Free, confidential whistleblowing advice
Call us on 020 3117 2520 or email us


Member Login

Is now the time to introduce criminal sanctions?

Recently, some in the whistleblowing community have suggested that there should be explicit criminal sanctions for those who victimise whistleblowers. In this blog Protect legal adviser Kate Austins discusses these proposals and argues that other techniques would be more effective in protecting whistleblowers. 

The Public Interest Disclosure Act (“PIDA”) states that victimisation of whistleblowers at work is unlawful but does not expressly impose criminal or civil sanctions on those who carry out the victimisation. Instead sanctioning those individuals is left to regulator-specific enforcement actions mainly against members of professional bodies and those who have professional obligations.  Is this sufficient to protect those individuals who, rightly, highlight wrongdoing in the workplace in the interests of the public? 


The impact of victimisation 

At Protect, we hear first-hand from our free confidential Advice Line about the victimisation faced by whistleblowers once they blow the whistle at work.  This can range from bullying, harassment from co-workers and managers, to being dismissed or forced to resign. 

Worryingly, Protect’s research Silence in the City 2 shows that 70% of whistleblowers who contact us were either victimised, dismissed or felt resignation was the only option open to them having blown the whistle, when reported 58% say that these reports were ignored by their employer.1 Victimisation goes further than just the victim sending out a strong message to others that speaking up is neither encouraged nor tolerated. 

The Public Interest Disclosure Act protection acts as a sword, not a shield, i.e. the law will only allow the awarding of compensation as a remedy rather than providing anything that prevents victimisation from occurring. The tribunal also lacks the power to make recommendations and press an organisation to change their practices. 

The question is whether criminal sanctions are better placed to give more proactive whistleblowing protection and provide that robust shield.   


Other countries’ response to this problem 

 As part of a wider review of Australian whistleblower legislation, new civil and criminal penalties on individuals who victimise or threaten to victimise a whistleblower were brought in to reflect the seriousness of the offence and to act as a deterrent.2  The offences could include six months in prison for illegally breaching the confidentiality of a whistleblower3 or two years for threatening or actually causing detriment to a whistleblower.4 So far there has been no prosecutions under this updated legislation. Across the EU, countries are implementing the whistleblowing directive and some, such as France, are introducing criminal sanctions.  It’s early days in : you can’t conclude that the new legislation is having the deterrent effect anticipated, but it may indicate that it is too difficult to obtain prosecution under the legal test set out. 


The existing sanctions framework in England and Wales 

The UK approach is for certain regulators to put in place professional obligations which prohibit and punish victimisation.  

In the financial sector, the FCA and the PRA imposes strict rules on regulated individuals and organisations, sanctioning those that breach these rules.5 The fit and proper person test assesses individuals who perform a controlled or senior management function and their fitness and propriety for the work, which notably includes non-financial misconduct (e.g. discriminatory behaviour, sexual harassment etc.). This obliges regulated individuals to take proper and ethical action in response to a whistleblower.6 Failure to comply entitles the FCA to take disciplinary action in the form of written warnings, suspension, dismissal or reduction or recovery of pay.7 FCA regulated firms are also required to have appropriate whistleblowing arrangements in place to ensure that concerns are dealt with appropriately and confidentially. 

We have seen one infamous example of sanctions against an individual who victimised a whistleblower. Jes Staley was fined £642,340 by the FCA and PRA for his conduct in trying to identify a whistleblower. His employer, Barclays Bank, also cut £500,000 from his bonus. Barclays itself was not held responsible by the UK regulators, however was fined £15m by the US financial authorities.  This is a stark example of personal sanctions against an individual who victimised an individual and despite this being a notable example, the sanctions imposed only amounted to approximately a 20% pay cut for the victimiser.  The FCA and PRA also imposed a “voluntary requirement”8 on Tokio Marine Kiln Insurance and Tokio Marine Syndicates9 which demanded detailed reporting and attestations about their whistleblowing procedures for three years. The voluntary requirement notice10 specifically requests a report including measures taken to prevent actual or perceived whistleblower detriment. This is an example of the regulators in the financial sector taking action to ensure that, among other things, the prevention of victimisation of whistleblowers is a specific requirement.

