Whistleblowing In New Zealand: Protected Disclosures Act 2022 Guide

Most small business owners don’t set out to build a workplace where problems get hidden. But in the real world, issues can pop up - a safety shortcut, a privacy slip, questionable accounting, bullying, or a breach of industry rules.

Whistleblowing is essentially what happens when someone inside (or connected to) your business speaks up about serious wrongdoing. In New Zealand, the Protected Disclosures (Protection of Whistleblowers) Act 2022 (often called the Protected Disclosures Act 2022) sets out how certain disclosures can be made, which organisations must have internal procedures, and what protections may apply to the person speaking up.

If you employ people (or use contractors), it’s worth understanding the basics. Getting this right isn’t just “legal compliance” - it’s also a practical risk management tool that can help you fix problems early, protect your culture, and reduce the chance of a situation escalating into a costly dispute.

This article provides general information only and does not constitute legal advice. If you’re dealing with a specific disclosure or workplace issue, it’s best to get tailored advice.

What Counts As Whistleblowing (And When Does The Protected Disclosures Act Apply)?

In a business context, “whistleblowing” usually means an individual reporting serious concerns about wrongdoing in an organisation.

Not every complaint is automatically “whistleblowing” under the Protected Disclosures Act 2022. The Act is focused on serious wrongdoing and disclosures made in a particular way by eligible people (for example, workers such as employees and contractors) to the right person or body.

What Is “Serious Wrongdoing”?

Under the Protected Disclosures Act 2022, a disclosure is generally about serious wrongdoing where, for example, it involves:

• Unlawful, corrupt, or irregular use of public funds or resources (this is often most relevant to the public sector and organisations connected to public money).
• Conduct that poses a serious risk to public health, public safety, the environment, or the maintenance of law (for many small businesses, health and safety issues can fall into this bucket).
• A serious offence.
• Gross negligence or serious misconduct by people in positions of authority (depending on the context).

The exact definition is technical and can depend on the facts (including whether the wrongdoing relates to a public sector organisation or a private organisation performing public functions). From a small business perspective, the key point is this: if someone raises a concern that could be “serious wrongdoing”, you should treat it carefully and avoid knee-jerk responses.

Is Every Workplace Complaint A Protected Disclosure?

No. Many concerns are better handled through your normal people processes - for example:

• personal grievances and employment disputes
• performance issues
• ordinary interpersonal conflict
• “business as usual” complaints about rosters, workloads, or management style

Those matters can still be serious and need addressing properly, but they don’t always fall under the whistleblower legislation NZ businesses often think of.

That’s why it’s smart to have a clear pathway for:

• employment issues (handled through fair processes and good documentation), and
• protected disclosures (handled through a confidential, structured whistleblowing process where appropriate).

A well-drafted Employment Contract and workplace policies can help set expectations early, so you’re not building the plane mid-flight when a report comes in.

Why Whistleblowing Should Matter To Small Business Owners

It’s easy to assume whistleblowing is something that only large corporates deal with. In reality, small businesses often feel the impact more sharply because you have:

• smaller teams (so confidentiality can be harder to maintain)
• less HR capacity (so processes can be ad hoc unless you plan ahead)
• key-person risk (if the disclosure involves a manager or owner)
• higher reputational sensitivity in local communities and niche industries

If you handle whistleblowing poorly, you can end up with overlapping risks:

• employment law risk (e.g. claims around disadvantage, retaliation, or unjustified dismissal)
• health and safety risk (if the concerns are about unsafe work and you don’t act)
• privacy risk (if personal information is mishandled during the report or investigation)
• brand and commercial risk (loss of customers, suppliers, or investor confidence)

On the flip side, when you treat whistleblowing as part of good governance, it can:

• help you detect issues early
• reduce harm (and the cost of fixing it later)
• support a healthier workplace culture where staff feel safe to raise concerns
• create a paper trail showing you took reasonable steps (which often matters if things escalate)

What Does The Protected Disclosures Act 2022 Mean For Business Owners?

