circumstances.
There is minimal case law on what could constitute ‘personal work-related grievances’ beyond the definition provided in the legislation, and ASIC’s RG270 provides little additional guidance.
In Dover, it was held that alleged insubordination or a misunderstanding of the discloser’s authority was “essentially an interpersonal complaint” and therefore concerned a personal work-related grievance and was not a disclosure protected by Pt 9.4AAA.[14] Interestingly, the Court noted the discloser did not contend that the contents of his report on alleged insubordination “had significant implications for DCM or another regulated entity.”[15] We wonder whether the Court’s finding on this question may have been different had submissions to this effect been made by the discloser.
Bullying and harassment
Of particular interest to many of our clients is the intersection between the personal-work related grievances exception and the disclosure of allegations of bullying and harassment.
The 2021 case of Dunn v Broadspectrum [2021] SAET 62 (Dunn) held that a disclosure concerning allegations of bullying and harassment towards numerous other employees extended beyond a mere personal work-related grievance and concerned misconduct, or an improper state of affairs or circumstances.[16] The South Australian Employment Tribunal said
[b]y virtue of the complaint involving the conduct of the Applicant towards a number of the [Employer’s] employees, the complaint goes beyond mere interpersonal conflict within the s1317AADA exception.[17]
Importantly though, that decision was at an interlocutory stage and the Tribunal relied upon authorities outside the whistleblower jurisdiction to rule in favour of redaction of the relevant material to avoid disclosure of the individual’s identity. It did not involve a comprehensive analysis of the legal framework of Part 9.4AAA.
Given the subsequent finding in Jackson that to be in scope of the protection regime the information disclosed should concern a systemic issue that would assist regulators like ASIC, APRA or another Commonwealth authority in performing its functions in relation to the regulated entity, it’s not clear where the Dunn decision now sits and we caution reliance upon it.
In any event, while Dunn demonstrates that allegations of bullying or harassment involving multiple employees might be held to transcend the personal work-related grievance exclusion and amount to a disclosable matter, the position becomes cloudy where the allegation relates to the treatment of a single individual. In such cases, we would expect the disclosure will more often fall within the scope of a personal work-related grievance given it does not concern a systemic or organisational issue attracting regulatory concern, and is unlikely also to attract the public safety dimension that perhaps was a factor in Dover. Although, as we note below, it is plain that where the alleged perpetrator is an executive or there are other factors going to the gravity of the issue, this is not a rule than can be universally applied.
We are increasingly seeing clients seek to clarify in their policies that bullying and harassment complaints will not typically be dealt with under their whistleblower program on the basis that such matters are more appropriately raised via other grievance channels, especially where they are confined and not at the more serious or systemic end of the behaviour spectrum. We acknowledge, however, that approaches vary across the market and that this is ultimately a judgment call based on each client’s circumstances, culture, intelligence on levels of trust in existing human resources and whistleblower systems and risk appetite.
It is our view that the status of legal protection should not fall to such matters. Clarity is required. This is not to suggest that such matters can be dismissed as irrelevant to the broader integrity of the workplace. As part of this assessment, organisations should remain alert to whether the nature, context and seriousness of the alleged behaviour suggests something more insidious than a one-off interpersonal dispute. For example, even where only one person complains, on the current state of the law the complaint may still indicate an improper state of affairs risk if:
- there are indications of cultural, governance, or control failings (for example, inadequate supervision, human resources processes, or escalation mechanisms); or
- the alleged perpetrator is in a senior or powerful position organisationally, and their conduct raises broader questions about the organisation’s compliance with its legal, ethical and/or governance obligations.
These complexities highlight the need to assess the nature of a report early and ensure appropriate triage processes are in play so that even grievances framed as individual complaints are reviewed for potential systemic implications and public safety risk. Training is also an important step to ensure team members, particularly those tasked with dealing with disclosures, understand how to identify and differentiate between a disclosable matter and a bullying complaint.
To ensure consistency in approach, entities should facilitate processes by which whistleblower program coordinators and legal teams can safely discuss borderline cases and share insights. Additionally, providing clear communication channels for employees to seek clarification on how their concerns will be handled can help manage expectations and reduce confusion about the distinction between personal work-related grievances and protected whistleblower disclosures.
