Whistleblowers: The UK Perspective

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

5.1 Introduction

Recent years have seen an increasing focus on whistleblowing as a cornerstone of good corporate culture, particularly in the financial services sector where a key feature of the Senior Managers and Certification Regime (SMCR) is a requirement for firms to appoint a ‘whistleblowers’ champion’. Effective whistleblowing procedures can allow problems to be identified early, providing an opportunity to rectify shortcomings and to prevent a crisis. Whistleblowing can also allow businesses to manage market-notification obligations and public relations, identify poor performance and potentially avoid costly employment litigation.

5.2 The legal framework

5.2.1 Employment Rights Act 1996

Whistleblowing legislation was introduced in 1998 following the realisation that a number of high-profile disasters may have been prevented or their effect reduced if a worker had spoken up, or their employer had listened to them.[2] Amendments to the Employment Rights Act 1996 (ERA) came into force in July 1999,[3] providing two key protections for whistleblowers: unlawful detriment (protecting employees and workers, including some limited liability partnership members,[4] and even judicial office holders[5]) and automatically unfair dismissal (protecting employees). There is no qualifying length of service for bringing whistleblowing claims. Unlawful detriment

Subjecting a worker to a detriment because they have made a protected disclosure is unlawful. Detriments include, but are not limited to, pay cuts, limiting career prospects and disciplinary action. Detriments after termination of employment also qualify,[6] so employers should proceed cautiously when drafting references. Automatically unfair dismissal

Dismissing an employee who has blown the whistle is automatically unfair if the reason, or principal reason, for the dismissal is that they have made a protected disclosure. Since compensation for successful whistleblowing unfair dismissal claims is uncapped, compensation can be high – especially if the individual encounters difficulty finding a new job because of the dismissal. Qualifying disclosures

Six categories of disclosure are protected as ‘qualifying disclosures’. The disclosure must, in the worker’s reasonable belief, tend to show that one or more of the following failures has occurred or is likely to occur:

  • a criminal offence;
  • breach of a legal obligation;
  • a miscarriage of justice;
  • danger to the health and safety of any individual;
  • damage to the environment; or
  • the deliberate concealment of information about any of the above.

Since 2013, to make a qualifying disclosure the worker must reasonably believe that the disclosure is in the public interest.[7] ‘Public interest’ is not defined, but in Chesterton Global and Verman v. Nurmohamed,[8] the Court of Appeal decided that the interests served by the disclosure do not have to extend outside the workplace. Four considerations are relevant:

  • the number of people affected by the disclosure;
  • the nature of the interests affected and the extent to which those interests are affected by the wrongdoing disclosed;
  • the nature of the wrongdoing disclosed; and
  • the identity of the alleged wrongdoer.

Anything that affects a class of people could be caught. ‘Everyday’ employment disputes over contractual terms (for example, remuneration) may have a public interest element, especially where these have serious implications or impact large numbers of people. Issues such as discrimination or equal pay at work might also have a public interest element.

Provided workers believe, acting reasonably, that the relevant failure has occurred or is likely to occur, they will be protected even if their belief turns out to be wrong.[9] For a belief to be ‘reasonable’, it must be founded in more than unsubstantiated rumour or opinion.

There is no requirement for the disclosure to be ‘in good faith’. However, if an employment tribunal finds that a disclosure was made in bad faith, it can reduce compensation by up to 25 per cent. Liability

Vicarious liability

Employers may be vicariously liable for detriments caused to a worker by co-workers (and in some cases by agents of the employer) on grounds that the worker made a protected disclosure.[10]

The employer will have a defence if it took all reasonable steps to prevent the detrimental treatment; such steps would include having an appropriate whistleblowing policy and providing training.

Personal liability

Claimants can pursue individuals personally for liability arising from whistleblow­ing detriments. Doing so is often tactical. In Timis and another v. Osipov,[11] the Court of Appeal held that two non-executive directors were jointly and severally liable for the losses flowing from Mr Osipov’s dismissal (totalling approximately £1.75 million).

