Australia: Handling Internal Investigations
It goes without saying that wrongful conduct in a corporate setting can have drastic and irreparable legal, commercial and reputational consequences for the individuals and entities involved. Internal investigations, which can be carried out quickly and tailored to address specific company concerns, can be particularly well suited to identifying, minimising and remediating such fallout. This is particularly relevant in the current corporate climate in Australia, which has seen an increased level of scrutiny over corporate governance and operational issues. More than ever, there is an expectation that board members and senior managers understand what is happening in their company and wider third-party business and supply chain networks, and take responsibility for the actions of employees and third parties who carry out business on behalf of the company. In this climate, internal investigations are becoming more prevalent; a trend that we expect will continue.
What makes an efficient and effective investigation can vary dramatically depending on the subject matter of the investigation, and the individuals and entities involved. This article provides a brief overview of the key considerations that will allow a company to craft and manage an effective Australian internal investigation, and achieve a prompt and robust outcome.
Launching an investigation
There are countless reasons for commencing an internal investigation. A company may itself have identified potential wrongdoing. Third parties may have alleged inappropriate conduct. Regulators may have made informal enquiries or launched a formal investigation, either of the company itself or of another industry participant, that has knock-on consequences for the company. In some cases, regulators may have required an organisation to undertake an internal investigation (see, for example, section 53 of the Independent Commission Against Corruption Act 1988 (NSW)), or there may be other circumstances creating the impetus to investigate (for example, licence requirements or positive reporting obligations in particular industries).
Entities may commence investigations to determine whether notification is required under the mandatory data breach notification laws introduced into the Privacy Act 1988 (Cth) effective 22 February 2018, in the event the entity suspects but is not certain that a serious and eligible data breach has occurred. Entities are required under the data breach notification scheme to undertake ‘reasonable and expeditious assessment’ to determine whether there are ‘reasonable grounds’ to consider that an eligible data breach has occurred. This assessment must be made within 30 days of the entity becoming aware of the relevant circumstances. Entities may also avoid the new notification requirements if they take remedial action before any serious harm is caused by any eligible data breaches.
Entities may also commence investigations in relation to Commonwealth and state modern slavery laws, which require large commercial organisations to report on the steps they have taken to ensure that their goods and services are not a product of supply chains in which modern slavery is taking place. The Commonwealth modern slavery legislation commenced on 1 January 2019.
In some circumstances, urgent action is necessary. This includes where there is an actual or anticipated destruction of documents (discussed below), a need to promptly inform third parties what has occurred, or where relevant personnel are about to depart from the organisation. Immediate action is also required where any unreasonable delay in launching the investigation could be seen as acquiescence or tacit approval of the impugned conduct by the company.
While those considerations may dictate the timing of immediate steps in an investigation, other factors, such as the need to efficiently carry on business and the availability of resources, will also influence an investigation’s progress. Insufficient information and resources can result in a haphazard investigation process and a less than credible – or even unreliable – investigation report.
Identifying who will conduct the investigation
Once the company has decided to commence an internal investigation, it will need to appoint someone to take responsibility for coordinating and conducting the investigation. Often, this will be a member of the company’s legal team. However, there may be cases where it is more appropriate for members of the board to have oversight of the conduct of the investigation – for example, where the conduct of senior management is impugned.
Likewise, if the scale of the investigation involves numerous persons across various offices and a large quantity of factually or technically dense material, the company may need to allocate additional and specific resources to the investigation. For example, if the subject matter of the investigation is a serious and systemic issue, or potentially involves misconduct on the part of senior personnel, it may be advisable for external advisers to conduct the investigation. This often adds an additional layer of impartiality, objectivity and forensic scrutiny, and can assist in navigating difficulties created by internal reporting lines or interpersonal relationships between company personnel.
The members of the investigations team should have an appropriate combination of skills, training and experience to support a well-rounded and thorough investigation. If the investigation involves topics where specialised expertise would be beneficial (such as concerns about securities or antitrust violations), that should be taken into account in forming the team. Failure to appoint appropriate persons could compromise the investigation process and outcome. For similar reasons, close colleagues or peers of persons who are ‘at risk’ in the investigation should not be appointed to the investigations team.
