1. Privacy Policy
  2. Whistleblower Policy


1. Privacy Policy

We’re here to make your life better. Which is why your privacy and personal information is important to us. We do not share to any third parties. We do not store your credit card details.

We are committed to protecting the privacy of your personal information and we will endeavour to abide by the Australian Privacy Principles (APPs), as set out in the Privacy Act 1988 (Cth).

This policy sets out how we collect, use and manage personal information. You agree to the collection, use and disclosure of personal information in accordance with this privacy policy. This privacy policy is effective from 16 May 2016. From time to time, our privacy policies and procedures will be reviewed and, if appropriate, updated. If any changes are made to this policy these will be posted on our Website.



In this policy: “we”, “us” and “our” are references to Nutricare Holding Pty Ltd (ACN 613 504 724);

  • “you” or “your” means a person whose personal information we have knowingly collected;

  • “Website” means the website located at the URLs and

  • “User” means a user of the Website.


Collection of Personal Information

Depending on the purpose for which we collect information from you, the personal information we collect or hold may include your name, date of birth, address, telephone phone number, email address, gender and any other personal information you or a person authorised by you submits to us, as well any other information that we consider is necessary to provide our products.

We collect your personal information for the primary purpose of conducting our business, which includes:

  • producing and selling our products to you; maintaining and improving customer services;

  • telling you about other services or products that we think may be of interest to you;

  • facilitating your interaction with us and other Users on our Website;

  • considering any application for employment or contracting made by you;

  • meeting our legal obligations;

  • managing and resolving any legal or commercial complaints and issues;

  • carrying out internal functions including training and risk management;

  • conducting marketing research and analysis;

  • providing you with ongoing updates about our products and services and those products of others;

  • and any other use to which you have given your consent (whether express or implied).

Where we can, we will allow you to deal with us anonymously, by using a pseudonym or without providing personal information. However, in some circumstances, this may not be possible, and we may need to collect personal information from you to provide you with our products.

Where reasonably possible, we will collect your personal information directly from you and we will not use government identifiers, such as a driver’s licence or Medicare number, as our own identifier for you.


Use and Disclosure of Personal Information

Any personal information that you provide via our Website or directly is collected and managed by us.

  • We will not disclose your personal information in other circumstances unless one of the following applies: you have consented to the disclosure;

  • the disclosure is in accordance with this Privacy Policy or any other agreement you have entered into with us;

  • you would reasonably expect, or have been told, that your information is passed to those individuals, bodies or agencies;

  • or it is otherwise required or authorised by law, including without limitation, the APPs under the Privacy Act 1988 (Cth).

If we disclose personal information to a third party, we will take all reasonable steps to ensure that the third parties do not breach the APPs in relation to that information. For the purpose of providing or offering services and benefits to you, we may also disclose personal information to organisations such as:

  • our employees, contractors and suppliers; professional advisors (such as accountants or auditors);

  • the government;

  • payment system operators and financial institutions;

  • outsourced service providers; and market research and promotional companies.

Our contractors and outsourced service providers may disclose your personal information overseas in connection with providing their services to us. Additionally, some of your personal information may be transferred, stored, processed, used or disclosed overseas by us.

If you do not wish for your personal information to be disclosed or used in such a way anticipated by our Privacy Policy, we will use reasonable endeavours to accommodate your request where disclosure is not otherwise required by law.

However, if we comply with your request, it may not be practicable for us to provide you some or all goods or services that we may otherwise provide to others. In the case of email communications that amount to commercial electronic messages, you may also use the “opt-out” facility contained in our emails. Once you have unsubscribed from our mailing list, we will refrain from contacting you for that purpose.

Third Party Information

During the course of business, we may also collect personal information that is given to us by third parties. This information forms part of personal information referred to in this Privacy Policy. We will not intentionally solicit personal information from third parties that is unintentionally disclosed about you.

If you provide your personal information to a third party via a link from the Website, that information is collected and managed by those third parties. You should familiarise yourself with their privacy policy prior to deciding whether you wish to provide them with your information. If you provide us with information about any third party, you must obtain that person’s permission to give us the information and inform them that you have given the information to us.


Direct Marketing

When you provide your personal details, you may consent to us using your personal information for direct marketing purposes (for an indefinite period).

From time to time, we may contact you with information about products and services offered by us and our related entities and our business partners, which we think may be of interest to you. When we contact you it may be by mail, telephone, email or SMS. We will only ever contact you if you have consented to direct marketing.

Where we use or disclose your personal information for the purpose of direct marketing, we will allow you to request not to receive direct marketing communications (also known as ‘opting-out’); and comply with your request to ‘opt-out’ of receiving further communications within a reasonable timeframe.

If you do not wish to be contacted by us, please contact us.


Data Quality and Security

We will take all reasonable steps to ensure that your personal information is stored securely and is protected from misuse and loss and from unauthorised access, modification or disclosure. Access to your personal information is restricted to those properly authorised to have access.

Please be aware that no security measures are perfect or impenetrable. We cannot control the actions of other users with whom you share your information. We cannot guarantee that only authorised persons will access or view your personal information. We cannot ensure that information you share on the Website or provide to us will not become publicly available. We are not responsible for third party circumvention of security measures on the Website or at any of our premises.

In relation to any personal information accessible through the Website, you can reduce these risks by using common sense security practices such as choosing a strong password, using different passwords for different services, and using up to date antivirus software.

We will always try to maintain accurate, complete and up-to-date information about you, so far as it is practicable for us to do so, and will take reasonable steps to update any personal information that we learn is inaccurate, incomplete or no longer up-to-date.

We keep your personal information for as long as it is required to provide you with the services you requested from us and to comply with legal requirements. If we no longer require your personal information for any purpose, including legal purposes, we will take reasonable steps to securely destroy or de-identify your personal information.


Website Usage

We take website and credit card security extremely seriously, and always endeavour to provide a secure safe platform on which to conduct online transactions.

