Whistleblower protection and reporting channels in the United Kingdom

1. Is there a law on whistleblowing in your country?

Yes. In the UK the Public Interest Disclosure Act 1998 (“PIDA”) protects workers who “blow the whistle” in certain situations. Where a worker attracts protection under this law, they have the right not to be subjected to detriment or be dismissed for having disclosed wrongdoing in the workplace (see Q.6 below). This law came into force in 1999.

In order for a complaint to be protected in law (this is known as a ‘protected disclosure’), it must involve a qualifying disclosure covering one of six relevant failures in PIDA (e.g. a breach of a legal obligation, damage to the environment, breach of health and safety) and the worker must have a reasonable belief that the information shows wrongdoing and that the disclosure is in the public interest. A worker must also make the disclosure to a ‘prescribed person’ set out in PIDA (see Q.5 below).

In addition to this statutory protection, the common law recognises that even where express and implied duties of confidence are imposed on an individual, these can be overridden where a disclosure is in the public interest or for ‘just cause’.  However, this is a relatively high threshold.

We have seen a renewed focus on the strength of statutory protection afforded by PIDA in the context of Non-Disclosure Agreements, which came to light after the #MeToo movement. In 2018 the UK legal regulator, the Solicitors Regulation Authority, issued a warning notice to lawyers explaining that Non-Disclosure Agreements should explicitly confirm that any obligation of confidentiality does not prevent a person making a protected disclosure to the police or a regulator.  The UK Government has also indicated that it intends to introduce legislation on this issue.

We may see other changes to the whistleblowing regime in the UK following an announcement by the UK Government in March 2023 of a review into its effectiveness. The aim of the review is to gather evidence to inform policy choices on developing and improving the UK whistleblowing regime. The research stage of the review is expected to conclude by Autumn 2023.

2. Does local law require private entities to establish a whistleblowing system? (If so, which private entities?)

Under PIDA there is no legal requirement for employers to introduce whistleblowing procedures.  Different rules apply where an organisation is a UK listed company or operates in the financial services sector (see exceptions below).

However, the UK Government's Guidance for Employers and Code of Practice recommends that employers introduce an internal whistleblowing policy. The non-statutory Code of Practice developed by the Whistleblowing Commission, which was established by the UK whistleblowing charity Protect, also contains guidance on written procedures.

In practice the majority of UK employers do have a whistleblowing policy which encourages employees to report concerns internally and may also signpost whether workers can report their concerns in other ways such as by submitting online reports, using a mobile app or by using an anonymous third party hotline.  

Exceptions where obligations apply:

Certain financial services firms in the UK including large banks, insurers and building societies who are regulated by the Prudential Regulation Authority (PRA) and/or the Financial Conduct Authority (FCA) are required to have a written whistleblowing policy. Parts of the rules also apply to the UK branches of overseas firms. Non-binding guidance applies to all other regulated financial services firms. Advice should be obtained to determine whether a firm operating in the UK is in scope and the extent of the obligations that apply. 

Premium listed companies must apply the UK Corporate Governance Code on a ‘comply or explain’ basis in the UK. The Code states that the Board must introduce the appropriate internal controls, which includes the ability of staff to raise concerns about wrongdoing in confidence and that there should be a means by which workers can do so. Essentially this means that there should be a whistleblowing policy and a process for raising concerns.

There are no direct legal risks for employers failing to have a whistleblowing policy. However, it is seen as best practice to have such a policy and there are a number of benefits in having one. For example, a policy may assist in clarifying the position where there are whistleblowing issues, help to deal with the worker’s concerns and reduce the risk of information being disclosed outside of the business. In addition, it can also be useful for making clear that victimising or bullying of co-workers who are whistleblowers is unacceptable and detailing what steps a worker should take if they feel they are being bullied or harassed. The policy should also assist an employer in establishing that it took reasonable steps to prevent such treatment occurring.

Where an organisation falls into one of the exceptions listed at Q.2 above, there could be regulatory consequences for failure to establish appropriate whistleblowing systems.

4. Are there any mandatory requirements for establishing a reporting channel under local labour law?

Only in-scope financial services firms are subject to mandatory rules. (See response to Q.2 above.)