Civil liability

Where a whistleblower is precluded from bringing a claim under the ERA (e.g., because the employment tribunal does not have territorial jurisdiction to hear the claim), the individual might bring a civil claim against their (former) employer’s UK-based corporate group. In Rihan v Ernst and Young Global Ltd & Others,[12] a whistleblower had raised concerns about impropriety by one of his employer’s clients. The High Court found that, despite not employing him, certain UK-based companies owed the whistleblower a duty to take reasonable steps to prevent him from suffering financial loss (i.e., loss of earnings) by reason of the defendants’ failure to conduct the client’s audit in an ethical and professional manner. In breaching that duty, the companies were negligent, and the High Court awarded the whistleblower damages of approximately US$11 million for past and future earnings (arising from his inability to find subsequent employment).

5.2.2 Legislative proposals

Following its departure from the European Union, the United Kingdom was not required to implement the EU Whistleblower Directive.[13] Despite Protect,[14] the whistleblowing charity, urging the UK government to bring the new provisions into domestic law, there are no proposals to do so. A private members’ bill proposing widespread changes to the UK legislative regime (including extending protection beyond the employment context and imposing mandatory minimum standards for policies and procedures and investigations into protected disclosures) was presented to Parliament in April 2022, but was not passed into law.[15]

5.2.3 Non-disclosure agreements and whistleblowing

A non-disclosure agreement (NDA) – a contractual commitment that a party (or parties) will keep certain information confidential – is commonly included in settlement agreements between employers and departing employees. Under an NDA, confidentiality may attach to the terms of the settlement agreement and to the amount of any sums paid under it, as well as to the underlying complaints that the employee made. If the NDA is breached, the other party can seek damages for breach of contract.

In the wake of the #MeToo movement, the use of NDAs by employers has come under the spotlight and has been criticised as a means of silencing whistleblowers. In July 2019, the All-Party Parliamentary Group for Whistleblowing urged the government to ban the use of NDAs in whistleblowing cases.[16]

Any NDA clause designed to prevent a worker from making a whistleblowing disclosure is void under section 43J of the ERA and unenforceable. Seeking to rely on an NDA to prevent whistleblowing disclosures could amount to an unlawful detriment against the employee or worker, as well as risking additional adverse publicity if the issue becomes public.

Firms authorised by the Financial Conduct Authority (FCA) are under specific obligations when it comes to settlement agreements with workers. Lawyers advising clients on NDAs must also consider their professional obligations, for example the requirements regarding settlement agreements with workers under SYSC 18.

5.2.4 FCA/PRA systems and controls requirements

Both the FCA and the Prudential Regulation Authority (PRA) require firms to implement and maintain appropriate and effective internal whistleblowing arrangements as part of an effective risk management system.[17] The FCA’s rules and guidance are contained in SYSC 18 of its Handbook, which applies to SMCR banking and insurance sector firms and also serves as non-binding guidance to all other firms authorised under the Financial Services and Markets Act 2000. The PRA’s rules are higher level and found in the PRA Rulebook.

The SYSC 18 requirements fall into four categories:

  • maintenance of appropriate and effective arrangements for whistleblowing;[18]
  • appointment of a whistleblowers’ champion;[19]
  • settlement agreements with workers;[20] and
  • whistleblowing obligations under the MiFID regime and other sectoral legislation.[21] Maintaining appropriate internal whistleblowing arrangements

While firms are required to establish, implement and maintain appropriate and effective arrangements for the disclosure of reportable concerns (including concerns related to suspected market abuse) by whistleblowers, neither regulator has prescribed what the arrangements should be. The regulators recognise that whistleblowing arrangements may vary between firms[22] and that firms may use third parties to provide aspects of their whistleblowing services, with appropriate quality controls and monitoring.

The arrangements that a firm has in place should allow effective escalation of reportable concerns, including to the FCA and PRA. A firm’s arrangements should also:

  • allow for disclosure to be made through a variety of means (e.g., through an online system, a telephone hotline, a third-party provider or a designated team);
  • handle a whistleblower’s request for confidentiality or anonymity;
  • include reasonable measures to ensure whistleblowers are not victimised;
  • provide feedback to whistleblowers on their concerns, where appropriate and feasible;
  • include record-keeping of reportable concerns;
  • include maintenance of up-to-date whistleblowing policies and procedures that are readily available to the firm’s employees;
  • allow for the preparation of an annual report to the firm’s governing body on the effectiveness and operation of the firm’s processes;
  • include relevant training;
  • include reporting to the FCA and PRA if firms lose an employment tribunal claim based on detriment suffered from making a protected disclosure; and
  • ensure UK employees are made aware of the FCA’s and PRA’s whistleblowing services and that they can approach either regulator direct without first raising a concern internally.[23] The whistleblowers’ champion