When using our Website, you should be aware that there is always an inherent risk in transmitting your personal information via the Internet. It is important for you to protect against unauthorised access to your password and to your computer. Ensure you logout when you have finished visiting our Website especially if you accessed it from a shared computer.

When you access the Website we may make a record of your visit and logs for statistical and business purposes and we may collect information including: your server address, your domain name, IP address, the date and time of visit, the pages accessed and documents downloaded, the previous site visited, the operating system used and the type of browser used. We may also track some of the actions you take on the Website such as when you provide information or content to us.

You understand that any information you provide on the Website might be re-shared or copied by other users of the Website. Even after you remove information from your profile or delete your account with us, copies of your information may remain viewable elsewhere to the extent it has been shared with others or it was copied or stored by other users.


Links to Third Party Sites

Whilst links to third party websites may be provided on our Website, we are not responsible for the content or practices of these third party websites. These links are provided for your convenience and do not represent our endorsement of their content or currency. We recommend that you check the privacy policies of these third parties prior to providing them with your personal information.

No links may be made to this website without our prior written consent. Applications for consent must be made to us via email.


Access to or Correction of Your Personal Information

You can request access to the personal information we hold about you at any time, and we will provide you with that information unless we are prevented by law from giving it to you. If we are unable to give you access to the information you have requested, we will give you reasons for this decision when we respond to your request. You will not be charged for accessing your information, although we might have to charge the reasonable cost of processing your request, including photocopying, administration and postage. We will advise you of any fee payable before we process your request. If personal information we hold about you is incorrect, we will, on your request to correct it or where we are satisfied that the information is inaccurate, out of date, incomplete, irrelevant or misleading, take such steps as are reasonable in the circumstances to ensure that the information is corrected.

If you believe that your personal information is not accurate, complete or up to date, please contact us using the following details: Post: P.O. Box 270 Moorabbin, Victoria, Australia 3189 Email:


How You Can Notify Us Of A Privacy Concern

If you have queries, concerns or complaints about the manner in which your personal information has been collected or handled by us or would like to request access to or correction of the personal information we hold about you, please write to:

  • Post: Privacy Officer P.O. Box 270 Moorabbin, Victoria, Australia 3189

  • Email:

If you consider your privacy concerns have not been resolved satisfactorily by us, or you wish to obtain more information on privacy requirements, you can contact: Office of the Australian Information Commissioner

  • Phone: 1300 363 992 Website at

By visiting our Website and/or providing your personal information to us, you consent to the terms and conditions in this privacy policy, unless you tell us to the contrary by contacting us using the details above.



2. Whistleblower Policy

Nutricare Holdings Limited (Company) and its related bodies corporate (together the Group and individually each a Group member) encourages a culture within the Group of ‘speaking up’ to raise concerns about possible unlawful, unethical or socially irresponsible behaviour or other improprieties of or within the Group without fear of retaliation or otherwise being disadvantaged.

The Company encourages employees (and non-employees) who are aware of possible wrongdoing to have the confidence to speak up.

This policy encourages reporting of such matters and provides effective protection from victimisation or dismissal to those reporting by implementing systems for confidentiality and report handling. The policy is also to:

  • encourage more disclosures of wrongdoing;

  • help deter wrongdoing, in line with the Company’s risk management and governance framework;

  • ensure individuals who disclose wrongdoing covered by the policy can do so safely, securely and with confidence that they will be protected and supported;

  • ensure disclosures are dealt with appropriately and on a timely basis;

  • provide transparency around the Company’s framework for receiving, handling and investigating disclosures;

  • support the Company’s values, code of conduct and/or ethics policy;

  • support the Company’s long-term sustainability and reputation;

  • meet the Company’s legal and regulatory obligations; and

  • align with the ASX Corporate Governance Principles and Recommendations and relevant standards.

Disclosures of wrongdoing are of importance to the Company’s risk management and corporate governance framework.

This policy is an important and practical tool for helping the Company to identify wrongdoing that may not be uncovered unless there is a safe and secure means for disclosing wrongdoing.


Policy Rationale

The rationale for this policy is:

  • to support the Company’s values, code of conduct and/or ethics policy;

  • to encourage those who are aware of wrongdoing to speak up without fear of retribution;

  • to support the Company’s long-term sustainability and reputation;

  • to meet the Company’s legal and regulatory obligations; and

  • to align with the ASX Corporate Governance Principles and Recommendations (which applies to listed companies) and relevant standards.


Protected Matters

In addition to any protections under this policy, an ‘eligible whistleblower’ reporting certain information about a member of the Group may have additional protections under Part 9.4AAA of the Corporations Act 2001 (Cth) (Corporations Act), which may include, if eligible, identity protection, protection of disclosures to the Discloser’s lawyer, civil criminal and administrative liability protection, detrimental conduct protection and compensation and other remedies (Corporations Act Protections). Some of these are discussed in this policy. Similar protections are provided in the tax whistleblower regime under the Taxation Administration Act 1953 (Cth).

The Corporations Act Protections apply not only to internal disclosures, but to disclosures to legal practitioners for the purposes of obtaining legal advice in relation to Corporations Act Protections, certain regulatory and other external bodies, and public interest and emergency disclosures that are made in accordance with the Corporations Act. These matters are further discussed in this policy.


Qualifying Under The Corporations Act Protections

Pursuant to the Corporations Act Protections, an ‘eligible whistleblower’ (as defined) qualifies for protection as a whistleblower under the Corporations Act if they have made a disclosure of information relating to a ‘disclosable matter’ directly to an ‘eligible recipient’ (and accordingly are referred to as an ‘eligible whistleblower’ or Discloser in this policy) – discussed further at Part 7 below.

A Discloser qualifies for protection under the Corporations Act Protections from the time they make their disclosure, regardless of whether the Discloser or recipient recognises that the disclosure qualifies for protection.