Financial services firms that are in-scope should have a whistleblowing policy which contains a whistleblowing channel where workers (and others) can complain about wrongdoing. This is wider in scope than PIDA and more prescriptive in a number of ways.  For example, it is not necessary for a worker to report the concerns directly to the employer and they can report directly to the regulator. The employer must appoint a whistleblowing champion with responsibility for overseeing the process. Firms must also carry out training and submit an annual report on whistleblowing to the firm’s governing body.

5. Does local law require employee involvement when establishing a whistleblowing system?

No. The Whistleblowing Commission’s non-statutory Code of Practice recommends employee involvement as a matter of good practice, but this does not amount to a legal obligation.

6. Does local law prohibit employees from disclosing irregularities/misconduct externally, e.g. to the public?

In the UK there are restrictions (though not a prohibition) on external reporting where the disclosure is to attract protection under PIDA. A report to the media will be protected in law only in exceptional situations. There are broadly three categories of recipient to whom disclosures can be made and be protected from detriment/dismissal under PIDA, listed below. The worker can disclose to:

  1. the worker’s employer or authorised third party (e.g. a hotline); or to another person who the worker reasonably believes has legal responsibility for the matter to which the whistleblowing is related;
  2. a prescribed body, such as a professional body or a regulator (for example HM Revenue and Customs, the Financial Conduct Authority and the Health and Safety Executive). The correct body will depend on the subject matter of the disclosure. A higher standard is required before the worker can report externally in this category. In these cases a worker will only be protected if the worker reasonably believes that the information disclosed and any allegation contained in it are substantially true; and
  3. anyone not on the list, for example the media or the police. If a worker wants to report to an organisation in this category and obtain protection under PIDA, then there are strict conditions and it will only be in exceptional circumstances that the disclosure will be protected.

As noted under Q.1, individuals may be subject to express or implied duties of confidentiality which prohibit disclosure of irregularities/misconduct externally. However, as noted above, these are subject to a ‘public interest’ or ‘just cause’ exception, which may mean that individuals’ liability for breach of those obligations can be avoided. As also noted, there is an increasing public policy trend towards prohibition of Non-Disclosure Agreements that prevent reporting to the police or a regulator.

Under PIDA, the worker is protected from dismissal or other detrimental treatment as a result of making a disclosure.

Detrimental treatment includes actions such as demotion, suspension, refusal of promotion, or any disciplinary sanction, and is a very wide category.

If an employee is dismissed, the dismissal will be ‘automatically unfair’ if the reason (or principal reason) for dismissal is the making of a protected disclosure. Employees do not require a qualifying period of service in order to bring a claim for unfair dismissal in these circumstances and there is no cap on the amount of compensation which can be awarded.

Workers who are not employees do not have the right to bring an unfair dismissal claim, but a worker whose contract is terminated can claim that they have been subjected to detriment.

8. Are there any mandatory requirements and/or accompanying measures under local data protection law?

A whistleblowing complaint and subsequent investigation will involve the processing of personal data of the whistleblower and possibly other individuals named in the disclosure. Therefore all processing must be carried out in accordance with the UK GDPR (and, where applicable to the organisation, EU GDPR) and the Data Protection Act 2018.  This includes any arrangements with third parties such as external hotline providers.

There are no mandatory requirements in the UK around data protection law and whistleblowing of the kind that apply to US companies subject to the Sarbanes-Oxley Act 2002.

9. Does local law prohibit a group of entities from different jurisdictions from setting up a joint whistleblowing system?

No, it does not. As a result of Brexit, the UK was not required to implement the EU Whistleblowing Directive and the current Government has indicated that it does not intend to do so. Therefore differences in approach will emerge between the UK and EU countries (subject to the outcome of the UK Government’s review of the existing whistleblowing regime). Companies operating across the EU and UK may want to ‘level up’ their UK policy to meet the requirements of the EU Directive. Advice should be taken before doing so in order to ensure that the policy complies with the existing UK regime.

Hannah Netherton
Partner
London
Steven Cochrane
Partner
London