When an individual blows the whistle on suspected malpractice or wrongdoing in the workplace, this can lead to an internal investigation. A huge range of issues can be raised by whistle-blowers, and how the whistle-blower’s own rights are dealt with is a crucial consideration when scoping an investigation. Following on from World Whistle-blowers’ Day on 23 June, Emmanuelle Ries and Caroline Day provide a whistle stop tour of the key features of whistleblowing protection in the UK and in Europe.

The UK was a pioneer in implementing whistleblowing legislation 25 years ago (through the Public Interest Disclosure Act 1998 ("PIDA"), as incorporated into the Employment Rights Act 1996). When the EU was looking into drafting a Whistleblowing Directive, the UK was one of the countries which the EU Commission deemed to have comprehensive whistle-blower protection already in place.

The EU Whistleblowing Directive was adopted on 23 October 2019 and came into effect on 16 December 2019 (Directive (EU) 2019/1937). As the UK had left the EU before the Whistleblowing Directive’s implementation it does not need to implement it. However, the Directive remains relevant in the UK, particularly for financial services firms and organisations which operate across Europe, and may come to be regarded as best practice. It will also impact global companies with a UK presence which seek to establish a consistent approach to whistleblowing across their global organisation.

The European Commission, in February 2023 referred eight Member States, Czechia, Germany, Estonia, Spain, Italy, Luxembourg, Hungary and Poland to the Court of Justice for failure to transpose the Directive, demonstrating its determination to ensure there is adequate whistleblowing protection across the EU.

Key aspects

The UK’s PIDA does not cover everything contained in the Directive. A comparison of some of the key features of whistleblowing protection in the UK and the EU are set out below:

  • Who is protected as a whistle-blower? The Directive has a wider scope than the UK regime in that it protects self-employed people, shareholders and board members (including non-executives), as well as "facilitators" (individuals connected to the whistle-blower in a work-context, such as colleagues and relatives, and legal entities associated with the whistle-blower). The UK regime applies to those falling within the extended definition of “worker” (including LLP members). That does not include job applicants (except those applying to the NHS), volunteers/interns, non-executive directors and those who are self-employed.
  • What constitutes a relevant disclosure? Under the Directive, protection relates to breaches of EU law that fall within specified sectors (including public procurement, financial services, protection of privacy and data (amongst others)). UK protection focuses on categories of wrongdoing (including criminal offences, breach of a legal obligation etc) and is not limited to sectors.
  • Subjective or objective test for protected disclosure? With regard to whether a disclosure is protected, the EU and UK regimes are similar but whereas in the UK, the focus is on the subjective belief of the whistle-blower, the Directive focuses on whether the person had "reasonable grounds" to believe that there were grounds for a whistleblowing disclosure (i.e. there is also an objective element). In the UK, there is an additional element that the disclosure must be, in the reasonable belief of the whistle-blower, in the public interest.
  • Reporting channels: Under the Directive, organisations with 50 or more employees in the private sector irrespective of the nature of their activities will be required to establish internal reporting channels. (The minimum threshold does not apply to regulated entities in the financial services sector or those vulnerable to money laundering or terrorist financing, which are required to have reporting channels regardless of their size.) There is no equivalent requirement in the UK (and no legal requirement for a whistleblowing policy), except for specific requirements applying to regulated firms in the financial sector. This point is explored in further detail below. The Directive regime is similar to the UK in that reporting through internal channels is encouraged in the first instance, with escalation to external channels (“prescribed persons”) in certain circumstances.
  • Confidentiality obligations: The Directive states that the identity of the whistle-blower must not be disclosed without explicit consent to anyone beyond those dealing with the report, unless this is necessary and proportionate in the context of the investigation. This is similar to the position in the UK which has emerged through case law, although it is not specifically set out in legislation (i.e. the law does not expressly protect the identity of whistle-blowers). In internal investigations, confidentiality is also of course always a key consideration.
  • Record keeping: The Directive prescribes obligations to keep records of reports. There is no explicit requirement to keep records of reports in the UK, but in practice these are likely retained by employers within HR records (retained in line with data protection guidelines).
  • Timeframes: The Directive prescribes a specified timeline that organisations must follow, including acknowledging receipt of the report within seven days and providing feedback to the whistle-blower within a reasonable time frame not exceeding three months from acknowledgement of receipt of the report. There is no equivalent timeframe to respond in the UK and no legal requirement to give feedback regarding action envisaged or taken.
  • External oversight: Member States must also designate a competent national authority to establish user-friendly external reporting channels. This body will be responsible for ensuring the public has accessible information on the whistle-blower protections. There is currently no national authority in the UK with such a remit (although the charity Protect (formerly Public Concern at Work) provides support and advice to whistle-blowers and organisations, and set up an expert independent commission to review the effectiveness of whistleblowing arrangements and make recommendations for change).
  • Retaliation: Member States must take measures to ensure that whistle-blowers are protected against retaliation. This protection is already incorporated into UK whistleblowing law under PIDA. Under the Directive, in any associated litigation, the burden of proof shifts to the person who has taken the detrimental measure to show it was taken on justified grounds.

Modernising whistleblowing protection in the UK

There have been calls for reform in the UK for a number of years, not least from Protect, the UK whistleblowing charity.

In recognition of the fact that the UK regime requires modernisation, a few private member’s bills have been making their way through Parliament in recent years, but progress has been slow. These include the Public Interest Disclosure (Protection) Bill (which seeks to create a new independent Whistleblowing Commission to set, monitor and enforce standards) and the Office of the Whistleblower Bill 2019/2021 (which seeks to establish an independent Office of the Whistleblower).

On 27 March 2023, the UK government launched a review of the current whistleblowing framework which is expected to conclude in autumn 2023. The review seeks evidence on the effectiveness of the current regime in meeting its original objectives its outcomes are intended to inform government policies on the development and improvement of the existing whistleblowing laws. The review will also examine evidence on the definition of “worker” for whistleblowing purposes. It will be interesting to see the outcome of that review and whether it results in an escalation (or replacement with rapid passing) of the private members’ bills currently in the pipeline.

Sector-specific approaches also form an important part of the overall whistleblowing landscape and should not be overlooked. In the regulated financial services sector, for example, reports can be made directly to the Financial Conduct Authority (FCA), which has a special role as a prescribed person under the PIDA, and agreements in place with other regulators as well as law enforcement agencies with regard to information sharing. Whistle-blowers are seen by the FCA as a key and sometimes unique source of intelligence into market developments; the FCA says that hundreds of people make reports to it every year, speaking about issues including money laundering, the fitness and propriety of regulated individuals, and firms’ systems and controls. In May 2023, the FCA announced that it would be taking a number of actions to improve the confidence of whistle-blowers, including: sharing further and more detailed information with whistle-blowers on how it’s acted on their information; improving the use of information provided by whistle-blowers across the FCA; and improving how it captures information from them, including its web-based form.

In the context of internal investigations, developments in this area should also be followed closely, as the scope of protection for whistle-blowers and the rules around the process for dealing with whistleblowing reports will need to be fed into a company’s approach to investigations as a whole. Further, employees will not feel confident about blowing the whistle if they do not trust the integrity of the investigations process which will may be triggered as a result.