Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you employ people (even just one or two), there's a good chance you'll deal with a "whistleblowing" issue at some point - whether it's a complaint about bullying, a concern about safety, or an allegation of something more serious like fraud.
In New Zealand, the main law you need to know is the Protected Disclosures (Protection of Whistleblowers) Act 2022 (often shortened to the Protected Disclosures Act 2022). This Act sets out how workers can disclose "serious wrongdoing", who they can disclose it to, and what protections can apply.
For small business owners, the key is this: you don't need a big corporate compliance team to handle protected disclosures properly - but you do need a clear, fair process and the right policies so you can respond consistently from day one (and, for some organisations, formal written procedures may be required).
What Is The Protected Disclosures Act 2022 (And When Does It Apply To Your Business)?
The Protected Disclosures Act 2022 is designed to encourage people to speak up about serious wrongdoing in or by an organisation, without being punished for doing so.
It applies across the public and private sectors, and it can be relevant to businesses of any size. While not every private-sector employer is legally required to have a standalone whistleblowing policy, it's usually safest to assume the Act may apply to your workplace and to have a workable way to receive and manage disclosures.
What Counts As A "Protected Disclosure"?
A disclosure may be protected if it meets the requirements under the Act - in plain terms, it's generally when a worker:
- has information or a reasonable belief about serious wrongdoing in or by the organisation; and
- reports it through an appropriate channel (for example, internally in line with the organisation's procedures, or externally to an "appropriate authority") in the way the Act contemplates.
Not every workplace complaint is automatically a "protected disclosure". But in practice, it's often wise to treat disclosures carefully and take advice early - because what starts as "a complaint" can quickly become a protected disclosure issue, a personal grievance, or both.
What Is "Serious Wrongdoing" Likely To Mean For Employers?
The Act uses the concept of "serious wrongdoing". While the details matter, typical examples employers might see include allegations involving:
- serious risks to health and safety at work (for example, unsafe machinery, hazardous practices, or deliberate ignoring of safety requirements);
- serious unlawful, corrupt, or fraudulent conduct (for example, theft, false invoicing, bribery, or manipulating accounts);
- serious misuse of public money (more common for public sector or government-funded organisations);
- conduct that poses a serious risk to the maintenance of law, including serious criminal activity.
Even if the allegation turns out to be unfounded, your response still matters. The compliance "win" is usually in handling the disclosure properly: documenting steps, protecting people from retaliation, and investigating fairly.
Who Can Make A Protected Disclosure (And What Protections Do They Have)?
A big part of complying with the Protected Disclosures Act 2022 is understanding who might be protected when they speak up - and what you need to avoid doing as an employer.
It's Not Just Full-Time Employees
The Act uses a broad concept of "worker" (and it can extend beyond current permanent staff). Depending on the circumstances, the people who raise concerns could include:
- permanent employees (full-time or part-time);
- casual staff;
- former employees; and
- other "workers" engaged in your business (for example, some contractors, secondees, trainees or volunteers may be covered, depending on the relationship and context).
Because staff structures can vary a lot in small businesses, it's helpful to make sure your onboarding documents and policies set expectations early - including how concerns should be raised and how they'll be handled. Your Employment Contract is often the best place to align on reporting pathways and standards of conduct.
Key Protections You Need To Respect
Where a disclosure is protected under the Act, protections can include:
- protection from retaliation (for example, dismissal, demotion, reduced hours, threats, or other disadvantage because they disclosed);
- confidentiality obligations (their identity may need to be protected, but there are exceptions - for example, where disclosure is necessary for a fair investigation, required by law, or needed to prevent serious risk);
- immunity-type protections for the act of making the disclosure in certain circumstances (this is nuanced and fact-specific, and it doesn't necessarily protect someone from consequences for their own separate wrongdoing).
From a business owner's perspective, the biggest risk area is often accidental retaliation - for example, changing shifts "because it's awkward now", or excluding someone from meetings. Even if your intention isn't punitive, it can look that way later.
What Are Your Employer Obligations When Someone Blows The Whistle?
When you receive a disclosure that could fall under the Protected Disclosures Act 2022, your obligations are less about "getting the legal labels perfect on day one" and more about having a safe, fair, and well-documented process.
1) Take It Seriously And Acknowledge Receipt
Start by acknowledging the report quickly and calmly. You don't need to agree with it immediately - but you do need to show you're not ignoring it.
A simple process can include:
- confirming you've received the disclosure;
- explaining the next steps (including that you may need to make enquiries);
- explaining confidentiality boundaries (don't promise absolute secrecy if it might not be possible or appropriate).
2) Protect The Person From Retaliation (Even If You're Unsure Yet)
Small business workplaces are close-knit, and it can be hard to keep things contained. But you should still take practical steps to reduce the risk of "blowback", such as:
- limiting who knows the details (only those who need to know);
- reminding managers/supervisors that retaliation is not acceptable;
- monitoring for subtle disadvantage (rostering, workload allocation, performance management timing).
This is also where having consistent workplace rules helps, because you can point back to documented expectations rather than "making it up as you go". A clear Workplace Policy can make your response more consistent and defensible.
3) Assess Whether It Needs A Formal Investigation (And Who Should Run It)
Some disclosures can be dealt with quickly (for example, a clear safety hazard that can be fixed immediately). Others need a structured investigation.
When deciding how to investigate, ask:
- Is there an immediate safety risk that needs urgent action?
- Do we need to preserve evidence (emails, CCTV footage, access logs, financial records)?
