Carepage

Menu
Book a demo

Aged Care Whistleblowing Requirements in 2026: What Every Provider Needs to Know

Whistleblowing
whistleblowing aged care management

Whistleblowing in aged care is no longer a nice-to-have governance practice. From 1 November 2025, every registered aged care provider in Australia is legally required to operate a mandatory whistleblower system under the Aged Care Act 2024. Having a policy document on file is not enough. The new obligations go substantially further than what most providers had in place under the old Act.

This matters for residential aged care, home care, and retirement living providers alike. The requirements apply across all registration categories. And unlike the previous regime — which was largely limited to SIRS-related disclosures — the new framework is broad, rights-based, and actively enforced. Here is what the law now requires, what it means in practice, and what providers need to have in place.

Why the framework changed

The Royal Commission into Aged Care Quality and Safety was direct about the inadequacy of whistleblower protections under the old Aged Care Act 1997. The protections that existed were narrow, applying only to a limited category of people in limited circumstances. Staff who witnessed abuse or poor care had little formal protection if they spoke up. Residents and families had even less.

The Aged Care Act 2024 changed this fundamentally. The new framework is rights-based — built around the premise that older people, their families, workers, and advocates should all be able to raise concerns about suspected breaches of aged care law without fear of punishment, unfair treatment, or having their identity exposed. This is not a compliance tweak. It is a structural change to how accountability works in the sector.

Who can make a disclosure

Under the new Act, almost anyone can make a protected whistleblower disclosure. This includes older people receiving aged care services, their family members, carers, and representatives, aged care workers at any level including volunteers and subcontractors, responsible persons and board members, and advocates.

The disclosure must relate to a reasonable suspicion that an organisation or individual has contravened a provision of the Aged Care Act. The discloser does not need to be certain — reasonable grounds to suspect is the threshold.

One significant practical implication: disclosures can be made to any aged care worker. Under the previous regime, disclosures needed to go through specific channels. Now, a resident telling a personal care worker about something they witnessed is potentially a qualifying disclosure that triggers the provider’s whistleblower obligations. Every worker in the organisation is effectively a potential point of receipt.

This means training is not optional. Every worker needs to know what a qualifying disclosure looks like, what to do when one is made to them, and how the escalation pathway works.

What the law requires providers to have

Sections 165-40 to 165-60 of the Aged Care Rules set out the specific obligations. Together they require providers to operate an integrated whistleblower system — not just a policy document, but a functioning end-to-end process.

The key requirements are as follows.

A written whistleblower policy is mandatory. It must clearly explain the protections available to whistleblowers, describe who qualifies as an eligible recipient, explain how disclosures are handled, and be published in an accessible format and provided to all workers, responsible persons, and anyone who requests a copy. Where necessary, the policy must be translated into other languages.

Training is compulsory for all workers and responsible persons. The training must cover how to recognise a qualifying disclosure, how to handle personal information and data involved in a disclosure, how the escalation pathway works, and the penalties for breaching confidentiality. This is not a one-off exercise — it needs to be embedded in induction and refreshed regularly.

Ongoing communication is a specific requirement. Providers must communicate to workers and responsible persons, at a minimum monthly, that qualifying disclosures are encouraged and supported. This is a deliberate requirement to maintain a culture of openness rather than letting the policy sit in a folder. The system must be reviewed at least annually to ensure it remains effective and compliant with evolving legal requirements.

Confidentiality of the discloser’s identity is legally protected. Providers are prohibited from disclosing information that identifies or could identify a whistleblower except in limited circumstances — for example, where necessary to prevent a serious threat to a person, or with the discloser’s consent. Fines apply for breaches.

The dual pathway: whistleblower or complaints stream

One of the more practical complexities in the new framework is the dual pathway. When someone raises a concern, they — or the provider — must determine whether it should be handled under the whistleblower stream or the complaints and feedback stream.

The whistleblower stream prioritises anonymity and statutory protections. The complaints stream allows for more open disclosure and direct involvement of the affected parties in resolution. Both pathways are valid, and in some cases the same matter could qualify for either.

As King & Wood Mallesons notes, providers need a clear triage process that determines — in consultation with the discloser where possible — which stream a matter should proceed through. A decision tree and flowchart built into the policy is the practical way to manage this. Without it, disclosures can fall between the cracks, staff can inadvertently misroute concerns, and the provider is exposed to compliance risk.

Documenting the rationale for the chosen pathway is essential. If the Commission ever reviews how a disclosure was handled, the reasoning for the stream decision needs to be on record.

