Protected Disclosure Policy (Ireland)

A Protected Disclosure Policy in Ireland sets out the standards, responsibilities, and procedures the organisation expects everyone to follow, and takes its legal force from the Protected Disclosures Act 2014.

The Protected Disclosures (Amendment) Act 2022 significantly expanded the scope of the original Protected Disclosures Act 2014. Employers with 250 or more employees were required to establish formal internal reporting channels by 1 January 2023. Employers with 50 or more employees must do the same by 17 December 2023. The Office of the Protected Disclosures Commissioner (OPDC), established under the 2022 Act, acts as an external reporting channel for workers who do not wish to report internally or where internal reporting has not been effective.

The 2022 Act greatly broadened the definition of qualifying disclosures and the categories of relevant wrongdoing that can be reported. Relevant wrongdoing includes: criminal offences; breach of legal obligations; miscarriages of justice; dangers to health and safety; damage to the environment; unlawful use of public funds; acts or omissions by a public body that are oppressive, discriminatory, grossly negligent, or constitute gross mismanagement; breaches of EU law in specific areas (financial services, product safety, transport safety, environmental protection, food safety, public health, consumer protection, privacy, and network and information security); and any deliberate concealment of any of the foregoing.

A well-drafted Protected Disclosure Policy demonstrates the organisation's commitment to ethical conduct, legal compliance, and a speak-up culture, and provides a documented framework that reduces the risk of regulatory action by the WRC, DPC, or the OPDC. Organisations should review and update their policy regularly to confirm continued compliance with the 2022 Act and any guidance issued by the OPDC.

The Protected Disclosures (Amendment) Act 2022 also introduced detailed requirements for the handling of reports — including acknowledgement of receipt within seven days, diligent follow-up, feedback to the reporter within three months, and strict confidentiality protections for the identity of the reporter. Penalisation of a worker for making a protected disclosure is unlawful under the 2022 Act, and a worker who suffers penalisation may bring a claim to the WRC or the Circuit Court and may be entitled to compensation of up to five years' remuneration, injunctive relief, and reinstatement.

A well-drafted Protected Disclosure Policy demonstrates the organisation's commitment to ethical conduct, legal compliance, and a speak-up culture. It also provides a documented framework that reduces the risk of regulatory action by the WRC, DPC, or the OPDC. Organisations should review and update their policy regularly to confirm continued compliance with the 2022 Act and any guidance issued by the OPDC. The policy should be communicated to all workers, made available on the company intranet, and included in the employee handbook and onboarding materials. Senior management buy-in and visible leadership commitment are essential to the effectiveness of any protected disclosures regime in practice. The OPDC, established under section 7A of the Protected Disclosures Act 2014 (as inserted by the 2022 Act), is hosted within the Office of the Ombudsman and can be contacted at protecteddisclosures.ie. Under section 20B of the 2014 Act (as inserted by the 2022 Act), it is a criminal offence to breach the confidentiality of a reporting person's identity, punishable on summary conviction by a fine of up to EUR 10,000 or imprisonment for up to 12 months, or on indictment by a fine of up to EUR 50,000 or imprisonment for up to three years. Workers who suffer penalisation may bring a claim to the WRC within six months (extendable to twelve months), with compensation of up to five years' remuneration available. The OPDC also has jurisdiction to receive disclosures from workers in the private sector where the employer has failed to act on an internal disclosure or where the worker has reasonable grounds to believe that disclosure to the employer would not be effective. Workers who make disclosures to the OPDC are entitled to the same protections against penalisation as workers who make internal disclosures. The policy should also address the organisation's approach to anonymous reports, clarifying whether anonymous reports will be investigated and how the organisation will communicate feedback to an anonymous reporter where it is possible to do so.

An Irish Protected Disclosure Policy is legally required for all public-sector bodies and for private-sector employers with 50 or more workers. However, it is also strongly advisable for all employers of any size who wish to foster an ethical workplace culture, reduce legal and reputational risk, and demonstrate commitment to good governance.

You need a Protected Disclosure Policy when you are: a public-sector body (government department, state agency, local authority, health service body, or other public body) of any size, which has been required to have internal reporting channels since the 2022 Act commenced; a private-sector employer with 250 or more workers, which has been required to have internal reporting channels since 1 January 2023; a private-sector employer with between 50 and 249 workers, which has been required to have internal reporting channels since 17 December 2023; a regulated financial services firm, regulated by the Central Bank of Ireland, which has additional whistleblowing obligations under the Central Bank (Supervision and Enforcement) Act 2013 and related regulations; or an employer in any sector who values ethical conduct and wishes to provide workers with a trusted channel for raising concerns before they escalate to regulators or the media.

