Protected Disclosures (Protection of Whistleblowers) Act 2022
| | |
|---|---|
| Regulator | State Services Commission |
| Jurisdiction | NZ |
| Status | live |
| Applicability | External — Whistleblower protection obligations. HR and governance process external to the platform. |
Outside platform boundary
Whistleblower protection obligations. HR and governance process external to the platform.
The Protected Disclosures (Protection of Whistleblowers) Act 2022 replaced the Protected
Disclosures Act 2000 and strengthened the framework for reporting serious wrongdoing in
New Zealand. It applies to both public and private sector organisations.
The Act requires organisations to establish an internal disclosure channel — a mechanism
through which workers can report serious wrongdoing without fear of retaliation. Key
obligations include: designating an appropriate person to receive disclosures, investigating
disclosures in a timely manner, protecting the confidentiality of the person making the
disclosure, and protecting workers from retaliation (including demotion, dismissal, and
harassment) as a result of making a protected disclosure.
For a licensed bank, an additional consideration arises: some disclosures may concern the
conduct of senior management or the board. An effective whistleblower programme must ensure
that management cannot access reports that may concern their own conduct.
Compliance register
This register maps the material obligations under the Act to the platform controls and
institutional processes that satisfy them.
Scope legend
| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
Build legend
| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |
Internal disclosure channel (ss.9–12)
| Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|
| Establish and maintain an internal disclosure channel — a mechanism through which workers can make a protected disclosure | 🤖 Automated | GOV-008 | MOD-151 (GATE) — whistleblower submissions are received through an isolated intake channel with no management routing; cases are delivered directly to the Board Audit Committee role and identity protection is enforced at the data layer. Column-level encryption on submitter identity fields; accessible only to the board_audit_committee role — management roles cannot view whistleblower cases, enforced at the database layer | 🔨 |
| Designate an appropriate person to receive protected disclosures | 🏛 Institutional | GOV-008 | The designated recipient is the Board Audit Committee, implemented through the role-based access control in MOD-151. The designation decision and governance structure are institutional | 🔨 |
| Inform workers about the internal disclosure channel and how to make a protected disclosure | 🏛 Institutional | GOV-008 | Worker communication and training is institutional (Chief People Officer). MOD-151 provides the intake mechanism; awareness of its existence is institutional | — |
Confidentiality protection (ss.16–18)
| Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|
| Protect the identity of the person making the disclosure — confidentiality must be maintained throughout the investigation | 🤖 Automated | GOV-008 | MOD-151 (GATE) — column-level encryption on submitter identity fields; accessible only to the board_audit_committee role. Management roles are structurally prevented from accessing whistleblower case records at the database layer — this is a deliberate and noteworthy control. A management-level user with full platform access cannot view the identity of a whistleblower or any case detail | 🔨 |
| Retain confidentiality of the subject of the disclosure unless and until the investigation requires otherwise | 🏛 Institutional | GOV-008 | Confidentiality of the subject matter is an institutional investigation governance obligation. MOD-151 (LOG) — all case records are available only to the board_audit_committee and internal_audit roles; no case can be deleted | 🔨 |
Investigation obligations (ss.12–15)
| Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|
| Investigate a protected disclosure in a timely, appropriate, and thorough manner | 🏛 Institutional | GOV-008 | Investigation process is institutional — owned by the Board Audit Committee (or delegated investigator). MOD-151 (GATE) — all P1 incidents require documented root cause and resolution action before closure; whistleblower cases follow the same structured case workflow with mandatory resolution documentation | 🔨 |
| Notify the person making the disclosure of the outcome of the investigation where practicable | 🏛 Institutional | GOV-008 | Outcome notification is an institutional obligation. MOD-151 records the case outcome and supports the communication, but the decision to notify and the content of the notification are institutional | 🔨 |
| Consider referral to an appropriate authority (e.g. FMA, RBNZ, Police) where the disclosure discloses serious wrongdoing that warrants external investigation | 🏛 Institutional | GOV-008 | Referral to an external authority is an institutional decision (Board / General Counsel). MOD-151 (LOG) — all case decisions, resolutions, and referral records are retained and cannot be deleted | 🔨 |
Protection from retaliation (ss.19–24)
| Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|
| Protect a worker who makes a protected disclosure from any detrimental treatment — including demotion, dismissal, harassment, or disadvantage | 🏛 Institutional | GOV-008 | Anti-retaliation protection is an institutional HR and governance obligation. MOD-151's access controls provide structural protection by ensuring that management cannot identify the whistleblower in the first place, making targeted retaliation structurally harder | 🔨 |
| Establish a process for workers to raise concerns if they believe they have experienced retaliation | 🏛 Institutional | GOV-008 | Anti-retaliation grievance process is institutional (Chief People Officer / General Counsel). Not platform scope | — |
| Obligation | Owner | Platform evidence input |
|---|---|---|
| Board Audit Committee — designated recipient of whistleblower disclosures; case governance | Board Audit Committee | MOD-151 case console; column-level encrypted case records |
| Investigation governance — timely, appropriate investigation of all disclosures | Board Audit Committee / General Counsel | MOD-151 case workflow and resolution documentation |
| Anti-retaliation governance — ensuring no detrimental treatment of whistleblowers | Chief People Officer / General Counsel | MOD-151 access controls provide structural protection; HR process handles formal complaints |
| Worker communication and training — informing workers of the disclosure channel | Chief People Officer | Institutional LMS and communications |
| Referral to external authority where appropriate | Board / General Counsel | MOD-151 case records and referral documentation |
| Annual review of whistleblower programme effectiveness | Board Audit Committee | MOD-151 case statistics and outcome data |
Coverage summary
| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 |
|---|---|---|---|---|
| Internal disclosure channel | 3 | 1 | 0 | 2 |
| Confidentiality protection | 2 | 1 | 0 | 1 |
| Investigation obligations | 3 | 0 | 0 | 3 |
| Protection from retaliation | 2 | 0 | 0 | 2 |
| Total | 10 | 2 (20%) | 0 | 8 (80%) |
The platform's primary control — MOD-151 column-level encryption with board_audit_committee
role restriction — is a notably strong structural control. It prevents management from
identifying whistleblowers at the database layer, not merely at the application layer. This is
a meaningful compliance differentiator given the risk that disclosures may concern senior
management conduct.
All attributed modules are currently build_status: Not started.
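The database-layer restriction described above could be expressed as follows. This is an added sketch, not MOD-151 code: it assumes PostgreSQL with the pgcrypto extension, and the table, columns, the `intake_service` and `management` roles, and the `committee_pubkey` psql variable (the committee's armored PGP public key) are hypothetical names.

```sql
-- Added illustration, assuming PostgreSQL with pgcrypto. Table, column, key and
-- the intake_service/management role names are hypothetical; only the roles
-- board_audit_committee and internal_audit come from the register.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE ROLE board_audit_committee NOLOGIN;
CREATE ROLE internal_audit NOLOGIN;
CREATE ROLE intake_service NOLOGIN;  -- isolated submission channel
CREATE ROLE management NOLOGIN;      -- stands in for any management role

CREATE TABLE whistleblower_case (
    case_id       uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    received_at   timestamptz NOT NULL DEFAULT now(),
    summary       text NOT NULL,
    status        text NOT NULL DEFAULT 'open',
    resolution    text,
    submitter_enc bytea,  -- encrypted identity; NULL for an anonymous report
    -- Closure gate: a case cannot be closed without resolution documentation.
    CHECK (status <> 'closed' OR btrim(coalesce(resolution, '')) <> '')
);

-- Deny by default, then grant per role. DELETE is granted to no role.
REVOKE ALL ON whistleblower_case FROM PUBLIC;
GRANT INSERT (summary, submitter_enc) ON whistleblower_case TO intake_service;
GRANT SELECT ON whistleblower_case TO board_audit_committee;
GRANT UPDATE (status, resolution) ON whistleblower_case TO board_audit_committee;
-- Internal audit reads case records but not the identity column.
GRANT SELECT (case_id, received_at, summary, status, resolution)
    ON whistleblower_case TO internal_audit;

-- Intake encrypts to the committee's public key, so roles that bypass GRANTs
-- (table owner, superuser, backup readers) see ciphertext only.
INSERT INTO whistleblower_case (summary, submitter_enc)
VALUES ('Constructed sample report',
        pgp_pub_encrypt('Constructed Name', dearmor(:'committee_pubkey')));

-- Audit check: all three columns should be false.
SELECT has_column_privilege('management', 'whistleblower_case',
                            'submitter_enc', 'SELECT') AS mgmt_reads_identity,
       has_column_privilege('internal_audit', 'whistleblower_case',
                            'submitter_enc', 'SELECT') AS audit_reads_identity,
       has_table_privilege('board_audit_committee', 'whistleblower_case',
                           'DELETE')                   AS committee_can_delete;
```

Decryption belongs on the committee's side with the private key held outside the database; passing that key into a server-side `pgp_pub_decrypt` call would expose it to the database host.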
| Policy | Title |
|---|---|
| GOV-008 | Whistleblower Protection Policy |
| PPL-006 | Whistleblower & Protected Disclosure Policy |
Official documentation
Policies referencing this standard
- GOV-008 — Whistleblower Protection Policy
- PPL-006 — Whistleblower & Protected Disclosure Policy
Compiled 2026-05-22 from source/entities/regulations/nz-protected-disclosures-act.yaml