Who This Policy Applies To - Eligible Whistleblowers

Pursuant to the Corporations Act Protections, an ‘eligible whistleblower’ is any of the following:

  • an officer or employee of a member of the Company (both current or former and includes interns, secondees, managers and directors);

  • a supplier (including their employees) of goods or services to the Company (both current and former);

  • an associate of the Company; and

  • a relative, dependant or spouse of any of the above.


Matters This Policy Applies To - Disclosable Matters

    Pursuant to the Corporations Act Protections, a disclosable matter is information in which the ‘eligible whistleblower’ has reasonable grounds to suspect that the information (Disclosable Matter):

    • concerns misconduct, or an improper state of affairs or circumstances in relation to the company or any of its related bodies corporate;

    • indicates that the company, a related body corporate or any of their officers or employees have engaged in conduct that constitutes an offence against, or a contravention of, a provision of any of the following:

      • the Corporations Act;

      • the ASIC Act;

      • the Banking Act 1959;

      • the Financial Sector (Collection of Data) Act 2001;

      • the Insurance Act 1973;

      • the Life Insurance Act 1995;

      • the National Consumer Credit Protection Act 2009;

      • the Superannuation Industry (Supervision) Act 1993;

      • an instrument made under an Act referred to above; or

    • constitutes an offence against any other law of the Commonwealth that is punishable by imprisonment for a period of 12 months or more;

    • represents a danger to the public or the financial system; or

    • is prescribed by the Corporation Regulations.

    See schedule 1 for further information on disclosable matters, including what constitutes misconduct and reasonable grounds to suspect, and workplace related grievances.


    Who Can Receive A Disclosure - Eligible Recipients

    To be eligible for the Corporations Act Protections, an ‘eligible whistleblower’ must report the Disclosable Matter directly to any of the following:

    • an officer or senior manager of the Company or a subsidiary;

    • a person authorised by the Company to received disclosures that may qualify for protection under Part 9.4AAA of the Corporations Act;

    • the Company’s auditor (internal or external and includes any member of the audit team);

    • legal practitioners for the purposes of obtaining legal advice or legal representation in relation to the operation of the whistleblower provisions in the Corporations Act are protected (even in the event the legal practitioner concludes that a disclosure does not relate to a ‘disclosable matter’);

    • the Australian Securities and Investments Commission (ASIC);

    • the Australian Prudential Regulation Authority (APRA);

    • Journalists, but only in the circumstances described in section 8 of this policy;

    • members of Commonwealth, State or Territory parliaments, but only in the circumstances described in section 8 of this policy; and

    • a person prescribed by Corporations Regulations to be an eligible recipient.

    For the purposes of the above, a senior manager is a senior executive within a company, other than a director or company secretary, who:

    • makes or participates in making decisions that affect the whole, or a substantial part, of the business of the company; or

    • has the capacity to significantly affect the Company’s financial standing; Regarding reporting to ASIC.

    For the purposes of the above, an officer includes directors and the company secretary of the Company.

    A discloser may wish to seek additional information before formally making a disclosure, in which case they may contact any of the above eligible recipients or an independent legal adviser.

    With regards to reporting disclosable matters to ASIC, please follow this link for details about how ASIC handles the report.


    Public Interest & Emergency Disclosure

    A Discloser may disclose Disclosable Matters to a journalist or parliamentarian qualify for protection under the Corporations Act Protection where the disclosure is a public interest disclosure or an emergency disclosure under the Corporations Act.

    A ‘public interest disclosure’ is the disclosure of information to a journalist or a parliamentarian, where:

    • at least 90 days have passed since the Discloser made the disclosure to ASIC, APRA or another Commonwealth body prescribed by regulation;

    • the Discloser does not have reasonable grounds to believe that action is being, or has been taken, in relation to their disclosure;

    • the Discloser has reasonable grounds to believe that making a further disclosure of the information is in the public interest; and

    • before making the public interest disclosure, the Discloser has given written notice to the body to which the previous disclosure was made that:

      • includes sufficient information to identify the previous disclosure; and

      • states that the Discloser intends to make a public interest disclosure.

    An ‘emergency disclosure’ is the disclosure of information to a journalist or parliamentarian, where:

    • the Discloser has previously made a disclosure of the information to ASIC, APRA or another Commonwealth body prescribed by regulation;

    • the Discloser has reasonable grounds to believe that the information concerns a substantial and imminent danger to the health or safety of one or more persons or to the natural environment;

    • before making the emergency disclosure, the Discloser has given written notice to the body to which the previous disclosure was made that:

      • includes sufficient information to identify the previous disclosure; and

      • states that the Discloser intends to make an emergency disclosure; and

    • the extent of the information disclosed in the emergency disclosure is no greater than is necessary to inform the journalist or parliamentarian of the substantial and imminent danger.

    A Discloser should contact the WPIO or an independent legal adviser to ensure they understand the criteria for making a public interest or emergency disclosure that qualifies for protection before for making a disclosure in reliance on the Corporations Act Protections for those types of disclosures.


    How To Make A Disclosure - Reporting Disclosable Matters Within The Company

    Where an ‘eligible whistleblower’ is concerned about potential Disclosable Matters they may report the matter to the Whistleblower Protection and Investigation Officer (WPIO). The current WPIO is as follows:


    Name: Luke Leviston

    Position: Chief Financial Officer

    Tel: 1300 824 739



    A Discloser must have objectively reasonable grounds for suspecting Disclosable Matters. It is a serious disciplinary offence to make allegations that prove to be unsubstantiated and made maliciously or known to be false.

    Individuals who deliberately submit false reports will not able to access the whistleblower protections under the Corporations Act. Deliberately submitting false reports is strongly discouraged.  

    If any person is not comfortable speaking with the WPIO on a particular matter or if they are unavailable and the matter is urgent, they should contact a member of the board of directors of the Company (Board) or another member of management personnel within the Group (WPIO Alternative), who shall undertake the WPIO’s responsibilities under this policy in relation to the matter to the extent of their capabilities.

