Leaks in the pipeline – top tips on whistleblowing

As the recent Severn Trent whistleblowing case demonstrates (when one of Severn Trent’s employees revealed that the company was providing misleading data to the water regulator, OFWAT) “whistleblowing” is now a term very much in the public eye and workers are becoming more and more aware of their rights.  Indeed a recent survey of 2,000 employees conducted by YouGov on behalf of the British Software Alliance found that nearly a third of employees are more likely to take action on discovering inappropriate or illegal activity at work compared with three years ago.

So we all know the term, but why should employers care and what’s the law behind it?

Following various financial scandals, such as Enron, and the introduction of the Sarbanes-Oxley Act in the US in 2002, employers have been increasingly concerned to have whistleblowing procedures in place.  It is not hard to see why.   Sarbanes-Oxley requires publicly held US companies and their EU-based affiliates, and non-US companies listed on one of the US stock markets, to establish procedures for the receipt, retention and treatment of complaints received about accounting/auditing matters and internal controls.  Failure to comply leads to onerous sanctions.  Further, the UK’s own combined code for corporate governance has encouraged corporates to think seriously about whistleblowing. 

In the UK, under the Public Interest Disclosure Act 1998 (“PIDA”) if an employee discloses wrongdoing in his organisation and, for example, is dismissed because he has done so, the employer will be liable to an uncapped compensation award in the Tribunal.

PIDA

Initially implemented after a number of public disasters in the early 1990s, PIDA (which inserts provisions into the Employment Rights Act 1996) puts in place a framework of protection against detriment or dismissal for workers who blow the whistle in good faith.

PIDA aims to give workers comfort that they can raise their concerns safely with their employer without fear of reprisal, and aims to allow employers the opportunity to deal with the alleged wrongdoing internally.  Although workers can make disclosures direct to an external body they have to meet strict conditions first or they lose their protection.

PIDA gives protection not just to employees, but to workers.  No service qualification is necessary.  A worker will have a whistleblowing claim if he makes a protected disclosure as stipulated under PIDA, and suffers a detriment or dismissal by his employer because the disclosure was made.

A qualifying disclosure is a disclosure which in the reasonable belief of the worker tends to show one or more of the following:-

• a criminal offence;
• a failure to comply with a legal obligation;
• a miscarriage of justice;
• the health and safety of any individual is endangered;
• the environment is being damaged; or
• information relating to any of the above areas is being deliberately concealed.

Breach of a legal obligation is not surprisingly the most used category, as it is so wide in scope as the case-law has shown (e.g. Parkins v Sodexho Limited 2002 IRLR 109).  This case highlighted that the legislation catches any breach by an employer of its legal obligations, so that breach of the employer’s own contractual duties to employees are included.  In other words if an employee raises a concern that the employer is breaching its own contract with him that will be a protected disclosure.  Although arguably this is not the point of the legislation and this decision has been criticised, the legislation does not specifically require a disclosure to be in the public interest.

For a qualifying disclosure to become a protected disclosure it must be made in one of the stipulated ways in PIDA.  As the purpose of PIDA is for matters to be resolved internally within the organisation, the easiest way to make a protected disclosure under PIDA is to the employer in good faith.  However in some circumstances (for example an exceptionally serious disclosure) where the strict conditions in PIDA are met, the disclosure may be made directly to an external/other body.

The disclosure must be made in good faith (e.g. as the case law has shown, not with an ulterior/personal motive, and not maliciously).  One case (Mehaoua v Demipower Limited ET 2201 602/04) showed that, in the absence of any satisfactory explanation, a delay of one year in raising a concern of fraud indicated a lack of good faith. 

A worker can only bring a claim against his employer if he can show he has been treated to his detriment because he made the disclosure.  If the principal reason for dismissal is the fact the employee made the protected disclosure the dismissal will be automatically unfair.  However unlike normal unfair dismissal, the compensatory award is uncapped.

So what should you do?

• Set up a whistleblowing policy.  This can feature in your Staff Handbook as a non-contractual policy.  Ensure the policy is accessible and well-publicised, and that your managers have received proper training about it.
• In the policy encourage employees to raise any concerns they have that the company or their colleagues have failed to adhere to its or their obligations in some way.
• Give examples of the type of malpractice the company is concerned about (e.g. commission of a criminal offence, fraud/corruption, accounting irregularities, health and safety issues, contravention of any codes/obligations of any body which regulates the business of the company).
•  Explain that if the employee’s concern relates to any internal procedure/action which affects the employee’s employment directly that should be raised through the company’s grievance procedure.
• Set out the internal procedure you want to be followed in a whistleblowing situation.  Explain that whistleblowing made in bad faith will result in disciplinary action.
•  Give appropriate assurances about confidentiality.  However avoid guarantees as this could impede an investigation and resolution of the matter.

Whistleblowing and data protection

However, when concentrating on implementing a whistleblowing policy do not forget your data protection duties.  The “Article 29 Working Party”, the EU Working Party set up to consider the compatability between whistleblowing policies and EU data protection rules recently issued its opinion.

It is outside the scope of this article to examine the Working Party’s opinion in detail but here are a few points in summary:-

• The Working Party emphasised that the rights of the accused must also be protected. Even where whistleblowing schemes are not explicitly required by the laws of a Member State, the schemes may in any event be in the legitimate interest of a company.  (Where the Member State has specific laws requiring a whistleblowing procedure the procedure will have legal approval in any event (although data protection rules about proportionality must still be followed)).
• The Working Party emphasised the need for proportionality in all whistleblowing schemes.  For example it strongly discouraged anonymous reporting. This is important as many employers in the UK have set up anonymous reporting structures.  The Working Party suggests that confidential reporting (that is not revealing the identity of the whistleblower to the accused) is appropriate (though in the event of whistleblowing in bad faith the identity should be revealed to the accused so that he can take action against the whistleblower if desired).
• Where the whistleblowing procedure has been outsourced by the employer to a third party (which many employers have opted for) the employer must ensure that the third party is contracted to protect data properly.
• Where the policy will lead to a transfer of personal data outside the EU, the employer needs to ensure that the entity receiving the data has adequate levels of data protection (e.g. it has signed up to the Safe Harbor Scheme (if in the US), or it has entered into a contract or a set of binding corporate rules).