This article was first published in ICLG - Corporate Investigations 2023

Regulatory investigations, commissions and inquiries are increasingly a critical and everyday part of corporate life in Australia.

In the 2023 International Comparative Legal Guide for Corporate Investigations, Partners Richard Harris, Elizabeth Avery and Daniel MacPherson identify the key considerations and provide up-to-date, practical insights into conducting corporate investigations in Australia.

Chapters

• The Decision to Conduct an Internal Investigation
• Self-Disclosure to Enforcement Authorities
• Cooperation with Law Enforcement Authorities
• The Investigation Process
• Confidentiality and Attorney-Client Privileges
• Data Collection and Data Privacy Issues
• Witness Interviews
• Investigation Report
• Trends and Reform

---

The Decision to Conduct an Internal Investigation

What statutory or regulatory obligations should an entity consider when deciding whether to conduct an internal investigation in your jurisdiction? Are there any consequences for failing to comply with these statutory or regulatory regulations? Are there any regulatory or legal benefits for conducting an investigation?

In Australia, regulators do not commonly have the power to compel an entity to conduct an internal investigation, although there are a range of practical measures that a regulator may take to persuade an entity to do so. Financial services licensees can be compelled by the Australian Securities and Investments Commission (ASIC) to provide answers to questions that may in turn require the investigation of some facts. In limited circumstances, entities that hold a regulatory licence (e.g. a financial services licence) may have a condition imposed on their licence that may require them to conduct some form of internal investigation. However, the imposition of a licence condition is most frequently used to compel an audit (which is often independent) to be conducted at the conclusion of an investigation to ensure that an already identified issue has been rectified. Financial services licensees also have certain supervisory obligations as conditions on their licence that may have the effect of requiring them to conduct investigations of issues that come to their attention in order to be able to satisfy the condition.

Internal investigations in Australia are usually conducted on a voluntary basis at an initial stage after the discovery of a compliance or regulatory issue by an entity. A proactive decision to conduct an internal investigation carries many benefits and is typically a course of action that would be recommended for an entity to undertake. Primarily, an internal investigation allows an entity to identify the full nature of the compliance or regulatory issue that it is facing, gauge its level of exposure to regulatory action, and to formulate a strategy in how to respond to the issue and any subsequent or ongoing regulator investigation(s). In some circumstances the approach to the investigation might be agreed with the regulator, or the outcomes of the investigation might be provided to the regulator.

In addition, if an entity is an immunity applicant to the Australian Competition and Consumer Commission (ACCC) in relation to potential cartel conduct under the ACCC’s Immunity Policy, then the ACCC’s grant of immunity will depend upon the entity’s full cooperation, which will require a full internal investigation of the facts.

The proactive commencement of an internal investigation better prepares a corporation in the event that they are required to respond to the use of compulsory powers by a regulator. For example, ASIC, the financial services regulator, has broad powers in the exercise of its enforcement or investigatory functions, including compelling the production of documents, to conduct compulsory examinations of staff members, and to inspect premises and documents. Similar powers exist for the ACCC, the Australian Prudential Regulatory Authority (APRA), the Australian Taxation Office (ATO), the Australian Transaction Reports and Analysis Centre (AUSTRAC) (which has regulatory responsibility for anti-money laundering and counter-terrorism financing), and the Office of the Australian Information Commissioner (OAIC).

How should an entity assess the credibility of a whistleblower’s complaint and determine whether an internal investigation is necessary? Are there any legal implications for dealing with whistleblowers?

To enable a corporate entity to consistently determine whether an issue raised by a whistleblower is credible, entities should maintain a whistleblower policy that outlines the framework by which they respond to a complaint by a potential whistleblower and assess their complaint (it is compulsory for public companies and certain other corporations incorporated in or operating in Australia to maintain a whistleblower policy which is made available to employees). To determine whether the complaint is credible, a corporate entity should undertake a confidential initial assessment. This should look at the nature of the complaint, the seriousness of the allegations and concerns raised in the complaint, the relevant work history of the complainant, whether supporting evidence is or could be made available, and the significance of the risks posed by the complaint.

In addition, the use of a whistleblower policy will better ensure that a corporate entity does not breach the statutory protections that exist for whistleblowers. The Corporations Act 2001 (Cth) (Corporations Act) protects certain whistleblower activities and protects whistleblowers from persecution. The Corporations Act contains protections for whistleblowers who meet the statutory criteria, including:

• protection of information provided by whistleblowers;
• protections for whistleblowers against litigation; and
• protections for whistleblowers from victimisation.

These protections encourage people within companies, or with special connections to companies, to alert the company (through its officers), or the regulator, to illegal behaviour.

How does outside counsel determine who “the client” is for the purposes of conducting an internal investigation and reporting findings (e.g. the Legal Department, the Chief Compliance Officer, the Board of Directors, the Audit Committee, a special committee, etc.)? What steps must outside counsel take to ensure that the reporting relationship is free of any internal conflicts? When is it appropriate to exclude an in-house attorney, senior executive, or major shareholder who might have an interest in influencing the direction of the investigation?