    If a WPIO Alternative is advised of a Disclosable Matter from a Discloser they may disclose the matter to the WPIO and the Board unless they consider there is good reason not to in the context of undertaking an investigation.

    Generally, the WPIO who receives a disclosure of a Disclosable Matter will handle and investigate the matter. However, where the matter implicates either party the matter should be handled and investigated by a non-interested member of the Board, or failing one, an external consultant nominated by the chairman of the Board.

    A Discloser may:

    • make the disclosure anonymously. This can be done with or without the WPIO’s knowledge of the identity of the Discloser at the Discloser’s discretion. If disclosure is to be made without anybody (including the WPIO) knowing the identity of the Discloser, the disclosure should be sent by an anonymous letter or email) directed to the WPIO with inclusion of all information relevant to the matter. Other services that enable anonymous communication (i.e. anonymous phonelines and email addresses) may be used to communicate with the WPIO;

    • choose to adopt a pseudonym for the purposes of their disclosure, and not use their true name, to remain anonymous. This may be appropriate in circumstances where the Discloser’s identity is known to their supervisor, the internal reporting point or whistleblower protection officer, but the Discloser prefers not to disclose their identity to others;

    • refuse to answer questions that they feel could reveal their identity during follow-up conversations; and

    • request meetings with the WPIO occur outside of business hours and the WPIO must make themselves available for such meetings.


    Legal Protections For A Discloser - Anonymity

      There is no obligation for a Discloser to reveal their identity and if they reveal it to the WPIO they may request that their identity remain confidential and known only to the WPIO. 

      Disclosures of Disclosable Matters by a Discloser can be made anonymously and or confidentially and still be protected under the Corporations Act. 

      If the Discloser reports anonymously, the WPIO is required to preserve that person’s anonymity and will not disclose their identity except with the Discloser’s consent or as permitted by the Corporations Act Protections.

      Communications between anonymous Disclosers and the WPIO can occur through anonymous telephone lines and anonymous email addresses. As noted in the section above, Disclosers choosing to remain anonymous can adopt a pseudonym.

      It is important for Disclosers to understand that in some situations, if they choose for their identity to remain anonymous this can limit or prevent the Company’s ability to effectively investigate the matter or to take appropriate action.  If this is the case, the Discloser will be contacted to discuss the matter further and explain the limitations caused and protections that can be provided, so that the Discloser can make an informed choice about whether to remain anonymous.

      If confidentiality of the identity of a Discloser is required, a WPIO must provide assurance to a Discloser that the Company is committed to protecting the confidentiality of their identity subject to the Corporations Act Protections.

      The WPIO must explain the procedures the Company has in place for ensuring confidentiality.  The WPIO must also explain that people may be able to guess the Discloser’s identity if:

      • the Discloser has previously mentioned to other people that they are considering making a disclosure;

      • the Discloser is one of a very small number of people with access to the information; or

      • the disclosure relates to information that a Discloser has previously been told privately and in confidence.

      Where a Discloser desires their identity remains anonymous the Company and others have legal obligations to protect the confidentiality of their identity subject to certain exceptions discussed below.

      In practice, a Discloser may be asked for consent to a limited disclosure (e.g. disclosure to the entity’s WPIO).

      If disclosure comes from an email address from which the sender’s identity cannot be determined, and the discloser does not identify themselves in the email, it should be treated as an anonymous disclosure.

      Generally, person cannot disclose the identity of a Discloser or information that is likely to lead to the identification of the Discloser (which they have obtained directly or indirectly because the Discloser made a disclosure that qualifies for protection under the Corporations Act Protections).

      However, a person may disclose the identity of a Discloser:

      • to ASIC, APRA, or a member of the Australian Federal Police;

      • to a legal practitioner (for the purposes of obtaining legal advice or legal representation about the whistleblower provisions in the Corporations Act);

      • to a person or body prescribed by the Corporations Regulations; or

      • with the consent of the Discloser.

      A person can disclose the information contained in a disclosure of Disclosable Matters without the Discloser’s consent if:

      • the information does not include the Discloser’s identity;

      • the Company has taken all reasonable steps to reduce the risk that the Discloser will be identified from the information; and

      • it is reasonably necessary for investigating the issues raised in the disclosure.

      ASIC, APRA or the Australian Federal Police can disclose the identity of the Discloser, or information that is likely to lead to the identification of the Discloser, to a Commonwealth, state or territory authority to help the authority in the performance of its functions or duties.

      It is illegal for a person to identify a Discloser or disclose information that is likely to lead to the identification of the Discloser, outside of the exceptions above.


      Legal Protections For A Discloser - Confidentiality

      The Company has measures in place for ensuring confidentiality. The Company has established secure record-keeping and information sharing procedures and ensures that:

      • all paper and electronic documents and other materials relating to disclosures are stored securely;

      • all personal information or reference to the Discloser witnessing an event will be redacted;

      • the Discloser will be referred to in a gender-neutral context;

      • where possible, the Discloser will be contacted to help identify certain aspects of their disclosure that could inadvertently identify them;

      • all information relating to a disclosure can only be accessed by those directly involved in managing and investigating the disclosure;

      • only a restricted number of people who are directly involved in handling and investigating a disclosure are made aware of a Discloser’s identity or information that is likely to lead to the identification of the Discloser;

      • communications and documents relating to the investigation of a disclosure are not sent to an email address or to a printer that can be accessed by other staff; and

      • each person who is involved in handling and investigating a disclosure is reminded that they should keep the identity of the Discloser and the disclosure confidential and that an unauthorised disclosure of a Discloser’s identity may be a criminal offence.

      A Discloser can lodge a complaint with the Company about a breach of confidentiality to the WPIO. They may also lodge a complaint with a regulator, such as ASIC or APRA, for investigation.


      Legal Protections For A Discloser - Protection From Detrimental Acts Or Omissions

      There are legal protections for protecting a Discloser, or any other person, from detriment in relation to a disclosure.

