UK Whistleblowing Policy Template

What is a UK whistleblowing policy?

Quick answer. A UK whistleblowing policy is the written procedure setting out how workers can raise concerns about wrongdoing internally and the protections they receive when they do. It operates under the Public Interest Disclosure Act 1998 (PIDA), which inserted Part IVA into the Employment Rights Act 1996 and protects workers from detriment or dismissal for making a “protected disclosure” from day one of employment.

The policy serves three operational purposes simultaneously: it tells workers what counts as a disclosure that PIDA protects (the six categories of wrongdoing in s43B of the ERA 1996); it names internal recipients to whom disclosures can be made (typically a senior manager outside the worker’s reporting line, or an external whistleblowing service); and it sets out what the employer will do once a disclosure is received — investigation timeframes, communication back to the worker, confidentiality safeguards, anti-retaliation commitments, and appeal routes.

The policy also serves a fourth purpose, often overlooked: it gives the employer the chance to handle a serious problem internally before it becomes a regulatory matter or hits the press. Without a credible internal channel, the only routes left to a concerned worker are the regulator (Prescribed Persons under PIDA), legal advisers, or in narrow circumstances the wider public — each of which is dramatically more damaging than internal escalation.

Who needs a UK whistleblowing policy?

Quick answer. Every UK employer with workers, plus several specifically-regulated organisations. Particularly critical for: financial services firms (FCA SYSC 18), NHS bodies under Freedom to Speak Up, charities (Charity Commission CC9), public-sector contractors, listed companies, organisations operating in the EU (Directive 2019/1937), and any employer wanting to keep concerns inside the building rather than at the regulator’s desk. The PIDA day-one protection applies to all workers regardless of size.

The threshold is set by PIDA, not by company size. Any UK worker can make a protected disclosure from day one. The employer either has a credible internal channel or doesn’t. Without one, a 5-person SME is exposed to the same uncapped tribunal liability for whistleblowing dismissal as a 5,000-person bank — and is far more likely to be ambushed by the disclosure landing externally.

What must a UK whistleblowing policy include?

Quick answer. Eight clauses: scope (who is a worker for PIDA purposes), the six categories of qualifying disclosure under s43B ERA 1996, named internal recipients independent of any potential wrongdoer, external escalation routes (Prescribed Persons), confidentiality and anti-retaliation guarantees, investigation procedure with timeframes, feedback to the disclosing worker, and a no-detriment statement covering 100% of the protections in PIDA. Skipping any one clause undermines the rest.

• Scope — who is a worker for PIDA — PIDA's definition is broader than ordinary employment law, covering employees, workers, contractors, agency staff, trainees, NHS practitioners, and others under section 43K. Name them explicitly so a contractor reading the policy knows it covers them.
• The six categories of qualifying disclosure — criminal offences, breach of legal obligations, miscarriages of justice, danger to health and safety, environmental damage, deliberate concealment of any of the above. List them with workplace examples so a worker reading the policy can self-identify whether their concern qualifies.
• Named internal recipients — the single most-mishandled clause. The policy must name actual roles (typically the General Counsel, Head of Internal Audit, Chair of the Audit & Risk Committee, or an external whistleblowing service like Protect or Safecall) who can receive disclosures independently of any potential wrongdoer’s reporting line. Multiple routes are essential because the line manager may be the subject of the disclosure.
• External escalation routes — the named regulator(s) the worker can disclose to as a Prescribed Person under the gov.uk Prescribed Persons list: ICO for data protection, FCA for financial services, HSE for health and safety, etc. The policy preserves PIDA protection on external disclosure when the internal route is impracticable, but the policy should make clear that internal first is the strong expectation.
• Confidentiality and anti-retaliation — explicit guarantees that the worker’s identity is protected to the fullest extent compatible with effective investigation, that retaliation is itself a disciplinary offence, and that protections apply throughout the disclosure’s lifecycle (including after the worker leaves).
• Investigation procedure — named investigator (independent of the alleged wrongdoer), confidentiality of investigation materials under UK GDPR employment guidance, target timeframes (typically initial assessment within 5 working days, full investigation within 30), and the involvement of external counsel where the disclosure is serious or implicates senior management.
• Feedback to the worker — the cadence of communication during the investigation (initial acknowledgement within 7 days, status updates at defined intervals), and the final outcome communication. The EU Directive 2019/1937 mandates 3-month feedback for EU operations; many UK SMEs adopt the same standard for simplicity.
• No-detriment statement — an explicit commitment that the worker will suffer no detriment for making a disclosure in good faith, that PIDA protections apply from day one of employment, and that any retaliation will be investigated and treated as a disciplinary offence in its own right. Cross-reference the disciplinary policy.

How does this map to UK and EU law?

Quick answer. The policy operates under three overlapping legal frameworks: (1) PIDA 1998 + Part IVA of Employment Rights Act 1996 (the core UK protection), (2) sector-specific rules (FCA SYSC 18 for financial services, NHS Freedom to Speak Up, Charity Commission CC9), and (3) for UK firms with EU operations, Directive 2019/1937 as transposed into Member-State law (50+ employee threshold, 3-month feedback, named recipient roles, confidentiality).

Tribunals examine the policy’s content, distribution, training records, and consistent application together. A whistleblowing claim that succeeds typically does so on procedural grounds — the worker followed the policy, the employer didn’t handle it, the worker subsequently suffered detriment that the employer can’t justify on independent grounds. Robust documentation of every step is the only defence.

Related UK HR resources

Frequently asked questions