A key component of the SMCR is a requirement for firms to appoint a whistleblowers’ champion with responsibility for ensuring and overseeing the integrity, independence and effectiveness of the firm’s policies and procedures on whistleblowing. The FCA expects that this role will be filled by a non-executive director, if the firm has one.[24]

The FCA and PRA have not been prescriptive about how whistle­blowers’ champions should perform their role, and have acknowledged that firms are likely to take different approaches depending on their structure and size.[25] Settlement agreements with workers

The FCA’s rules require a firm to include in a settlement agreement with a worker a term making clear that nothing in that settlement agreement prevents the worker from making a protected disclosure.[26]

5.2.5 Competition and Markets Authority and whistleblowers

In exceptional circumstances, the Competition and Markets Authority (CMA) offers rewards of up to £100,000 for information about cartel activity. The rewards are provided at the discretion of the CMA subject to factors including the value of the information, the harm done to the economy and consumers, the risk the whistleblower has taken to provide the information, and the effort involved.[27] The CMA actively encourages whistleblowing and self-reporting through various campaigns, guidance[28] and its leniency regime.

5.2.6 Serious Fraud Office and online whistleblowing

The Serious Fraud Office’s (SFO) reporting service enables the reporting of information about serious fraud, bribery or corruption – whether as a whistleblower or on behalf of a company making a self-report. Whistleblowers are initially encouraged to follow the whistleblowing procedures in their own organisation if they suspect wrongdoing. If the whistleblower is not comfortable, or there are no procedures, then they should approach the SFO or another prescribed body.[29]

5.2.7 Human rights

Demonstrating respect for human rights is increasingly important for businesses. Since 2011 when the United Nations endorsed the UN Guiding Principles on Business and Human Rights (UNGPs),[30] ‘soft law’ standards encouraging companies to manage more closely their human rights risks and impacts across their operations and supply chains have proliferated. The UNGPs require businesses to avoid infringing others’ human rights and to address adverse impacts on human rights they are involved with. Their frequent adoption by companies has led to increasing non-governmental organisation, investor and wider stakeholder scrutiny.

Beyond soft law instruments, we have seen laws introduced that require companies to report on human rights. For example, section 54 of the Modern Slavery Act 2015 requires in-scope companies to produce a slavery and human trafficking statement each financial year on the steps they have taken to ensure slavery and human trafficking are not taking place in their supply chains and business.[31] Section 414CA of the Companies Act 2006[32] requires certain large companies to prepare a non-financial information statement containing information on their respect for human rights and a description of their policies in this regard.

Most recently, several European countries and the European Union itself have introduced or are considering mandatory regimes with substantive requirements on conducting due diligence, some of which even extend to value chain relationships.[33]

Businesses have realised that, to fulfil their obligations to respect human rights under the UNGPs and comply with applicable legislative regimes, they need to review their policies and procedural frameworks to ensure they understand their potential human rights risks and impacts. Many companies have implemented whistleblowing policies to support the management of human rights and supply-chain risk, which is recommended in Home Office guidance.[34] It is best practice for a whistleblowing mechanism to be open to all workers (including contractors) rather than just employees. Companies have therefore increasingly opened up their processes to those in their supply chains, particularly where they are involved in high-risk activities or jurisdictions.

It is also important to recognise the potential human rights consequences if the procedures do not contain sufficient whistleblower protections. This can include the rights to privacy and freedom of speech, protected under Articles 8 and 10 of the European Convention on Human Rights (ECHR), or, in the worst case, the right to life (ECHR, Article 1). Human rights considerations should underpin the design and operation of an effective whistleblowing regime, and companies should ensure that, in implementing procedures to identify human rights impacts and risks in their operations and supply chain, they are not creating new ones.

