New Zealand: An overview of the 2022 Whistleblowing Act
The Protected Disclosure Act 2000 ('the Protected Disclosure Act') was passed by the New Zealand Parliament ('Parliament') more than 20 years ago to strengthen whistleblower protection. Following a review of whistleblower protections, the Protected Disclosures (Protection of Whistleblowers) Bill ('the Act') was published and came into effect on 1 July 2022. OneTrust DataGuidance considers the impact of the Act and its key provisions.
Background to the Act
The Act aims both to improve and continue the purpose of the Protected Disclosure Act, which is to facilitate the disclosure and investigation of serious wrongdoing in the workplace and provide protection for employees and other workers who report concerns. Nonetheless, a report by the New Zealand Education and Workforce Committee ('the Committee') outlines that the Act addresses problems within the Protected Disclosure Act, including:
- clarifying the definition of serious wrongdoing and extending its application to cover private sector use of funds and authority;
- enabling people to report serious wrongdoing directly to an appropriate authority at any time, while clarifying the ability of the appropriate authority to decline or refer to the disclosure;
- strengthening protection for disclosers by specifying what a receiver of a disclosure should do;
- clarifying internal procedure requirements for public sector organisations and requiring them to state how they will provide support to disclosers; and
- clarifying the potential forms of adverse conduct disclosers may face.
Key provisions of the Act
Section 9 of the Act provides a disclosure of information is a protected disclosure, if the discloser:
- believes on reasonable grounds that there is, or has been, serious wrongdoing in or by the discloser's organisations; and
- discloses information about that in accordance with this Act; and
- does not disclose it in bad faith.
Furthermore, Section 10 of the Act clarifies serious wrongdoing as any act, omission, or course of conduct in or by any organisation that is, among other things, one or more of the following:
- a serious risk to:
- public health;
- public safety; or
- the environment;
- a serious risk to the maintenance of law including:
- the prevention, investigation, and detection of offences; and
- the right to a fair trial; or
- unlawful, corrupt, or irregularly uses public funds or public resources; or
- oppressive, unlawfully discriminatory, or grossly negligent, or gross mismanagement done by;
- an employee; or
- a person performing a function or duty or exercising a power on behalf of a public sector organisation or the Government.
The Act also outlines the procedures and steps required for the Act's application, detailing disclosers are entitled to protection where disclosures are made in accordance with the Act, but also where a disclosure is made in accordance with any internal procedure, to the head or deputy head of the organisation concerned, or where a protected disclosure is made to an appropriate authority at any time (Section 11 of the Act). However, the Act clarifies that a discloser is entitled to protection, even if (Section 11(4) of the Act):
- they are mistaken and there is no serious wrongdoing;
- they do not refer to the Act when making the disclosure;
- they technically fail to comply with Sections 11 or 14 of the Act as long as they have substantially complied; or
- they make the disclosure to another person, as long as such disclosure is done;
- on a confidential basis; and
- this is done for the purposes of seeking advice about whether or how to make a protected disclosure in accordance with the act.
Furthermore, the Act adds that another discloser, who discloses information in support of the Act, is entitled to protection if the discloser does not do so in bad faith and discloses in accordance with the above requirements of Section 11 of the Act (Section 12 of the Act).
In addition, Section 13 of the Act sets out that within 20 working days of receiving a protected disclosure, the receiver of the disclosure must:
- acknowledge to the discloser the date the disclosure was received;
- consider the disclosure and whether it warrants investigation;
- check with the discloser whether the disclosure has been made elsewhere and its outcome;
- deal with the matter by, among other things, investigating the disclosure, addressing any serious wrongdoing, or referring the disclosure; and
- informing the discloser with reasons about what the receiver has done or is doing to deal with the matter.
Nonetheless, Section 13 of the Act also provides actions for the receiver to take when it is impracticable to complete the above actions within 20 working days. Furthermore, Section 15 of the Act establishes that the receiver of a protected disclosure may decide that no action is required, and if so, must inform the discloser with reasons including that the requirements of Sections 8 and 10 of the Act are not met, the length of time between the alleged serious wrongdoing and disclosure makes an investigation impracticable or undesirable, or the matter is better addressed by other means.
In addition, receivers may refer a protection disclosure to appropriate authorities, and where a receiver is an appropriate authority, they may refer to the organisation concerned or another appropriate authority. However, the receiver must consult the discloser and intended receiver before referring a protected disclosure, and following referral, the organisation or authority that has received referral becomes the receiver. Although, where an appropriate authority refers a disclosure to the organisation concerned, the organisation must inform the authority what has been done or is being done with the matter (Section 16 of the Act).
On interaction between receivers and disclosers, the Act specifies that employers must not retaliate against a discloser who is an employee, and that a person must not treat another less favourably because of a protected disclosure (Section 20 of the Act). Section 21 of the Act builds on the former requirements in providing that an employer must not retaliate, or threaten to retaliate, against an employee because the employee intends to make or has made a protected disclosure, alongside detailing the circumstances that will be considered retaliation.
More generally, Sections 17 and 18 of the Act outline the requirements of receivers to comply with confidentiality and privacy requirements under both the Search and Surveillance Act 2012 and Privacy Act 2020 respectively. Notably, a receiver must keep confidential information that may identify a discloser, unless (Section 17 of the Act):
- the discloser consents to the release of the identifying information; or
- there are reasonable grounds to believe that the information is essential:
- for the effective investigation of the disclosure;
- to prevent serious risk to public health, public safety, the health or safety of any individual, or the environment;
- to comply with the principles of natural justice; or
- to an investigation by a law enforcement or regulatory agency for the purpose of law enforcement.
However, as a clarification, the Act notes that before releasing confidential information, the receiver must either consult the discloser about the release or, if practicable, consult the discloser, dependent on the reason for disclosing the confidential information (Section 17 of the Act).
Finally, as noted above, the Act entered into force on 1 July 2022, replacing the Protected Disclosure Act. Further, going forward the Ombudsman may provide information and guidance to any person on matters regarding the Act, including information and guidance about the circumstances in which anonymous disclosure may be made, and other advice or assistance about the duty to confidentiality.
Harry Chambers Privacy Analyst