The overlap with the Corporations Act

For providers structured as large proprietary companies, public companies, or public companies limited by guarantee — which covers many of the larger aged care organisations — the whistleblower obligations under the Aged Care Act operate alongside, not instead of, the whistleblower regime under the Corporations Act 2001.

This creates a situation where some disclosures may trigger obligations under both frameworks simultaneously. The two regimes have different requirements in some respects, and the risk of inadvertent non-compliance with one while managing the other is real.

MinterEllison’s guidance on this is clear: providers covered by both regimes need to ensure their policies and processes accommodate both frameworks and clearly note the existence of both regimes for potential disclosers. This may mean maintaining separate but cross-referenced policies for each, or a single integrated policy that addresses both in distinct sections.

What a compliant policy must include

Section 165-55 of the Aged Care Rules sets a specific bar for policy content. A compliant policy must explain the effect of the whistleblower protections in Part 5 of Chapter 7 of the Act, describe who qualifies as an eligible recipient for disclosures, explain how disclosures are handled and investigated, describe the protections available to whistleblowers including confidentiality and anti-victimisation, explain how the provider prevents and addresses victimisation, and provide information about how someone can make a disclosure to the Aged Care Quality and Safety Commission.

Providers should also note that maintaining a whistleblower policy is a condition of registration. The Commission may request a copy of the policy on registration or renewal. A policy that does not meet the requirements in section 165-55 is a registration compliance issue, not just an internal governance gap.

What “victimisation” means and why it matters

The Act explicitly prohibits victimising or discriminating against anyone who makes a complaint, provides feedback, or makes a whistleblower disclosure. Victimisation includes actions such as harassment, unfair treatment, demotion, threats, and any form of reprisal.

This protection covers workers, residents, family members, and anyone else who exercises their rights under the new framework. Breaches are treated seriously — the Act creates both civil and criminal liability for victimisation of a whistleblower.

For providers, this means the commitment to a speak-up culture cannot be rhetorical. The same manager who receives a disclosure and then treats the discloser differently has potentially exposed the organisation to legal action. Building genuine psychological safety around disclosure is now a legal obligation, not just good practice.

How this connects to the strengthened Quality Standards

The whistleblower framework does not sit in isolation. It connects directly to Standard 7 of the strengthened Aged Care Quality Standards — feedback and complaints management — which requires providers to actively create an environment where older people and their families feel safe and supported to raise concerns.

A provider that has a technically compliant whistleblower policy but no genuine speak-up culture is likely to struggle with Standard 7 as well. The Commission is looking at both the system and the evidence that the system is working — disclosure volumes, how matters were handled, outcomes, and whether the environment supports people to come forward.

Feedback tools, complaints management systems, and safe disclosure platforms are all part of the evidence picture. Providers who can demonstrate an integrated approach — where complaints, feedback, and disclosures are captured, tracked, and acted on systematically — are in a much stronger position than those managing each of these streams in isolation.

The practical checklist for providers

Based on the requirements in the Aged Care Rules, every registered provider should be able to answer yes to each of the following.

  • Do you have a written whistleblower policy that meets the requirements of section 165-55 of the Rules?
  • Have you provided that policy to all workers, responsible persons, and people in your care?
  • Do you have a system in place that ensures anynymised handling of the requests?
  • Have all workers and responsible persons completed training on recognising and handling qualifying disclosures?
  • Are you communicating at least monthly that disclosures are encouraged and supported?
  • Do you have a triage process that determines whether a matter should proceed through the whistleblower stream or the complaints stream?
  • Is that process documented?
  • Do you have a system for protecting the confidentiality of disclosers’ identities?
  • Are you reviewing the system at least annually?
  • Do you have automation in place to ensure that your organisation can handle the process?
  • If you are covered by the Corporations Act, have you ensured your policies address both frameworks?

If the answer to any of these is no or uncertain, that is where to start.

How Carepage supports safe disclosure

Carepage’s Safe Voice module is built for exactly this environment — a purpose-built safe disclosure tool that gives workers, residents, and families a confidential channel to raise concerns, with a case management workflow that supports the triage, escalation, and documentation requirements the new Act demands.

For providers who need to demonstrate to the Commission that their whistleblower system is functioning — not just documented — having a technology platform that captures disclosures, routes them correctly, and maintains an audit trail of how each was handled is a meaningful part of that evidence.

Book a demo to see how Carepage’s Safe Voice module supports the aged care whistleblower requirements.

Related articles for you

customer experience Retirement living

Transforming retirement living through customer experience

Happy Life Index Quality of Life resident happiness

Quality of Life tool for elder care finds link with Maslow’s Hierarchy of Needs

complaints complaints module

ARI – the smarter way to deliver lifestyle and wellbeing in aged care

Scroll to Top