Whistleblowing and Ethics Hotlines: legal and governance considerations for UK and EU organisations

Whistleblowing laws in the UK and EU provide legal protection for individuals who raise concerns about wrongdoing. The UK regime, under PIDA 1998 and the ERA 1996, is narrower and less prescriptive than the EU’s Whistleblowing Directive.

In both the UK and the European Union, whistleblowers are afforded legal protections. However, there are significant differences between the UK and EU legal regimes concerning whistleblowing and ethical reporting. Organisations operating across both jurisdictions must understand these divergences, and ensure their systems comply with the applicable rules. 

This article considers:

  • The regulatory framework for whistleblowing and ethical reporting in the UK and EU; and
  • Best practice guidance to comply with legal requirements, and to promote a culture of openness and accountability. 

Whistleblowing and Ethical Reporting Laws in the UK and EU

The UK’s statutory framework for whistleblowing was introduced by the Public Interest Disclosure Act 1998 (PIDA), which amended the Employment Rights Act 1996 (ERA 1996) by inserting a new Part IVA, which remains in force today. This framework protects employees and workers who make a “protected disclosure” which, in their reasonable belief, tends to show certain categories of malpractice. These include:

  • that a criminal offence has been committed, is being committed or is likely to be committed;
  • that a person has failed, is failing or is likely to fail to comply with a legal obligation (including under data protection law such as the UK GDPR or the Data Protection Act 2018);
  • that a miscarriage of justice has occurred, is occurring or is likely to occur;
  • that the health or safety of any individual has been, is being or is likely to be endangered;
  • that the environment has been, is being or is likely to be damaged; or
  • that information showing any of the above has been deliberately concealed.

The law protects whistleblowers from dismissal and from being subjected to detriment in the workplace, because of a protected disclosure.

Over the years, sector-specific regulatory regimes have been developed, including:

  • The Financial Services and Markets Act 2000 (FSMA) and the FCA / PRA Handbook rules (SYSC 18), which require regulated financial services firms to establish internal whistleblowing procedures.
  • The UK Corporate Governance Code 2018, which applies to companies with a premium listing on the London Stock Exchange and recommends a mechanism for the workforce to raise concerns in confidence.

The Enterprise and Regulatory Reform Act 2013 further amended Part IVA of ERA 1996 by introducing:

  • personal liability for co-workers and vicarious liability for employers;
  • a requirement that disclosures must be made in the public interest to qualify for protection; and
  • removal of the requirement for disclosures to be made in “good faith” (however, employment tribunals can reduce compensation for unfair dismissal by up to 25% if a disclosure is not made in “good faith”).

Taken together, Part IVA of the ERA 1996 (as inserted by PIDA 1998 and subsequently amended) and Part V of the ERA 1996 provide the legal basis for whistleblowing protection and claims in the UK.

The EU introduced a harmonised framework across its member states with the Whistleblowing Directive (Directive 2019/1937). The Directive mandates that member states ensure that whistleblowers have access to effective and confidential reporting channels, both internally (within an organisation) and externally (to a competent authority). The Directive’s scope expressly includes breaches of EU data protection law, notably the GDPR (Regulation (EU) 2016/679), as well as related rules on cybersecurity and privacy.

Although not directly applicable in the UK following Brexit, the Whistleblowing Directive is relevant to:

  • UK-based companies with operations or subsidiaries in the EU; or
  • UK companies with EU-based employees who may report under national laws implementing the Directive.

Divergence between the UK and EU regimes

The key differences between UK and EU requirements include:

  • Internal reporting channels: The EU Directive requires internal reporting channels for companies with 50+ employees. In the UK, there is no general statutory obligation for all companies to establish an ethics reporting system, except in regulated sectors.
  • Scope of protection: In the UK, protection applies to current and former employees and “workers” (a broad category including agency staff, freelancers, secondees, homeworkers, trainees, non-executive directors and LLP members). The EU regime extends protection more widely to shareholders, volunteers, job applicants and the self-employed.
  • Timelines: No specific timelines apply in the UK. The EU Directive mandates strict timelines: acknowledgement of a report within seven (7) days and feedback within a reasonable time frame, not exceeding 3 months.
  • External reporting: EU member states must designate national authorities to operate external reporting channels. In the UK, whistleblowers may report their concerns externally to “prescribed persons” (such as the FCA, PRA, HSE or ICO) provided the statutory conditions are met. Disclosure to the media is protected only in limited circumstances and as a last resort.
  • Record-keeping: The EU regime requires organisations to maintain records of oral reports and physical meetings. No such general requirement exists in the UK, though record-keeping may be necessary in regulated sectors. 
  • Scope of wrongdoing: The Directive primarily applies to disclosures relating to breaches of EU laws in specified public interest areas — such as financial services, environmental protection, public procurement, consumer rights and data protection. UK whistleblowing protection under PIDA applies more broadly to any qualifying wrongdoing listed in the ERA, provided the whistleblower reasonably believes the disclosure is in the public interest. 

Best practice guidance  

Organisations should adopt a proactive approach to compliance and governance by:

  • Providing mandatory training to promote awareness among staff and contractors on whistleblowing rights and procedures;
  • Maintaining clear policies and procedures for handling disclosures, including records of reports, follow-up and outcomes;
  • Implementing a whistleblowing hotline or equivalent reporting channel;
  • Promoting a culture of speaking up through visible leadership commitment and regular messaging; and
  • Conducting regular audits and independent reviews of whistleblowing arrangements (including by independent third-party auditors) to identify weaknesses, determine where improvements can be made, and implement measures to address any deficiencies.

Regulated financial institutions are subject to additional FCA and PRA binding rules, including:

  • Maintaining a secure and confidential channel for internal reporting;
  • Taking reasonable steps to protect whistleblowers from detriment; and
  • Appointing a Whistleblowers’ Champion with sufficient seniority and independence to oversee the effectiveness of arrangements.

Comments

Although UK organisations outside regulated sectors are subject to fewer mandatory requirements than those in the EU, there are clear governance, compliance and reputational benefits to implementing robust whistleblowing and ethical reporting systems. Ensuring these systems are integrated with data protection compliance, particularly where disclosures may involve the processing of personal data, is increasingly important. Aligning with EU standards where possible supports best practice and demonstrates commitment to accountability and transparency.