A determination concerning who should be provided with the findings of an internal investigation should take into account how the internal investigation was initiated, the extent to which any regulator might be involved, the extent to which a senior officer of the company may be implicated in the investigation and the sensitivity of the issues being investigated. As a practical matter, this should usually be identified and agreed at the commencement of any investigation retainer. Persons should be excluded from the investigation (or the reports) to the extent that they may improperly influence the investigation’s findings. This may require either a whole or partial exclusion, and analysis on a case-by-case basis. The manager of the investigation should clearly document this at the start of an investigation and have a mechanism to review this determination at regular intervals.

Outside counsel should review these documented determinations to better inform themselves of any internal conflicts. In addition, outside counsel should ensure that the terms of their engagement expressly set out the nature of the reporting relationship, including the extent to which persons may be excluded from the investigation, the extent to which their findings can be subject to alteration by the corporate entity, and a mechanism to resolve any conflicts dispute that may arise over the course of the investigation. Any report of the investigation should also be clear on the nature of the engagement to avoid any potential for confusion, mindful that in some circumstances clients may choose or be compelled to provide the report to a regulator.

Self-Disclosure to Enforcement Authorities

When considering whether to impose civil or criminal penalties, do law enforcement authorities in your jurisdiction consider an entity’s willingness to voluntarily disclose the results of a properly conducted internal investigation? What factors do they consider?

Each of the ACCC, ASIC and ATO have cooperation policies that consider an entity’s willingness to self-report breaches or misconduct. While voluntary disclosure does not necessarily deter a regulator from taking enforcement action, cooperation is typically encouraged from a relationship perspective and may result in immunity from prosecution, joint submissions to a court for an appropriate reduction in the quantum of penalties, reaching a settlement in lieu of litigation or reduced penalties for taxation offences.

The Australian Federal Police and Commonwealth Director of Public Prosecutions (CDPP) also have guidelines for self-reporting foreign bribery and related offences. Cooperation within those guidelines is a significant factor in decisions to prosecute and in sentencing. Self-reporting can be done without admitting criminal liability or waiving privilege. Robust cooperation will be expected.

The ACCC immunity and cooperation policy for cartel conduct applies to entities and individuals who are whistleblowers in relation to cartel conduct, conditional upon the immunity applicant complying with certain criteria. Importantly, the ACCC’s policy requires the applicant for immunity to admit to cartel conduct within the meaning of the Competition and Consumer Act 2010 (Cth). Immunity is only available to one applicant, typically the “first in”; but if they fail to provide “full and frank cooperation”, the “next in the queue” may be eligible. The ACCC’s Immunity Policy on cartel conduct only relates to civil matters – the CDPP has discretion on whether to recognise cooperation and grant immunity in criminal cases. However, the ACCC and the CDPP have signed a memorandum of understanding pursuant to which the ACCC receives and manages requests for both criminal and civil immunity and makes recommendations to the CDPP based on the ACCC’s assessment of whether the conduct meets the criteria set out in the ACCC’s Immunity and Cooperation Policy. The CDPP will decide whether to grant immunity, exercising its discretion in taking into account the ACCC’s recommendation.

If immunity is not available, the ACCC will generally consider that any “serious cartel conduct” should be recommended for criminal prosecution. However, if an entity was not “first in”, then the ACCC will generally be prepared to make a submission to the court that the entity should be entitled to a significant discount on penalty for full cooperation.

The ACCC’s policy on leniency on enforcement matters generally applies where an entity comes forward with valuable evidence of breaches the ACCC was unaware of, where the ACCC lacks enough evidence to take enforcement action. This may apply to other forms of anti-competitive conduct or where the company is not first in line to report potential cartel conduct. There are various requirements a company needs to meet to qualify for leniency, including that the company promptly terminates its involvement in the anti-competitive conduct on becoming aware of the breach, and was not the instigator of, and did not coerce others into, the conduct.

Australia has a judicial enforcement model: only the court may impose penalties. If the enforcement agency reaches an agreement with an entity to resolve a matter, they cannot set the penalty, but rather may make joint submissions to the court on what an appropriate penalty may be; however, this is significantly limited in the criminal sentencing context, where the court must maintain unfettered discretion to impose the sentence.

There are also various criteria the ACCC will take into account in determining whether to reach an agreement on joint submissions to a court on appropriate penalties, including whether an entity or individual has cooperated with the ACCC, and whether the individuals involved in the conduct were senior managers of the entity or at a lower level.

In some instances, entities are required to self-report breaches to the regulator within prescribed timeframes. An example is the obligation on Australian financial services and credit licensees to make a written report to ASIC of (among other things) significant breaches or likely breaches or investigations into such matters, conduct constituting gross negligence in the course of providing a financial service or serious fraud and certain investigations within 30 calendar days of becoming aware of, or being reckless as to whether there exist, reasonable grounds to believe the reportable situation has arisen. Self-reporting in accordance with such an obligation does not typically preclude the regulator from taking enforcement action in respect of the breach, but the candidness of the report and the entity’s rectification actions are among the many factors the regulator may consider in practice in determining what action (if any) to take.