The CQC puts similar professional standards of conduct of directors11 and registered managers12; they must refuse registration if the manager in question does not comply with the regulations.  The CQC requires service providers and managers to have an effective system for identifying, receiving, handling and responding to complaints from people using the service.13 The CQC has the power to prosecute providers for breach of this regulation or refuse to register for failure to comply. Protect is not aware of the number of prosecutions achieved under this power however please see the CQC’s annual report for its recorded whistleblowing statistics14. We saw in 2020 the CQC downgrade West Suffolk Hospital to “requiring improvement.”  for having tried to track down an anonymous whistleblower. The CQC expressly asked the Trust to “take definitive steps to improve the culture, openness and transparency throughout the organisation.”15 



Would explicitly creating further civil and/or criminal sanctions for victimising a whistleblower go too far?  Victimisation is already prohibited by PIDA, on top of the regulatory sanctions listed above. The Employment Rights Act and laws on harassment16, defamation17, assault18 already exist to prohibit victimising behaviour. If there was to be a specific criminal offence in relation to whistleblowing, our fear is some organisations may justify inaction after a disclosure due to a potential police investigation.   

A more effective approach may be placing a positive duty on employers to ensure that individuals can safely raise concerns at work. This should include a positive obligation on employers to establish protective measures for those raising whistleblowing concerns, measures to prevent detrimental treatment which would form part of a Whistleblowing Code of Practice on employers.   Either Regulators or a Whistleblowing Commissioner can enforce this positive obligation without the need for a whistleblower to bring a claim, with the size of the fine issued to an organisation tied to their turnover if the Code is breached. Finally, courts should have the to apply a 25% increase in the damages recoverable by a worker where an employer has failed to comply with the proposed Code. 



1 75% of people who expeience victimisation raise this with their employer. 

2Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019, accessible atTreasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 ( 

3Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 Section 14ZZW. See note 2 above. 

4Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 Section 4ZZY. See note 2 above.  

5 – The FCA’s annual report for 2020-2021 states that it received 1,046 whistleblower reports, including 894 qualifying disclosures. Of these, in 15 cases the FCA “took significant action to mitigate harm”, in 135 cases the FCA “took action to mitigate harm”, 145 cases were relevant for data but did not result in specific action, 97 cases were not relevant but a majority of cases, 654 cases “were still being assessed to determine their outcome.” Read the report here: Annual Report and Accounts 2020/21 ( 

6The Senior Manager and Certification Regime (“SM&CR”) for senior managers and non-executive directors obliges those with significant power in the financial sector to act with integrity, be open and co-operative with the FCA and other regulators, observe proper standards of market conduct and take reasonable steps to ensure that the business of the firm for which they are responsible complies with the relevant regulatory requirements. 

7 Fitness and Propriety | FCA 


9While the FCA did not conduct any investigation into Tokio Marine, this voluntary requirement was imposed following Tokio Marine’s own disclosures to the FCA about the outcome of their independent investigation into whistleblowing allegations. 

10 This is also a noable sanction because in signing a voluntary requirement a firm agrees not to accept any new business until the issues are resolved. 

11 – Regulation 5: Fit and proper persons: directors | CQC Public Website 

12 – Regulation 7: Requirements relating to registered managers | CQC Public Website 

13 – Regulation 16: Receiving and acting on complaints | Care Quality Commission ( 

14 –

15 – See Protect’s blog about this case here: 

16 Protection from Harassment Act 1997. Accessible here: Protection from Harassment Act 1997 ( 

17Defamation Act 2013. Accessible here: Defamation Act 2013 ( 

18Offences against the Person Act 1861. Accessible here: Offences against the Person Act 1861 ( 

All Blog Posts