Whistleblowing Policy Template: A Complete Guide + Free Template for HR [2025]
A whistleblowing policy is a legal requirement for organizations with 50+ employees in the EU, and a risk management essential for UK employers under PIDA. This guide explains what every section must include — plus a complete template you can adapt for your organization.
VoxWel Team
Workplace Safety Advocates
A whistleblowing policy is both a legal requirement and a practical tool. For organizations with 50 or more employees in the EU, it is mandated by Directive 2019/1937. For UK organizations, it is the foundation of legal protection under PIDA and the primary evidence that the organization takes protected disclosures seriously.
A policy that exists but is never read — buried in the employee handbook, written in legal language, never communicated — provides almost no protection to anyone. A policy that is clear, specific, accessible, and actively communicated does three things: it tells employees what they can report and how; it tells managers how to respond; and it creates the documented framework that protects the organization in any subsequent legal challenge.
This guide covers what every section of a whistleblowing policy must include, the legal requirements by jurisdiction, and a complete template you can adapt for your organization.
What Must a Whistleblowing Policy Cover?
Under EU Directive 2019/1937, a whistleblowing policy must make available to employees:
- The types of conduct that can be reported
- How and where reports can be made (internal channels, external channels)
- That anonymous reports are accepted (where national law permits)
- What the reporting process looks like — acknowledgment timelines, investigation process, feedback timelines
- What protection reporters receive from retaliation
- How the organization handles the data in reports (GDPR compliance)
- Who manages reports and how conflicts of interest are handled
Under UK PIDA, there is no legal requirement for a written policy, but the absence of one is regularly cited in tribunal cases as evidence of organizational failure to take protected disclosures seriously. The policy is the primary evidence of your intent and process.
Complete Whistleblowing Policy Template
The following template is designed for organizations operating in the UK and/or EU. Sections marked [EU DIRECTIVE] are legally required for EU-regulated organizations. Sections marked [BEST PRACTICE] are strongly recommended for all employers. Adapt to your specific circumstances, jurisdiction, and organizational structure.
WHISTLEBLOWING POLICY
[Organization Name]
Policy Owner: [HR Director / Chief Compliance Officer]
Date of Last Review: [Date]
Next Review Date: [Date + 12 months]
Applies to: All employees, contractors, agency workers, volunteers, and individuals performing work-related activities for [Organization Name]
1. Purpose and Scope [EU DIRECTIVE + BEST PRACTICE]
[Organization Name] is committed to operating with integrity and maintaining a workplace where concerns about misconduct, illegal activity, or ethical violations can be raised safely and without fear of retaliation.
This policy applies to all workers (including employees, contractors, agency workers, and volunteers) and to any individual who has a work-related connection to [Organization Name], including former employees raising concerns about conduct during their employment.
This policy applies to concerns about matters of public interest — it is not intended to replace standard grievance procedures for personal employment disputes. Where a concern relates solely to the individual's own employment situation, the grievance procedure applies.
2. What Can Be Reported [EU DIRECTIVE + BEST PRACTICE]
You can report any concern about:
Legal violations and criminal activity
- Fraud, corruption, bribery, or financial misconduct
- Theft of company assets, customer data, or intellectual property
- Falsification of records, accounts, or regulatory submissions
- Money laundering or tax evasion
Health, safety, and environmental matters
- Workplace safety violations that create risk of injury
- Environmental breaches or unauthorized discharges
- Near-miss incidents that indicate systemic safety failures
- Concealment of safety incidents or adverse events
Workplace misconduct
- Harassment, bullying, or discrimination based on protected characteristics
- Sexual harassment or assault
- Retaliation against employees who have raised previous concerns
- Conflicts of interest that have not been disclosed
Regulatory and compliance matters
- Breaches of data protection law (GDPR / UK GDPR)
- Violations of sector-specific regulatory requirements
- Failure to comply with legal obligations or court orders
- Deliberate concealment of any of the above
This is not an exhaustive list. If you have a concern about something not listed above that you believe involves serious misconduct, illegal activity, or a significant risk to the public interest, please report it. When in doubt, report it — it is better for HR to assess a concern that turns out not to qualify than for a genuine problem to go unreported.
What this policy does not cover
This policy does not apply to personal employment disputes — disagreements about pay, hours, working conditions, or management decisions that do not involve a matter of public interest. These should be raised through the [Grievance Procedure / link].
3. How to Make a Report [EU DIRECTIVE]
Anonymous digital reporting (recommended)
[Organization Name] operates an anonymous reporting platform. You can submit a report by:
- Scanning the QR code displayed at [locations]
- Visiting [reporting link, e.g. voxwel.com/report/[orgname]]
No account is required. No login. Reports are encrypted and cannot be traced back to you. You can include attachments — documents, images, screenshots — to support your report.
After submitting, you will receive a reference number. You can use this reference number to check the status of your report and to receive updates from HR without your identity being revealed.
In person
You may report concerns in person to:
- [Designated Whistleblowing Officer Name and Role]
- [Alternative Officer — required where the concern involves the primary officer]
- [External reporting contact if applicable]
Telephone
You may report concerns by calling [number] between [hours].
In writing
You may submit a concern in writing to [email or address], marked Confidential and addressed to [Designated Officer].
External reporting
You may also report concerns externally to relevant regulatory authorities without first raising them internally. These include [list relevant regulators for your sector and jurisdiction — FCA, HSE, ICO, Environment Agency (UK); ESMA, EBA, sector-specific bodies (EU)]. Reporting externally does not affect your legal protections under this policy.