Triage should therefore be treated as an evaluative process, not a labelling exercise. Where a report contains both personal employment issues and broader integrity or governance allegations, the organisation should document why the matter is, or is not, being treated as a protected disclosure and should revisit that assessment if further information emerges. In borderline cases, preserving confidentiality, separating employment decision-making from disclosure assessment and escalating the matter to legal or whistleblower governance functions will usually be safer than prematurely diverting the matter into an ordinary grievance pathway.
Reasonable grounds to suspect
Critically, to qualify for protection the discloser must have reasonable grounds to suspect the information they are disclosing relates to a disclosable matter. Whether a discloser has such grounds is an objective question of fact and will ultimately turn on the evidence in each matter.[18]
Practically, a discloser should be encouraged to identify the information known to them, the basis for their suspicion and why that information suggests misconduct, an improper state of affairs or another disclosable matter. Ideally an organisation’s policy should explain this distinction, so that potential whistleblowers don’t think they need to prove wrongdoing before speaking up, and eligible recipients and those assessing the disclosure’s character do not impose a higher test of proof than the law requires.
The following principles have emerged from the case law since the introduction of the revised whistleblower regime in 2019:
- The phrase comprises both subjective and objective elements - the discloser must themselves subjectively possess grounds to suspect the relevant things alleged, and those grounds must objectively be reasonable.[19]
- The objective element requires the existence of facts sufficient to induce the state of mind in a reasonable person and there must be some factual basis, known to the person who suspects, for the suspicion.[20]
- Whether a discloser has reasonable grounds to suspect the relevant matters directs attention to the information that formed the basis of the particular discloser’s suspicion, rather than, objectively, by reference to other information not known by the discloser or which becomes known subsequently.[21] Therefore, matters not within the knowledge of the discloser at the time of the disclosures are not relevant to the question of whether those disclosures qualify for protection.[22]
- ‘Reasonable grounds to suspect’ does not equate to proof on the balance of probabilities but does require something more than idle wondering. A suspicion is less than a belief. A suspicion is a slight opinion, but without sufficient evidence. A reasonable ground to suspect is material that, in the mind of a reasonable person, would lead to the relevant suspicion.[23]
- The Corporations Act does not require the reasonable grounds to be contained in the disclosure.[24]
Whether a discloser has ‘reasonable grounds to suspect’ is ultimately a factual assessment. Sometimes it may be difficult to determine whether a discloser had reasonable grounds to suspect the conduct alleged in the way they describe it in their disclosure. This may occur in instances where the discloser has incorrectly suspected misconduct or an improper state of affairs – i.e., the matters disclosed do not, on an objective assessment, reach the threshold for disclosable matters under the regime.
There may be circumstances where, based on the information available to the discloser, their suspicions may not be so unreasonable or far-fetched as to negate the existence of ‘reasonable grounds to suspect’ some form of misconduct or improper state of affairs. This is the case irrespective of whether that alleged conduct qualifies as ‘misconduct’ or an ‘improper state of affairs’ under the Corporations Act. In these circumstances, on an objective view, it could at least be arguable on the basis of the information known at the time that the discloser had ‘reasonable grounds to suspect’ the conduct alleged in their disclosure.
As a matter of practicality, it will not usually be feasible to form a detailed assessment of whether the discloser has ‘reasonable grounds to suspect’ as part of the triage process. However, it is prudent for those tasked with triaging whistleblower matters to give appropriate consideration to whether the discloser’s suspicions were objectively reasonable in light of the information available to them at the time, and to avoid prematurely concluding that a disclosure falls outside the whistleblower regime merely because there is uncertainty as to whether the ‘reasonable grounds to suspect’ threshold has been met.
The threshold question of whether a disclosure is protected is only one part of the analysis. If action is later taken in relation to a discloser, the separate detriment provisions require close attention to what decision-makers believed or suspected, and whether that belief or suspicion was a substantial and operative reason for the conduct. Those issues are considered in Part Three of this series.
What you should be thinking about
ASIC RG 270.52.
