A whistleblowing policy template helps UK employers set out a safe, clear route for workers to raise concerns about wrongdoing, meet legal expectations, and reduce the risk of issues being hidden until they become crises. For smaller organisations, the biggest challenge is not so much writing the policy as making sure people trust it, use it, and feel protected when they speak up.
This guide is for SMEs, charities and HR or compliance teams that need a practical, ready-to-adapt framework. It explains the key principles behind the Public Interest Disclosure Act (PIDA), how to separate whistleblowing from grievances, what concerns should be reported, and how to run a fair investigation without turning your organisation into a courtroom. You will also get a step-by-step template structure, example wording you can copy into your own document, and an implementation checklist.
For context and further reading as you adapt your template, you may find it helpful to keep open the Acas whistleblowing guidance and the GOV.UK overview of whistleblowing – what it is and who to tell.
Whistleblowing Policy Template Structure
A whistleblowing policy is a clear set of rules that explains how workers can raise concerns about wrongdoing in the public interest, how the organisation will respond, and how the whistleblower will be protected from victimisation.
A good policy does three things at once:
- It makes it easy to speak up early.
- It makes it hard for issues to be ignored or covered up.
- It makes your response consistent, fair and defensible if you are challenged later.
In the UK, whistleblowing protection sits mainly in employment law. PIDA is not a standalone system with a single form or regulator. Instead, it amends the Employment Rights Act and creates legal protections for workers who make a protected disclosure in the right way. Your policy should therefore focus on process: who can report, what can be reported, how the organisation will handle it, and how you will prevent retaliation.
A practical template for most SMEs and charities includes these sections:
- Purpose and values (why the policy exists).
- Scope (who it applies to and what it covers).
- What concerns qualify (with examples).
- How to report (including confidential routes and who receives reports).
- What happens next (triage, investigation, outcomes).
- Protection and support for whistleblowers.
- Record-keeping and privacy.
- External reporting routes (prescribed persons and when to use them).
- Review and governance (how you keep it working).
Here is a ready-to-adapt policy template you can copy into your own documents. Keep it short enough that people will read it, but specific enough that managers can use it consistently.
Purpose
[Organisation name] is committed to high standards of integrity, transparency and accountability. We encourage workers to speak up if they reasonably believe something is wrong. This policy explains how to raise concerns safely and how we will respond.
Scope – who this applies to
This policy applies to all employees, workers, agency staff, contractors, consultants, apprentices, trainees and volunteers. It also applies to anyone who performs work for, or on behalf of, [Organisation name]. Where relevant, it also applies to trustees, governors or board members.
What we mean by whistleblowing
Whistleblowing is raising a concern about wrongdoing that affects others and is in the public interest. It is different from a grievance, which is usually about an individual’s own employment position. If you are unsure which route to use, contact the Whistleblowing Officer for guidance.
What you can raise under this policy
Concerns may include (but are not limited to):
- Criminal offences such as fraud, theft, bribery or corruption.
- Health and safety dangers, safeguarding failures or serious neglect.
- Breaches of legal or regulatory obligations.
- Environmental harm or unsafe practices.
- Deliberate concealment, destruction of evidence or cover-ups.
You do not need proof to raise a concern. If you raise a concern honestly and reasonably, we will take it seriously, even if the concern is not substantiated.
What is not covered
This policy is not intended for routine personal employment complaints such as pay disputes, working hours or interpersonal conflict. These should be raised through the grievance procedure, unless they are connected to wider wrongdoing that affects others.
How to report a concern
You can report a concern in any of the following ways:
- Email: [dedicated whistleblowing email]
- Phone: [dedicated phone number]
- In person: Request a confidential meeting with the Whistleblowing Officer
If your concern involves your line manager or the Whistleblowing Officer, you can report instead to:
- [Alternative contact name/role, for example Director, Trustee Chair, Non-Executive] via [alternative contact details]
If there is an immediate risk to life, safety or safeguarding, contact emergency services first, then report to us as soon as possible.
