Query:
“We have received an internal report from an anonymous whistleblower who has provided their contact email. The report alleges systemic bullying by one individual in a specific function; and that colleagues have left because of the behaviour. There are very few facts included in the disclosure. What is the best course of action to take when assessing an anonymous report in order to ensure compliance, due diligence and the rights of all individuals are upheld. Also, how much clarification can be sought from the anonymous reporting person?”
Response:
An anonymous disclosure is one made where the identity of the reporting person is not disclosed to the recipient of the disclosure. This is distinct from a confidential disclosure where the identity of the reporting person is made to the recipient but where that identity is not shared with anyone who does not need to know the reporting person’s identity.
The Protected Disclosures Act 2014, as amended by the Protected Disclosures (Amendment) Act 2022, requires most organisations – including all public bodies and private organisations with more than 50 employees – to assess and take appropriate follow-up actions on disclosures of relevant wrongdoing made by workers. Anonymous disclosures may constitute protected disclosures and must be considered on their substance (Protected Disclosures Act 2014 (as amended), s.5; Statutory Guidance for Public Bodies and Prescribed Persons, 2023, p.29).
Under section 5A, workers who make anonymous disclosures and later suffer penalisation are entitled to the same protections under the Act (Protected Disclosures Act 2014 (as amended), s.5A).
Anonymous disclosures should not be dismissed solely because the reporting person has not identified themselves. While anonymity can make follow-up more challenging, the Statutory Guidance for Public Bodies confirms that public bodies must accept and follow up on anonymous disclosures to the greatest extent possible, and private-sector employers are encouraged to adopt this as best practice (Statutory Guidance, p.29).
Public body procedures should distinguish between anonymous and confidential disclosures (Statutory Guidance, p.29). Where the worker chooses to engage through a secure channel (for example, anonymous email, text, or a secure webform), organisations should actively encourage ongoing communication to build trust and enable effective assessment and follow-up. The reporting person should be assured that appropriate action will be taken where sufficient information is available to undertake an investigation. The organisation should clarify that its ability to provide statutory feedback and to protect the reporting person depends on the worker being willing to remain contactable through the chosen secure channel (Statutory Guidance, pp.29; ISO 37002:2021, cl.8.2).
Where the reporting person chooses to identify themselves, confidentiality must be maintained in accordance with section 16 of the Act. The reporting person’s identity should not be disclosed without their consent unless required by law, or where disclosure is strictly necessary for fair procedures in the context of an investigation (Protected Disclosures Act 2014 (as amended), s.16; Statutory Guidance, p.69).
If the identity of the worker is needed to progress an investigation, the reporting person should be informed of the reason and given an opportunity to decide whether to proceed on that basis (Protected Disclosures Act 2014 (as amended), s.16; Statutory Guidance, p.71). It should also be noted that where there is sufficient information to proceed with an investigation of the relevant wrongdoing, that the reporting person may be required to cooperate with the investigation and in doing so, be obliged to share their identity for the purposes of the investigation. This would be the case, for instance, where an allegation of criminal conduct has been made or where a mandatory reporting obligation arises from risks to children or vulnerable adults (Criminal Justice Act 2011, s.19; Statutory Guidance, p.23 and 106).
Where the employer can determine that the disclosure is made by a person likely to qualify as a “worker” under section 3 of the Act, relates to “relevant wrongdoing” under section 5, and contains information that is actionable, the same follow-up obligations apply regardless of anonymity (Protected Disclosures Act 2014 (as amended), s.3 and 5; Statutory Guidance, p.29). Organisations should acknowledge receipt of the disclosure within seven days and, where contact is maintained, provide meaningful feedback within three months, in line with section 10B of the Act (Protected Disclosures Act 2014 (as amended), s.10B).
Upon receipt of an anonymous disclosure, an initial assessment should determine whether:
- there is prima facie evidence of relevant wrongdoing;
- further information is required; or
- the report is clearly outside the scope of the Act or manifestly unfounded (Statutory Guidance, p.31; Protected Disclosures Act 2014 (as amended), s.6A).