When, during an internal investigation, should a disclosure be made to enforcement authorities? What are the steps that should be followed for making a disclosure?

When disclosure should be made to regulators needs to be assessed on a case-by-case basis. Depending on the industry in which the company operates, the subject matter of the investigation and its outcomes, the company may be obliged to disclose certain facts identified during the course of the investigation to certain regulators. This is particularly likely in circumstances where there is overlap with an existing or anticipated regulatory investigation, and if the company is seeking to self-report conduct in order to try to seek either immunity or leniency for cooperation in respect of penalties or if it is under an obligation to self-report. Under the Privacy Act 1988 (Cth) (Privacy Act), entities are also required to notify the OAIC and affected individuals where they have reasonable grounds to believe that an “eligible data breach” has occurred. As noted above, in relation to potential cartel conduct, there may be benefits to early disclosure to the ACCC due to the potential to obtain immunity from civil and criminal prosecution. In the first instance, an anonymous marker may be obtained from the ACCC, via the potential applicant’s legal representative. If the entity decides to “perfect” the marker and seek immunity, it would be required to admit to cartel conduct and provide the results of its internal investigation to qualify for conditional immunity.

How, and in what format, should the findings of an internal investigation be reported? Must the findings of an internal investigation be reported in writing? What risks, if any, arise from providing reports in writing?

While the precise external reporting requirements for the findings of an internal investigation will depend on the nature of the specific investigation being undertaken, in some instances, companies may be required to report the findings of internal investigations under statutory and regulatory reporting requirements. In some cases, companies will decide to voluntarily report the investigation’s findings for commercial or relationship reasons. The company’s legal advisers should give clear guidance about how external communications should be structured so that communications to the regulator or third parties regarding the investigation do not result in privilege being waived. The ACCC may accept oral “proffers” to avoid a waiver of legal privilege.

Care must also be taken to ensure the nature of the investigation, and the relationship between those carrying out the investigation and the company (or relevant individuals or groups of individuals in the company) is clearly set out in the written report to mitigate the risk of the regulator or some other party later alleging that the nature of the investigation was misrepresented to achieve a favourable outcome.

It can often be difficult to establish that communications connected with internal investigations are privileged because they are often prepared for multiple purposes, and because of the sheer number of documents created. Ideally, at the outset of an investigation, companies should develop and implement suitable controls over internal communications and seek to limit communication regarding the investigation to those with a clear “need to know”. Companies should also develop and implement appropriate confidentiality protocols and a clear escalation and reporting path to senior management. In order to try to manage the risks of documents being created for multiple purposes, those creating documents regarding the internal investigation should be clear about why a document is being created, and try to separate communications for the purposes of legal advice or litigation from communications for other purposes.

Depending on the nature of the investigation, it may also be important to consider whether certain officers or employees may have interests that differ from those of the company in respect of the investigation, and for those individuals to be excluded from internal communications regarding the investigation.

Cooperation with Law Enforcement Authorities

If an entity is aware that it is the subject or target of a government investigation, is it required to liaise with local authorities before starting an internal investigation? Should it liaise with local authorities even if it is not required to do so?

While an entity that is the subject of a government investigation is not obliged to liaise with local authorities before commencing an internal investigation, it can be appropriate in some circumstances. This will depend on the company’s regulatory engagement strategy (see section 4) and needs to be assessed on a case-by-case basis. If the government investigation and the internal investigation relate to the same conduct and where there is ongoing engagement with the relevant regulator, some level of coordination is often desirable in order to reduce inefficiencies. This engagement may sometimes mean a regulator may delay or discontinue its investigation due to the internal investigation, provided the company commits to frank and full disclosure of the outcomes of the internal investigation. Alternatively, this strategy may also mean the regulator requests the company cease its own investigation due to concerns that it may prejudice the government investigation and any enforcement activity arising out of its investigation.

There may also be benefits of proactive early engagement with regulators in terms of cooperation where the company chooses to voluntarily self-report potential breaches or misconduct, in terms of immunity, leniency or reduced penalties (as discussed in section 2). On the other hand, if companies engage prematurely with regulators, this may result in regulatory enquiries commencing before the company is in a position to address and respond to them.

If regulatory or law enforcement authorities are investigating an entity’s conduct, does the entity have the ability to help define or limit the scope of a government investigation? If so, how is it best achieved?

Australian regulators will not allow an entity to define the scope of the investigation. However, typically, Australian regulators will engage with the entity whose conduct they are investigating and consult on the scope of a compulsory notice. Often, this process is mutually beneficial, as a more detailed understanding of the entity’s structure, systems, records and processes can assist the regulator in focusing their investigation on the most relevant documents (see information on the steps of determining the scope of the investigation and how to assist the regulator in section 4). It is theoretically open to a company to challenge aspects of the regulator’s exercise of its investigatory powers if the company considers the regulator to be acting outside its statutory remit; however, this is almost never carried out in practice, given that the regulators typically have very broad remits and such a challenge would severely undermine the relationship with the regulator.

