Overview of the Updated Statutory Guidance on the Protected Disclosures Act for Public Bodies
In November 2023, the Government published the revised and updated Statutory Guidance for Public Bodies and Prescribed Persons to assist them in the performance of their functions under the Protected Disclosures Act 2014 (as amended). Our November briefing is available here. In this follow up briefing we set out a detailed overview of the Guidance.
The Protected Disclosures Act 2014 was amended from 1 January 2023 by the Protected Disclosures (Amendment) Act 2022 (the “Amendment Act”).
Prior to the changes taking effect, the Government published interim guidance in November 2022 for public bodies and prescribed persons on the handling of reports made to them under the Protected Disclosures Act 2014 (as amended) (the “2014 Act”). The revised and updated Statutory Guidance for Public Bodies and Prescribed Persons (the “Guidance”) supersedes that interim guidance. The Guidance will be of significant assistance to public bodies navigating all aspects of their obligations under the protected disclosures regime.
Handling of Reports Made Under the New Protected Disclosures Regime
While the Guidance is intended to support public sector bodies in meeting their obligations under the 2014 Act, as regards the establishment and operation of internal and external reporting channels, private sector employers coming within the remit of the Amendment Act are also likely to find some of the material in the Guidance helpful.
At 150 pages, the Guidance is twice the length of the interim guidance and is quite detailed. Helpfully, the Guidance includes a table in Introduction section outlining the changes between the interim guidance and the Guidance. Of particular note, is a completely revised section on annual reporting by public bodies, prescribed persons and the Protected Disclosures Commissioner, a new Appendix B which includes a template internal reporting policy and a new Appendix C which includes a template external reporting policy.
Some of the key information contained in the Guidance is summarised below and will help inform what constitutes best practice for employers when dealing with reports made under the updated protected disclosures regime.
The Guidance states that overall responsibility for procedures for internal reporting should rest with the head of the public body. Oversight of the procedures should rest with the Board of the public body (or equivalent), while day-to-day responsibility should be delegated to an appropriate function of the public body with the requisite authority, independence, knowledge and expertise to operate the procedures correctly.
Public bodies should also consider appointing a senior individual in the organisation to ‘champion’ the protected disclosures process and to promote and drive cultural change and a change in attitudes to protected disclosures among all employees of the body. Training and awareness on protected disclosures and on the procedures should be provided to all employees, and regularly refreshed.
Bodies should ensure that the procedures are easily available to all categories of workers (including current and former employees, independent contractors, trainees, agency staff, volunteers and job candidates) and having regard to accessibility such as language and disability. In addition to providing a copy of the procedures to its workers, it is also recommended that the public body communicates the existence of the procedures appropriately.
Senior management should be kept appraised of protected disclosures received by the public body. The level of detail needed to be provided may vary from case to case, however for a disclosure that raises serious issues for the public body, senior management may need to be provided with all details of the disclosure. Only where it is absolutely necessary should this information include the identity of the reporting person.
The Guidance also contains a template internal reporting policy for public bodies. Most (although not all) of this suggested structure and wording is relevant for employers more generally. This is found at Appendix B of the Guidance.
Internal Reporting Channels and Procedures
The Guidance recommends that the following information be included in the internal reporting channels and procedures:
- A succinct policy statement confirming the Board’s commitment to creating a workplace culture that supports the making of protected disclosures and provides protection for reporting persons. These policy statements should, where relevant, make reference to, and be aligned with, any corporate policies pertinent to the workplace culture already in place in the organisation, such as: mission statements; strategy statements; people strategies, codes of governance/behaviour/ethics; environmental, and social and governance (ESG) policies.
- Encouragement to workers to provide specific factual information in any disclosure to allow the appropriate assessment and investigation of the disclosure; but workers should be informed that they are not required or entitled to investigate matters themselves to find proof of their suspicion and should not endeavour to do so.