Reiche at [90].
As at the date of writing, no Commonwealth authority has been prescribed.
Dover at [53], [171], [247], [266], [269].
Reiche [312]. [316],
Jackson at [388].
Williams at [63].
Williams at [60] and [66].
Corporations Act s 1317AADA(1) and (2).
Dover at [250].
Dover at [250].
Dunn at [38].
Dunn at [31].
It is important to distinguish this threshold question from the separate inquiry that may arise if a discloser later alleges detrimental conduct. In Reiche v Neometals Ltd [2026] FCAFC 53 (Reiche Appeal), the Full Federal Court considered the state of mind required for liability under the detriment provisions. For the purpose of s 1317AD, the focus is on whether the alleged wrongdoer subjectively believed or suspected that the person had made, might have made or could make a disclosure concerning misconduct or an improper state of affairs, and whether they believed or suspected that the person had reasonable grounds to do so. That is a different inquiry from the discloser’s own need to have reasonable grounds to suspect the relevant matter when making the disclosure. We will be addressing the topic of detriment in Part Three of this series.
Quinlan v ERM Power Ltd (No 2) [2021] QSC 35 at [24], relied on in Express Cargo Services Pty Ltd v Mysko [2023] SASC 11 at [506].
Express Cargo Services Pty Ltd v Mysko [2023] SASC 11 at [507].
Dover at [136], relying on The Environmental Group Ltd (TEG) v Bowd [2019] FCA 951 at [180].
Quinlan v ERM Power Ltd [2021] at [35], [37]
Sheldon v Donvale Christian College [2022] FedCFamC2G 980 at [120]; see also Wu v United Bank Ltd Sydney Branch (No 2) [2021] FEDcFamC2g 264 at [63].
Dover at [266].
|
Strengthen assessment and triage processes |
Ensure your organisation has robust processes in place to assess disclosures in line with the current principles and requirements emerging from the case law and regulatory guidance. Implement effective processes to triage disclosures between the relevant whistleblower program team members or through standard human resources grievance channels. |
|
Ongoing training and awareness |
Team members responsible for receiving and/or handling disclosures made under a whistleblower policy or otherwise should receive ongoing training to help them to distinguish between disclosable matters and personal work-related grievances. Training should also ensure they are reminded of the processes they need to follow to handle these disclosures when they come in (including where to access help or advice if required). |
|
Internal collaboration |
Encourage regular but appropriately confidential communication and collaboration between human resources, whistleblower program team members and internal legal teams. Relevant boards or board committees (where appropriate) should also participate, to ensure consistency in how disclosures are handled and help to reveal any trends or systemic issues. |
|
Communicate with employees about how to make a protected disclosure |
Provide clear, accessible information to employees and others about how to make a protected disclosure. This includes providing them with accurate descriptions of the sorts of conduct and disclosures that will and won’t be protected under the whistleblower policy and the law. Communicate regularly about how reported concerns will be triaged and handled. This helps to manage expectations and reduces confusion about the relevant processes and protections which may apply where a protected disclosure is made. |
|
Strengthen and communicate alternative grievance channels |
Review and, where necessary, strengthen non-whistleblower grievance processes, including those for bullying and harassment, interpersonal disputes, and routine employment concerns, to ensure they are robust, accessible and trusted by employees. When employees trust that workplace concerns will be addressed through appropriate grievance processes, whistleblower channels are less likely to be used for matters outside their intended scope. Clearly communicate the purpose and availability of these grievance channels to help employees choose the appropriate pathway to raise their concerns. |
|
Monitor the statutory review and consider policy settings |
Treasury’s current review is considering the scope, coverage and operation of the Corporations Act and Tax Act whistleblowing regimes, including the kinds of matters that should qualify for protection. Organisations should follow these debates and use the consultation period to test whether their whistleblower policies, triage criteria and training materials give sufficient practical guidance on mixed disclosures, personal work-related grievances and the “reasonable grounds to suspect” thresholds. |
Mallesons will be preparing a submission to Treasury to draw attention to some of these challenging definitional issues in the current statutory framework and we welcome engagement with our clients on these matters as we finalise our submission.



