Why this decision is harder than it looks
The Protected Disclosures Act 2022 requires a qualifying internal reporting channel. What it does not do is specify exactly what that channel must look like in practice. The legal language - confidential, accessible, with acknowledgement and follow-up timelines - describes the outcomes the channel must deliver. It does not prescribe the technology or the mechanism.
This leaves HR Directors with a genuine decision to make. And that decision is complicated by the fact that several options that appear to qualify do not hold up under scrutiny - not legally, and not in terms of whether employees will actually trust and use them.
The options most organisations consider - and how they hold up
An HR email address or inbox
This is the most common first instinct, and it does not qualify. An email sent from a work account to an HR inbox is identifiable by sender. Even if HR commits to confidentiality, the employee knows - or suspects - that the email could be traced. The Act requires confidentiality to be structural, not promised. It also requires automated acknowledgement timelines and an audit trail that an email inbox cannot reliably provide.
A third-party phone hotline
Phone-based whistleblowing hotlines do technically qualify under the Act. They provide confidentiality and are operated by an independent third party. The problem is usage. Phone hotlines carry connotations - they feel serious, formal, and consequential in a way that makes employees hesitate to use them for anything below a severe threshold. The data on hotline usage consistently shows low volume, which means the channel is capturing a small fraction of the concerns it is supposed to surface. A compliant channel that nobody uses is compliance on paper only.
An annual survey with an anonymous option
This does not qualify. The Act requires a continuous channel, not a periodic one. An annual survey also does not provide the confidentiality, acknowledgement, or follow-up mechanisms the Act specifies. It was not designed for this purpose and cannot be retrofitted to serve it.
A suggestion box or general feedback form
Suggestion boxes - physical or digital - do not qualify. They typically have no confidentiality mechanism, no designated responsible person, no acknowledgement timeline, and no audit trail. They are also not trusted by employees for anything sensitive, which means they capture only the most innocuous feedback.
A channel that employees do not trust is not a channel. It is a liability dressed up as compliance.
The five criteria that actually matter
When evaluating any internal reporting channel against the requirements of the Act - and against the practical question of whether employees will use it - five criteria determine whether it will do the job:
- Structural anonymity, not promised anonymity. Employees should be able to verify for themselves that their submission cannot be traced. This means no login, no cookies tied to identity, no IP logging, and no routing through the organisation's own systems. A policy statement promising confidentiality is not the same thing.
- Independence from the employer's IT infrastructure. If the channel is hosted on the organisation's own servers, administered by its IT team, or accessed through corporate credentials, employees will - rationally - assume the employer can see what is submitted. Independence needs to be structural and verifiable.
- Automated acknowledgement and follow-up tracking. The Act requires written acknowledgement within seven days and follow-up within three months. These need to be logged and auditable, not managed manually through an email inbox that might miss something.
- A designated responsible person with a clear process. Disclosures need to go to a specific, named individual or function. The channel needs to route submissions appropriately and track what has been done with them.
- Accessibility without friction. The channel must be accessible to all employees without requiring account creation, app download, or technical knowledge. The lower the barrier, the higher the usage - and usage is what makes the channel valuable rather than merely compliant.
The question to ask any provider
Ask any provider of an internal reporting channel this question: if one of my employees submitted something through your channel, and I asked you to tell me who it was, what would happen? The answer should be: we cannot tell you, because we do not know. If the answer involves any other process - a review, a legal request, a case-by-case decision - the anonymity is not structural. It is a policy. And employees know the difference.
What to look for in a digital channel
Digital channels - web-based portals, QR code systems, intranet widgets - are increasingly the preferred approach for organisations looking to meet the Act's requirements while providing something employees will actually use. The key questions when evaluating any digital option:
- Is it hosted independently of the organisation's own infrastructure?
- Does it require any form of login or authentication that could link a submission to an individual?
- Does it log IP addresses or set persistent cookies?
- Does it automatically generate acknowledgement records?
- Does it provide a dashboard or audit trail that HR can access without being able to identify the submitter?
- Is it accessible via mobile without app download?
- Can it be accessed through a QR code as well as a URL, to reach employees who are not at a desk?
A channel that gives the right answer to every one of these questions (no to the login, IP logging and cookie questions, yes to the rest) - and that has been designed from the start with both legal compliance and employee trust in mind - is the practical definition of what the Act intends when it requires a formal internal reporting channel.
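Three of the questions above (independent hosting, login, persistent cookies) can be checked from the client side by auditing a response captured from the portal. The following is an added example, not code from any provider or from the Act; the function name, finding labels, domains and sample responses are constructed assumptions. Server-side IP logging cannot be observed this way and remains a question for the provider.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Substrings that suggest a redirect to an identity provider (assumed list).
LOGIN_HINTS = ("login", "signin", "sso", "saml", "oauth")

def audit_response(url, status, headers, employer_domain):
    """Return identity-linking findings for one captured HTTP response.

    headers: list of (name, value) pairs, e.g. copied from browser dev tools.
    employer_domain: the organisation's own DNS domain.
    """
    findings = []
    host = (urlsplit(url).hostname or "").lower()
    employer_domain = employer_domain.lower()
    # Hosting: a portal on the employer's own domain is not independent.
    if host == employer_domain or host.endswith("." + employer_domain):
        findings.append("hosted-on-employer-domain")
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie = SimpleCookie()
            cookie.load(value)
            for morsel in cookie.values():
                # Expires or Max-Age makes the cookie outlive the session.
                if morsel["expires"] or morsel["max-age"]:
                    findings.append("persistent-cookie:" + morsel.key)
        elif lname == "www-authenticate":
            findings.append("authentication-required")
        elif lname == "location" and 300 <= status < 400:
            if any(hint in value.lower() for hint in LOGIN_HINTS):
                findings.append("redirect-to-login")
    if status == 401 and "authentication-required" not in findings:
        findings.append("authentication-required")
    return findings

# Constructed sample captures (not real systems).
WEAK = ("https://speakup.intranet.example-corp.test/report", 302, [
    ("Set-Cookie", "uid=42; Max-Age=31536000; Path=/"),
    ("Location", "https://sso.example-corp.test/login?next=/report"),
])
CLEAN = ("https://portal.vendor.test/r/abc", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "csrf=t0k; Path=/; Secure; HttpOnly"),  # session-only
])

if __name__ == "__main__":
    for url, status, headers in (WEAK, CLEAN):
        print(url, audit_response(url, status, headers, "example-corp.test"))
```

An empty result means only that none of these three signals appeared in that one response; it does not establish that the channel is anonymous.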
The compliance floor versus the useful channel
The Act sets a floor. Meeting that floor is necessary. But the organisations that get the most value from their internal reporting channel are the ones that go beyond it - that treat the channel not as a compliance obligation but as a genuine intelligence tool. A channel that employees trust enough to use regularly surfaces concerns before they become crises, manager problems before they cause attrition, and strategic blind spots before they become expensive decisions.
The choice of channel is, ultimately, a decision about what kind of information your organisation is willing to hear - and how early you want to hear it.