For many private businesses, the Protected Disclosures Act 2022 is mainly relevant because it sets expectations around how protected disclosures can be made and the protections that can apply when someone reports serious wrongdoing in the required way.

It’s also important to know that not every organisation has the same legal duties under the Act. In particular, public sector organisations generally have clearer requirements to have internal procedures for receiving and dealing with protected disclosures. Many small private businesses are not legally required to have a whistleblowing policy under the Act - but having a sensible internal process is still a strong risk-management step.

1. Be Ready To Receive A Protected Disclosure

If someone believes they have information about serious wrongdoing, they may choose to disclose it to their organisation (where the Act’s process applies) or, in some cases, to an “appropriate authority” (which can include certain regulators or oversight bodies, and in some circumstances the Ombudsman).

From a practical standpoint, it’s still a good idea to set up an internal pathway so your team knows:

• who they can report to (ideally more than one option)
• how to report (verbally, in writing, and whether anonymous reporting is available)
• what information to include
• what will happen next

In small businesses, one common challenge is the disclosure being about the owner or a direct manager. If you don’t provide alternative reporting options, people may go external first - which reduces your ability to resolve things quickly and quietly.

2. Protect The Whistleblower (And Avoid Retaliation)

A central theme of whistleblower protections in New Zealand is protecting people from retaliation when they speak up through the proper channels.

While the details depend on the situation (including whether the disclosure is a protected disclosure under the Act), as a practical baseline you should assume that if someone makes a report in good faith, you need to:

• avoid any conduct that could look like punishment for speaking up
• keep information confidential where possible
• manage workplace behaviours so the reporting person isn’t isolated, bullied, or sidelined

This is where things can get tricky in practice. Even subtle actions - reduced shifts, exclusion from meetings, “cold shoulder” culture - can turn a manageable disclosure into a larger employment dispute.

If your team structure is changing at the same time for genuine business reasons, it’s worth getting advice early. For example, if you’re reducing staff hours or making role changes while a disclosure is active, you’ll want to manage the process carefully and document your reasons clearly.

3. Handle The Disclosure Fairly And Promptly

Even if your business ultimately finds no wrongdoing occurred, you should still approach a disclosure with a fair process. That usually means:

• acknowledging receipt of the disclosure (where the reporter is known)
• assessing whether it appears to relate to “serious wrongdoing” and whether it may fall within the Act
• deciding whether it should be investigated internally, referred externally, or directed to an appropriate authority
• keeping good records of steps taken and decisions made

In many cases, you’ll also need to think about employment process fairness at the same time - particularly if an investigation may lead to disciplinary action.

How Do You Set Up A Whistleblowing Process That Works In A Small Business?

Small businesses don’t need a 40-page governance manual to handle whistleblowing properly. What you do need is a simple, consistent process that your team can actually follow.

Here’s a practical approach that works for many SMEs.

Step 1: Decide Who Can Receive Disclosures

A good starting point is to nominate:

• a primary contact person (often the owner, director, or operations manager)
• a secondary contact person (for example another director, a senior leader, or an external adviser)

This reduces the risk that disclosures get stuck if the issue involves the primary contact.

Step 2: Put Your Process In Writing (And Keep It User-Friendly)

A short policy is often enough if it clearly covers:

• what whistleblowing is (in plain English)
• examples of reportable concerns
• how to make a disclosure
• confidentiality expectations
• how you’ll assess and respond
• how you’ll protect the person reporting
• how you’ll handle false or bad-faith complaints (carefully - you don’t want to deter genuine reports)

If you already have a staff handbook, the whistleblowing process is often best placed there, alongside conduct and reporting pathways. A tailored Staff Handbook can help pull these processes into one consistent set of expectations.

Step 3: Align Your Whistleblowing Process With Privacy Requirements

Whistleblowing almost always involves sensitive information - names, allegations, witness accounts, messages, documents, and investigation notes. That means privacy compliance matters.