- Confirmation that no reporting person will be penalised simply for getting something wrong so long as the reporting person had a reasonable belief that the information disclosed showed, or tended to show, wrongdoing, along with confirmation that motivation is irrelevant when determining whether or not a report is a disclosure protected by the Amendment Act. The procedures should also state that a report made in the absence of a reasonable belief will not be entitled to the protections of the 2014 Act and could result in disciplinary or legal action being taken against the reporting person.
- Information setting out what types of report may not qualify as a protected disclosure, such as where (i) the report concerns interpersonal grievances; (ii) it is the function of the worker or employer to detect wrongdoing; (iii) it is mandatory for a worker to make such a report due to mandatory obligations in other legislation; (iv) the report is made by a non-worker or the general public.
- A statement that the worker must make a report in the manner set out in the Amendment Act to gain the protections of the Amendment Act and that higher standards apply when the protected disclosure is made externally.
- A clear statement that it is solely the responsibility of the worker to satisfy themselves that they and their report meet the criteria for protection under the 2014 Act. To this end, the procedures should signpost the worker to places where they can seek further information.
- Confirmation that it is preferable in most circumstances to disclose to the employer and, if that is not appropriate, to use one of the options of either prescribed persons, the Minister or the Protected Disclosures Commissioner. The procedures should explain that there are specific – and more onerous – conditions that must be met for a worker to receive protection if they report to a person other than their employer, a responsible person, a prescribed person, the Commissioner, a legal adviser or a Minister.
- Information in relation to the external remedies available to workers who believe they have been penalised for making a protected disclosure.
- A dedicated email address for receiving written reports or a dedicated phone number/voicemail system for receiving oral reports or both, as appropriate. Access to the email inbox or voicemail system used must be restricted solely to persons designated to receive and handle reports. Other methods for receiving reports can include: online forms, mobile applications, postal addresses and internal mailboxes as well as in-person reporting.
- The information that should be included in the initial acknowledgement. The acknowledgment should endeavour to set expectations early as to what will happen – and when – after the report is made and to set the boundaries for the reporting person’s involvement in the follow-up process. In particular, the acknowledgement should provide further information about the protected disclosures process and enclose or link to the procedures that will apply to the handling of the report. Information should be provided in relation to the protection of the identity of the reporting person and protection from penalisation. The acknowledgement should signpost the reporting person to any advice or support services that may be available to them (e.g. the Transparency International Ireland helpline, any employee assistance services, their trade union, etc.).
- Confirmation that an initial assessment or screening process must be undertaken when a report is made. This need not be solely carried out by the designated person, but can be delegated to another authorised person, as appropriate.
- Information in relation to feedback, namely the type of feedback that will be provided, as well as the type of feedback that will not be provided, and that the reporting person may request in writing further feedback at three-month intervals.
- The measures that will be taken to protect the identities of reporting persons and persons concerned. The measures should address such matters as document security, IT, digital and manual filing in the context of fulfilling the confidentiality obligation in the individual public body and within its systems.
- The definition of penalisation in the Amendment Act which is very comprehensive (but not exhaustive).
- A clear statement that the organisation will not tolerate any form of penalisation or threat of penalisation against a worker who has made a protected disclosure (or any person connected with the reporting person). This statement should include a commitment that the organisation will take an appropriate action – including disciplinary action, if required – against any worker who penalises a reporting person.
- How and to whom a complaint of penalisation should be made and the process by which such complaints would be handled.
Information Which Should be Included in a Report
The Guidance recommends at Appendix A that the following information should be included in a report (and that such recommendation be contained in the procedures):
- that the report is a protected disclosure and is being made under the procedures;
- the reporting person’s name, position in the organisation, place of work and confidential contact details;
- the date of the alleged wrongdoing (if known) or the date the alleged wrongdoing commenced or was identified;
- whether or not the alleged wrongdoing is still ongoing;
- whether the alleged wrongdoing has already been disclosed and if so, to whom, when, and what action was taken;
- information in respect of the alleged wrongdoing (what is occurring/has occurred and how) and any supporting information;
- the name of any person(s) allegedly involved in the alleged wrongdoing (if any name is known and the worker considers that naming an individual is necessary to report the wrongdoing disclosed); and
- any other relevant information.