5.3 The corporate perspective: representing the firm

5.3.1 Responsibility for whistleblowing among senior managers under SMCR

When representing a regulated firm involved in a whistleblowing investigation, regard must be had both to the firm’s compliance with the systems and controls requirements outlined above and to individual managers’ personal SMCR obligations.

The SMCR requires most individuals employed in the UK banking and insurance sectors to adhere to the FCA’s and PRA’s Individual Conduct Rules.[35] Senior managers must also comply with the Senior Manager Conduct Rules, while non-executive directors (who are not themselves senior managers) are subject to Senior Manager Conduct Rule 4 as well as the Individual Conduct Rules. On 9 December 2019, the SMCR was extended to certain other financial services firms, including asset management firms and non-bank mortgage lenders. Certain individual rules may require the relevant individuals to disclose information to the regulators. In the context of whistleblowing, this means that information received via internal whistleblowing channels may, in turn, need to be escalated to the appropriate regulator.

Following HM Treasury’s consultation published in July 2021[36] and response published in June 2022,[37] the government intends to create an SMCR for financial market infrastructures (FMIs)[38] to enhance the accountability of senior managers and improve governance arrangements at FMIs. The proposed regime will closely mirror the existing SMCR for other parts of the financial services sector and will be supervised by the Bank of England. Individual Conduct Rules

The FCA/PRA Individual Conduct Rule 3 stipulates that relevant individuals must be open and co-operative with the FCA, the PRA and other regulators with appropriate jurisdiction. The FCA’s Code of Conduct Handbook (COCON) provides specific guidance as to what this rule requires.

COCON 4.1.10 provides guidance that there is no duty on a person to report information directly to the regulator concerned unless they are one of the persons responsible in the firm for reporting matters to the regulator (although if a person takes steps to influence the decision not to report or acts in a way that is intended to obstruct the reporting of the information to the regulator, they will be treated as if they had taken on responsibility for deciding whether to report that matter).

Those operating a whistleblowing function will not automatically assume direct responsibility for escalating reportable concerns to the regulator. However, firms should ensure that appropriate arrangements are in place so that those responsible for regulatory reporting are informed on a timely basis of issues likely to be of interest to the regulator identified through the whistle­blowing channels. Senior Manager Conduct Rules

The FCA/PRA Senior Manager Conduct Rule 4 requires senior managers and non-executive directors to disclose appropriately any information of which the FCA, PRA or other regulator with appropriate jurisdiction would reasonably expect. While there is overlap between FCA/PRA Senior Manager Conduct Rule 4 and Individual Conduct Rule 3, COCON 4.2.26 makes clear that these are distinct obligations, with Senior Manager Conduct Rule 4 requiring proactive disclosure rather than just accurate responses to regulatory enquiries. COCON 4.2.28 clarifies that senior managers (or non-executive directors) need not report information outside the scope of their responsibility. However, once they become aware of the information (including through whistleblowing) they should make enquiries to satisfy themselves that it is being dealt with by the appropriate individual. Approved persons

Since December 2019, solo-regulated firms previously governed by the approved persons regime have been governed by the SMCR.

5.3.2 Whistleblowing in adequate or reasonable systems and controls Bribery Act 2010 and adequate procedures

Under section 7 of the Bribery Act 2010, a company can be criminally liable for failing to prevent bribery by one of its associated persons.

It is a defence for a company to show that it had adequate prevention procedures in place.[39] Such procedures are likely to include procedures for the reporting of bribery including ‘speak up’ or ‘whistleblowing’ procedures.[40] Criminal Finances Act 2017 and reasonable procedures

Under sections 45 and 46 of the Criminal Finances Act 2017, a company can be criminally liable for failing to prevent the facilitation of tax evasion offences by its associated persons.

It is a defence for a company to show that it had reasonable prevention procedures in place. Such procedures are likely to include protection for whistleblowers.[41]

5.3.3 Changing regulatory expectations

In November 2018, the FCA published examples of good practice and areas for improvement with respect to policies and procedures, the role of the whistleblowers’ champion and the annual whistleblowing report and training.[42]

In May 2019, the FCA published its industry feedback with respect to wholesale banking.[43] It identified several practices as examples of ‘encouraging’ whistleblowing initiatives implemented by firms, including:

  • engagement by managers directly with whistleblowers to understand fully what they would like to achieve and a sustained effort to manage appropriately the whistleblower’s expectations;
  • outsourcing of analysis on all whistleblowing cases to ensure fair and confidential treatment; and
  • discreet monitoring for a minimum of three years following a whistleblowing event, to ensure a whistleblower was not treated badly as a consequence of their disclosure.