4. What Happens After You Report [EU DIRECTIVE]
Acknowledgment: We will acknowledge receipt of your report within 24 hours (and in no more than 7 days as required by EU Directive 2019/1937).
Initial assessment: The designated officer will assess the report to determine the appropriate response. This may involve preliminary enquiries before a full investigation is initiated.
Investigation: Where warranted, a formal investigation will be conducted by an independent investigator with no conflict of interest in the matter. Investigation timelines vary depending on complexity, but we aim to complete investigations within [60 / 90] days.
Feedback: We will provide you with feedback on the action taken or planned within 3 months of acknowledging your report (as required by EU Directive 2019/1937). Where your report was made anonymously, feedback will be provided through the anonymous reporting channel.
Confidentiality: The identity of anyone who makes a report will be kept confidential and will not be disclosed without their consent, except where disclosure is required by law or is necessary and proportionate for the purposes of the investigation.
Limitations on outcome communication: Due to confidentiality obligations to all parties, we may not always be able to share the full outcome of an investigation with the reporter. We will tell you that the matter has been addressed and describe the general action taken without disclosing information that would breach the confidentiality of others involved.
5. Protection for Reporters [EU DIRECTIVE + PIDA]
[Organization Name] prohibits all forms of retaliation against anyone who makes a report under this policy in good faith, including:
- Dismissal, redundancy, or termination of contract
- Demotion, performance management, or withholding of promotion
- Change of duties, hours, location, or pay
- Negative references or performance reviews
- Exclusion from training or development opportunities
- Harassment, intimidation, or social exclusion
- Any other form of detrimental treatment connected to the making of a report
Under UK PIDA, workers who make a qualifying protected disclosure and suffer detriment as a result can bring an employment tribunal claim. Compensation for detriment is uncapped. Dismissal for making a protected disclosure is automatically unfair and does not require any minimum service period.
Under EU Directive 2019/1937, workers are protected from all forms of retaliation listed above. Where retaliation is alleged, the burden of proof shifts to the organization — we must demonstrate that any adverse treatment was not connected to the report.
If you experience or suspect retaliation, report it immediately using the same channels listed in Section 3. Retaliation is treated as a serious disciplinary matter and will be investigated promptly.
Good faith reporting: This protection applies to reports made in good faith — meaning you reasonably believed the information was true when you reported it. You do not need to be certain that misconduct occurred. You are not protected if you knowingly make a false report.
6. Confidentiality and Data Protection [EU DIRECTIVE + GDPR]
All reports made under this policy are treated as strictly confidential. Information about a report will only be shared with those who need to know for the purposes of assessment, investigation, and resolution.
Data protection: Information gathered in connection with a report is processed in accordance with [Organization Name]'s Privacy Policy and the UK GDPR / EU GDPR as applicable.
Personal data gathered during the investigation will be:
- Used only for the purposes of the investigation and any subsequent proceedings
- Kept securely with access restricted to those directly involved in the case
- Retained for no longer than [3–5 years / the period required by applicable law]
- Deleted or anonymized when no longer required
Anonymous reporters: Where a report is made anonymously, [Organization Name] will take all reasonable steps to ensure that the investigation process does not inadvertently reveal the reporter's identity. Anonymous reporters may communicate with the investigation team through the anonymous channel throughout the process.
7. Roles and Responsibilities [EU DIRECTIVE]
Designated Whistleblowing Officer: [Name, Role] The primary contact for receiving and managing reports. Responsible for initial assessment, investigator appointment, and reporter communication.
Alternative Designated Officer: [Name, Role] Receives reports where the concern involves the primary Designated Officer, or where the primary officer is unavailable.
Investigating Officers: Independent managers or external investigators appointed on a case-by-case basis. Will not be the same person as the Designated Officer or the disciplinary decision-maker.
HR Director: Overall responsibility for this policy, its implementation, and its regular review.
All managers: Responsible for receiving concerns raised with them appropriately — directing to the Designated Officer, maintaining confidentiality, and not taking retaliatory action against reporters.
8. Policy Review [BEST PRACTICE]
This policy will be reviewed annually and updated to reflect changes in legislation, case law, or organizational practice. The next scheduled review is [date].
Questions about this policy should be directed to [HR email / Designated Officer].
After the Template: Making the Policy Work
A policy document does nothing by itself. The following steps determine whether the policy is used.
Communicate it actively. Send it to all employees when adopted or updated. Include it in onboarding materials. Reference it in all-hands communications. Do not assume employees will find it in the handbook.
Make the reporting link visible. Post the QR code in break rooms, common areas, and wherever employees spend time away from their managers. A policy that employees know about but can't easily act on provides the same cultural signal as no policy.
Train managers specifically. Managers who receive verbal concerns from employees must know what to do: how to listen without prejudging, when and how to refer to HR, what confidentiality requires, and that they personally face disciplinary consequences for retaliation.
Review annually. Employment law changes. The EU Directive's national transpositions are still being refined. Your own investigation experience may reveal gaps in the policy's scope or process. A stale policy is worse than a current one.
VoxWel: The Reporting Channel Your Policy Needs
A policy without infrastructure is a promise without delivery. VoxWel provides the anonymous reporting channel that makes your whistleblowing policy operational — the QR code, the web link, the encrypted submission, the two-way anonymous messaging, the automated acknowledgment, and the audit trail that demonstrates compliance.
Setup takes under 24 hours. Your policy and your platform are live the same week.
Start a 14-day free trial at voxwel.com.
VoxWel is an anonymous employee reporting platform for HR and compliance teams. Learn more at voxwel.com.