All templates
Company PoliciesPolicy

Whistleblowing Policy template

A whistleblowing policy is the written route for workers to report suspected wrongdoing inside {{org.name}} — illegality, danger, fraud, cover-ups — safely and to the right person, so problems surface early instead of festering or leaking. It exists for concerns about the organisation and its impact on others, not for personal workplace disputes.

Free to use
UK-focused
Updated 11 July 2026

Most serious organisational failures were visible to someone on the inside long before they became public. The point of this policy is to make speaking up feel routine and safe: a named route, a promise of protection, and visible evidence that concerns are taken seriously.

This template covers what to report, how to raise a concern openly, confidentially, or anonymously, how {{org.name}} investigates, the protection whistleblowers get, and when going to an outside regulator is appropriate.

The template

Full text, ready to adapt.

Highlighted fields are placeholders — replace them with your organisation's specifics. A starting point, not legal advice.

Whistleblowing Policy

Policy · Company Policies

1. Purpose and scope

This policy explains how anyone working for {{org.name}} — employees, workers, agency staff, contractors, and volunteers [adjust to your workforce] — can raise a concern about suspected wrongdoing within the business.

It does not replace other procedures: complaints about your own employment or treatment belong in the grievance procedure or the bullying and harassment policy, and customer complaints follow the complaint handling procedure. Where a concern contains both elements, we will separate them and handle each under the right policy.

2. Policy statement

{{org.name}} wants wrongdoing reported, however uncomfortable that is. We would always rather hear about a problem from our own people than from a regulator, a journalist, or a court. Anyone who raises a genuine concern under this policy will be supported and protected, even if the concern turns out to be mistaken.

3. What to report under this policy

  • Criminal activity, including theft, fraud, or bribery.
  • Failure to comply with a legal or regulatory obligation.
  • Danger to the health and safety of any person — staff, customers, or the public.
  • Damage to the environment.
  • A miscarriage of justice.
  • Misuse of personal data or serious breaches of confidentiality.
  • Deliberate concealment of any of the above.

4. How to raise a concern

  1. 1Report the concern to [whistleblowing officer — name/role]. If the concern involves that person, go to [alternative senior name/role] instead.
  2. 2Raise it in writing or verbally — a conversation is a valid report and will be written up and confirmed back to you.
  3. 3Give what facts you can: what you saw or heard, dates, people involved, and any documents. You are not expected to investigate or prove anything yourself.
  4. 4Say whether you want to be identified, kept confidential, or remain anonymous. Anonymous reports are accepted, but they limit how well we can investigate and mean we cannot update or protect you directly.

5. How {{org.name}} handles concerns

  1. 1Acknowledge the concern within [number] working days.
  2. 2Make an initial assessment and decide the response: internal investigation, escalation to [owner/board], or referral to the police or a regulator.
  3. 3Appoint an investigator with no involvement in the matter, who gathers evidence proportionately and confidentially.
  4. 4Keep the person who raised the concern updated where possible — timescales and, as far as confidentiality allows, the outcome.
  5. 5Record the concern, the investigation, and the outcome in [confidential register/location], and fix any process gap the case exposed.

6. Protection and confidentiality

Nobody who raises a genuine concern under this policy will be dismissed or suffer any detriment for doing so — no demotion, victimisation, lost hours, or exclusion. Retaliating against a whistleblower is a disciplinary offence at {{org.name}}, and serious retaliation is gross misconduct.

We keep the identity of the person raising the concern confidential wherever we can. Deliberately false or malicious reports — as opposed to honest concerns that prove unfounded — are dealt with under the disciplinary procedure.

7. External disclosures

We hope anyone with a concern raises it internally first, so we can act quickly. However, workers have the legal right to make a protected disclosure to a prescribed person — the relevant regulator for the subject matter, such as the HSE for safety concerns or the ICO for data concerns. GOV.UK publishes the full list.

Nothing in this policy, any contract, or any settlement agreement prevents a worker from making a protected disclosure.

8. Records and review

The whistleblowing register is held by [name/role], access-restricted, and retained in line with our data retention policy. [Owner/board] reviews anonymised themes [frequency] so patterns are spotted.

This policy is reviewed [frequency, e.g. annually] and after every concern raised under it. Owner: [name/role]. Next review due: [date].

Make it yours

How to adapt this template.

1

Name a whistleblowing officer and a genuinely independent alternative — the alternative route is the one that matters when the concern involves leadership.

2

Decide how anonymous reports can reach you in practice (a letter, a form, a voicemail box) and state it in the policy.

3

Brief managers that concerns may reach them first, and that their only job at that moment is to listen, record, and pass it to the named officer.

4

Publish the policy where staff actually look — induction, handbook, noticeboard — not only in a policy folder.

5

Test the route once a year: walk a hypothetical concern through the steps and check every named person still exists and knows their part.

A document is not a system

Turn this template into trained, proven behaviour

A policy in a drawer proves nothing. In TrainedTeam this template becomes assigned training with knowledge checks, e-signature acknowledgments, version history, and an audit-ready record of who completed what, when.

Whistleblowing Policy template FAQs

Is a whistleblowing policy a legal requirement in the UK?

Not for most private employers — some regulated sectors must have arrangements, but there is no general statutory duty to have the document. The legal protection for whistleblowers under the Public Interest Disclosure Act 1998 applies whether or not you have a policy, so a clear internal route is strongly in the employer's interest: it makes internal reporting the easy first choice.

What is the difference between a grievance and a whistleblowing concern?

A grievance is about your own employment — your treatment, terms, or working relationships. A whistleblowing concern is about wrongdoing that affects others or the public: illegality, danger, environmental damage, or cover-ups. The distinction matters because whistleblowing engages specific statutory protection and a different procedure.

Is a whistleblower protected if the concern turns out to be wrong?

Yes. Protection under the Public Interest Disclosure Act 1998 rests on a reasonable belief that the disclosure is in the public interest and tends to show wrongdoing — not on being proved right. Deliberately false reports are different and are not protected.

Can workers go straight to a regulator instead of reporting internally?

Yes — disclosures to prescribed persons such as the relevant regulator can be protected, and no policy or contract can lawfully prevent a protected disclosure. Most organisations still encourage internal reporting first because it lets problems be fixed fastest.

Can a concern be raised anonymously?

Yes, and this template says how. Be honest in the policy about the trade-off: anonymous concerns are harder to investigate, cannot receive updates, and the organisation cannot actively protect someone it cannot identify. Confidential — named but protected — is usually the better option.