      A person cannot engage in conduct that causes detriment to a Discloser (or another person), in relation to a disclosure of Disclosable Matters, if:

      • the person believes or suspects that the Discloser (or another person) made, may have made, proposes to make or could make a disclosure that qualifies for protection; and

      • the belief or suspicion is the reason, or part of the reason, for the conduct.

      In addition, a person cannot make a threat to cause detriment to a Discloser (or another person) in relation to a disclosure of Disclosable Matters. A threat may be express or implied, or conditional or unconditional. A Discloser (or another person) who has been threatened in relation to a disclosure does not have to actually fear that the threat will be carried out.

      Examples of detrimental conduct include:

      • dismissal of an employee;

      • injury of an employee in his or her employment;

      • alteration of an employee’s position or duties to his or her disadvantage;

      • discrimination between an employee and other employees of the same employer;

      • harassment or intimidation of a person;

      • harm or injury to a person, including psychological harm;

      • damage to a person’s property;

      • damage to a person’s reputation;

      • damage to a person’s business or financial position; or

      • any other damage to a person.

      Some actions may not necessarily be detrimental conduct. In practice, administrative action that is reasonable to protect a Discloser from detriment (e.g. when the disclosure relates to wrongdoing in the Discloser’s immediate work area) will not be considered as detrimental conduct. Protecting a Discloser from detriment also does not prevent the Company from managing a Discloser’s unsatisfactory work performance, if the action is in line with the Company’s performance management framework. It is important for a Company to ensure that a Discloser understands the reason for the Company’s administrative or management action.

      The Company will protect Disclosers from detrimental acts or omissions including by:

      • protecting their welfare;

      • assessing the risk of detriment against a Discloser and other persons (e.g. other staff who might be suspected to have made a disclosure) as soon as possible after receiving a disclosure;

      • providing support services (including counselling or other professional or legal services) as requested;

      • developing strategies to help a Discloser minimise and manage stress, time or performance impacts, or other challenges resulting from the disclosure or its investigation;

      • allowing the Discloser to perform their duties from another location, reassign the Discloser to another role at the same level, make other modifications to the Discloser’s workplace or the way they perform their work duties, or reassign or relocate other staff involved in the Disclosable Matter;

      • will ensure that management are aware of their responsibilities to:

        • maintain the confidentiality of a disclosure;

        • address the risks of isolation or harassment;

        • manage conflicts; and

        • ensure fairness when managing the performance of, or taking other management action relating to, a Discloser; and

      • having complaints about determinant investigated as a separate matter by an officer who is not involved in dealing with disclosures and the investigation findings will be provided to the Overseeing Committee.

      Where an allegation of determinantal conduct has occurred, the Company will investigate and address the detrimental conduct by taking disciplinary action or:

      • allow the Discloser to take extended leave;

      • develop an alternative career development plan for the Discloser, including new training and career opportunities; or

      • the Company could offer compensation or other remedies.

      A Discloser may seek independent legal advice or contact regulatory bodies, such as ASIC, APRA or the ATO, if they believe they have suffered detriment.


      Whistleblower Protection & Investigation Officer

      The WPIO is responsible within the Group for investigation and resolving all reported complaints and allegations concerning Disclosable Matters. 

      At their discretion, the WPIO shall advise the Chairman and/ or Managing Director of the Company of the Disclosable Matters having consideration to any anonymity wishes of the Discloser and the circumstances of the Disclosable Matters.

      The Overseeing Committee be notified immediately, if a disclosure of Disclosable Matters relates to serious misconduct.

      The WPIO is provided direct access to the Board or any relevant sub-committee charged with overseeing this policy (either being the Overseeing Committee as determined by the Board).

      Disclosers, whether employees or external parties, are encouraged to make a disclosure of Disclosable Matters to the Company, through the WPIO, in the first instance. The Company would like to identify and address wrongdoing as early as possible. The Company’s approach is intended to help build confidence and trust in its whistleblower policy, processes and procedures. However, Disclosers are entitled to disclose Disclosable Matters to external parties as set out in Part 8 of this policy in addition or substitution of disclosure to the Company.

      Currently, the Company has not appointed an independent whistleblowing service provider to directly receive disclosures of Disclosable Matters from Disclosers.  However, independent whistleblowing services may be engaged by the WPIO or Company on a case by case basis if determined as necessary.

      The Company will provide the WPIO access to independent advisers as reasonably required by the WPIO. The WPIO may report directly to a senior executive or officer with responsibility for legal, compliance or risk matters.


      Handling & Investigating A Disclosure

      All reports will be promptly considered and, if warranted, investigated with appropriate corrective action will be taken. 

      The WPIO will notify the Discloser to acknowledge receipt of their report within five (5) business days, if the Discloser can be contactable. 

      The WPIO will need to assess each disclosure to determine whether:

      • it falls within the policy; and

      • a formal, in-depth investigation is required,

      and advise the Discloser of the outcome.

      If an investigation is required, the WPIO will need to determine:

      • the nature and scope of the investigation;

      • the person(s) within and/or outside the Company that should lead the investigation;

      • whether additional internal or external investigators are required;

      • the nature of any technical, financial or legal advice that may be required to support the investigation; and

      • the timeframe for the investigation.

      When assessing disclosures the WPIO should focus on the substance, rather than the motive of the disclosure. It is also important for the WPIO and Company not to assume that disclosures about conduct or behaviour that appear to have had a personal impact on a Discloser are somehow less serious. The Discloser’s experience may indicate a larger or systemic issue. For example, bullying or harassment experienced by the Discloser may be representative of a more general culture of bullying or harassment in the Company or may indicate an environment where other misconduct is occurring. In circumstances where it may be unclear whether a disclosure qualifies for protection, a WPIO and Company could elect to treat the Discloser as though they were protected as a whistleblower under the Corporations Act (or the Taxation Administration Act, where relevant).

      When an investigation needs to be undertaken, the process will be thorough, objective, fair and independent, while preserving the confidentiality of the investigation. The objective of an investigation is to determine whether there is enough evidence to substantiate or refute the matters reported.