Setting the remit of the investigation
The scope of the internal investigation must be set carefully and clearly, with its sole focus on responding to the particular identified problem. It can be useful to prepare written terms of reference, which identify those matters that fall within the subject matter of the internal investigation and – equally critically – those that fall outside. If the investigation has been prompted by regulatory attention, the intended interaction between the internal investigation and any existing or anticipated regulatory process should be taken into account.
The proper constitution of the investigations team, along with the drafting of suitable terms of reference, not only ensures the integrity of the investigation and the information gathered by it, but also plays an important part in determining issues of privilege (discussed below). These initial decisions should not be made on a ‘set and forget’ basis. As investigations invariably evolve over time, it is vital to reassess the scope of the investigation at frequent and regular intervals, and make any necessary changes.
Recent changes to Australia’s whistleblower regime, which came into effect on 1 July 2019, will impact how a company commences and carries out an internal investigation. Relevantly, the amendments require public companies and large proprietary companies to have a whistleblower policy in place that explains, among other things, how concerns can be raised, the protections available for the whistleblower, and how the company will ensure the fair treatment of employees who are mentioned in any protected disclosures made in accordance with the legislation. A related consideration is for companies to have in place systems and processes to make sure that internal investigations based on whistleblower disclosures proceed in a manner congruent with the enhanced protections – for example, protecting the identity of anonymous whistleblowers, and preventing whistleblowers from suffering detriment due to their disclosures.
Communicating the existence of the investigation
The next step is for the company to communicate information internally regarding the investigation. It can be appropriate to issue a document preservation notice, drafted in a neutral and objective way, to all relevant personnel and, in some cases, to all staff, on a confidential basis. Specific document collation requests to relevant individuals may also be needed, as well as guidance on what may and may not be discussed between company staff, or third parties, concerning the investigation. The company will also need to carefully consider how broadly it makes known the fact of the investigation.
As a general rule, it is not advisable to disclose the details of the investigation in such communications, or the circumstances that have led to the investigation. This is for many reasons, but particularly because those communications may not be privileged, and may therefore be the subject of disclosure to third parties in the future. The enhanced whistleblower protections discussed above may also impact how such communications are framed.
Conducting the investigation
There are no general specifications in Australia as to how an internal investigation should be carried out, including in relation to procedural matters such as independent representation for company employees interviewed in the course of an investigation. The company should consider and address these issues prior to gathering evidence in the investigation. Best practice suggests companies take into account principles of natural justice, as well as anticipated interactions with regulators about the subject matter of the investigation, in deciding how to proceed.
An important first step in internal investigations in Australia – like many other jurisdictions – is the appropriate collation, compilation and retention of relevant documents. Document preservation must include both hard copy and electronic documents to ensure all original documents are quarantined in their original form. It may be appropriate to take a forensic image of all relevant electronic data to ensure the integrity of information (including metadata) is maintained throughout the course of the investigation. The company should take urgent steps to preserve documents that could otherwise be destroyed by innocent means (for example, scheduled record management) or malicious means.
The company will also need to consider the impact of the Privacy Act 1988 (Cth), which regulates the company’s handling of personal information about individuals. There are also differing laws across various state and territory jurisdictions about the ability to use surveillance or recording devices to obtain information without the consent of the person under surveillance. As privacy and surveillance considerations can arise in various ways throughout an internal investigation, the investigations team should ensure it has addressed the relevant legal requirements when embarking on data collection.
Another key aspect of any investigation is interviewing relevant individuals. It is vitally important that the investigations team properly identifies the relevant individuals, and arranges for them to be interviewed separately, in an appropriate order, and with clear objectives. A core bundle of documents should be produced for each interviewee to be taken through during the course of the interview. It is generally not desirable to provide the interviewees with advance copies of the documents, and they should not be permitted to retain copies of any such documents. The interviewees should also be instructed not to discuss their evidence with anyone else. This is to maintain confidentiality, avoid a potential waiver of privilege and also avoid potential contamination of evidence.
When conducting interviews, the company’s legal representatives should clearly inform the interviewee that they represent the interests of the company, and while the content of the interview is confidential and privileged, the company reserves the right to waive that confidentiality or privilege in the future.
In appropriate circumstances, interviewees should not only be allowed but encouraged to obtain independent legal representation for the purposes of the interview. In some cases, the company – or an insurer – may be obliged to indemnify the interviewee for the costs of such representation.
