Whistleblower Policy (Ireland)
PROTECTED DISCLOSURES (WHISTLEBLOWER) POLICY
Organisation: [Organisation Name], [Organisation Address]
Date Adopted: [Policy Date]
This Policy is adopted by [Organisation Name] in compliance with the Protected Disclosures Act 2014, the Protected Disclosures (Amendment) Act 2022, and EU Directive 2019/1937 on the protection of persons who report breaches of Union law (the “EU Whistleblowing Directive”).
1. PURPOSE AND SCOPE
1.1 [Organisation Name] (the “Organisation”) is committed to maintaining the highest standards of integrity, transparency, and accountability. This Policy establishes a safe, confidential channel for workers to report suspected wrongdoing without fear of penalisation.
1.2 This Policy applies to all workers of the Organisation, including employees, contractors, agency workers, trainees, volunteers, shareholders, and board members, as defined in section 3 of the Protected Disclosures Act 2014.
1.3 The Organisation has [Organisation Size] and is subject to the requirements of the Protected Disclosures (Amendment) Act 2022 accordingly.
2. WHAT IS A PROTECTED DISCLOSURE?
2.1 A “protected disclosure” is a disclosure of “relevant information” that a worker reasonably believes shows one or more of the following “relevant wrongdoings” (as defined in section 5 of the Protected Disclosures Act 2014, as amended):
- A criminal offence has been, is being, or is likely to be committed;
- A person has failed, is failing, or is likely to fail to comply with a legal obligation;
- A miscarriage of justice has occurred, is occurring, or is likely to occur;
- Health or safety of any individual has been, is being, or is likely to be endangered;
- The environment has been, is being, or is likely to be damaged;
- An unlawful or improper use of public funds or resources;
- Acts or omissions by or on behalf of a public body that are oppressive, discriminatory, or grossly negligent; or
- Information that would tend to show any of the above has been, is being, or is likely to be deliberately concealed.
2.2 A disclosure is not protected if the worker making it commits a criminal offence in making the disclosure, or if the information disclosed is legally professionally privileged.
3. HOW TO MAKE A DISCLOSURE
3.1 Workers may make a protected disclosure using any of the following channels: [Reporting Methods].
3.2 Disclosures should be directed to the Designated Disclosure Officer: [Disclosure Officer Name] ([Disclosure Officer Email] / [Disclosure Officer Phone]). Where the primary officer has a conflict of interest, disclosures should be directed to: [Alternate Officer Name].
3.3 Workers may make a disclosure anonymously. The Organisation will investigate anonymous disclosures to the extent practicable, subject to the nature of the information provided.
3.4 Disclosures may be made verbally. Where a verbal disclosure is made, the Disclosure Officer shall prepare a written record and, where possible, offer the worker the opportunity to review and correct the record.
4. INVESTIGATION PROCESS
4.1 Acknowledgement: The Organisation shall acknowledge receipt of a disclosure within [Acknowledged Within] of receipt.
4.2 Diligent Follow-Up: The Disclosure Officer shall assess each disclosure and, where warranted, conduct a diligent and impartial follow-up investigation.
4.3 Feedback: The Organisation shall provide the reporting worker with feedback on the action taken or proposed (subject to confidentiality constraints) within [Feedback Within] of acknowledging the disclosure.
4.4 Confidentiality: The identity of the reporting worker and any information from which they could be identified shall be kept strictly confidential and shall not be disclosed without the worker’s explicit consent, except where disclosure is strictly necessary for a legal obligation (including criminal investigation) or for the purposes of the investigation.
4.5 Records: The Organisation shall maintain a secure register of disclosures received and shall retain records for a minimum of 5 years in accordance with the Protected Disclosures (Amendment) Act 2022.
5. EXTERNAL REPORTING CHANNELS
5.1 Workers may, at their discretion, make a disclosure directly to an external prescribed person or body without first making an internal disclosure. Workers do not lose their protected status by doing so.
5.2 Relevant external bodies include:
- Relevant sector regulator: [Sector Regulator]
- Office of the Protected Disclosures Commissioner (www.protecteddisclosures.gov.ie) — for all sectors
- Workplace Relations Commission (WRC) — for employment-related matters (www.workplacerelations.ie)
5.3 Workers may disclose to the media or public in limited circumstances as set out in section 10 of the Protected Disclosures Act 2014 (as amended).