      The WPIO must ensure that all investigations follow best practice.

      The WPIO and will investigate and/or take action to address all matters reported under this policy.  Investigations will be conducted in an objective and fair manner, in line with the Company’s values and procedures.  Where appropriate, feedback will be provided to the Discloser regarding the investigation’s progress and/or outcome. The investigation process may vary depending on the nature of the disclosure as determined by the investigating person.

      Investigations will ensure fair treatment of employees of the Company and its related bodies corporate who are mentioned in the report of Disclosable Matters or to whom such disclosures relate. This includes without limitation affording such person’s due process and a right to be heard on the matter during the conduct of the investigation and before making any adverse finding against them.

      There are limitations of the Company’s investigation process. The Company may not be able to undertake an investigation if it is not able to contact the Discloser (e.g. if a disclosure is made anonymously and the Discloser has refused or omitted to provide a means of contacting them).

      Without the Discloser’s consent, the Company cannot disclose information that is contained in a disclosure as part of its investigation process—unless:

      • the information does not include the Discloser’s identity;

      • the Company removes information relating to the Discloser’s identity or other information that is likely to lead to the identification of the Discloser (e.g. the Discloser’s name, position title and other identifying details); and

      • it is reasonably necessary for investigating the issues raised in the disclosure.

      To protect a Discloser’s identity from being revealed and to protect them from detriment, the Company could investigate a disclosure by conducting a broad review on the subject matter or the work area disclosed. In addition, it could investigate an anonymous disclosure, even if it cannot get in contact with the Discloser, if the Discloser has provided sufficient information to the Company and the Company removes information that is likely to lead to the identification of the Discloser.

      All investigations need to be independent of the Discloser, the individuals who are the subject of the disclosure, and the department or business unit involved.

      The WPIO will provide Disclosers with updates at various stages—for example when the investigation process has begun, while the investigation is in progress and after the investigation has been finalised. Updates will be provided monthly through the Discloser’s desired means of communication. At the end of the investigation, the Discloser will be notified of the outcome of the findings.  The method for documenting and reporting the findings will depend on the nature of the disclosure.  There may be circumstances where it may not be appropriate to provide details of the outcome to the Discloser.

      The findings from an investigation will be documented and reported to those responsible for oversight of the policy, while preserving confidentiality.

      An employee who is the subject of a disclosure of Disclosable Matters will be advised about:

      • the subject matter of the disclosure as and when required by principles of natural justice and procedural fairness, and prior to any actions being taken—for example, if the disclosure is to be the subject of an investigation or if the disclosure is serious and needs to be referred to ASIC, APRA or the Federal Police; and

      • the outcome of the investigation (but they will not be provided with a copy of the investigation report).

      The Company may determine the most appropriate time to inform the individual who is the subject of a disclosure about the investigation, provided that they inform the individual before making any adverse finding against them. In some circumstances, informing the individual at an early stage of an investigation may compromise the effectiveness of the investigation, such as when there may be concerns that the individual may destroy information or the disclosure needs to be referred to ASIC, APRA, the ATO or the Federal Police.

      At any time during before or during an investigation the WPIO may exercise independent judgment in terms of whether potential problems discovered from disclosures of Disclosable Matters need to be advised of to other areas within the Company and the WPIO is empowered to take matters straight to the Company’s board of directors.  Where possible (as determined by the WPIO) the Company’s board of directors should be afforded oversight and monitoring of investigations.


      Discloser Not Satisfied With Outcome

      If the Discloser is not satisfied with the outcome of the investigation it may refer the matter to the Overseeing Committee, or their nominee, for review. The review should be conducted by an officer who is not involved in handling and investigating disclosures. In addition, the review findings should be provided to the board or audit or risk committee and the Discloser.

      The Company is not obliged to reopen an investigation and that it can conclude a review if it finds that the investigation was conducted properly, or new information is either not available or would not change the findings of the investigation.

      A Discloser may lodge a complaint with a regulator, such as ASIC, APRA or the ATO, if they are not satisfied with the outcome of the Company’s investigation.


      Risk Assessment Framework & Procedures

      The WPIO should establish frameworks and procedures relating to the implementation of this policy which should cover risk identification, risk analysis and evaluation, risk control and risk monitoring.

      Upon receiving a report from a Discloser, the WPIO should gather information from a Discloser about:

      • the risk of their identity becoming known;

      • who they fear might cause detriment to them;

      • whether there are any existing conflicts or problems in the work place; and

      • whether there have already been threats to cause detriment.

      The WPIO should also assess whether anyone may have a motive to cause detriment.

      Each risk should be analysed. The likelihood of each risk and the severity of the consequences should be evaluated. In addition, strategies should be developed and implemented to prevent or contain the risks.

      If an anonymous disclosure is made, the Company should conduct a risk assessment to assess whether the Discloser’s identity can be readily identified or may become apparent during an investigation.

      As the risk of detriment may increase or change as an investigation progresses, and even after an investigation is finalised, the WPIO should monitor and reassess the risk of detriment.

      Steps in assessing and controlling the risk of detriment

      • Risk identification: Assessing whether anyone may have a motive to cause detriment—information could be gathered from a discloser about:

        • the risk of their identity becoming known;

        • who they fear might cause detriment to them;

        • whether there are any existing conflicts or problems in the work place; and

        • whether there have already been threats to cause detriment.

      • Risk analysis and evaluation: Analysing and evaluating the likelihood of each risk and evaluating the severity of the consequences.

      • Risk control: Developing and implementing strategies to prevent or contain the risks—for anonymous disclosures, it may be worthwhile assessing whether the discloser’s identity can be readily identified or may become apparent during an investigation.

      • Risk monitoring: Monitoring and reassessing the risk of detriment where required—the risk of detriment may increase or change as an investigation progresses, and even after an investigation is finalised.

      The WPIO should keep appropriate records of its risk assessments and risk control plans.


