Whistleblowing Policy: UK Employer Guide to Protected Disclosures

Whistleblowing law gives workers legal protection when they report wrongdoing in the workplace. The Public Interest Disclosure Act 1998 (PIDA), which inserted provisions into the Employment Rights Act 1996, protects workers from being dismissed or subjected to any detriment because they have made a qualifying disclosure. For UK employers, understanding this legislation is not optional — getting it wrong can result in uncapped compensation awards, reputational damage, and regulatory consequences.

This guide explains what whistleblowing means in law, how to create a compliant whistleblowing policy, and how to handle disclosures when they arise.

What is a protected disclosure

A protected disclosure is a qualifying disclosure made by a worker to the right person, in the right way. To qualify, the disclosure must relate to information that, in the reasonable belief of the worker, is in the public interest and tends to show one or more of the following types of wrongdoing.

The six categories of qualifying disclosure

1. A criminal offence has been committed, is being committed, or is likely to be committed
2. A person has failed, is failing, or is likely to fail to comply with a legal obligation
3. A miscarriage of justice has occurred, is occurring, or is likely to occur
4. The health or safety of any individual has been, is being, or is likely to be endangered
5. The environment has been, is being, or is likely to be damaged
6. Information tending to show any of the above has been, is being, or is likely to be deliberately concealed

The public interest test

Since the Enterprise and Regulatory Reform Act 2013, the disclosure must also be made in the public interest. This was introduced to prevent workers from using whistleblowing legislation for purely personal grievances, such as complaints about their own contract of employment. However, the courts have interpreted "public interest" broadly — a disclosure affecting a group of workers (not just the individual) can satisfy the test.

Who is protected

PIDA protection extends beyond employees. It covers employees, agency workers, contractors and their staff, trainees, NHS practitioners, police officers, and job applicants (in relation to disclosures made during the recruitment process).

The protection is available from day one of employment — there is no qualifying service period, unlike unfair dismissal.

How disclosures should be made

PIDA sets out a hierarchy of recipients for disclosures, with different conditions for protection at each level.

Disclosure to the employer

The most straightforward route — and the one your policy should encourage — is disclosure to the employer. A disclosure to the employer is protected as long as it is a qualifying disclosure (relates to one of the six categories and is made in the public interest). There are no additional conditions.

Disclosure to a prescribed person

Workers can also make disclosures to prescribed persons — regulators and bodies designated by the government. These include HMRC for tax fraud, the Health and Safety Executive for health and safety matters, the Information Commissioner for data protection breaches, the Financial Conduct Authority for financial services misconduct, the Environment Agency for environmental damage, and the Care Quality Commission for health and social care concerns.

To be protected, the worker must reasonably believe the information is substantially true and that it falls within the prescribed person's remit.

Wider disclosure

Disclosures to the media, MPs, or the public are protected only if additional conditions are met: the worker must reasonably believe the information is substantially true, must not be acting for personal gain, and must have already raised the matter with the employer or a prescribed person (unless they reasonably believe they would be subjected to detriment for doing so, or that evidence would be destroyed).

Creating a whistleblowing policy

Every UK employer should have a written whistleblowing policy. While there is no statutory requirement for most private sector employers to have one (listed companies must under the UK Corporate Governance Code), it is strongly recommended by ACAS and by regulators in many sectors.

Essential elements of the policy

Your whistleblowing policy should include a clear statement that the organisation takes wrongdoing seriously and encourages workers to report concerns, a definition of what whistleblowing is (and what it is not — it is not a route for personal grievances), who workers should report to (named individuals or roles, with alternatives if the concern involves their line manager), how disclosures will be investigated, the protections available to whistleblowers (no dismissal, no detriment, confidentiality as far as possible), how the organisation will respond and communicate outcomes, and the right to raise concerns with external bodies if the worker is not satisfied with the internal response.

What your policy should not do

Do not include any requirement for the worker to prove their concern before reporting it. Do not include a clause requiring confidentiality that could be read as discouraging external disclosures. Do not include any penalty for raising concerns in good faith that turn out to be unfounded. And do not include a requirement to raise concerns internally before going to a regulator — workers have the legal right to go directly to a prescribed person.

Handling a whistleblowing disclosure

When a worker makes a disclosure, your response must be prompt, fair, and thorough.

Step 1: Acknowledge and record

Acknowledge the disclosure as soon as possible. Record the date, the identity of the worker (if known — anonymous disclosures should also be investigated), the nature of the concern, and any evidence provided. Confirm to the worker that the matter will be investigated and explain the expected process and timeframe.

Step 2: Assess the disclosure

Determine whether the disclosure falls within the scope of PIDA. Not every workplace complaint is a whistleblowing disclosure — personal grievances about terms and conditions are not. However, err on the side of caution: if the concern could relate to wrongdoing affecting others, treat it as a potential protected disclosure.

Step 3: Investigate

Appoint an appropriate investigator — someone independent of the matter being investigated and sufficiently senior to access the information and people needed. The investigation should be proportionate to the nature of the concern. Keep the whistleblower informed of progress (without compromising the investigation), and consider involving external specialists for complex or sensitive matters.

Step 4: Outcome and action

Communicate the outcome to the whistleblower to the extent that confidentiality and legal constraints allow. If wrongdoing is confirmed, take appropriate remedial action. If the matter falls within a regulator's remit, consider whether a regulatory notification is required.

Step 5: Monitor for detriment

After the disclosure, actively monitor for any detriment against the whistleblower. This includes dismissal, demotion, denial of promotion or training, bullying or ostracism by colleagues, and any other disadvantageous treatment. Managers must understand that any retaliation against a whistleblower is unlawful and will be treated as a serious disciplinary matter.

Common mistakes employers make

The most frequent errors that lead to successful tribunal claims include treating the disclosure as a grievance rather than a whistleblowing matter, investigating the whistleblower instead of the concern they raised, failing to protect the whistleblower's identity where they requested confidentiality, subjecting the whistleblower to detriment (even subtle detriment such as exclusion from meetings or opportunities), dismissing the concern without adequate investigation, and not having a policy in place at all.

The relationship between whistleblowing and other procedures

Whistleblowing is distinct from a grievance. A grievance is a personal complaint about the worker's own employment. A whistleblowing disclosure concerns wrongdoing that affects others or the public interest. Sometimes the two overlap — for example, a worker who reports that their manager is fiddling expenses is blowing the whistle on criminal conduct, even if the motivation is partly personal.

If in doubt, treat the matter under both procedures simultaneously. Apply whistleblowing protections and investigate the substance of the concern through the appropriate channel.

Whistleblowing disclosures about health and safety matters may also trigger duties under health and safety legislation. Disclosures about data breaches engage UK GDPR obligations. Ensure your investigation addresses all relevant legal frameworks.

Frequently asked questions

Next steps

Key takeaways

Whistleblowing law gives workers robust protection when they report wrongdoing in the public interest. Employers need a clear policy, multiple reporting channels, a fair investigation process, and active protection against retaliation. The legal consequences of getting this wrong — uncapped compensation, regulatory scrutiny, and reputational damage — far outweigh the cost of getting it right. Treat every disclosure seriously, investigate thoroughly, and never penalise a worker for raising a genuine concern.