During the interview process, the interviewer should be focused on assessing the interviewee’s recollection, as opposed to his or her recreation, of relevant events. Interviewers should always be alive to the potential for interviewees to give incorrect accounts, and should be prepared to challenge and test the evidence given by the interviewee there and then without the need to adjourn the interview, which may allow the interviewee an opportunity to tailor his or her evidence.
In Australia, written records of the interview created by internal or external lawyers for the purpose of advising the company will usually be privileged. This is not the case for notes taken by the interviewee, or any ‘support person’ brought into the interview by the interviewee. The only exception is where notes are created by the interviewee’s appointed legal representative, who has attended the interview for the purpose of advising the interviewee. Those notes will ordinarily be privileged in the hands of the interviewee, but not the company.
The investigations team should also consider whether it is useful to record the interview, or obtain a signed written statement from the interviewee reflecting the evidence given during the interview. In the event the interview was recorded, the team should also consider whether to request that the interviewee sign a transcript of the interview, verifying its accuracy. The assessment of how to record the interview may be influenced by views about the prospect of future regulatory or litigious activity. The more typical course has been for Australian regulators to exercise their compulsory powers to conduct their own interview processes, rather than request access to written statements or notes of witness interviews produced in the course of internal investigations (which requests are typically met with claims of privilege). However, there have been recent shifts in this position, where companies have sometimes agreed to provide output from internal investigations to regulators under a ‘limited waiver’ structure, or where regulators have shown a preparedness to challenge privilege claims made over notes taken during internal investigations (the litigation by the Australian Securities and Investments Commission against AMP Limited challenging privilege claims in such notes, which settled in March 2019 prior to hearing, being one example). Accordingly, companies should bear these possibilities in mind when conducting internal investigations. Even if privilege over such materials is maintained in Australia, if the subject matter of the investigation involves multi-jurisdictional issues, regulators in other jurisdictions may have different practices, and different rules as to the availability of privilege claims may apply.
The company may also need to confront issues that arise when individuals refuse to participate in an interview or other aspects of the investigation, which can trigger the need for disciplinary action. The company must also consider whether certain employees who are the subject of (or are at risk in) the investigation need to be suspended, or, where serious wrongdoing is clearly identified, dismissed (which can then affect the willingness of those individuals to cooperate with the investigation). All of these issues should be assessed with an awareness of the company’s relevant employment obligations.
Reporting on the investigation
The investigations team should keep relevant internal stakeholders informed of the progress of the investigation. Once the investigation has concluded, they will also need to report its findings. A key issue that often arises in this context is identifying the relevant stakeholders who need to be informed, and at what stages. Generally, dissemination of information relating to the investigation should be on a ‘need to know’ basis. That is because doing otherwise may jeopardise a company’s ability to claim or retain privilege over those reports. Reporting should also take into account the subject matter of the investigation and the personnel potentially implicated. For example, if senior management is potentially involved, it will be necessary to devise reporting arrangements that avoid communication to those persons, and guard against their accessing any relevant documents or reports created.
Depending on the company in question, there may be some requirement or obligation to disclose aspects of the investigation to regulatory bodies or authorities. This is particularly so if the investigation intersects with an actual or anticipated regulatory investigation, and especially if the company wishes to self-report certain conduct in an effort to obtain immunity from, or leniency in respect of potential penalties. In some industries, licence conditions can also create positive reporting obligations where potential contraventions are identified (for example, in the financial services industry).
If the company is a publicly listed entity, disclosure of certain aspects of the investigation may be required to comply with the company’s continuous disclosure obligations under the Australian Securities Exchange Listing Rules. The company may also need to disclose certain circumstances to their insurer to obtain coverage in respect of future claims against the company.
The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) also imposes certain transaction and compliance reporting obligations on reporting entities, which can be triggered if certain circumstances are identified in the course of an internal investigation. Reporting entities must also take care not to ‘tip off’ persons in relation to these matters at any time, including during or following an investigation, as it is an offence to do so.
Where criminal conduct is suspected or identified, although there is usually no positive obligation to do so, the company may decide to engage with relevant law enforcement agencies, such as the police. Where aspects of an investigation may become public, the company may also wish to engage public relations personnel to assist in managing media coverage and potential reputational impact.