6. PROTECTION AGAINST PENALISATION
6.1 The Organisation strictly prohibits penalisation of any worker who makes, or is suspected of making, a protected disclosure. Penalisation includes dismissal, demotion, harassment, intimidation, bullying, discrimination, disadvantage, or any adverse treatment connected with a protected disclosure.
6.2 Any worker who penalises or attempts to penalise a disclosing worker will be subject to disciplinary action, up to and including dismissal.
6.3 Under section 12 of the Protected Disclosures Act 2014 (as amended), workers who suffer penalisation may bring a claim to the Workplace Relations Commission (WRC). Awards may include reinstatement and compensation of up to five years’ remuneration.
6.4 This protection extends to workers who assist, facilitate, or participate in the investigation of a disclosure.
7. FALSE AND MALICIOUS DISCLOSURES
7.1 This Policy does not protect workers who knowingly make false disclosures. Making a deliberately false or malicious disclosure may constitute misconduct and may result in disciplinary action, as well as potential civil or criminal liability.
8. GOVERNING LAW
8.1 This Policy is governed by and construed in accordance with the laws of Ireland. All rights and obligations under this Policy are subject to the Protected Disclosures Acts 2014–2022.
Authorised signatory (on behalf of the Organisation)
________________
Signature
What Is a Whistleblower Policy (Ireland)?
A Whistleblower Policy in Ireland sets out the standards, responsibilities, and procedures the organisation expects everyone to follow, and takes its legal force from the Protected Disclosures Act 2014.
The Protected Disclosures Act 2014 was a landmark piece of legislation that for the first time provided thorough statutory protection to workers who disclosed information about wrongdoing in the public interest. The 2014 Act was influenced by a series of high-profile cases in Ireland in which individuals who had reported wrongdoing suffered serious professional and personal consequences. The Act established a tiered disclosure system: workers may first disclose internally (to their employer), then to a prescribed person (an external regulator), then to a Minister of Government, and in limited circumstances more broadly — for example, to a solicitor or to the media.
The Protected Disclosures (Amendment) Act 2022 made substantial changes. It extended the scope of protected disclosures to cover breaches of specified EU law in areas such as financial services, data protection, public procurement, environmental law, food safety, and public health. It broadened the definition of 'worker' to include contractors, volunteers, board members, shareholders, job applicants, and former workers. It removed the good faith requirement as a threshold for protection and replaced it with a 'reasonable belief' standard. It mandated formal internal reporting channels for employers with 50 or more employees. It increased maximum compensation to five years' remuneration. It introduced interim relief for dismissed workers. And it established the Office of the Protected Disclosures Commissioner as a new independent public office.
The policy must comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, since the processing of personal data in connection with disclosures — including the identity of the reporting person and any person who is the subject of a report — is subject to GDPR's full data protection principles. The Data Protection Commission (DPC) has regulatory oversight of GDPR compliance in Ireland.
For employers in the financial services sector, additional whistleblowing obligations arise under Central Bank of Ireland regulations, including the Central Bank (Supervision and Enforcement) Act 2013 and various sectoral codes. These obligations dovetail with, but are not replaced by, the 2022 Act.
A well-drafted Whistleblower Policy is an essential part of any Irish organisation's governance and compliance framework, protecting both the organisation and its workers, and demonstrating a commitment to ethical business conduct and the rule of law.
The Office of the Protected Disclosures Commissioner (OPDC), established by the 2022 Act, plays an important institutional role in the Irish whistleblowing landscape. The Commissioner maintains a secure online portal for workers who cannot or prefer not to use an employer's internal reporting channel, and publishes guidance for both workers and employers on the operation of the regime. The Commissioner also publishes an annual report on protected disclosures received and their outcomes.
The Protected Disclosures Acts 2014 to 2022 sit alongside the Criminal Justice (Corruption Offences) Act 2018. Workers who report corruption offences under the 2018 Act through their employer's protected disclosures channel are entitled to full legal protection under the 2014 Act, and a whistleblower policy should cross-reference the organisation's anti-bribery policy to confirm this is clear to all staff. Solicitors advising Irish organisations on employment law and regulatory compliance consistently identify a well-designed whistleblower policy as one of the most valuable governance investments an organisation can make — enabling early detection and remediation of wrongdoing before it escalates into a regulatory investigation, media controversy, or criminal prosecution, and demonstrating to regulators and investors a genuine commitment to ethical business conduct and the rule of law in Ireland.