What information to include
To help us respond quickly, please include: what happened, when and where it happened, who was involved (roles if names are unknown), and any evidence you have (such as emails, screenshots, documents, or dates of relevant systems activity).
Confidentiality and anonymity
We will keep your identity confidential as far as possible. We will only share your identity where it is necessary to investigate fairly or required by law. If we need to share it, we will discuss this with you first where possible.
You may raise a concern anonymously, but anonymous reports can be harder to investigate. If you share your identity, we can usually provide better support and updates.
How we will respond
We will acknowledge your report within [2] working days. We will assess the concern, decide next steps, and tell you whether we will investigate within [10] working days where practicable.
We may:
- Ask for more information.
- Start a formal investigation.
- Take immediate action to reduce risk.
- Refer the issue to HR, safeguarding, compliance or a specialist team, where appropriate.
Investigation
We will investigate proportionately and fairly. Investigations may involve reviewing documents and systems, interviewing witnesses, and obtaining specialist advice. We will keep records of our steps and findings. Where allegations involve individuals, we will follow fair processes and may run a separate disciplinary procedure if required.
Updates and outcomes
We will provide you with periodic updates while the case is open, at least every [20] working days, where practicable. We may not be able to share full details of action taken, especially where it involves confidential HR matters or legal constraints.
Protection from retaliation
We do not tolerate retaliation against anyone who raises a genuine concern. Retaliation includes dismissal, demotion, loss of work opportunities, bullying, or any disadvantage linked to the disclosure. Anyone who retaliates may face disciplinary action.
If you believe you are being treated unfairly because you raised a concern, tell the Whistleblowing Officer immediately.
Records and privacy
We will store whistleblowing records securely and limit access to those who need it. We will keep records for [X years] unless a longer period is necessary for legal or regulatory reasons. We will handle personal data in line with our data protection arrangements and staff privacy notice.
External reporting
We encourage concerns to be raised internally where possible. However, you may be able to raise concerns with certain external bodies in specific circumstances. A list of prescribed people and bodies is available on GOV.UK. We recommend taking advice before making an external disclosure.
Policy owner and review
The policy owner is [Name/Role]. This policy will be reviewed at least annually and after any significant incident or learning event.
You will see each of these ideas unpacked under the headings below.

What is Whistleblowing at Work?
Whistleblowing is when someone reports wrongdoing at work that affects other people, such as colleagues, customers, service users, the public, or the organisation itself. It is not the same as a complaint about a personal employment dispute, even though the two can overlap.
In plain English, whistleblowing is about raising a concern because it is the right thing to do, and because the issue has a wider impact. That might include unsafe practices, fraud or a cover-up. If you want a clear, simple definition to use in your policy, Acas describes whistleblowing as reporting wrongdoing at work that affects others and is in the public interest. It is a useful framing for staff because it avoids legal jargon.
Your policy should also explain that whistleblowing can be:
- A one-off report (e.g. a single incident of bribery).
- A pattern report (e.g. repeated safety breaches).
- A concern about a risk that has not yet caused harm (e.g. a near miss being concealed).
Many problems become crises because people notice early warning signs but do not know how to raise them safely. Your policy should make ‘early reporting’ a positive, normal act, not a dramatic last resort.
PIDA 1998 Protected Disclosures Explained
PIDA is the shorthand most people use, but the legal mechanics sit in the Employment Rights Act 1996 (as amended by PIDA). The concept to understand is a ‘protected disclosure’.
In practice, a disclosure is protected when:
- The worker discloses information (not just an allegation) that they reasonably believe tends to show certain types of wrongdoing.
- The disclosure is made in the public interest.
- The worker makes the disclosure to the right person, and in some cases meets extra conditions (e.g. when going wider than the employer).
Your policy does not need to reproduce legislation. It should translate the legal idea into a simple set of statements that help staff decide whether the policy is the right route.