As part of its continued focus on culture, the FCA is particularly interested where whistleblowing allegations are raised against those designated as senior managers or material risk takers, being those with the greatest potential to cause harm to a firm’s customers or the markets in which it operates. A number of firms have undertaken to notify the FCA of such allegations immediately on receipt and before investigation.

The FCA has also made clear that it views a lack of diversity and inclusion and non-financial misconduct as obstacles to creating an environment in which it is safe to speak up.[44] Whistleblowing acts as an important barometer for the FCA and PRA to test an organisation’s culture and purpose. In its efforts to encourage individuals to speak up, the FCA launched the ‘In confidence, with confidence’ campaign in March 2021.[45] As part of the campaign, the FCA published a number of resources including a digital toolkit[46] for industry bodies, consumer groups and whistleblowing groups to encourage individuals to have the confidence to step forward and an employee leaflet[47] that encourages and guides individuals in reporting their concerns directly to the FCA. The FCA has also recently begun to publish quarterly whistleblowing data to increase transparency surrounding whistleblowing reports.[48]

Outside the financial services sector, listed companies are required under the UK Corporate Governance Code 2018 to ensure that members of the workforce can raise concerns in confidence (and anonymously if they wish). The board should ensure that arrangements are in place for the proportionate and independent investigation of such matters and for follow-up action.

5.3.4 Practical considerations Effective reporting channels and protecting anonymity

A whistleblowing policy should detail the process of making internal disclosures and should be disseminated across the organisation through regular communications and training that encourage a ‘speak up’ culture. Ideally there should be a range of channels through which disclosures can be made.

In June 2020, Protect published its second edition of ‘Silence in the City’, an analysis of the experience of whistleblowing in the financial services sector. The study found that steps taken in the sector to embed trust in internal whistleblowing arrangements were working, with 93 per cent of whistleblowers raising their concerns internally (a significant increase from the 78 per cent in their first report).[49] Despite this progress, there is significant work to be done to embed processes that protect the identity of whistleblowers. Protect found that 70 per cent of whistleblowers were either victimised, dismissed or felt that resignation was the only option available to them.[50] Conduct of the investigation

Internal investigations involving whistleblower allegations require careful handling because of the reputational and employment law consequences that may follow if a whistleblower is not afforded the required legal protections.

Consideration should be given as to whether to offer whistleblowers independent legal representation.

Where possible the whistleblower should be kept informed about the progress of the investigation, although care should be taken not to take any steps that might result in a loss of privilege or confidentiality. Expectations should be effectively managed and care taken not to promise outcomes that may not be deliverable. For example, a whistleblower’s desire to remain anonymous may place constraints on the extent to which the allegations can be investigated. Data protection

A whistleblowing process will inevitably involve the processing of personal data and so must comply with the Data Protection Act 2018 and the UK GDPR.[51] The United Kingdom generally takes a more relaxed approach to this issue than many EU jurisdictions, in part because of the statutory framework set out in the ERA. However, it is still important to ensure that the whistleblowing process, and any subsequent investigation, complies with the UK GDPR. Particular issues to consider include keeping the whistle­blowing information secure and limiting access to it, setting an appropriate retention period, not collecting excessive amounts of personal data, being alert to the right of individuals to access a copy of their personal data and, at least in general terms, being transparent about the operation of the whistleblowing process. It may also be necessary to conduct a data protection impact assessment.[52] Interaction with regulatory obligations

Principle 11/Fundamental Rule 7

Firms must deal with their regulators in an open and co-operative way and proactively disclose anything relating to the firm of which the regulators would reasonably expect notice. Information that comes to light via a whistleblowing report may therefore have to be escalated to the relevant authority. In accordance with the FCA’s Supervision Manual, firms must notify the FCA of matters having a serious regulatory impact. This includes any matter that could have a significant adverse impact on the firm’s reputation.[53]

Proceeds of Crime Act 2002

Those in receipt of whistleblower reports will need to consider whether the information disclosed triggers any money laundering reporting obligation under the Act (for those in the regulated sector) or it is necessary to seek a defence against money laundering from the NCA to deal with certain property.