Dealing with a Protected Disclosure Informally
The Guidance states that public bodies should recognise that workers may raise concerns informally at first rather than immediately using the formal internal channels. Where the line manager is comfortable doing so, the Guidance states that these concerns can be addressed by the line manager in the first instance. It states that should a worker raise such concerns with a line manager, there is no obligation to follow the requirements in the Amendment Act regarding formal acknowledgment, follow-up, feedback, etc, since these reports are not being made through the formal channel. The line manager may need to follow up on the concern and provide feedback to the worker, but this can be done in a more informal manner. However, despite a concern being raised in an informal manner with a line manager, the worker may still be entitled to the protections of the Amendment Act. Line managers should have basic awareness of the Amendment Act and the protections it provides, and should be able to direct a worker to the formal internal reporting channel if necessary.
The Guidance notes that care should be taken when assessing whether a potential protected disclosure concerns the worker exclusively. If the potential protected disclosure refers to information that could also apply to other workers, or other workers could also be affected, then it may be a relevant wrongdoing for the purposes of the Amendment Act. If a body is unclear as to whether a report is an interpersonal grievance exclusively affecting a reporting person, a complaint concerning the worker exclusively, or a protected disclosure, they should consider seeking legal advice.
The Guidance states that any person to whom a report is made or transmitted must keep a record of every report made to them, including anonymous reports. Records management policies may need to be reviewed and updated to ensure that records related to protected disclosures are held and managed in a manner compatible with the requirements of the Amendment Act.
If a recorded telephone line or voice messaging system is used, a recording or transcript of the report may be kept, with the consent of the reporting person. If the call is not recorded, minutes of the call may be made. If a meeting takes place in person, subject to the consent of the reporting person, a recording of the meeting may be made by the person receiving the report. If the meeting is not to be recorded, accurate minutes should be taken. The reporting person should be given the opportunity to check, rectify and agree by way of signature the transcript or minutes of the call or meeting.
For anonymous disclosures, the person receiving the report shall record in a manner they deem appropriate, the receipt or transmission of the disclosure, and such information relating to the disclosure that the person receiving the report considers necessary and appropriate for the purposes of the Amendment Act, should the person making the report be subsequently identified and penalised.
Records should be retained for no longer than is necessary and proportionate to comply with the provisions of the Amendment Act or any other legislation. Public bodies are obliged to consult with the National Archives as regards appropriate practices for the retention, disposal and archiving of records relating to protected disclosures.
The Guidance states that it is important that the designated person has sufficient seniority, authority and autonomy within the organisation to be able to effectively follow-up on reports independently and impartially. This is a matter for individual public bodies but it is recommended that the role of designated person be assigned to a person or persons in an area of the organisation responsible for internal corporate governance, compliance etc.
An alternative designated person or point of contact should also be provided in case circumstances arise such that it is inappropriate that the primary designated person be involved in the process. Specific training in the receipt, handling and follow-up of reports of disclosures, as well as the requirements of the Amendment Act, should be provided to designated persons.
The designated person should always ensure that the identity of the reporting person is only ever shared on a ‘need to know’ basis and only where it is necessary to carry out proper follow-up of a report. Where action is to be taken following a protected disclosure, it is recommended that a process is put in place for consulting with the reporting person and, where possible, for gaining the informed consent of the reporting person, prior to any action being taken that could identify them.
The Guidance states that if an investigation is required, the public body should consider the nature and extent of the investigation. This could consist of an informal approach for less serious wrongdoings, a detailed and extensive investigation of serious wrongdoings, or an external investigation by another body. The assessment process should also consider the extent to which the reporting person may be at risk of penalisation because of their report and what actions may need to be taken to mitigate this risk.
It is important to note that some matters may be of such seriousness that the investigation will more appropriately be carried out externally or by professional experts in a particular area. In some cases the matter may need to be reported to, and investigated by, An Garda Síochána or another body with the statutory power and function of investigation of particular matters.