You can also include a short ‘what protection means’ section. For most workers, the key protections are about not being dismissed or treated badly because they raised a protected disclosure. Acas provides a helpful overview of who is covered by whistleblowing protections and what those protections mean.
A practical point for smaller employers is to avoid making the policy so legalistic that staff worry about ‘getting the definition wrong’. The best policies invite people to raise concerns in good faith, even if later the issue turns out not to meet the legal test. You can capture this with wording like:
We encourage you to raise genuine concerns. If you raise a concern honestly, we will take it seriously, even if the concern is not ultimately substantiated.
That sentence reduces fear and encourages early reporting.
Whistleblowing vs Grievance: The Differences
Confusion between whistleblowing and grievances is one of the biggest reasons policies go unused. If staff do not know which route to use, they may pick neither.
A grievance is usually about the individual’s own employment situation. Common grievance topics include:
- Pay, working hours and holiday disputes.
- Bullying and harassment directed at the individual.
- Disciplinary decisions.
- Performance management issues.
- Interpersonal conflict within a team.
Whistleblowing is usually about wrongdoing that affects others or the wider public interest, such as:
- Criminal offences (including fraud and bribery).
- Health and safety risks.
- Environmental harm.
- Miscarriages of justice.
- Breaches of legal obligations.
- Covering up any of the above.
The tricky bit is overlap. For example, a worker may experience bullying after refusing to falsify records. That is both a grievance and a whistleblowing concern. Your policy should explain what happens in these cases.
A workable approach is:
- If the primary issue is wrongdoing affecting others, use the whistleblowing route.
- If the primary issue is personal treatment, use the grievance route.
- If both apply, we may run coordinated processes to protect the whistleblower and address the personal impact.
You can also add a short decision guide:
- If you are reporting wrongdoing that affects customers, colleagues, service users or the public, use whistleblowing.
- If you are reporting an issue about your own employment, use the grievance policy.
- If you are unsure, contact the Whistleblowing Officer for guidance.
That keeps it simple without forcing staff to become legal experts.
What Concerns Should be Reported
A strong policy lists the types of issues you want people to report, plus examples tailored to your organisation. Avoid vague statements like ‘any wrongdoing’. People respond better to concrete cues.
Typical whistleblowing concerns include:
- Fraud, theft or financial irregularities.
- Bribery, corruption or conflicts of interest being hidden.
- Unsafe practices, poor safeguarding or serious breaches of health and safety.
- Breaches of law or regulatory requirements.
- Data protection or cybersecurity failures that create risk to others.
- Modern slavery risks in your supply chain.
- Environmental harm, illegal dumping or unsafe disposal.
- Serious misconduct, including cover-ups or deliberate falsification of records.
For charities and care organisations, you may also include:
- Misuse of charitable funds.
- Abuse or neglect of beneficiaries.
- Serious safeguarding failures.
- Misreporting to funders or regulators.
A practical way to improve reporting quality is to tell people what ‘good information’ looks like. For example:
- What happened (facts, not assumptions).
- When and where it happened.
- Who was involved (roles, not gossip).
- What evidence exists (emails, documents, photos).
- Whether the issue is ongoing or urgent.
Also include a boundary: the policy is not for malicious allegations or knowingly false claims. Keep the wording balanced so it does not scare people. For example:
We will not tolerate deliberate false allegations. However, we will support anyone who raises a concern honestly and reasonably.
Who the Policy Applies To
One of the most common gaps in SME policies is failing to say who can use the process. You want to capture the people most likely to see problems early, including those outside your payroll.
Your policy should state clearly that it applies to:
- Employees (permanent, temporary, fixed-term).
- Workers and casual staff.
- Agency workers.
- Contractors and consultants.
- Apprentices and trainees.
- Volunteers (particularly in charities).
- Trustees and governors (where relevant).
- Suppliers and service providers, if you choose to offer them a reporting route.