Considerations for listed companies

When receiving whistleblowing reports, listed companies should also have regard to their disclosure obligations under the Disclosure Guidance and Transparency Rules and the UK Market Abuse Regulation.[54] In accordance with section 2.2 of the rules and Article 17(1) of the regulation, for example, listed companies must disclose inside information to the market as soon as possible. Cross-border considerations

Exchange of information in relation to whistleblowers or disclosures

Data protection issues will need to be considered in the context of any transfer of data overseas.

Territorial application of UK whistleblower legislation

An employment tribunal can only hear a whistleblowing claim under the ERA against a British employer brought by an employee working abroad if there is a stronger connection with Britain or British employment law than with the country in which they are working. In Foreign and Commonwealth Office (FCO) v. Bamieh,[55] the Court of Appeal held that an employment tribunal had no territorial jurisdiction to hear whistleblowing detriment claims brought by an FCO employee working in Kosovo against co-workers who were also employed by the FCO and working in Kosovo. The focus should be on the relationship between the claimant and the co-workers rather than on the relationship between the co-workers and the employer. The individuals concerned having a common employer is not sufficient to give the tribunal jurisdiction.

5.4 The individual perspective: representing the individual

5.4.1 Legal risks associated with whistleblowing

A decision to make a whistleblowing disclosure can have far-reaching consequences and requires a careful assessment of the legal risks. Despite the protections afforded by the ERA, whistleblowers may be exposed to the risk of criminal investigation or prosecution if they are personally implicated in the conduct disclosed. Those in regulated professions may be vulnerable to regulatory or disciplinary action by their regulators or professional bodies. Where the matter potentially spans more than one jurisdiction, individuals will need to remember that different jurisdictions apply different whistleblower protection standards. Advice on local employment and possibly criminal laws should be sought where necessary.

Whistleblowers might also commit criminal offences in the course of obtaining information to support their disclosures. Such offences might include securing unauthorised access to computer material,[56] unlawfully obtaining personal data,[57] unlawful interception of communications,[58] theft or even fraud. Whistleblowers may also be vulnerable to civil actions for breach of confidence.

5.4.2 Serious Organised Crime and Police Act 2005: immunity and leniency

Where an individual faces criminal liability, they may be able to obtain immunity from prosecution. Section 71 of the Serious Organised Crime and Police Act 2005 (SOCPA) empowers most criminal prosecutors to offer an individual immunity from prosecution by issuing a written immunity notice. This power is used rarely and only in very exceptional circumstances.

As an alternative, section 73 of SOCPA provides that if an offender pleads guilty and offers assistance to an investigator or prosecutor, the sentencing court may pass a reduced sentence to reflect that assistance.

5.4.3 Professional obligations

Regulated professionals may have a duty to report certain information to the appropriate regulator. For example, FCA/PRA Senior Manager Conduct Rule 4 requires senior managers and non-executive directors to disclose appropriately any information of which the FCA, PRA or other regulator with appropriate jurisdiction would reasonably expect notice.

In March 2018, the Solicitors Regulatory Authority (SRA) issued a warning notice to legal professionals in relation to the use of NDAs,[59] which sets out the obligations that exist when a law firm is considering an NDA with a person who has made a complaint about misconduct within a law firm, or when legal professionals are advising clients on NDAs with individuals. The warning notice states that legal professionals (and those responsible for managing complaints within law firms) should ensure that they do not:

  • use NDAs in circumstances in which the subject of the NDA may, as a result of its use, feel unable to notify the SRA or other regulators or law enforcement agencies of conduct that might otherwise be reportable;
  • fail to notify the SRA of misconduct, or a serious breach of regulatory requirements, by any person or firm, including wrongdoing by the firm or harassment or other misconduct towards others such as employees or clients; or
  • use NDAs as a means of improperly threatening litigation or other adverse consequences, or otherwise exerting inappropriate influence over people not to make disclosures that are protected by statute, or reportable to regulators or law enforcement agencies.