Do law enforcement authorities in your jurisdiction tend to coordinate with authorities in other jurisdictions? What strategies can entities adopt if they face investigations in multiple jurisdictions?

Enforcement authorities are increasingly coordinating with authorities in other jurisdictions via formal and informal mechanisms. See the answer to question 6.3 for further details.

For companies facing investigation in multiple jurisdictions, it is critical to coordinate the response across the relevant jurisdictions. This will typically require the appointment of a dedicated individual or team to coordinate the responses and consolidate the strategy. Having clear compliance and management plans in place will also help prepare an entity for a multijurisdictional investigation.

The Investigation Process

What steps should typically be included in an investigation plan?

An investigation plan should include the following steps:

1. Determination of scope: This involves identifying and defining the scope of the issue that is the subject of the investigation plan. This should include considerations of what will and what will not be investigated, the key risks associated with the issue, the level of sensitivity associated with the issue being investigated, and a preliminary consideration of the potential levels of exposure/significance of the issue being investigated.
2. Creation of investigation framework: This will involve consideration of:
   • Resources – Identifying the resources required, including internal staff, I.T., and any external services (e.g. a forensic accountant).
   • Internal management – Identifying who will be the internal stakeholders responsible for the day-to-day management of the investigation and the supervision of the investigation.
   • Internal risks – Identifying the level of security around the investigation, the extent to which it needs to be quarantined from others within the organisation, and who will need to be excluded.
   • External counsel – Planning the engagement of external counsel.
   • Reporting lines – Determining who will receive progress reports on the investigation, the nature of the reports and the frequency of the reports (e.g. monthly report to the Board).
   • Timeframe for report – Establishing deadlines for a preliminary and final report to be completed.
3. Determination of regulatory engagement strategy: This should include consideration of whether the matter should be voluntarily (or otherwise) reported to a regulator, who should be responsible for liaising with the regulator, and the general approach to dealing with the relevant regulator(s) who may be interested in the outcome of the investigation.
4. Obtaining key documents and evidence: This will include identifying what evidence is required, as well as who are the key custodians of information, documents, and data necessary for the internal investigation, and undertaking steps to obtain this information.
5. Review of evidence: The review of data and documents, including witness interviews where necessary.
6. Report preparation/writing: This might include a consultation period for a preliminary report to obtain feedback on the report’s findings, before the findings are finalised, in order to correct any factual errors.
7. Report delivery: The report should be delivered, reviewed and responded to in a timely manner and include recommendations for next steps, including consideration of regulatory notification.

An investigation plan should include the following steps:

1. Determination of scope: This involves identifying and defining the scope of the issue that is the subject of the investigation plan. This should include considerations of what will and what will not be investigated, the key risks associated with the issue, the level of sensitivity associated with the issue being investigated, and a preliminary consideration of the potential levels of exposure/significance of the issue being investigated.
2. Creation of investigation framework: This will involve consideration of:
   • Resources – Identifying the resources required, including internal staff, I.T., and any external services (e.g. a forensic accountant).
   • Internal management – Identifying who will be the internal stakeholders responsible for the day-to-day management of the investigation and the supervision of the investigation.
   • Internal risks – Identifying the level of security around the investigation, the extent to which it needs to be quarantined from others within the organisation, and who will need to be excluded.
   • External counsel – Planning the engagement of external counsel.
   • Reporting lines – Determining who will receive progress reports on the investigation, the nature of the reports and the frequency of the reports (e.g. monthly report to the Board).
   • Timeframe for report – Establishing deadlines for a preliminary and final report to be completed.
3. Determination of regulatory engagement strategy: This should include consideration of whether the matter should be voluntarily (or otherwise) reported to a regulator, who should be responsible for liaising with the regulator, and the general approach to dealing with the relevant regulator(s) who may be interested in the outcome of the investigation.
4. Obtaining key documents and evidence: This will include identifying what evidence is required, as well as who are the key custodians of information, documents, and data necessary for the internal investigation, and undertaking steps to obtain this information.
5. Review of evidence: The review of data and documents, including witness interviews where necessary.
6. Report preparation/writing: This might include a consultation period for a preliminary report to obtain feedback on the report’s findings, before the findings are finalised, in order to correct any factual errors.
7. Report delivery: The report should be delivered, reviewed and responded to in a timely manner and include recommendations for next steps, including consideration of regulatory notification.

When should companies elicit the assistance of outside counsel or outside resources such as forensic consultants? If outside counsel is used, what criteria or credentials should one seek in retaining outside counsel?

Legal advice should be obtained at an early stage for all regulatory or compliance concerns that may warrant an investigation and, depending on the specifics of the issue, should include outside counsel. As a general rule, given the risks to independence for internal lawyers, significant or sensitive investigations should have ongoing involvement of outside counsel. Outside counsel who are familiar with the business will be able to assist a company to monitor its legal obligations over the course of an investigation, provide important legal advice about the substantive issues being investigated, and also bring an independent and external perspective to the investigation to help guide the company. Additionally, the engagement of outside counsel can help to ensure and make clear that an investigation, and sensitive materials created in it, are protected by legal professional privilege that may otherwise be subject to disclosure at a later point in time.