When Do You Need a Whistleblower Policy (Ireland)?
An Irish Whistleblower Policy is needed by any organisation that employs workers or engages contractors in Ireland, because the substantive protections against penalisation under the Protected Disclosures Acts 2014–2022 apply to all workers regardless of employer size. However, the formal mandatory obligations to have a documented internal reporting channel apply specifically to private sector employers with 50 or more employees and to all public sector bodies.
You need a Whistleblower Policy if your organisation:
- employs 50 or more workers and is therefore mandatorily required by section 6A of the Protected Disclosures Act 2014 (as inserted by the 2022 Act) to establish, maintain, and operate a secure internal reporting channel meeting specified requirements;
- is a regulated financial services entity subject to Central Bank of Ireland oversight, where additional obligations to have a whistleblowing reporting channel arise under sectoral rules, including the Central Bank (Supervision and Enforcement) Act 2013 and the European Union (Capital Requirements) Regulations 2014;
- is a public sector body of any size, which must operate an internal reporting channel regardless of employee numbers;
- operates in a sector with heightened regulatory scrutiny — such as healthcare, pharmaceuticals, construction, financial services, or public procurement — where regulators may inquire about the existence and operation of a whistleblower reporting channel as part of a compliance assessment;
- has experienced a whistleblowing report and wishes to confirm that it handles the report in a manner consistent with the Act and that it protects itself against a penalisation complaint before the Workplace Relations Commission (WRC); or
- wishes to demonstrate to investors, insurers, and counterparties that it operates to high governance standards.
For organisations with fewer than 50 employees that are not in a regulated sector, the 2022 Act does not currently mandate a formal internal reporting channel, but the protections against penalisation still apply if a worker makes a protected disclosure. In practice, having a simple, clear whistleblower policy — even a short document that identifies to whom reports should be made, confirms the confidentiality of reports, and prohibits retaliation — is strongly advisable for all employers. The WRC has been clear in its decisions that the absence of a functioning reporting channel is not a defence to a penalisation claim, and it may be treated as an aggravating factor when assessing compensation.
Solicitors advising Irish companies on employment law compliance, and corporate governance advisers working with company boards, regularly include a whistleblower policy in the list of essential governance documents alongside a code of conduct, an anti-bribery policy, a data protection policy, and an equal opportunities policy.
What to Include in Your Whistleblower Policy (Ireland)
A thorough Irish Whistleblower Policy should contain several key provisions to confirm compliance with the Protected Disclosures Acts 2014–2022 and to give workers clear, practical guidance on how to make a report and what protections they enjoy.
The purpose and scope clause should explain why the policy exists (to comply with the Protected Disclosures Acts 2014–2022 and to foster an open, ethical culture), and should specify who is covered — not just employees, but also contractors, temporary workers, volunteers, board members, shareholders, and former workers, all of whom may qualify as 'workers' under the 2022 Act.
The definition of protected disclosure clause should explain in accessible, plain-English language what constitutes a protected disclosure under section 5 of the 2014 Act: a disclosure of relevant information made by a worker who reasonably believes it tends to show one or more of the categories of wrongdoing listed in the Act, including criminal offences, regulatory breaches, health and safety dangers, environmental damage, misuse of public funds, and breaches of specified EU law. The policy should confirm that workers need not have direct evidence — a reasonable belief based on available information is sufficient.
The internal reporting channel clause must specify how reports are to be made: to a designated disclosure recipient (typically a compliance officer, a board audit committee, or a specific confidential reporting email address), and should provide for a secure, confidential alternative channel (such as an anonymous hotline or an online portal) for workers who are not comfortable reporting to their line manager. For organisations mandated by the 2022 Act to have a formal channel, the clause must confirm that reports will be acknowledged within seven days, that feedback will be provided within three months, and that all reports will be recorded in a secure register.
The confidentiality clause must confirm that the identity of the reporting person will be kept strictly confidential and will not be disclosed without their consent, except as required by law. The clause should also address the confidentiality of the person who is the subject of the report, pending the outcome of the investigation. Breach of confidentiality is a criminal offence under the 2022 Act.
The anti-retaliation clause must make unequivocally clear that the organisation prohibits any form of penalisation — dismissal, demotion, harassment, discrimination, or any other adverse treatment — of a worker who makes a protected disclosure. The clause should set out the remedies available to workers who are penalised: a complaint to the WRC within six months, which may result in reinstatement, re-engagement, or compensation of up to five years' remuneration; and the right to apply to the Circuit Court for interim relief within 21 days of dismissal.