Note: Allegations of bullying or harassment may amount to relevant wrongdoing where they indicate a breach of legal obligations, such as under the Safety, Health and Welfare at Work Act 2005. However, in such cases it may be necessary to identify the complainant or alleged victim/s to allow for the respondent to answer any allegations put to them in accordance with fair procedures (Protected Disclosures Act 2014 (as amended), s.16; Statutory Guidance, p.54-56 and 70).
In addition to or inclusive of any questions set out in your organisation’s assessment or investigations procedures, it will be important to record or ask for details of:
- the specific wrongdoing/s alleged
- dates and approximate timeframes;
- individuals, roles or functions involved;
- witnesses or other people affected; and
- consequences of the alleged behaviour.
- desired outcomes
If a formal investigation is initiated, fair procedures and natural justice must apply. The person concerned (e.g. someone alleged to be engaged in or implicated in the wrongdoing) should be informed of the substance of the allegations and given a fair opportunity to respond, while the reporting person’s confidentiality or anonymity is preserved as far as possible (McKelvey v Iarnród Éireann [2018] IESC 44; Statutory Guidance, p. 55-56 and 70; ISO 37002:2021, cl.8.4.1).
Even where information is limited, a risk assessment to the reporting person should be undertaken. This should address any breach of confidence or penalisation of the same person. Where possible, such a risk assessment should be gathered with the consent of the reporting person. Any needless speculation around the identity of the reporting person should also be avoided.
In legal proceedings under the Act, there is a statutory presumption that a disclosure is protected unless shown otherwise, and a presumption that penalisation suffered by a worker who has made a protected disclosure was caused by that disclosure unless the employer can show that the act or omission was based on duly justified grounds (Statutory Guidance, p.66; Protected Disclosures Act 2014 (as amended), s.12(7C)). Organisations should therefore monitor for retaliation where the reporting person’s identity becomes known and take steps to prevent and address penalisation (ISO 37002:2021, cl.8.3.2; TI Internal Whistleblowing Systems Principles, 2022, p.36).
Records of the disclosure and all follow-up actions should be kept securely, in a restricted-access system, consistent with data protection, freedom of information and record retention requirements (Protected Disclosures Act 2014 (as amended), s.16C; Statutory Guidance, p. 46-48; ISO 37002:2021, cl.7.5). It is important to retain records even where the disclosure was initially anonymous, as the reporting person may later identify themselves and allege penalisation.
References
Legislation and statutory guidance
- Protected Disclosures Act 2014 (as amended by the Protected Disclosures (Amendment) Act 2022).
Available at: https://www.irishstatutebook.ie/eli/2014/act/14/enacted/en/html - Statutory Guidance for Public Bodies and Prescribed Persons (Department of Public Expenditure, NDP Delivery and Reform, 2023).
Available at: https://www.ipoi.gov.ie/en/about-us/protected-disclosures-act-2014/2023-statutory-guidance-final.pdf - Safety, Health and Welfare at Work Act 2005.
Available at: https://www.irishstatutebook.ie/eli/2005/act/10/enacted/en/html
Relevant Case law
- Baranya v Rosderra Irish Meats Group [2023] IECA.
Judgments available at: https://courts.ie/judgments - McKelvey v Iarnród Éireann [2018] IESC 44.
Judgment available at: https://www.courts.ie/view/judgments/0bab2d8d-b98d-458f-8414-4071856f23af/62b7df7b-d62e-4a7f-9f29-21e1110340d8.html
Standards and best-practice guidance
- Transparency International, Internal Whistleblowing Systems – Best Practice Principles (2022).
Available at: https://images.transparencycdn.org/images/2022_Internal-Whistleblowing-Systems_English.pdf - Transparency International Ireland, Speak Up Safely resources.
Available at: https://transparency.ie/resources/speak-up-safely-guide - ISO 37002:2021, Whistleblowing management systems – Guidelines.
Overview: https://www.iso.org/standard/65035.html
Originally published 01 December 2025. This helpdesk answer is for general information only. It is not legal advice and should not be relied upon as such. We strongly recommend that those dealing with protected disclosures should obtain legal advice if they are in any doubt about a specific course of action.
Additional links and resources may be added as they become available. If you think we’ve missed anything, please let us know! Feedback may be directed to support@transparency.ie.