Forensic consultants (or other outside resources) should be utilised on a case-by-case basis. Their use may be beneficial to:

1. provide additional levels of expertise that are required for the investigation (e.g. a forensic accountant may be able to investigate complex discrepancies in financial accounts);
2. provide an additional level of scrutiny to the investigation; and/or
3. provide independent assurances regarding the reasonableness of the methods or outcomes of the investigation.

Confidentiality and Attorney-Client Privileges

Does your jurisdiction recognise the attorney-client, attorney work product, or any other legal privileges in the context of internal investigations? What best practices should be followed to preserve these privileges?

Legal professional privilege in Australia (also known as client legal privilege of attorney-client privilege) is generally protected under both common law and legislation.

Legal professional privilege applies to all confidential communications (whether oral or written) and documents brought into existence for the dominant purpose of obtaining legal advice, or for the purposes of actual or reasonably anticipated litigation. The protection applies to communications between a client and their lawyer, documents that record the contents of a protected communication (e.g. a client’s file note of a meeting with their lawyer), and documents created for one of the dominant purposes outlined above. It may also apply to certain categories of communications between a lawyer and a third party.

Therefore, communications in the course of an internal investigation that are created for the dominant purpose of obtaining legal advice are protected by law.

In order to ensure that privilege is maintained, an entity should maintain a policy on how it handles privileged material. At a minimum, the policy should set out the following principles:

1. Ensure that privileged communications (including their substance and effect) are kept confidential and not disclosed outside the company. Loss of confidentiality in a communication is likely to be regarded as a waiver of the right to assert privilege.
2. Documents that attract privilege should be clearly marked as such to ensure that the document is not inadvertently distributed by a person within the entity who is unaware of its privileged status, as this may amount to a waiver of privilege. In particular, caution should be taken where there is a large volume of documents being disclosed by an entity, as this is where inadvertent disclosure most commonly occurs. The entity providing any such large-scale disclosure of documents should also clearly state in their cover letter that any inadvertent disclosure of privileged material is not to be taken as a waiver of privilege.
3. To ensure that confidentiality is maintained, verbal advice should be provided in private to persons who are necessarily required to receive the advice.
4. As in-house counsel must provide independent advice to maintain privilege, an in-house counsel’s legal advice should not be mixed with comments about strategic or operational matters. Additionally, the personal loyalties, duties and interests of the in-house lawyer as an employee should not influence the professional legal advice they give.
5. Care should be taken when providing legal advice to a Board as part of any Board papers in order to ensure that the communication’s dominant purpose is not diluted. Specific procedures should be followed to provide legal advice separately to any other matter.
6. The engagement of an expert during an investigation and all communications with the expert should be made by a lawyer for the express purpose of the expert providing assistance to the lawyer to give advice. This will help ensure privilege attaches to these communications.

Do any privileges or rules of confidentiality apply to interactions between the client and third parties engaged by outside counsel during the investigation (e.g. an accounting firm engaged to perform transaction testing or a document collection vendor)?

Yes, legal professional privilege may extend to third parties if the dominant purpose test is met. To strengthen the privilege claim, communications with third parties should typically be conducted by the lawyer and not the client. This will help establish that the dominant purpose of the communication is to assist the lawyer to provide legal advice to the client.

Do legal privileges apply equally whether in-house counsel or outside counsel direct the internal investigation?

Legal professional privilege may be claimed regardless of whether the lawyer is acting in a role as in-house or outside counsel, provided that the requirements identified in question 5.1 are met.

As in-house counsel may be involved in activities that are outside the role of a lawyer as part of their day-to-day role within an entity, care must be taken to ensure that the in-house counsel separates the legal advice they provide from other matters of the business in which they may be involved (for example, strategic commercial advice). Failure to do so may mean that the communication over which privilege is asserted is deemed to be for mixed purposes, rather than for the dominant purpose of legal advice or litigation. In these circumstances, privilege will not apply. Furthermore, an in-house lawyer must ensure that their advice is independent for privilege to apply. An in-house lawyer will lack the requisite measure of independence if their advice is at risk of being compromised by virtue of the nature of their employment relationship with their employer. Accordingly, the personal loyalties, duties and interests of the in-house lawyer as an employee should not influence the professional legal advice they give for privilege to apply. Whether or not an in-house lawyer’s advice is considered independent is ordinarily determined on a case-by-case basis, assessing the facts surrounding the provision of that specific advice. However, some of the indicia of independence, such as terms of the employment contract, the in-house lawyer’s position in the organisational hierarchy of the company, whether the lawyer’s remuneration is linked to the financial performance of the business, and to whom the in-house lawyer reports may all be general factors that a court considers relevant in any such determination.

How can entities protect privileged documents during an internal investigation conducted in your jurisdiction?