      Compensation &  Other Remedies

      A Discloser (or any other employee or person) can seek compensation and other remedies through the courts if:

      • they suffer loss, damage or injury because of a disclosure; and

      • the Company failed to take reasonable precautions and exercise due diligence to prevent a person from causing the detriment.

      Disclosers’ should to seek independent legal advice before disclosing disclosable matters.


      Civil, Criminal & Administrative Liability Protection

      A Discloser is protected from any of the following in relation to their disclosure:

      • civil liability (e.g. any legal action against the Discloser for breach of an employment contract, duty of confidentiality or another contractual obligation);

      • criminal liability (e.g. attempted prosecution of the Discloser for unlawfully releasing information, or other use of the disclosure against the Discloser in a prosecution (other than for making a false disclosure)); and

      • administrative liability (e.g. disciplinary action for making the disclosure).

      However, the above protections do not grant immunity for any misconduct a Discloser has engaged in that is revealed in their disclosure.


      Auditing Matters / Retention Of Records

      The Company is committed to reviewing and updating this policy, processes and procedures. The Company is committed to ensuring the policy is operating effectively and commitment to identifying and rectifying issues. It is important for the Overseeing Committee to ensure that the broader trends, themes and/or emerging risks highlighted by the disclosures made under this policy are addressed and mitigated by the Company as part of its risk management and corporate governance work plans.

      The Overseeing Committee and WPIO will have a biannual audit and review of the policy and related procedures to check if reports of Disclosable Matters were appropriately recorded, investigated and responded to and whether any changes are required to this policy. Changes should be implemented in a timely manner.

      In reviewing the policy, processes and procedures, the Overseeing Committee and WPIO could consider which aspects worked well and did not work well since they were last reviewed. Some issues to consider include whether:

      • the scope and application of the policy are appropriate, particularly if there have been changes to the Company’s business;

      • the policy, processes and procedures are helpful and easy to understand;

      • the policy, processes and procedures reflect current legislation and regulations, and current developments and best practice for managing disclosures; and

      • the Company’s handling of disclosures and its protections and support for Disclosers need to be improved.

      The Overseeing Committee and WPIO could consult with and seek feedback from its employees about the effectiveness of this policy its processes and procedures.

      Updates to this policy and processes and procedures under it following a review must be widely disseminated to, and easily accessible by, individuals covered by the policy.

      When necessary (e.g. if there has been a change to the disclosure procedures), the Company will provide targeted communications and training to all employees and eligible recipients, and additional specialist training to staff members who have specific roles and responsibilities under the policy.

      The WPIO is charged with establishing processes and procedures for matters relating to this policy and for implementing and overseeing any changes to this policy.

      The Overseeing Committee shall retain all records relating to any concern or report of Disclosable Matters of a retaliatory act and to the investigation of any such report for a period judged to be appropriate based upon the merits of the submission.  The types of records to be retained shall include records of all steps taken in connection with the investigation and the results of any such investigation.


      Privacy & Security Of Personal Information

      The Company has in place appropriate information technology resources and organisational measures for securing the personal information they receive, handle and record as part of this policy.  Due to the sensitivity of the information, any leaks or unauthorised disclosure (including from malicious cyber activity) may have adverse consequences for the Disclosers, the individuals who are subject of disclosures and the Company.

      The Privacy Act 1988 (Cth) (Privacy Act) regulates the handling of personal information about individuals.  It includes 13 Australian Privacy Principles (APPs), which set out standards, rights and obligations for the handling, holding, use, accessing and correction of personal information (including sensitive information).  The Company is required to notify affected individuals and the Office of the Australian Information Commissioner about a data breach, if it is likely to result in serious harm to individuals whose personal information is involved in the breach.

      The Company will consult the APPs and other relevant industry, government and technology-specific standards, guidance and frameworks on data security to help safeguard their information.



      The WPIO should submit periodic reports could be submitted to the Overseeing Committee on the following, when it is not likely to lead to the identification of a Discloser:

      • the subject matter of each disclosure;

      • the status of each disclosure;

      • for each disclosure, the type of person who made the disclosure (e.g. employee or supplier) and their status (e.g. whether they are still employed or contracted by the Company);

      • the action taken for each disclosure;

      • how each disclosure was finalised;

      • the timeframe for finalising each disclosure; and

      • the outcome of each disclosure.

      Statistics on the following could also be included in the periodic reports:

      • the timeframe between receiving a disclosure and responding to a Discloser, including the time taken to respond to subsequent messages from a Discloser;

      • the timeframe between receiving a disclosure and assessing whether a disclosure should be investigated;

      • the timeframe between commencing and finalising an investigation; and

      • how frequently communications are made with a Discloser.

      The statistics could be compared to the timeframes outlined in the Company’s policy and procedures for handling and investigating disclosures.

      The report will also include statistics on the total number of reports received, including:

      • the number of reports made through each of the different options available for making a disclosure under the Company’s policy;

      • the types of matters reported; and

      • reports provided by line of business, department, country, office or location.

      In addition, if considered necessary and relevant by the WPIO, the report may also include measures on employees’ understanding of the policy. This information could be gathered through:

      • surveying a sample of staff after the Company initially implements this policy;

      • having conversations with a sample of employees; or

      • monitoring the proportion of disclosures that relate to matters covered by this policy, against those that fall outside the policy.



        The Group will provide for the training of employees about this policy and their rights and obligations under it.

        The Group will provide for the training of managers and others who may receive reports of Disclosable Matters about how to respond to them.

        The Company will monitor employees’ understanding of this policy on a periodic basis may help the Company to determine where there are knowledge gaps in their employees’ understanding of this policy.

        The employee training could include:

        • the key arrangements of the Company’s whistleblower policy, processes and procedures, including:

          • practical examples of disclosable matters;

          • practical information on how to make a disclosure; and

          • advice on how Disclosers can seek further information about the policy if required.

        • information related to protecting and supporting Disclosers, including:

          • the measures the Company has in place for protecting and supporting Disclosers;

          • practical working examples of conduct that may cause detriment to a Discloser; and

          • the consequences for engaging in detrimental conduct.