Inappropriate use of NDAs may constitute a breach of the SRA’s Standards and Regulations and lead to disciplinary action.

Further SRA guidance[60] reiterates the SRA’s previous warning that those regulated by the SRA must not attempt to prevent anyone from making a complaint or providing information to the SRA, or any other body exercising regulatory, investigatory or prosecutorial functions in the public interest.

5.4.4 Practical questions To whom to blow the whistle

An individual will need to carefully consider whether to blow the whistle externally because this may result in the loss of statutory protection. To be a protected disclosure, the whistleblower must make a qualifying disclosure to an appropriate person or organisation.

In most cases, disclosures should be made to the employer. However, in some circumstances, individuals may be protected if they disclose information externally.

Parliament has approved a list of ‘prescribed persons’ to whom a worker or an employee can make a disclosure, provided they believe the information is substantially true and concerns a matter within that person’s area of responsibility. They include the FCA, the PRA, the SFO, the NCA, HMRC, the Health and Safety Executive and the CMA. There is no requirement to alert the employer beforehand.

Where the worker or employee reasonably believes a third party (such as a client or supplier) is responsible for the wrongdoing, they can report it to that third party without telling the employer.

Disclosure to other external sources (e.g., the media) is protected only if the individual believes that the information is substantially true and they do not act for gain. Unless the matter is ‘exceptionally serious’, they must have already disclosed it to the employer or a prescribed person (or believe that, if they did, evidence would be destroyed or they would suffer reprisals). Disclosure to that person must also be reasonable. Requests to sign an NDA

Any request to sign an NDA purporting to prevent an individual from raising whistleblowing concerns should be resisted and will be unenforceable. Challenges to unfair treatment of whistleblowers

An individual who is a worker or employee and who is subjected to unfair treatment by their employing or engaging entity or by other employees or co-workers may have a claim in the employment tribunal against individuals and the entity.


[1] Alison Wilson and Sinead Casey are partners, Elly Proudlock is counsel and Nick Marshall is a managing associate at Linklaters LLP. The authors wish to acknowledge the contribution of Peter Binning, a partner at Corker Binning, and Elisabeth Bremner, a partner at CMS Cameron McKenna Nabarro Olswang LLP, for their contributions to a previous version of this chapter.

[2] For example, the Zeebrugge ferry disaster in 1987, the Clapham rail crash in 1988 and the collapse of the Bank of Credit and Commerce International in 1992.

[3] Introduced by the Public Interest Disclosure Act 1998 (PIDA).

[4] In Clyde & Co LLP v. Bates van Winkelhof (2014) UKSC 32, the Supreme Court held that a former equity partner of a law firm incorporated as a limited liability partnership (LLP) was a worker under s.230(3) Employment Rights Act 1996 (ERA) and therefore eligible to bring a whistleblowing claim against the LLP.

[5] In Gilham v. Ministry of Justice (2019) UKSC 44, the Supreme Court found that a district judge falls within the definition of ‘worker’ under the ERA. It would amount to unlawful discrimination based on occupational status contrary to Article 14 (read with Article 10) of the European Convention on Human Rights if such a reading were not given to the definition of ‘worker’.

[6] Woodward v. Abbey National Plc (2006) EWCA Civ 822.

[7] Enterprise and Regulatory Reform Act 2013, s.17 amended the ERA at s.43B(1).

[8] (2017) EWCA Civ 979.

[9] Babula v. Waltham Forest College (2007) EWCA Civ 174.

[10] ERA, s.47B(1A)-1(E).

[11] [2018] EWCA Civ 2321.

[12] [2020] EWHC 901 (QB).

[13] Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting on breaches of European Union law.

[14] Previously known as Public Concern at Work. See https://protect-advice.org.uk/.

[15] The Whistleblowing Bill was introduced by Mary Robinson MP, Chair of the All-Party Parliamentary Group: https://bills.parliament.uk/bills/3150/news.

[17] FCA Handbook, SYSC 18.3.1(1)R; and, for example, PRA Rulebook Whistleblowing rule 2A.2(1) of the General Organisational Requirements section for CRR firms.

[18] FCA Handbook, SYSC 18.3.

[19] ibid., SYSC 18.4.

