The terms ‘whistleblowing’ or ‘speak up’ typically refer to an individual raising a concern (often on behalf of a group of people) about something that they perceive as illegal, unethical or unprofessional. This covers actions such as regulatory breaches, non-adherence to processes and/or non-compliance with organisational policies, as well as wrongdoing to customers, stakeholders or members of staff, along with non-conformance to organisational values.
Whistleblowing is defined by the UK Government as ‘workers reporting certain types of wrongdoing that are in the public interest’. The allegation is often made, in the first instance, to a line manager, human resources or staff representative group but may also be made publicly to a regulator or the press or via social media. More commonly, an organisation’s non-executives are also being included in whistleblowing policies as a route to receive whistleblowing concerns; for example, the Chair of the Audit Committee (or equivalent committee).
In 2018 and 2019, the EU introduced directives to protect whistleblowers. These are at different levels of embedding across member states – see our blog post on the implications of the 2019 directive. In the UK, whistleblowers are protected by law (Public Interest Disclosure Act 1998 [PIDA]) and shouldn’t be treated unfairly because they report concerns. The Protected Disclosures Act 2014 protects whistleblowers in Ireland. If, however, concerns are reported directly to the media, then whistleblowers can lose many of their legal rights. Under the Public Interest Disclosure Act 1998, whistleblowing is an employee raising a concern about an alleged wrongdoing including corrupt, illegal or unethical behaviours in a public or private sector organisation.
To be covered by whistleblowing law, an employee blowing the whistle must reasonably believe two things:
While PIDA grants protection to employees and some ‘workers’ e.g. agency staff and contractors (as specified in the PIDA 1998 Part IVA Protected Disclosures, Section 43K), there are gaps meaning that some do not qualify for protection, including job applicants, volunteers, interns and independent non-executive directors. It has been criticised for no longer being fit for purpose as it is too complicated and does not protect all citizens.
The ability of a person to blow the whistle is fundamental, as is the need for the organisation to have appropriate investigation protocols in place and to ensure that there is adequate management reporting to relevant governance groups, such as the board, audit committee and others.
Internal audit should play an important role in regularly reviewing the whistleblowing arrangements in place (unless internal audit is involved in the procedures for whistleblowing, in which case a separate, independent mechanism should be in place to provide assurance on the effectiveness of the whistleblowing procedures).
The scope of an internal audit review of Whistleblowing arrangements should include:
Whistleblowing policy and procedures
The design of the whistleblowing policy and process, including:
Governance, monitoring and reporting arrangements
Awareness
Mechanisms for reporting
Investigation of reported concerns
Continuous improvement
Confidentiality
The UK government provides guidance and a code of practice on whistleblowing for all employers. There are additional considerations for specific sectors:
Public sector
In 2017 the government introduced a nationwide pilot Whistleblowers Support Scheme offering a range of services for NHS staff who have suffered detriment as a result of raising concerns. A key recommendation from the Stafford Hospital inquiry (involving concerns over poor care and high mortality rates amongst patients) stated that whistleblowers needed to be protected. One of the main findings was that people had known about poor levels of care but did not speak up. The Care Quality Commission as regulator provides guidance on whistleblowing to providers and to those raising a concern.
Financial Services
The Financial Conduct Authority (FCA) places responsibility on the firms it regulates to implement effective whistleblowing arrangements, including written procedures, protections of employees, escalations of disclosures, training, annual reporting on effectiveness of controls, and nominating a whistleblowers’ champion. More detail is available within the FCA handbook.
Private sector
While there is no legal requirement for those organisations not regulated by the Financial Reporting Council (FRC) to have a whistleblowing/speak up policy, having one demonstrates a commitment by the organisation to listen to concerns raised by customers, stakeholders and employees. The UK Corporate Governance Code July 2018 (Board Leadership and Company Purpose, Provision 6) requires a 'means for the workforce to raise concerns in confidence and – if they wish – anonymously. The board should routinely review this and the reports arising from its operation. It should ensure that arrangements are in place for the proportionate and independent investigation of such matters and for follow-up action.' Employees may raise whistleblowing concerns with the FRC, but disclosures will only be protected in certain circumstances.
Third sector
The Charity Commission, as the statutory regulator of charities, states that charity workers and volunteers can report incidents that have happened, are happening or are likely to happen that could cause serious harm to a charity’s beneficiaries, its staff and volunteers, the services it provides, its assets and reputation. In 2019, the Charity Commission updated its guidance in relation to whistleblowing for the sector and commenced a trial of a confidential advice line, specifically for charity whistleblowers, in response to what it observed as a systematic underreporting of incidents throughout the sector.
The organisation ‘Public Concern at Work’, which assisted in the creation of the PIDA, has been renamed ‘Protect’ and is also a registered charity (Protect - Speak up stop harm, protect-advice.org.uk).
Having a whistleblowing policy in place (and an accompanying procedure to robustly investigate) is fundamental to any organisation. The policy should be clear, well understood, easily accessible, regularly refreshed and championed and, importantly, communicated to all levels within an organisation.
UK Government - Whistleblowing for employees
Employment Rights Act 1996 (as amended by the Public Interest Disclosure Act 1998)
NHS - Report on the Freedom to Speak Up review
Department for Business Innovation and Services - Whistleblowing - Guidance for Employers and Code of Practice
NVCO/Knowhow - Whistleblowing
Protect (formerly Public Concern at Work)
Chartered IIA - Whistleblowing in the US and the EU blog
Financial Conduct Authority & Prudential Regulation Authority - press release re Chief Executive of Barclays Group
Safecall - Case studies
Information Commissioner's Office - 'Speak up' the ICO's whistleblowing policy and procedure
Public Interest Disclosure Act 1998
Protected Disclosures Act 2014 - Protection for Whistleblowers