        • information about matters that are not covered by the Company’s policy, including:

          • practical examples of the types of matters that are not covered by the Company’s policy;

          • information on the Company’s other policies (e.g. on bullying and harassment, workplace health and safety, grievance and code of conduct matters); and

          • information on how and where employees can report general employee feedback or personal work-related grievances.

        The management training could cover the Company’s commitment and obligations to protecting Disclosers of wrongdoing. It could also cover how this policy interacts with the Company’s other policies (e.g. on bullying and harassment). It is important for the training to be incorporated as part of the Company’s management competency training.

        The Company is committed to monitoring the effectiveness of its policy, processes and procedures.

        This policy is intended to be widely disseminated to and easily accessible by its officers and employees. The Company may:

        • hold staff briefing sessions and/or smaller team meetings;

        • make the policy accessible on the staff intranet or other communication platform;

        • post information on staff noticeboards;

        • set out the policy in the employee handbook; and

        • incorporate the policy in employee induction information packs and training for new starters.

        It is important that all levels of management within an entity, particularly line managers, receive appropriate training in how to effectively deal with disclosures.

        Specialist training should be provided to staff members who have specific responsibilities under the policy.

        Australian entities with overseas-based related entities need to ensure that people in their overseas-based operations also receive appropriate training, since disclosures made to the Company’s overseas-based eligible recipients and disclosures about the Company’s overseas-based entities and their officers and employees may qualify for protection.


        Support & Practical Protection - No Retaliation

        A Discloser will not be personally disadvantaged by having made a report.  This includes not being disadvantaged by way of dismissal, demotion, any form of harassment, discrimination or current of future bias.

        No current or former Discloser, who reports Disclosable Matters under this policy shall suffer detriment, either actual or threatened, harassment, retaliation or adverse employment or engagement consequence. 

        If someone engaged by a Group member retaliates against a Discloser, the first mentioned person may be subject to discipline in the Board’s discretion depending on the severity of the conduct, which may include termination of employment or services.

        All Disclosers are requested to report to the WPIO any retaliation or victimisation of a person that reports Disclosable Matters.


        Policy Easily Accessible - Website

        This policy will be available for review on the Company’s website at in the Investors Centre section of the website.

        The Company may exclude information that would not be useful or relevant to external Disclosers or that would not be suitable for external publication.


        Schedule 1 - Disclosable Matters

        Disclosable matters include conduct that may not involve a contravention of a particular law.

        For example, ‘misconduct or an improper state of affairs or circumstances’ may not involve unlawful conduct in relation to the Company or a related body corporate of the Company but may indicate a systemic issue that the relevant regulator should know about to properly perform its functions. It may also relate to dishonest or unethical behaviour and practices, conduct that may cause harm, or conduct prohibited by the Company’s standards or code(s) of conduct.

        Information that indicates a significant risk to public safety or the stability of, or confidence in, the financial system is also a disclosable matter, even if it does not involve a breach of a particular law.

        A Discloser can still qualify for protection even if their disclosure turns out to be incorrect.

        The term ‘reasonable grounds to suspect’ is based on the objective reasonableness of the reasons for the Discloser’s suspicion. It ensures that a Discloser’s motive for making a disclosure, or their personal opinion of the person(s) involved, does not prevent them from qualifying for protection. In practice, a mere allegation with no supporting information is not likely to be considered as having ‘reasonable grounds to suspect’. However, a Discloser does not need to prove their allegations.

        Examples of disclosable matters may include:

        • illegal conduct, such as theft, dealing in, or use of illicit drugs, violence or threatened violence, and criminal damage against property;

        • fraud, money laundering or misappropriation of funds;

        • offering or accepting a bribe;

        • financial irregularities;

        • failure to comply with, or breach of, legal or regulatory requirements; and

        • engaging in or threatening to engage in detrimental conduct against a person who has made a disclosure or is believed or suspected to have made or be planning to make a disclosure.

        Disclosable matters do not include other matters like personal - work related grievances where they do not relate to disclosable matters. These are matters that relate to the Discloser but do not:

        • have any implications for the Company or its related bodies corporate; or

        • relate to any conduct or alleged conduct, about a disclosable matter.

        Examples of work-related grievances may include:

        • an interpersonal conflict between the Discloser and another employee; and

        • decisions that do not involve a breach of workplace laws:

        • decisions about the engagement, transfer or promotion of the Discloser;

        • decisions about the terms and conditions of engagement of the Discloser; or

        • decisions to suspend or terminate the engagement of the Discloser, or otherwise to discipline the Discloser.

        However, workplace grievances may include disclosable matters in which case they may be eligible for protection under the Corporations Act Protections. For example, if:

        • a personal work-related grievance includes information about misconduct, or information about misconduct includes or is accompanied by a personal work-related grievance (mixed report);

        • the Company or a related body corporate has breached employment or other laws punishable by imprisonment for a period of 12 months or more, engaged in conduct that represents a danger to the public, or the disclosure relates to information that suggests misconduct beyond the Discloser’s personal circumstances;

        • the Discloser suffers from or is threatened with detriment for making a disclosure; or

        • the Discloser seeks legal advice or legal representation about the operation of the whistleblower protections under the Corporations Act.

        Disclosures about matters which are not covered by the Corporations Act Protections do not qualify for protection under the Corporations Act (or the Taxation Administration Act where relevant).

        Such disclosures may be protected under other legislation, such as the Fair Work Act 2009 (Cth) (Fair Work Act).

        Disclosures that relate solely to personal work-related grievances, and that do not relate to detriment or threat of detriment to the Discloser, do not qualify for protection under the Corporations Act.

        Employees of the Company or related bodies corporate can internally raise personal work-related grievances and other types of issues or concerns that are not covered by the policy with the WPIO. Employees are encouraged to seek legal advice about their rights and protections under employment or contract law, and how to resolve their personal work-related grievance.