How (not) to handle disclosures by whistleblowers

Although the UK’s whistleblowing regime has been around for nearly 25 years, employers still frequently get into trouble when handling disclosures by employees. 

For example, both private and public sector organisations have, in recent years, been criticised for trying to “unmask” whistleblowers and in some cases this has led to fines by regulators for both the organisation and individuals in senior management. 

There are therefore clear risks for organisations in failing to handle appropriately disclosures that are protected under the whistleblowing regime.


Unfortunately, as HR professionals are aware, claiming protection under the whistleblowing regime is a fairly common tactic for employees facing adverse action or dismissal, given the uncapped compensation such claims attract if successful. 

This is particularly true for employees with less than two years’ continuous service who would not otherwise have any employment protections except discrimination. This combination of a high volume of whistleblowing claims and inappropriate handling makes for a perfect storm which organisations need to navigate carefully to avoid what can be very expensive, not to mention time-consuming, consequences.

For those larger private sector organisations with operations in the European Union (EU) as well as the UK, the position will get even more complicated as a result of the Whistleblowing Directive (2019/1937/EU). 

The Directive introduces common minimum standards to protect individuals from retaliation for reporting breaches of laws in specific policy areas, where the breach may cause serious harm to the public interest or where there is an identified need to strengthen enforcement. 

EU Member States may “gold plate” these standards, which could result in significant divergence between Member States’ whistleblowing regimes and challenges for organisations that wish to apply a consistent EU/UK standard of protection. Also, the protections under the Directive do not correspond with those under the current UK regime, another potential headache for organisations. 

The Directive is wider in scope than the UK legislation in some cases. For example, it protects individuals who acquire information on breaches in a work-related context, not just employees and workers, with the result that organisations will need to manage relationships with contractors, supply chains and shareholders (amongst others) through the lens of potential whistleblower protection.

In other cases though, it is narrower. Failures in the prescribed policy areas are not as wide in scope as failures relating to any legal obligation under the UK regime, for example. There is also no explicit requirement under the Directive for the whistleblower to believe that their disclosure is made in the public interest, unlike in the UK. 

The Directive also sets out the arrangements that organisations must put in place to facilitate and handle whistleblowing. For example, after making their report, a whistleblower must be given confirmation of receipt within seven days and, within three months, told of any follow-up action. These requirements may raise concerns about revealing confidential information or personal data of other individuals.

EU Member States must implement the Directive by 17 December 2021. However, most Member States are still in the process of passing national legislation and some have not yet begun to do so. 

For HR professionals, this means a watching brief to see how individual Member States implement the Directive and what changes, if any, this will require to their whistleblowing regime in the EU. However, as a result of Brexit, there is no requirement for the UK to implement the Directive, which HR may feel is at least one silver lining from Brexit.


Ann Bevitt is partner at Cooley