You can keep the legal detail light by using ‘workers and others who perform work for us’ as a broad phrase, then listing examples.
If you want to be explicit, you can signpost that legal protection under whistleblowing law applies to many worker categories and starts from the beginning of employment. Acas provides a clear list of who is protected in practice.
Also clarify geographic scope. If you have staff abroad, state whether they can use the same route and whether different local laws apply. Many SMEs keep the same internal route, then seek advice for complex cross-border cases.
Confidential Reporting Routes
Confidential routes are the difference between a policy that exists and a policy that is used. When people fear retaliation or social fallout, they need options.
For smaller organisations, confidential reporting does not have to be expensive. What matters is that the route is trusted, monitored and independent enough to feel safe.
Common options include:
- A named Whistleblowing Officer (often HR lead, compliance lead or a senior manager) with a dedicated email address.
- A second route to a director, trustee chair or non-executive for cases involving senior management.
- A phone line that goes to a small, trained group rather than a general inbox.
- An external hotline provider, particularly for regulated firms or larger SMEs.
If you are setting up a basic system quickly, a good minimum is two routes:
- Route A: Whistleblowing Officer (confidential email and phone).
- Route B: Alternative contact (director, trustee or board member) if Route A is involved.
Your policy should also explain confidentiality in practical terms:
- We will keep your identity confidential as far as possible.
- We will only share your identity if it is necessary to investigate or required by law.
- If we need to share it, we will discuss this with you first, where possible.
That wording is honest and avoids promising absolute secrecy that you cannot guarantee.
Can Whistleblowers Stay Anonymous?
Anonymity is possible, but it comes with trade-offs. A good policy should be supportive without over-promising.
If someone reports anonymously, you may struggle to:
- Ask follow-up questions.
- Test credibility and context.
- Provide updates.
- Protect the whistleblower from retaliation, because you do not know who they are.
However, anonymous reports can still be valuable, especially if they include evidence. Many organisations therefore accept anonymous reports but encourage confidential named reports where possible.
Example policy wording:
You may raise a concern anonymously. We will consider anonymous disclosures, but they can be harder to investigate and we may be limited in the action we can take. If you share your identity, we will protect your confidentiality as far as possible and support you throughout the process.
If you use an external hotline, you can offer ‘two-way anonymous messaging’, where the reporter gets a case ID and can respond to questions without revealing their identity. For SMEs, this can be a good balance if budget allows.
How to Write Reporting Procedures
Reporting procedures should be short enough that people will follow them. Put the most important steps in plain language, then provide detail for managers and investigators separately.
A simple reporting procedure can be structured like this:
Step 1 – Raise the concern
Explain what you have seen and why you are concerned. Provide facts, dates and any evidence you can.
Step 2 – Choose a reporting route
List the confidential routes, including an alternative route if the concern involves your line manager or the Whistleblowing Officer.
Step 3 – What to include
Provide a short checklist of what information helps.
Step 4 – What happens next
Explain acknowledgement, triage and investigation at a high level.
Step 5 – Support and protection
Explain confidentiality, non-retaliation and who to contact if the person experiences negative treatment.
To make the procedure practical, give people options for how to report:
- Email (preferred for audit trail).
- Phone (for urgent concerns or those needing discussion).
- In person (by appointment, with a note of the discussion recorded afterwards).
- Online form (if you have one).
Also define urgency. For example:
If there is an immediate risk to life, safety or safeguarding, call emergency services first, then notify us as soon as possible.
This prevents delays when speed matters.

Investigation Process Step by Step
An investigation process must be fair, timely and proportionate. For SMEs, ‘proportionate’ means you do enough to reach a reasonable conclusion without draining the organisation for months.
A clear step-by-step process might look like this.
Step 1 – Acknowledge and log
Acknowledge receipt within a set period (for example, 2 working days). Create a case record and assign a case owner.