The Guidance states that the incorporation of a detailed and prescriptive investigative process in the procedures may impede the public body’s ability to respond flexibly and in a responsive way to reports of wrongdoing. Specific timeframes as part of the investigation process may also create a difficulty as the nature of protected disclosures are such that they will range from being quite simple and relatively easy to assess/investigate to being quite complex and cumbersome, thus requiring a much more substantial period of time to carry out an investigation.
Provision of Feedback
The Amendment Act defines feedback as the provision to the reporting person of information on the action envisaged or taken as follow-up and the reasons for such follow-up. Follow-up is defined as meaning any action taken by the recipient of a report, or a person to whom the report is transmitted, to assess the accuracy of the information and, where relevant, to address the wrongdoing reported. Therefore, follow-up includes the assessment and investigation of the report of a disclosure and actions taken to address the wrongdoing. The Guidance states that the overriding requirement when providing feedback is that no information is communicated that could prejudice the outcome of the investigation or any action that ensues by undermining the right to fair procedures enjoyed by the person against whom a report or allegation is made.
The extent of the feedback will depend on the report itself.
In order to comply with the obligation to protect the identity of the reporting person under the Amendment Act, the Guidance cautions that it is generally unlikely to be permissible for the identity of the reporting person to be disclosed to an individual who is the subject of an allegation. The designated person will need to consider this when determining whether a protected disclosure can be investigated and the nature of any investigation. Internal reporting channels must be designed in such a way so as to protect not only the confidentiality of the identity of the reporting person but also any third party mentioned in a report.
Bodies under the aegis of Government Departments
In relation to opening up internal channels to subsidiary organisations, the Guidance suggests that Government Departments may wish to consider whether workers in bodies under their aegis should be able to make protected disclosures concerning wrongdoing in the aegis body to the parent Department. Careful consideration should be given to this on a body-by-body basis. Departments should bear in mind that the purpose of the Act is not only to allow for the reporting of wrongdoing but also that said reports should be received only by those in a position to determine if an alleged wrongdoing has indeed occurred and take corrective action to address the wrongdoing. In particular, bodies that are statutorily independent of their parent should consider implementing their own internal channels as, in such situations, the utility of making the Department’s internal channel available to staff in such bodies may be questionable.
Outsourcing of Internal Reporting Channels
The 2014 Act provides that internal reporting channels can be “provided externally by a third party authorised in that behalf by an employer”. It is a matter for individual public bodies to decide if their reporting channels should be outsourced or not.
Regardless of whether the internal channel is operated in-house or by an external provider, it remains the statutory responsibility of the public body to ensure its internal reporting channel is designed, established and operated in a secure and confidential manner and handles all reports in accordance with the provisions of the 2014 Act.
Preventing and dealing with penalisation
The Guidance sets out that public bodies should be proactive in their approach to protecting reporting persons from penalisation. Protection of the reporting person should begin as soon as their report is received and continue throughout the assessment and follow-up process and following the closure of the report.
In practical terms, the Guidance calls on bodies to (i) have appropriate policies and procedures for dealing with penalisation; (ii) ensure that senior management and the Board (where one exists) implement policies and procedures for dealing with penalisation; (iii) provide training on protected disclosures and internal procedures; (iv) implement a process for assessing reports, including risk assessments of the potential exposure of the reporting person to penalisation; (v) protect the identity of reporting persons; (vi) promptly address complaints of penalisation.
Annual Reporting – 1 March Deadline
The 2014 Act imposes statutory obligations on public bodies, prescribed persons and the Commissioner to provide certain information to the Minister every year by 1 March. These reports must include information on the number of reports made in each preceding calendar year.
The Guidance set out the format that public bodies and prescribed persons respectively must use when reporting to the Minister. The Minister will subsequently publish the information reported by public bodies, prescribed persons, and the Commissioner in aggregate form. The Guidance provides templates and instructions to assist those under an obligation to provide information to the Minister.
If you require further information on this topic please contact a member of the Employment Group.
The authors would like to acknowledge the contribution of Anthony O’Shea, Trainee to this briefing.
The content of this briefing is provided for information purposes only and is not legal or other advice.