The investigation process clause should outline the steps the organisation will take to investigate a report: initial assessment by the disclosure recipient, appointment of an independent investigator where appropriate, notification to the subject of the report in accordance with fair procedures requirements, completion of the investigation within a reasonable timeframe, and communication of the outcome to the reporting person.
The data protection clause should confirm how personal data processed in connection with disclosures is handled in compliance with GDPR (Regulation (EU) 2016/679) and the Data Protection Act 2018, including the legal basis for processing under GDPR Article 6(1)(c) (compliance with a legal obligation) or Article 6(1)(f) (legitimate interests), the retention period for investigation records (minimum five years under section 6A of the Protected Disclosures Act 2014 as amended by the 2022 Act), and the rights of data subjects in relation to that data. The Data Protection Commission (DPC) at 21 Fitzwilliam Square South, Dublin 2, D02 RD28 is the Irish supervisory authority and enforces GDPR compliance, with powers to impose fines of up to €20 million or 4% of global annual turnover under GDPR Article 83.
The register and reporting obligations clause should confirm that employers mandated by the Protected Disclosures (Amendment) Act 2022 to have an internal reporting channel must register the channel with the Office of the Protected Disclosures Commissioner (OPDC) and comply with annual reporting requirements. The Commissioner publishes an annual report on the operation of the protected disclosures regime. The Workplace Relations Commission (WRC) at Tom Johnson House, Haddington Road, Dublin 4 adjudicates penalisation complaints under section 11 of the 2014 Act, with appeals to the Labour Court under section 14. The Circuit Court of Ireland has jurisdiction to grant interim relief within 21 days of dismissal under section 11A of the 2014 Act. The Central Bank of Ireland imposes additional whistleblowing channel requirements on regulated financial services entities under the Central Bank (Supervision and Enforcement) Act 2013, the European Union (Capital Requirements) Regulations 2014, and the Market Abuse Regulation (Regulation (EU) 596/2014). The Criminal Justice (Corruption Offences) Act 2018, enforced by An Garda Síochána and the Director of Public Prosecutions, provides additional protections for workers who report corruption offences. The forms-legal.com Whistleblower Policy (Ireland) template covers the mandatory elements under the Protected Disclosures Acts 2014–2022.
Sources & Citations
Statutory citations link to official government sources.
- GDPR Article 6, EU – GDPR
- GDPR Article 83, EU – GDPR
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Whistleblower Policy (Ireland) (Ireland) [Legal document template]. Forms Legal. https://forms-legal.com/ireland/business/policies/whistleblower-policy-ireland
"Whistleblower Policy (Ireland) (Ireland)." Forms Legal, 2026, https://forms-legal.com/ireland/business/policies/whistleblower-policy-ireland.
@misc{formslegal-whistleblower-policy-ireland,
author = {{Forms Legal}},
title = {Whistleblower Policy (Ireland) (Ireland)},
year = {2026},
howpublished = {\url{https://forms-legal.com/ireland/business/policies/whistleblower-policy-ireland}},
note = {Free legal document template. Based on Companies Act 2014}
}
Frequently Asked Questions
A 'protected disclosure' is defined in section 5 of the Protected Disclosures Act 2014 (as substantially amended by the Protected Disclosures (Amendment) Act 2022) as a disclosure of 'relevant information' (whether or not the information is also a personal grievance) made by a worker who reasonably believes that the information tends to show one or more of the specified categories of wrongdoing listed in section 5(3) of the Act. The categories of wrongdoing are broad and include: a criminal offence committed or likely to be committed; a failure to comply with a legal obligation (other than one arising from the worker's contract of employment); a miscarriage of justice; a danger to health or safety of any individual; damage to the environment; unlawful or improper use of public funds or resources; oppressive, discriminatory, or grossly negligent conduct by a public body; deliberate concealment of any of the foregoing. The 2022 Amendment Act, which transposed the EU Whistleblowing Directive (Directive (EU) 2019/1937), significantly extended the scope of protected disclosures to include breaches of specified European Union law across a wide range of areas including financial services, anti-money laundering, public procurement, product safety, food safety, environmental law, public health, and consumer and data protection. Workers need not have direct evidence of the wrongdoing — the key threshold is a 'reasonable belief' based on information known to the worker at the time of the disclosure.
