Consultation is open on our Business Plan 2025-26 and 5-year Corporate Strategy and we want to hear from you about our plans to deliver an efficient and effective Ombudsman.

Take part today.

Privacy notice for whistleblowing

Whistleblowing reports often contain personal information that must be treated confidentially and awarded additional protection under UK legislation. This privacy notice sets out how we process that information to ensure whistleblowers and those subject to a whistleblowing claim understand how the information is processed.

Information we collect and why

When we receive a Whistleblowing report, we will only use the information for the purpose of investigating and resolving the claim, and where we are required by law.

The Whistleblowing Form sets out the information required to submit a disclosure. This includes:

  • the name of the person subject to the concern/s
  • details of the concern/s
  • your name and contact details (optional)

We require this information to validate and investigate your claim under the Employee Rights Act 1996 (as amended by the Public Interest Disclosure Act 1998).

Whistleblowing claims can be submitted anonymously however this may make the disclosure difficult to investigate thoroughly. The identity of individuals may be discovered during the investigation therefore anonymity is not guaranteed. Where identity is discovered, a duty of confidentiality will apply. See the ‘Confidentiality’ section below.

Our legal basis

Our lawful basis for processing your personal data is Article 6 (e) of the UK GDPR which allows us to process your personal data in line with our public task. This is because we have a legal requirement to investigate valid Whistleblowing claims as an arm's length body of the UK Government.

If your claim includes data which is considered as special category under the UK GDPR, our lawful basis for processing this data is Article 9 (g) which relates to our statutory obligations. Our additional condition under Schedule 1 part 2 of the Data Protection Act 2018 is section 6 (Statutory and Government Purposes).

How we keep the data secure

We apply stringent and robust organisational and technical measures to ensure the security of personal and confidential information.

Personal information disclosed and created under the Whistleblowing procedure is restricted on a need-to-know basis and only accessible to the relevant individuals.

Secure and restricted areas are used to store documentation containing personal information, and permissions are reviewed on a regular basis.

We use email, Microsoft Forms and SharePoint to process and store personal data. Microsoft are registered under the UK-US Data Bridge and host personal information within the UK.


The identity of individuals submitting Whistleblowing reports will be treated as confidential and will not be disclosed to individuals outside of those required to oversee and conduct the investigation.

Where we have a legal obligation to report any claims to authorities, such as the Police due to substantiated claims of criminal activity, your identity may be disclosed to that authority dependent on their requirements to investigate.

Where a report is submitted but the disclosure has not been deemed valid under Whistleblowing legislation, the Whistleblowers identity and disclosure may be passed to the relevant department to handle in line with the relevant policy e.g. grievance policy.

You will be informed of the requirement to share your identity prior to the disclosure.

How long we retain the data

We retain records of Whistleblowing disclosures for a period of 6 years from the date of the last action on the case.

Records will be reviewed prior to deletion to ensure the retention period is sufficient for that particular case. We may need to retain the information for longer periods where there is a specific requirement such as criminal investigations, government enquiries for example.

Individual rights

The UK GDPR sets out specific rights in relation to personal data that individuals can request to be applied. These rights also apply to employees and can be viewed on the ‘Your rights’ page of our privacy notice.

To submit an individual rights request, contact

Information submitted to this mailbox is treated confidentially and is only accessible by the Information Governance (casework) team.


  • This field is for validation purposes and should be left unchanged.