By meeting the best practice principles outlined in question 5.1, an entity can protect documents that are subject to legal professional privilege. In larger internal investigations, it is ordinarily beneficial to implement a protocol governing how privileged documents are to be treated in a consistent manner.

By meeting the best practice principles outlined in question 5.1, an entity can protect documents that are subject to legal professional privilege. In larger internal investigations, it is ordinarily beneficial to implement a protocol governing how privileged documents are to be treated in a consistent manner.

Do enforcement agencies in your jurisdictions keep the results of an internal investigation confidential if such results were voluntarily provided by the entity?

The voluntary disclosure of an internal investigation to an enforcement agency may not always be confidential. Subject to any agreement with the agency, the enforcement agency may choose to disclose the results publicly.

Additionally, documents provided to an enforcement agency may be subject to disclosure to an applicant who applies under the Freedom of Information Act 1982 (Cth), legislation that (subject to certain exemptions) provides a right of access to documents held by most government agencies. Legal advice should be sought prior to any voluntary disclosure of an internal investigation about the risks of public disclosure.

Data Collection and Data Privacy Issues

What data protection laws or regulations apply to internal investigations in your jurisdiction?

The key data protection obligations that apply to entities, including in the context of any internal investigations, are contained in the Australian Privacy Principles (APPs) in Schedule 1 to the Privacy Act.

Under the Privacy Act, if an entity holds personal information about an individual that was collected for a particular purpose, the entity must not use or disclose the information for a secondary purpose without consent from the individual, or if an exception applies.

In this context, the most relevant exceptions are:

• where the use or disclosure of the information is required or authorised by or under an Australian law or the order of a court or tribunal;
• an entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement-related activities conducted by, or on behalf of, an enforcement body;
• an entity has reason to suspect that unlawful activity, or misconduct of a serious nature that relates to the entity’s functions or activities, is being or may be engaged in, and the use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter; and
• the use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim.

Is it a common practice or a legal requirement in your jurisdiction to prepare and issue a document preservation notice to individuals who may have documents related to the issues under investigation? Who should receive such a notice? What types of documents or data should be preserved? How should the investigation be described? How should compliance with the preservation notice be recorded?

While there is no legal requirement in Australian jurisdictions to prepare and issue document preservation notices, it is often prudent for companies to do so. Furthermore, there are common law and legislative duties and obligations in relation to document destruction, including an obligation not to destroy a document which is reasonably likely to be required in legal proceedings.

What factors must an entity consider when documents are located in multiple jurisdictions (e.g. bank secrecy laws, data privacy, procedural requirements, etc.)?

If the entity wishes to move documents from Australia, there are privacy obligations that need to be satisfied before the cross- border disclosure of documents located in Australia containing personal information to third-party overseas recipients. These obligations require the discloser, subject to limited exceptions, to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information (APP 8).

While regulators cannot compel overseas arms of an entity to produce documents, regulators do have cooperative processes available to them to seek assistance from their overseas counterparts, as set out below. Court processes can also be used to seek to compel international parties to produce documents in some circumstances.

The ACCC has a number of cooperation arrangements and treaties with counterpart regulators internationally. While each agreement is specific to the particular agencies and the legislation they administer, they generally recognise the benefits that come from cooperation and coordination in improving the effectiveness of their enforcement activities. The extent and type of cooperation can include notification obligations, coordination of enforcement activities, the exchange of information and/or evidence, and agreements to advise of potential conflicts.

The ACCC may also request reciprocal waivers with overseas competition regulators to facilitate the exchange of information, which will enable receipt of documents produced to those other regulators.

The Australian corporate regulator, ASIC, has signed up to the International Organisation of Securities Commissions (IOSCO) Multilateral Memorandum of Understanding and other bilateral agreements. The memoranda generally require ASIC and the international agency to use reasonable efforts to provide each other with mutual assistance, including providing and exchanging information and, in some circumstances, verifying information and questioning or taking testimony from witnesses.

For the Australian Government and foreign governments to request government-to-government assistance, regulators can also use the Mutual Assistance in Criminal Matters Act 1987 (Cth) (for criminal matters) or the Mutual Assistance in Business Regulation Act 1992 (Cth) to exercise information gathering and document compulsion powers (for civil matters). The Attorney-General is responsible for approving and making requests to foreign countries for assistance in investigations.

What types of documents are generally deemed important to collect for an internal investigation by your jurisdiction’s enforcement agencies?

The types of documents that should be collected in an Australian internal investigation will vary depending on the nature of the investigation. In general, the documents that could be collected include internal reports, documents evidencing processes, management assurance or internal audit reports, standard forms, customer files and data, other internal data, phone recordings, retrieval of messages from phones and tablets, correspondence, financial records, sales and marketing material and staff training instructions or manuals. In some instances, information as well as documents (including in the form of written statements) can be required. Compulsory oral testimony may also be required.

What resources are typically used to collect documents during an internal investigation, and which resources are considered the most efficient?

