Whistleblower Protections Under the Aged Care Act 2024

24 March 2026 · 9 min read · Statura Care

Fear of reprisal remains one of the greatest barriers to reporting wrongdoing in aged care. Staff who witness unsafe practices, financial misconduct, or neglect face a painful dilemma: speak up and risk their livelihood, or stay silent and allow harm to continue. The Aged Care Act 2024 addresses this directly. Sections 547-554 establish a statutory whistleblower protection framework that shields anyone who reports suspected breaches of aged care laws from adverse action, identity disclosure, and reprisal. For providers, these protections are not optional — they are a registration condition. For governing bodies, they represent both a legal obligation and a test of organisational culture. If your people do not feel safe to raise concerns, your compliance framework has a structural weakness that no amount of documentation can fix.

Who is protected and what qualifies as a protected disclosure?

The protections under ss 547-554 apply broadly. Any person who discloses information about suspected contraventions of aged care legislation, risks to the safety or wellbeing of care recipients, or conduct that falls below the standards expected of a registered provider may qualify as a protected discloser. This includes current and former employees, contractors, volunteers, board members, and — critically — care recipients and their families.

A disclosure qualifies for protection when it is made to an eligible recipient within the provider organisation (such as a compliance officer, CEO, or board chair), or directly to the Aged Care Quality and Safety Commission (ACQSC) or another Commonwealth body. The discloser does not need to prove that the conduct actually occurred — a reasonable suspicion that a breach has taken place or is occurring is sufficient. Importantly, the discloser does not need to identify themselves by name if the disclosure is made through an anonymous channel, provided the provider has one in place.

Protected disclosures are not limited to criminal conduct. They encompass breaches of registration conditions, failures to meet the Aged Care Quality Standards, unsafe clinical practices, financial mismanagement, and systemic failures in governance. The breadth of the definition reflects a deliberate legislative intent: the scheme is designed to surface problems early, before they escalate into serious incidents or harm.

Provider obligations under ss 547-554

The Act imposes four specific obligations on registered providers. First, every provider must have a documented whistleblower policy that explains how disclosures can be made, who the eligible recipients are, how disclosures will be investigated, and what protections are available to disclosers. This policy must be reviewed at least annually and be accessible to all staff, contractors, and volunteers.

Second, providers must establish confidential disclosure channels. This means providing at least one mechanism through which a person can make a disclosure without their identity being revealed to anyone other than a designated eligible recipient. Best practice is to offer multiple channels — such as a secure online portal, a dedicated email address, and a direct reporting line to the board chair — so that disclosers can choose the channel they are most comfortable with.

Third, the provider must designate eligible recipients. These are the individuals authorised to receive protected disclosures and access discloser identity information. Eligible recipients are typically the compliance officer, CEO, and board chair. The list should be kept small, documented in the whistleblower policy, and reviewed whenever personnel changes occur.

Fourth, the existence of a whistleblower policy is a registration condition. The ACQSC can — and does — verify that a current policy exists during assessment contacts. A missing or outdated policy is a compliance gap that puts your registration at risk.

Identity protection and no-reprisal

The identity protection provisions in the Act are among its most stringent. Once a protected disclosure is made, the discloser's identity must be restricted to eligible recipients only. No other person — including managers, HR staff, or the subject of the disclosure — may be told who made the report. Breaching this restriction is itself a contravention of the Act.

This has practical implications for how providers design their systems. Paper-based or email-based disclosure processes are inherently risky because they create records that can be accessed by people outside the eligible recipient group. A compliant system must enforce access controls at the technology level — restricting visibility of the discloser's identity to designated users and logging every access event for audit purposes.
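A minimal sketch of that control, added here as an illustration and not Statura Care's code: the case view is redacted by default, the identity lookup is deny-by-default, and every attempt is logged whether granted or denied. The role names, user IDs, field names and sample record are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumed role names, mirroring the article's typical eligible recipients.
ELIGIBLE_ROLES = frozenset({"compliance_officer", "ceo", "board_chair"})

@dataclass(frozen=True)
class Disclosure:
    disclosure_id: str
    summary: str
    discloser_identity: Optional[str]  # None for anonymous submissions

@dataclass
class DisclosureStore:
    roles: dict  # user_id -> role, assigned by an administrator, never by the caller
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add(self, d: Disclosure) -> None:
        self.records[d.disclosure_id] = d

    def read_case(self, disclosure_id: str) -> dict:
        """Redacted view for investigators: never contains the identity field."""
        d = self.records[disclosure_id]
        return {"disclosure_id": d.disclosure_id, "summary": d.summary}

    def read_identity(self, user_id: str, disclosure_id: str) -> Optional[str]:
        """Deny by default; record every attempt, granted or not, before returning."""
        granted = self.roles.get(user_id) in ELIGIBLE_ROLES
        self.audit_log.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,
            "disclosure_id": disclosure_id,
            "action": "read_identity",
            "granted": granted,
        })
        if not granted:
            raise PermissionError(f"{user_id} is not an eligible recipient")
        return self.records[disclosure_id].discloser_identity

def demo() -> DisclosureStore:
    # Constructed sample data, not taken from any real system.
    store = DisclosureStore(roles={"u-101": "compliance_officer", "u-205": "hr_manager"})
    store.add(Disclosure("WB-0001", "Medication round skipped on night shift", "Sample Discloser"))
    return store
```

Logging denied attempts matters as much as logging granted ones: a refused lookup by someone outside the eligible recipient group is exactly the event an auditor will want to see.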

The no-reprisal protections are equally important. Providers must not take any adverse action against a person because they made, or are suspected of having made, a protected disclosure. Adverse action includes termination, demotion, transfer, reduction in hours, exclusion from opportunities, harassment, and any other conduct that disadvantages the discloser. Providers should actively monitor for reprisal — particularly in the weeks and months following a disclosure — by tracking changes to the discloser's employment conditions, roster patterns, and performance reviews.

Investigating protected disclosures

When a protected disclosure is received, the provider must investigate the substance of the disclosure promptly and fairly. The investigation must be conducted by a person who is independent of the conduct being investigated — in many cases, this means engaging an external investigator or assigning the matter to a senior leader who was not involved in the events described.

Procedural fairness requires that the subject of the disclosure is given an opportunity to respond to the allegations before any adverse finding is made. However, this right to respond must be balanced against the obligation to protect the discloser's identity. The subject should be told the nature of the allegations with enough specificity to respond meaningfully, but must not be given information that would identify or tend to identify the discloser.

The investigation should result in documented findings, recommended actions, and a timeline for implementation. All investigation records must be stored securely and access-restricted to eligible recipients and the investigator.

Critically, a protected disclosure can trigger the creation of a SIRS reportable incident where the conduct described meets the criteria for a serious incident — such as abuse, neglect, or inappropriate use of restrictive practices. Providers must have a process for assessing each disclosure against the SIRS reporting criteria and escalating to the ACQSC within the applicable Priority 1 or Priority 2 timeframe.

How Statura Care helps

Statura Care's Whistleblower module is purpose-built to enforce the protections required by ss 547-554. The module includes an anonymous submission portal that allows disclosers to report concerns without revealing their identity, while still enabling two-way communication between the discloser and the eligible recipient through a secure message thread.

Discloser identity is restricted at the system level — only users designated as eligible recipients can view identifying information, and every access event is logged with a timestamp and user ID. This access log provides auditable evidence that identity protections are being maintained.

The module provides a structured investigation workflow with independence checks, natural justice steps, documented findings, and remediation tracking. Where an investigation reveals conduct that meets SIRS criteria, the disclosure can be escalated directly to the SIRS module, creating a linked incident with pre-populated details and automatic deadline calculation.

Reprisal monitoring tracks changes to the discloser's employment conditions — including roster changes, role changes, and performance actions — and flags potential adverse action for review by the eligible recipient. Policy management features ensure your whistleblower policy is version-controlled, distributed to staff with acknowledgement tracking, and flagged for annual review before it lapses.