Under the Privacy Act 2020, you generally need to handle personal information in a way that is lawful, fair, and secure. From a practical standpoint, that means:

• limit who can access the disclosure and investigation materials
• store documents securely (and avoid forwarding them around informally)
• be careful when interviewing staff (don’t overshare information that doesn’t need to be shared)
• think ahead about what you will disclose to the person complained about

If you collect and store personal information about staff, customers, or users (for example through your website or an internal system), having a clear Privacy Policy and internal privacy processes makes these moments much easier to manage.

Step 4: Train Your Managers (Because They’re Often The First To Hear About It)

In many workplaces, a staff member doesn’t start by submitting a formal written disclosure - they start by mentioning something to a supervisor.

So your frontline managers should understand:

• how to spot when a complaint might be a protected disclosure
• what they should (and shouldn’t) promise
• how to escalate it quickly and confidentially
• how to avoid “off the record” handling that can create risk later

This can be as simple as a one-page internal guide and a short training session.

Step 5: Decide How Investigations Will Be Run

Not every disclosure needs a full external investigation - but you should decide in advance what you’ll do when:

• the allegations are serious
• senior leadership is involved
• there’s a health and safety risk
• there’s a potential criminal issue
• there’s a high risk of bias (or perceived bias)

Sometimes the most sensible move is to engage an independent investigator or get legal advice early so your process stays fair and defensible.

Common Whistleblowing Mistakes Businesses Make (And How To Avoid Them)

Most whistleblowing problems don’t come from the disclosure itself - they come from how the business responds.

Here are some common pitfalls we see, and what you can do instead.

Mistake 1: Treating It Like Gossip Or A “Personality Issue”

If someone raises a concern that could amount to serious wrongdoing, treating it casually can backfire fast. Even if you think the claim is unlikely, you still need to assess it properly.

What to do instead: acknowledge it, protect confidentiality, and follow a set process so your response is consistent.

Mistake 2: Accidentally Retaliating (Even If You Don’t Mean To)

You might think you’re managing a team restructure, performance issue, or roster adjustment - but if it happens soon after someone speaks up, it can look like retaliation.

What to do instead: keep clear written records of legitimate business reasons and get advice before taking action that affects the whistleblower’s role.

Mistake 3: Over-Sharing Information During The Investigation

In a small team, it can be tempting to “clear the air” by explaining what’s going on. But over-sharing can:

• breach privacy
• increase interpersonal conflict
• expose the whistleblower’s identity (even indirectly)

What to do instead: operate on a “need to know” basis and keep investigation documentation secure.

Mistake 4: Not Having The Right Legal Foundations In Place

Whistleblowing complaints often overlap with employment issues, privacy issues, and contractual obligations.

What to do instead: make sure your key legal documents are set up properly from day one, including employment agreements, policies, and confidentiality protections. In some businesses, a simple Confidentiality Clause can help set expectations about sensitive business information and investigation materials (while still allowing lawful reporting pathways).

Key Takeaways

• Whistleblowing is when someone reports serious wrongdoing in an organisation, and the Protected Disclosures Act 2022 can apply when disclosures meet certain criteria (including who makes the disclosure and who it’s made to).
• Not every workplace complaint is automatically a protected disclosure, but if an issue could involve serious wrongdoing, you should treat it carefully and follow a fair process.
• For many small private businesses, having a whistleblowing process is a practical safeguard (even where internal procedures aren’t strictly mandatory under the Act), while public sector organisations generally have clearer requirements to maintain internal procedures.
• Privacy compliance matters during whistleblowing reports and investigations - limit access, store documents securely, and be cautious about what is shared internally.
• The biggest risk is often not the disclosure itself, but an unstructured response (especially retaliation, poor documentation, or over-sharing information).
• Strong legal foundations - including well-drafted contracts and workplace policies - make whistleblowing issues far easier to manage when they arise.

If you’d like help putting a whistleblowing process in place, updating your workplace policies, or managing a sensitive disclosure as a business owner, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.