Workers who make a protected disclosure under the Protected Disclosures Acts 2014–2022 are entitled to a thorough set of legal protections against retaliation. Section 11 of the 2014 Act (as amended) prohibits penalisation of a worker for having made, or for being believed to have made, a protected disclosure. 'Penalisation' is defined broadly in section 3 to include: dismissal, demotion, reduction in pay or hours, suspension or lay-off, imposition of a financial penalty, coercion, intimidation, harassment, ostracism, discrimination, disadvantage, or any adverse change in the worker's terms and conditions. Under section 12 of the 2014 Act, any purported dismissal of a worker in connection with a protected disclosure is automatically unfair under the Unfair Dismissals Acts 1977–2015. This is a significant protection because it removes the usual qualifying period of one year's service before an unfair dismissal claim can be brought — a worker can claim unfair dismissal from day one of employment if dismissed in connection with a protected disclosure. The maximum compensation available at the Workplace Relations Commission (WRC) for penalisation (other than dismissal) is five years' remuneration (increased from two years by the 2022 Act). For dismissal, the maximum compensation before the WRC or the Labour Court is also five years' remuneration.
The Protected Disclosures (Amendment) Act 2022, implementing the EU Whistleblowing Directive (Directive (EU) 2019/1937), introduced mandatory requirements for employers in the private and public sectors to establish formal internal reporting channels. For private sector employers, the obligation to have a formal internal reporting channel (meeting the specifications in section 6A of the 2014 Act as inserted by the 2022 Act) applies to organisations with 50 or more employees. This obligation came into force on 17 December 2023 for private sector employers with 50 or more workers (organisations with 50–249 employees were given until that date under transitional provisions; organisations with 250 or more employees had to comply from 1 January 2023). The mandatory requirements under section 6A include: providing written acknowledgement of reports within seven days of receipt; designating a person or function to administer the channel, with sufficient independence and authority; accepting reports orally or in writing; diligently following up reports; providing feedback to the reporting person within three months (or six months in duly justified cases); maintaining secure records of all reports received for a minimum of five years; ensuring the identity of the reporting person is kept confidential and not disclosed without consent; and processing personal data in the report in compliance with GDPR. For public sector bodies, the obligation applies regardless of size — all public bodies must have a formal internal reporting channel.
The intersection of the Protected Disclosures Acts 2014–2022 and the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), as implemented in Ireland by the Data Protection Act 2018, creates a complex compliance environment for organisations operating whistleblower reporting channels. Personal data processed in connection with a protected disclosure — including the identity of the reporting person, the identity of any person who is the subject of a disclosure, and any other personal data contained in the report — is subject to the full rigour of GDPR. Under GDPR Article 5, such data must be processed lawfully, fairly, and transparently; collected only for the specified purpose of investigating the disclosure; kept accurate and up to date; retained no longer than necessary; and processed securely. The legal basis for processing will typically be compliance with a legal obligation (Article 6(1)(c)) where the employer is mandatorily required by the 2022 Act to operate an internal reporting channel, and/or legitimate interests (Article 6(1)(f)) where the employer is not mandatorily required but has chosen to operate a channel. The processing of special categories of personal data (such as health data, trade union membership, or criminal convictions data) that may appear in disclosures requires a specific condition under GDPR Articles 9 and 10.
The Office of the Protected Disclosures Commissioner (OPDC) was established by the Protected Disclosures (Amendment) Act 2022 as part of a significant overhaul of Ireland's whistleblowing architecture. The Commissioner, who holds an independent statutory office, has two primary functions. First, the Commissioner maintains a secure online portal through which workers may make protected disclosures to a prescribed person where no internal reporting channel is available or appropriate to use, or where the worker reasonably believes that the internal channel is not functioning adequately. Under the 2014 Act (as amended), workers may first make disclosures internally (to their employer), then to a 'prescribed person' (an external regulator listed in a Schedule to the Act, such as the Revenue Commissioners, the Central Bank of Ireland, or the Health and Safety Authority), and then more broadly if the first two avenues are unavailable or inadequate. The Commissioner's office serves as the catch-all prescribed person where no other prescribed person is appropriate. Second, the Commissioner publishes guidance for workers and employers on the operation of the protected disclosures regime and maintains a register of organisations that have formal internal reporting channels. Employers required to have an internal reporting channel under the 2022 Act must register with the Commissioner and comply with reporting obligations.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.