To the extent that criminal conduct is suspected or identified, companies may be incentivised in the near future to proactively self-report internal misconduct in return for reduced penalties, with draft legislation to introduce a deferred prosecution agreement (DPA) scheme in Australia set to be reintroduced to the newly formed Federal Parliament sometime after July 2019. The intention of the proposed DPA scheme is to encourage self-reporting of misconduct by corporations, to assist in addressing some challenges inherent in detecting and investigating serious corporate crime, and to offer corporations the opportunity to reduce the time, cost and uncertainty connected with drawn-out investigations and prosecutions.
If passed in its previous draft form (being the Crimes Legislation Amendment (Combatting Corporate Crime) Bill 2017 (Cth)), the Australian DPA scheme will allow the Commonwealth Director of Public Prosecutions (CDPP) to invite a company that is alleged to have engaged in serious corporate crime to negotiate an agreement to comply with a range of specified conditions. In considering whether to offer a DPA, the CDPP will take into account whether the company has self-reported the suspected misconduct and the extent to which the company has demonstrated a willingness to cooperate with the law enforcement agency. Conditions of the DPA will require a company to admit to agreed facts detailing their misconduct, pay a financial penalty to the government and disgorge profits and other benefits obtained through the misconduct. If the company fulfils its obligations under the DPA, it will not subsequently be prosecuted in relation to the offences identified in the DPA.
Mandatory data breach notification laws came into effect in February 2018 via amendments to the Privacy Act 1988 (Cth). They require the relevant entity to notify the Office of the Australian Information Commissioner and any affected individuals where there are reasonable grounds to believe a serious, eligible data breach has occurred. The Privacy Commissioner has encouraged relevant entities to begin undertaking audits and developing breach response plans in anticipation.
While it is one thing to identify who should be provided with information relating to the investigation, it is another to identify what should be reported. In some circumstances, it might be appropriate merely to identify that an investigation has been undertaken and has concluded. In other circumstances, it may be appropriate to identify the results of the investigation, or the recommendations or findings made in relation to certain matters.
At all stages, the company should also consider whether communications will be protected by privilege and, if so, how to best protect that privilege.
Privilege – a critical factor
Privilege is a key consideration throughout the course of an internal investigation. An internal investigation where relevant communications are protected by privilege can greatly assist an investigations team to obtain full and frank disclosure, and enable the company to thoroughly assess the situation with a fuller understanding of the facts than might otherwise occur.
There is a healthy respect for privilege in Australia, including in respect of documents created for the purpose of internal investigations. However, this does not mean any claim for privilege over such documents will be blindly accepted. Regulators and other litigants can and often do vigorously challenge privilege claims.
In Australia, legal professional privilege applies to communications that are prepared for the dominant purpose of the following:
- obtaining or providing legal advice; or
- obtaining or providing legal services (including representation) in actual or anticipated litigation.
The test of whether a communication was prepared for the dominant purpose of either of the above limbs requires consideration of the ruling, prevailing or most influential purpose of the communication. The starting point is generally to ask what is the intended use of the communication. Where a communication has mixed purposes, only one of which is a privileged purpose, it is unlikely to be protected by privilege. It is critical to consider the communications to be made and any documents created in the course of an internal investigation against that test.
Where legal advice is given by an in-house lawyer during the course of or in response to an internal investigation, legal professional privilege may still attach to that advice, provided the in-house lawyer was a qualified lawyer acting in the capacity of a lawyer, not in some other capacity (such as an executive giving an opinion on a commercial matter). Matters affecting the independence of a lawyer may inform the capacity in which the lawyer is acting, which in turn may inform the dominant purpose of the relevance communication, although independence of itself is no longer considered a standalone requirement in establishing privilege over communications with in-house lawyers. Given the continuing relevance of independence in-house lawyers should maintain their practising certificates, maintain secure files that are separate from the remainder of the organisation, and ensure their legal and non-legal work functions are separated as much as possible.