Step 2 – Triage and immediate risk controls
Decide if urgent action is needed, such as stopping a process, securing records or safeguarding measures. Decide whether the concern is whistleblowing, grievance or both.
Step 3 – Plan the investigation
Define scope, key questions and who will investigate. Identify conflicts of interest. Decide whether you need external support (for example, legal advice, HR, safeguarding lead or specialist investigators).
Step 4 – Gather evidence
Collect documents, systems data and witness accounts. Keep evidence handling secure. Avoid ‘fishing expeditions’ that spread rumours.
Step 5 – Interview and fact-find
Speak to the whistleblower if possible, then relevant witnesses. Keep notes. Give people a fair chance to respond, especially if allegations are serious.
Step 6 – Review findings and make recommendations
Decide whether the concern is substantiated, partly substantiated or not substantiated. Identify control weaknesses and corrective actions, even if wrongdoing is not proven.
Step 7 – Decide outcomes
Outcomes may include training, process changes, disciplinary action, supplier action, regulator engagement, or referral to law enforcement. Make sure outcomes are proportionate and documented.
Step 8 – Close and learn
Provide the whistleblower with an outcome update, as far as confidentiality allows. Record lessons learned and update controls.
A good policy also clarifies the boundary between investigation findings and disciplinary decisions. Many organisations set it out like this:
The investigation establishes facts. If disciplinary action is required, we will follow our disciplinary procedure.
This helps keep the investigation objective.
Protecting Whistleblowers from Retaliation
Protection is the heart of whistleblowing. Without it, your policy becomes a branding exercise rather than a safety mechanism.
Your policy should define retaliation or victimisation in simple terms, including:
- Dismissal, demotion or threats.
- Loss of shifts, unfair workload or exclusion.
- Bullying, harassment or social isolation.
- Negative performance reviews linked to the disclosure.
- Blocking training, promotion or opportunities.
- Any other disadvantage because someone raised a concern.
Then state your commitment:
- We do not tolerate retaliation. Anyone who victimises a whistleblower may face disciplinary action.
You also need practical measures, especially for SMEs where teams are small and anonymity is hard.
Consider including:
- A named support contact (not the investigator) for welfare check-ins.
- A plan for managing contact between the whistleblower and those involved.
- Temporary role changes only with the whistleblower’s agreement where possible.
- Reminders to managers that normal performance management must be evidence-based and documented.
It can also help to build a ‘speak-up culture’ message into leadership communications, so whistleblowing is treated as responsible behaviour, not disloyalty.
Timeframes and Update Expectations
One of the fastest ways to destroy trust is silence. People raise concerns, then hear nothing for weeks. A policy should set realistic timeframes and commit to updates, while keeping flexibility for complex cases.
A workable set of timeframes for SMEs is:
- Acknowledge receipt within 2 working days.
- Confirm whether the concern will be investigated, and next steps, within 10 working days.
- Provide periodic updates at least every 20 working days while the case is open.
- Aim to conclude investigations within 6 to 12 weeks, depending on complexity.
Do not promise a fixed end date. Instead, promise communication:
We will keep you updated. If timelines change, we will explain why.
Also explain the limits on information sharing:
We may not be able to share full details of action taken, especially where this involves confidential HR processes or legal constraints.
That honesty prevents disappointment later.
Record-Keeping and Data Protection
Whistleblowing cases involve sensitive personal data. Your policy must explain how you record, store and share information, and how you balance confidentiality with fairness.
Start with a simple statement:
We will keep records of whistleblowing reports, investigations, evidence and outcomes. We will store information securely and limit access to those who need it.
Then cover practical points:
- Where records are stored (e.g. a restricted HR or compliance folder).
- Who can access them (case owner, Whistleblowing Officer, senior decision-maker, and advisers).
- How long records are kept (set a retention period, such as 6 years, unless legal needs require longer).
- How you protect identities (redaction where possible, limited circulation of documents).
- How you manage subject access requests and legal disclosure risks (without going into heavy legal detail).