The resources used to collect documents during an internal investigation depend on the nature and scope of the investigation, informed by the particular types of documents and data the entity holds and the definition of “Document” set out in the investigative notice. The definition of “Document” may include electronic, hard copy and draft documents, voice recordings, texts, emails, spreadsheets and instant messaging chats.

The process for the identification and collection of relevant documents depends on the investigation and its scope. Overall, there needs to be an understanding of the types of documents and data held and it is important to have a documented process and plan for the identification and collection of relevant documents, including the resources, timing and steps (such as searches) to be undertaken to locate the documents (see question 4.2). Specialist I.T. and data analytics resources are often required. Entities should also consider whether third-party verification of data or external experts are required.

When reviewing documents, do judicial or enforcement authorities in your jurisdiction permit the use of predictive coding techniques? What are best practices for reviewing a voluminous document collection in internal investigations?

Australian courts have increasingly accepted the use of predictive coding technology, though the appropriateness of its use should still be determined on a case-by-case basis. Notably, the Federal Court of Australia, the Supreme Court of Tasmania and the Supreme Court of Victoria have each issued practice notes that support the possibility of predictive coding. Both the Federal Court of Australia and the Supreme Court of Victoria have also issued judgments in which predictive coding was permitted in the circumstances of particular cases.

Parties should be mindful that courts might require them to expose their predictive coding process in some detail to their opponents to allow them to consider the sufficiency of document production. It may be necessary for expert reports to be provided or for experts to confer.

The attitude of regulators is less clear. Regulators will not always be given insight into the search strategies undertaken to prepare document productions, but this might sometimes be necessary (especially if an internal investigation is conducted with the regulator’s agreement in place of a regulator investigation).
In every case, best practice using predictive coding will include detailed documentation of the methodology used, because it may be necessary to justify the use of the technology. It may be prudent to obtain expert consultant reports in some instances.

More broadly, best practices for voluminous document exercises include: clearly documenting search and review methodologies; identifying priority sets of documents; and treating the review as an iterative process so that strategies and insights from earlier phases of the review are formally fed into later stages. Depending on the particular review, a range of technologies can usually be used to either define the review set or identify priority sets, such as the use of keyword searches, predictive coding, and analytical software.

Witness Interviews

What local laws or regulations apply to interviews of employees, former employees, or third parties? What authorities, if any, do entities need to consult before initiating witness interviews?

There are no protections, laws or regulations in Australia that directly apply to interviews of employees, former employees or third parties, and an entity does not need to consult any authority before initiating a witness interview. However, where an entity is seeking to interview an employee who is the subject of the investigation, the entity will need to be conscious of employment laws, which offer a range of protections for employees. The entity should also be aware of legal or procedural frameworks that may apply specifically to their industry. For example, the APS Code of Conduct set out in Section 13 of the Public Service Act 1999 (Cth) applies to interviews conducted in connection with internal investigations by the Commonwealth Australian Public Service. In particular, if an entity is seeking to take disciplinary action against the employee, it must afford procedural fairness to the employee.

Are employees required to cooperate with their employer’s internal investigation? When and under what circumstances may they decline to participate in a witness interview?

Employees are required to cooperate with their employer’s internal investigation. Under Australian common law, employees are required to cooperate and participate in good faith in any lawful and reasonable internal investigation undertaken by their employer. The employment contracts and entity codes of conduct, which are binding on employees, will typically also impose similar obligations.

Employees may not need to comply in circumstances where the questions being asked by their employer are unreasonable or unfair.  Employees can also not be compelled to answer questions that would be self-incriminating (given the privilege against self-incrimination). An employer is not entitled to take any adverse action against the employee for the failure to comply with an investigation in these circumstances.

Is an entity required to provide legal representation to witnesses prior to interviews? If so, under what circumstances must an entity provide legal representation for witnesses?

An entity is not required to provide legal representation to witnesses either prior to or during an interview. Typically, witnesses are encouraged to bring a support person to the interview (whether or not that person is a legal representative), which is a mandatory requirement where the employee is being interviewed about an allegation of misconduct against them.

Where a witness is the subject of the investigation, it is advisable for an entity to facilitate the provision of legal representation for this witness, to ensure that there is no later allegation of impropriety against the entity.

What are best practices for conducting witness interviews in your jurisdiction?

Best practice for a witness interview should be determined on a case-by-case basis. As a general practice, entities conducting witness interviews should:

1. maintain a policy that outlines how the interviews are conducted to ensure consistency (e.g. governing periods of notice before the interview is required, the hours in which an interview can take place, the length of an interview, and the frequency of breaks for lengthy meetings);
2. take a record of the interview (ordinarily written);
3. offer the opportunity for the witness to review and, where necessary, correct any written record of the meeting;
4. have an independent person (whether a support person chosen by the interviewee or a HR representative) attend the interview (particularly where the interview relates to matters of particular significance or concern); and
5. ensure that the witness is provided procedural fairness.

What cultural factors should interviewers be aware of when conducting interviews in your jurisdiction?