There have been a series of cases in the UK that considered whether documents produced and communications made by in-house lawyers in the course of undertaking internal investigations were not protected by privilege. In the UK, the English Court of Appeal in 1 EWCA Civ 2006, overturning a first instance decision to the contrary, found that criminal proceedings against ENRC were reasonably in contemplation when an internal investigation had begun, and that interview notes taken during that investigation were for the dominant purpose of use in connection with the anticipated criminal proceedings (therefore attracting litigation privilege). The Court in that case also commented on the position, flowing from 1 QB 1556, that not all officers and employees of the company should be treated as a client for the purpose of legal advice privilege (a position which in other cases had meant that certain transcripts and notes from interviews conducted by in-house lawyers gathered during internal investigations therefore were not considered to be lawyer–client communications and were not protected by legal advice privilege: see 1  EWHC 3161 (Ch), 1  EWCA Crim 176, and 1  EWHC 856 (Admin)). In ENRC, the Court of Appeal indicated that it considered the 1position incorrect, but that it was for the UK Supreme Court to address that matter.
Australian courts tend to take a broader approach as to who constitutes a client, however, they have taken differing approaches about whether lawyers’ notes of interviews of witnesses are protected by privilege, depending on the particular circumstances.
Issues also frequently arise as to whether privilege attaches to documents prepared by third parties. Third-party service providers, such as information technology consultants or forensic accountants (among others), may need to be involved in the investigation process, including to provide specific advice in relation to narrow or discrete issues. In Australia, privilege can attach to documents prepared by these third parties, provided the document was created for the dominant purpose of obtaining legal advice or for use in actual or anticipated litigation. When engaging third parties, the engagement letter should clearly specify the limited purpose for which those third parties are engaged, their obligations to maintain confidentiality, and confirm that disclosure of any privileged documents to them will not constitute a waiver to the world at large.
In Australia, whether ‘limited waiver’ arrangements are effective to allow disclosure of privileged information to a regulator, while maintaining privilege against third parties, was examined in 1 FCA 1391. There, the Federal Court of Australia considered whether legal advice disclosed to a German regulator in response to its requests for information from the company during the course of its investigations maintained privilege for the purpose of the Australian litigation. The Court held that privilege was maintained as against the applicants, because the document had been provided in circumstances of confidentiality such that any waiver of privilege was limited to the German regulator. That regulator had no authority to waive that privilege, except to the extent compelled by law, which had not been successfully forced upon the regulator. However, Australian courts are yet to authoritatively determine whether ‘limited waiver’ arrangements are effective to allow disclosure of privileged information to an Australian regulator, although at least one Australian regulator, ASIC, offers a pro forma agreement to facilitate disclosure of privileged information to it on a voluntary basis.
The UK decision 1  EWHC 1557 (Ch) potentially offers some further guidance. There, the Court considered whether communication with regulatory bodies in the course of an investigation was capable of attracting privilege. It held that disclosure by individuals and entities to regulators will not necessarily result in a waiver of privilege if it occurs confidentially and for the limited purpose of the ongoing investigation. Such communications and disclosures are capable of retaining privilege on the basis they are subject to a limited waiver in respect of the relevant regulatory body only. However, importantly, the privilege may be lost if the party claiming privilege later seeks to rely on the findings of the regulatory body with which it communicated.
There are also many other ways in which privilege can be waived. As confidentiality is an essential precondition to the existence and maintenance of the privilege, waiver will often occur where the actions of a party are plainly inconsistent with the maintenance of that confidentiality. This can include where the substance of legal advice is disclosed in company announcements, where legal advice is referred to in correspondence to support a position (including in correspondence with regulators), or when the effect of legal advice is disclosed and recorded in minutes of board meetings.
Where an investigation deals with cross-border subject matter, the company should take into account the fact that rules regarding privilege can vary between jurisdictions, so that communications protected by privilege in Australia may not receive the same treatment elsewhere.
Internal investigations are an important tool for identifying, minimising and remediating actual or alleged corporate wrongdoing. The way in which an internal investigation is conducted can also have significant benefits for preparing for and responding to any associated civil and criminal proceedings. Yet there is obviously no one-size-fits-all solution. The subject matter of each internal investigation, along with any regulatory involvement, will shape the many forensic decisions to be made during each investigation.
Having in place an appropriate regime for the effective conduct of internal investigations, taking into account the topics outlined in this article, is viewed positively by Australian courts and regulators as a sign of good corporate governance. Indeed, when used properly, the internal investigations process is not only a valuable part of a company’s arsenal to respond to allegations of wrongful conduct, but a deterrent to future wrongful conduct, thereby yielding an even greater benefit to the company in the medium to long term.