[20] ibid., SYSC 18.5.

[21] ibid., SYSC 18.6.

[22] Whistleblowing in deposit-takers, PRA designated investment firms and insurers – SS39/15 (Supervisory Statement, October 2015, updated July 2018).

[23] Retail and Wholesale Banking: review of firms’ whistleblowing arrangements (Policy Statement, November 2018).

[24] FCA Handbook, SYSC 18.4.1(4)G.

[25] Whistleblowing in deposit-takers, PRA designated investment firms and insurers – FCA CP15/4, PRA CP6/15 (FCA/PRA Consultation Paper, February 2015).

[26] FCA Handbook, SYSC 18.5.1R. A pro forma clause is provided in SYSC 18.5.2.

[27] The Competition and Markets Authority’s (CMA) published policy on rewards for information about cartels is available at https://www.gov.uk/government/publications/cartels-informant -rewards-policy/rewards-for-information-about-cartels.

[30] UN High Commissioner for Refugees, Guiding Principles on Business and Human Rights, 2011, available at https://www.ohchr.org/documents/publications/GuidingprinciplesBusinesshr_eN.pdf.

[31] This requirement has since been replicated by similar regimes or proposals in other jurisdictions, such as Australia.

[32] Inserted by The Companies, Partnerships and Groups (Accounts and Non-Financial Reporting) Regulations 2016 published in 2016 as part of the UK government’s implementation of Directive 2014/95/EU of the European Parliament, commonly known as the ‘EU Non-Financial Reporting Directive’ or ‘NFRD’.

[33] Such requirements were originally introduced in France with the 2017 devoir de vigilance and have been replicated in other jurisdictions. For example, a law on child labour due diligence has been introduced in the Netherlands and the European Commission published in February 2022 its own proposal for a mandatory human rights diligence regime, which if passed as drafted, would introduce a human rights due diligence obligation for a range of EU and non-EU companies operating in the European Union. At the time of writing, this is expected to be finalised in 2023.

[35] See Code of Conduct (COCON) 2.1, FCA Handbook.

[38] Financial market infrastructures are institutions that underpin the UK’s economy and financial system and act as conduits between many other types of institution making up the financial services system. The government proposes that central counterparts and central securities depositories be covered under the initial regime implemented while payment systems recognised under the Banking Act 2009 form part of a later regime.

[39] Bribery Act 2010, s.7(2).

[40] Ministry of Justice, The Bribery Act 2010: Guidance, p. 22, para. 1.7, available at https://www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidance.pdf.

[42] Retail and Wholesale Banking: review of firms’ whistleblowing arrangements (first published 14 Nov. 2018), available at www.fca.org.uk/publications/multi-firm-reviews/retail-and -wholesale-banking-review-firms-whistleblowing-arrangements.

[43] See ‘Progress and challenges’ Industry Feedback for 2018/2019 Wholesale Banking Supervision (FCA, May 2019).

[48] This data tracks the number of whistleblowing reports received by the FCA and the type of allegations involved such as treating customers fairly, culture or compliance: https://www.fca.org.uk/data/whistleblowing-quarterly-data-2021-q4#:~:text= Whistleblowing%20allegations,treating%20customers%20fairly.

[50] id.

[51] The UK GDPR means the EU General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018, s.3. The substantive obligations under the UK GDPR are broadly the same as those under the EU GDPR.

[52] In particular, the UK Information Commissioner has identified whistleblowing hotlines as a type of processing that might necessitate a data protection impact assessment. See ‘Examples of processing “likely to result in high risk”’, available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection -impact-assessments-dpias/examples-of-processing-likely-to-result-in-high-risk/.

[53] See FCA Supervision Manual 15.3.1(2)R.

[54] See Disclosure Guidance and Transparency Rules, FCA Handbook, Disclosure Guidance and Transparency Rules sourcebook.

[55] (2019) EWCA Civ 803.

[56] Computer Misuse Act 1990, s.1.

[57] Data Protection Act 2018, ss.170 and 196. There is a specific public interest defence to s.170 of the Data Protection Act 2018 under s.170(2)(c).

[58] Investigatory Powers Act 2016, s.3(1).

Unlock unlimited access to all Global Investigations Review content