There are no specific issues that commonly arise or are generally recognised, although interviewers should be mindful and sensitive of the fact that Australia is a multicultural nation and they may encounter interviewees from a range of different cultural backgrounds.

When interviewing a whistleblower, how can an entity protect the interests of the company while upholding the rights of the whistleblower?

An entity can protect the interests of the company by reasonably questioning the whistleblower during an interview to assess the merits of their complaint. An entity may choose to use outside counsel to conduct this interview.

To uphold the rights of the whistleblower, it is advisable for an entity to provide a whistleblower with the opportunity to retain a legal representative during an interview as well as ensure adherence to their whistleblower policy. Additionally, at all times, an entity should be aware of the rights of and protections afforded to whistleblowers, as outlined in question 1.2.

Can employees in your jurisdiction request to review or revise statements they have made or are the statements closed?

As a matter of best practice, it is recommended that employees are always given the opportunity to review or revise statements they have made. Where the employee is the subject of the investigation and adverse action may be taken against them on the basis of the statement, an employer is required to afford them this opportunity to review their statement.

Does your jurisdiction require that enforcement authorities or a witness’ legal representative be present during witness interviews for internal investigations?

In Australia, there is no requirement for a representative of an enforcement authority to be present during a witness interview, and it would be uncommon for a representative to attend.

As discussed in question 7.3, witnesses are generally encouraged to bring a support person to the interview (whether or not that person is a legal representative). For reasons of procedural fairness, this is mandatory where the employee is being interviewed about an allegation of misconduct against them.

Investigation Report

How should the investigation report be structured and what topics should it address?

The structure of an investigation report should be determined on a case-by-case basis, as there should be sufficient flexibility in determining the structure to ensure the report is fit for purpose and adequately discloses all relevant material. As a general rule, the report should be structured in a manner that appropriately reflects the complexity of the issues being addressed and the recipients of reports. Reports should be as detailed as needed and should not be unnecessarily condensed. For more complex or lengthy reports, a short version of the report should also be produced to accompany the full-length report. This provides a summary version where brevity is required.

Trends and Reform

Do corporate investigations tend to lead to active government enforcement in your jurisdiction? Has this increased or decreased over recent years?

Regulators have a wide range of regulatory tools available to them, including fines, enforceable undertakings and enforcement action. Regulators have generally used a mix of these tools and have regularly taken enforcement action where they have considered it to be warranted. In the past few years there has been an increase in court-based enforcement action in a stated attempt by regulators to maximise deterrence, enhance market integrity and reduce harm to consumers, in particular, in relation to misconduct that damages market integrity, including insider trading, continuous disclosure breaches, market manipulation, and governance failures.

The ACCC continues to view the enforcement of cartel conduct as a priority, including as a result of its immunity policy. The new ACCC Chair, Gina Cass-Gottlieb, has indicated that whilst there are some questions about the continuing force of immunity programmes (in Australia and elsewhere), the ACCC continues to receive immunity applications. We continue to see corporate investigations in relation to cartel conduct leading to immunity applications, and then active enforcement.

What enforcement trends do you currently see in your jurisdiction?

In the past few years, regulators have had a particular focus on the banking industry and working towards strengthening consumer protection laws. Recently, there has been a shift in focus to other financial institutions, in particular superannuation firms and insurance providers. Consistent with the global growth in the digital and environmental spaces, regulators have also begun to increase their supervision and enforcement of governance, transparency and disclosure standards for the sustainable finance industry, as well as in relation to crypto-assets and decentralised finance. There has also been an increase in investigations into industries that interact with financial flows, such as the gaming industry, in relation to anti-money laundering and anti-corruption.

The ACCC continues to prioritise the enforcement of consumer and competition law in Australia. In particular, it has labelled cartel conduct enforcement as an “enduring priority”: it currently has six cartel matters before the courts. The ACCC has also identified a number of competition and consumer priority enforcement areas in its 2022–23 enforcement priorities, including the impacts of COVID-19 on supply chains, exclusive arrangements, and greenwashing (falsely promoting environmental or green credentials).

What (if any) reforms are on the horizon?

There are currently no major reforms planned that are likely to materially shift the regulatory landscape or enforcement powers described above, but legislative reforms are regularly introduced that strengthen regulators’ powers or vary regulation in particular sectors. Some key reforms include the following.

Federal privacy legislation is currently being reviewed, which is expected to result in material reforms that, among other things, will enhance the regulatory role and powers of the OAIC (including increased penalties and powers to investigate privacy breaches).

In relation to the crypto sector, the government has announced plans to introduce a regulatory framework for industry and regulators, which allows consumers to participate in the crypto space with greater protections. The first step will be to introduce reform around “token mapping”, which will help identify how crypto-assets and related services should be regulated. However, the nature and timing of these reforms is not clear.

In addition, for the past few years, the Australian Law Reform Commission has been undertaking a large-scale review of the legislative framework for corporations and financial services regulation. The final report from the Commission is due in late 2023. However, it remains to be seen whether the review will result in significant reform to the legislative framework, and any such reforms would likely take several years to develop and introduce.