You should also link the policy to your privacy information and broader data protection approach, such as your staff privacy notice and the general principles explained on GOV.UK data protection guidance. If you operate in a regulated environment, you may also signpost the ICO guidance for whistleblowers as a useful external reference.
A practical tip that helps SMEs: separate ‘investigation working notes’ from ‘final decision records’. Notes can include hypotheses and dead ends. Final records should be factual, clear and defensible.
Escalation and External Reporting
Most organisations want concerns raised internally first, because it gives you a chance to fix issues quickly. However, the law also recognises that sometimes workers may disclose externally in protected ways, such as to prescribed persons.
Your policy should:
- Encourage internal reporting where appropriate.
- Explain that workers can disclose to certain external bodies in specific circumstances.
- Provide signposting to official lists so workers choose the right route.
The simplest way to do this is to link to the GOV.UK page listing prescribed people and bodies for whistleblowing and the general GOV.UK guide on who to tell and what to expect.
You can also include examples relevant to your sector, without trying to be exhaustive:
- Financial services concerns may be relevant to the Financial Conduct Authority.
- Data protection concerns may be relevant to the Information Commissioner’s Office.
- Health and safety concerns may be relevant to the Health and Safety Executive.
- Charity governance concerns may be relevant to the Charity Commission.
Be careful with wording. Avoid implying you can restrict external reporting. Instead, state your preference and your commitment to respond internally.
Also include a clear internal escalation route for serious cases, such as:
- If the concern involves the CEO, the Whistleblowing Officer will escalate to the Chair or a nominated trustee.
- If the concern involves the Chair, it will be escalated to an independent trustee or board member.
- If there is a risk of criminal conduct, we may seek advice and consider reporting to law enforcement or regulators.
That shows governance, which matters in audits and investigations.
Whistleblowing Policy Implementation Checklist
A template is only useful if it is implemented. SMEs often ‘launch’ a policy once, then never revisit it. The result is predictable: staff forget it exists, managers handle concerns informally, and trust erodes.
Use this checklist to make the policy real.
Leadership and culture
- Assign a senior owner (director, trustee or senior manager).
- Publish a short leadership statement supporting speak-up culture.
- Confirm retaliation will not be tolerated, and enforce it.
Routes and roles
- Appoint a Whistleblowing Officer and an alternative route.
- Create dedicated contact details (email and phone).
- Decide whether you will use an external hotline provider.
Training and awareness
- Brief all staff on what whistleblowing is and how to report.
- Train managers on how to respond calmly and record concerns.
- Train investigators on evidence handling and confidentiality.
Process and documentation
- Create a simple reporting form or email template.
- Create an investigation plan template and a case log.
- Define timeframes and update frequency.
- Set retention periods and secure storage locations.
Protection and support
- Define what retaliation looks like and how to report it.
- Assign a welfare contact separate from the investigator.
- Plan how you will manage team dynamics in small teams.
Testing and review
- Run a tabletop exercise using a realistic scenario.
- Review the register of cases quarterly for trends.
- Update the policy annually or after any major incident.
External signposting
- Add links to Acas guidance and GOV.UK whistleblowing information.
- Add the link to prescribed persons so staff can find the right body if needed.
If you do only one thing, make it the ‘two-route rule’ plus manager training. Those two steps remove the biggest barriers to speaking up.

Conclusion
A whistleblowing policy template is valuable because it turns “I’m worried about something” into a safe, predictable process. For UK SMEs and charities, the most defensible policies are the ones that are simple, practical and used. They define what concerns qualify, give at least two confidential routes, set fair investigation steps, protect whistleblowers from retaliation, and keep people updated so trust does not drain away.
If you want your policy to work day to day, focus on three outcomes: staff know where to report, managers know how to respond, and leadership actively protects people who speak up. Get those right and you reduce the risk of hidden issues becoming crises, while building a culture where concerns surface early, when they are easiest to fix.