- Is there a conflict of interest if the owner/manager investigates?
- Is the allegation serious enough to require an external investigator?
Conflicts of interest are a common issue in small teams. If the concern involves a manager, or someone close to the decision-maker, you'll want a process that can't be criticised as biased later. Having a Conflict Of Interest Policy can help you manage this from a practical "business operations" angle.
4) Keep Records (But Be Careful With Privacy)
Good record-keeping is one of your best protections if the situation escalates into an employment dispute or external investigation.
At the same time, a protected disclosure often involves sensitive personal information. That means you should also consider your privacy obligations under the Privacy Act 2020, including:
- only collecting information you genuinely need;
- storing it securely and limiting access;
- being careful about what you put in writing (assume it may be requested later).
If you collect or store personal information about staff (which you almost certainly do), your business should also have a workable Privacy Policy and internal privacy practices that match what you actually do day to day.
How Do You Set Up A Whistleblowing Process That Works In A Small Business?
It's easy to assume "whistleblowing procedures" are only for big organisations. In reality, small businesses often benefit from them more - because when something goes wrong, there's less buffer, fewer managers, and usually more interpersonal pressure.
A good small business process is simple, clear, and realistic to follow.
Step-By-Step: A Practical Protected Disclosures Process
- Nominate a receiving person (for example, the director, an independent manager, or an external contact).
- Create a clear reporting pathway (email address, form, or written report option).
- Explain confidentiality (what you will do to protect identities, and when disclosure may be necessary).
- Explain what happens next (assessment, investigation, timeframe, possible outcomes).
- Set expectations about behaviour (no retaliation, no bullying, no victimisation).
- Document and review your process after each incident.
In many businesses, this sits neatly inside a dedicated whistleblowing policy (and links into your general workplace behaviour rules). A tailored Whistleblower Policy can be a straightforward way to show you take protected disclosures seriously, while also making the process easier for your managers to follow.
Plan For "What If It Becomes A Bigger Issue?"
Sometimes a disclosure uncovers something broader - like a culture problem, ongoing harassment, or systematic non-compliance.
It's worth thinking ahead about how you'll manage:
- urgent risks (especially health and safety issues);
- data security concerns (for example, if the issue relates to system access or mishandling information);
- communications to staff (to prevent rumours while protecting confidentiality);
- customer or supplier impacts (if relevant).
If a disclosure involves a potential privacy breach or cyber incident, having a practical response document can make a huge difference. A Data Breach Response Plan can help you respond quickly and consistently if personal information becomes part of the issue.
Common Mistakes Employers Make Under The Protected Disclosures Act 2022
Most businesses don't get into trouble because they had "bad intentions". They get into trouble because they reacted quickly, informally, and without a process - especially when emotions are running high.
Here are some of the biggest pitfalls we see for employers dealing with protected disclosures.
1) Treating It As "Just A Complaint" And Shutting It Down
If someone is raising a concern that could amount to serious wrongdoing, brushing it off can escalate the issue and increase your risk of a dispute.
Even where the disclosure isn't ultimately protected, a poor response can still create:
- a personal grievance risk (for example, unjustified disadvantage);
- health and safety risk (if the issue involves hazards and you don't address them);
- reputational risk (especially if the concern is later raised externally).
2) "Investigating" By Gossip Or Informal Chats
In small teams, it's tempting to ask around casually. The problem is that casual enquiries can:
- spread the allegations beyond those who need to know;
- identify the whistleblower (even if you didn't intend to);
- create a perception of bias or a "witch hunt".
A basic plan and a documented approach are usually safer than informal conversations.
3) Retaliation (Including Subtle Retaliation)
Retaliation doesn't always look like termination. It can look like:
- cutting shifts or hours;
- excluding someone from projects;
- unreasonable performance management that starts right after a disclosure;
- changing reporting lines without good reason.
If changes are genuinely needed for operational reasons, document the reasons clearly and keep your approach consistent with your usual management processes.
4) Forgetting Your Other Legal Obligations
The Protected Disclosures Act 2022 doesn't operate in a vacuum. Depending on what's been raised, you may also need to consider:
- Employment relations obligations (fair process, good faith, natural justice principles);
- Health and safety duties (under the Health and Safety at Work Act 2015);
- Privacy obligations (under the Privacy Act 2020);
- Criminal issues (if alleged wrongdoing involves theft or fraud, you may need to consider reporting to the appropriate authority).
This is one of those areas where getting advice early can save you a lot of time and stress later, especially if the disclosure is serious or involves senior staff.
Key Takeaways
- The Protected Disclosures Act 2022 is NZ's key whistleblowing law and is relevant for employers, including small businesses.
- A disclosure may be protected when it relates to serious wrongdoing and is made through an appropriate channel (including, in some cases, to an "appropriate authority"), so it's important to treat reports carefully from the start.
- Your biggest practical obligations are to respond promptly, manage confidentiality, prevent retaliation, and investigate fairly where required.
- A simple internal process (and a clear whistleblower policy) can help your managers handle disclosures consistently and reduce legal risk - and some organisations (particularly in the public sector) may have clearer statutory requirements to maintain and publish procedures.
- Protected disclosures often overlap with other obligations, including employment law, health and safety, and privacy, so it's worth getting tailored advice when issues are serious or sensitive.
- Documenting your steps and decisions is crucial - it helps show you acted reasonably and can protect your business if the issue escalates.
If you'd like help putting a whistleblowing process in place, updating your policies, or responding to a protected disclosure, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.