Having a clear and accessible protected disclosure policy is important for several practical reasons. First, it reduces the risk that workers will make public disclosures (to the media or on social media) without first using internal channels, which can cause significant reputational damage. Research consistently shows that workers are more likely to use internal reporting channels when they trust that the employer will handle their reports confidentially, investigate them properly, and protect them from retaliation. Second, a policy that complies with the 2022 Act reduces the risk of legal claims — a worker who is penalised for making a protected disclosure may receive up to 5 years' compensation from the Workplace Relations Commission. Third, many corporate governance frameworks, investor requirements, and public procurement rules require businesses to have a documented and effective whistleblowing policy. Fourth, the Workplace Relations Commission (WRC) and other enforcement bodies may take the existence and quality of a protected disclosure policy into account when assessing employer compliance.

In the experience of the Workplace Relations Commission (WRC) and the OPDC, organisations with well-publicised, accessible, and consistently applied protected disclosure policies attract fewer external complaints and regulatory investigations. Employees who trust their employer's internal process are more likely to raise concerns internally — giving the organisation the opportunity to investigate and remediate — rather than going directly to regulators or the media. Research by Transparency International Ireland has consistently shown that whistleblower-friendly cultures are associated with lower levels of fraud, corruption, and compliance failures. Investing in a strong protected disclosure policy is therefore both a legal requirement and sound risk management.

A thorough Irish Protected Disclosure Policy should include the following key elements to comply with the Protected Disclosures Acts 2014 and 2022 and the EU Whistleblower Directive.

The purpose and scope clause explains the purpose of the policy — to encourage workers to report suspected wrongdoing safely and confidentially — and identifies who is covered: employees, contractors, agency workers, volunteers, trainees, board members, shareholders, former workers, and job applicants, consistent with the expanded definition of workers in the 2022 Act.

The definition of a protected disclosure clause explains what constitutes a relevant wrongdoing under the Protected Disclosures Acts — including criminal offences, failures to comply with legal obligations, health and safety risks, environmental damage, miscarriages of justice, misuse of public funds, and cover-ups — and clarifies that the worker need only have a reasonable belief that the information tends to show a relevant wrongdoing.

The internal reporting channels clause describes the specific channels through which workers can make a report — for example, an online reporting portal, a designated email address, a dedicated phone line, or a named compliance officer or reporting manager. The clause must confirm that reports will be kept confidential and that access to the reporting system is restricted to authorised personnel.

The acknowledgement and feedback clause states the timeframes for acknowledging receipt of a report (within 7 days) and providing feedback on the action taken or proposed (within 3 months, extendable to 6 months in justified cases), as required by the 2022 Act and the EU Whistleblower Directive.

The external reporting channels clause identifies the external reporting options available to workers — including prescribed persons (sectoral regulators), the Office of the Protected Disclosures Commissioner (OPDC), and, in certain limited circumstances, public disclosure.

The confidentiality clause explains the employer's obligations to protect the identity of the reporting person and the circumstances (if any) in which identity may need to be disclosed — for example, to comply with a legal obligation or at the request of the reporting person. It references the criminal liability under section 20A of the 2014 Act for breaches of confidentiality.

The anti-penalisation clause states that the employer prohibits penalisation in all its forms — dismissal, demotion, harassment, threats, or any other adverse treatment — and sets out the process for workers to raise penalisation concerns, including the right to apply to the Workplace Relations Commission for interim relief within 21 days of dismissal.

The GDPR and data protection clause explains how personal data in connection with protected disclosures is processed, the legal basis for processing (compliance with a legal obligation under Article 6(1)(c) GDPR), the retention period, and who has access to the data — in compliance with the GDPR and the Data Protection Acts 1988 to 2018 as supervised by the Data Protection Commission (DPC).

The review clause commits the employer to reviewing the policy periodically — at least annually — and updating it to reflect any changes in the law or the employer's reporting procedures. The review should incorporate lessons learned from any disclosures received during the year and any updates to guidance from the Office of the Protected Disclosures Commissioner (OPDC) or the Workplace Relations Commission (WRC). The policy should also be tested periodically through staff surveys or consultation with employee representatives to assess whether workers are aware of the policy, trust the process, and feel confident making a disclosure without fear of penalisation. The forms-legal.com Protected Disclosure Policy (Ireland) template covers the mandatory elements under Companies Act 2014.