The NZ Protected Disclosures Act 2022: an employer's guide

If you run an organisation in New Zealand, the Protected Disclosures (Protection of Whistleblowers) Act 2022 shapes what you have to do when a worker raises a concern about serious wrongdoing. It replaced the Protected Disclosures Act 2000 on 1 July 2022. The 2022 Act broadens the definition of serious wrongdoing, clarifies worker protections, gives every public sector organisation a statutory obligation to maintain internal procedures, and gives workers more room to disclose outside the organisation when internal channels fail.

This article is a practical walkthrough for employers. It is not legal advice; consult a qualified practitioner for advice on your specific circumstances.

Who the Act applies to

The Act applies to every organisation in New Zealand: public sector, private sector, local government, Crown entities, and state-owned enterprises. There is no carve-out for small businesses when it comes to protecting the disclosure itself. A discloser who raises a concern about serious wrongdoing is protected regardless of the size of their employer.

What changes is the obligation to have formal internal procedures. Section 29 places that obligation on every public sector organisation alone. The Act imposes no equivalent obligation on private sector organisations of any size. Public sector procedures must be published widely and republished at regular intervals (s 29(3)). Private sector organisations are not legally required to maintain formal procedures, but doing so is best practice and the only credible way to operationalise the Act's confidentiality and anti-retaliation duties.

The Act uses "discloser" rather than "worker", and the definition (s 8) is deliberately wide. A discloser is any individual who is, or was formerly:

• An employee
• A homeworker (within the meaning given in s 5 of the Employment Relations Act 2000)
• A secondee to the organisation
• Engaged or contracted under a contract for services to do work for the organisation
• Concerned in the management of the organisation, including a current or former member of the board or governing body
• A member of the Armed Forces (in relation to the New Zealand Defence Force)
• A volunteer working for the organisation without reward or expectation of reward

Trainees and interns qualify if they fit one of the above categories (typically as employees, contractors, or volunteers). A disclosure made by any of these people about the organisation they work (or worked) for qualifies for protection if the other requirements are met.

What counts as "serious wrongdoing"

This is the single most important concept in the Act. Not every workplace grievance counts as a protected disclosure. Only allegations about serious wrongdoing do. Section 10 of the Act says serious wrongdoing includes any act, omission, or course of conduct in (or by) any organisation that is one or more of:

• An offence
• A serious risk to public health, public safety, the health or safety of any individual, or the environment
• A serious risk to the maintenance of law, including the prevention, investigation, and detection of offences, or the right to a fair trial
• An unlawful, corrupt, or irregular use of public funds or public resources
• Oppressive, unlawfully discriminatory, or grossly negligent conduct, or gross mismanagement, done by an employee of a public sector organisation, or by a person performing or purporting to perform a function or duty (or exercising a power) on behalf of a public sector organisation

Two things are worth noting. First, the s 10 list uses "includes", so it is inclusive rather than closed; conduct that fits the spirit of a limb may qualify even if not perfectly captured. Second, the "oppressive, discriminatory, or grossly negligent" limb is narrower than it looks: it applies specifically to public sector conduct. The other limbs apply to any organisation, so a private sector worker can blow the whistle on an offence committed by their employer.

If a concern doesn't meet the threshold of serious wrongdoing (for example, an interpersonal grievance, or an allegation of unfairness that doesn't rise to oppression), it isn't a "protected disclosure" under the Act. That doesn't mean the concern should be ignored. A well-run speak-up programme will still handle it through a normal complaints pathway.

How a disclosure can be made

Under the 2022 Act, a worker has three routes for making a protected disclosure.

1. Internally, to their own organisation

This is the default. A worker can raise the concern directly with the organisation, typically following whatever internal procedure the employer has published. The Act doesn't require the worker to try the internal route first, but in practice most disclosers start here.

2. To an "appropriate authority"

Section 25 defines appropriate authority. It includes the head of any public sector organisation, any officer of Parliament, the membership body of a regulated profession with the power to discipline its members, and the persons or bodies listed in the second column of Schedule 2. Schedule 2 maps types of concern to relevant authorities, including:

• The Ombudsman (whistleblowing and protected disclosures generally)
• The Controller and Auditor-General (use of public funds and resources)
• The Commissioner of Police (criminal offences)
• The Director of the Serious Fraud Office (serious or complex fraud)
• The Inspector-General of Intelligence and Security
• The Inspector-General of Defence
• The Health and Disability Commissioner (health and disability services)
• The Privacy Commissioner (privacy of individuals)
• The Independent Police Conduct Authority (police conduct)
• WorkSafe New Zealand (work health and safety)
• The Financial Markets Authority and Reserve Bank of New Zealand (financial services and conduct)
• The Commerce Commission (competition and consumer law)
• The Human Rights Commission

The discloser gets to choose. They do not need their employer's permission and they do not need to have exhausted internal channels first. Importantly, Ministers and members of Parliament are explicitly excluded from the appropriate-authority list under s 25(1)(e).

3. To a Minister of the Crown, or in narrow cases the Speaker

Section 14 lets a discloser take a protected disclosure to a Minister where the discloser believes on reasonable grounds that the receiver of the original protected disclosure has not acted as required by s 13, or has not dealt with the matter so as to address the serious wrongdoing. In narrow cases involving an officer of Parliament, the Office of the Clerk, or the Parliamentary Service, the disclosure may instead go to the Speaker of the House.

The Act does not list members of Parliament generally as appropriate authorities, and it does not create a direct public or media disclosure pathway. A discloser who goes to the media would need to argue they remain within s 14 or rely on general law.

Protections for the discloser

If a disclosure meets the Act's requirements, the discloser has several overlapping protections:

• Confidentiality (s 17). Every receiver of a protected disclosure must use their best endeavours to keep confidential information that might identify the discloser. The narrow exceptions are: the discloser consents, or there are reasonable grounds to believe release is essential for an effective investigation, to prevent serious risk to public or individual health or safety or the environment, to comply with natural justice, or for law enforcement.
• Protection from retaliation (s 21). An employer must not retaliate, or threaten to retaliate, against an employee because the employee intends to make or has made a protected disclosure. Retaliation gives the employee a personal grievance under s 103(1)(k) of the Employment Relations Act 2000, the same statutory pathway used for unjustified dismissal.
• Less-favourable-treatment protection (s 22). Treating a discloser less favourably than other employees on the basis of the disclosure is also unlawful, even where the conduct does not meet the s 21 retaliation threshold.
• Immunity from civil, criminal, and disciplinary proceedings (s 23). Neither a discloser who makes a protected disclosure nor a receiver who refers one under s 16 is liable to any civil, criminal, or disciplinary proceeding because of making or referring the disclosure. The immunity overrides any contrary law, contract, internal procedure, oath, or practice.
• No contracting out (s 24). A confidentiality clause in an employment agreement, or any equivalent contractual mechanism, cannot be enforced in a way that prevents a worker from making a protected disclosure.

What public sector internal procedures must cover

If your organisation is in the public sector, s 29 sets out what your internal procedures must include. The procedures must:

1. Comply with the principles of natural justice
2. Set out a process consistent with s 13 (which prescribes how a receiver should respond to a protected disclosure within 20 working days)
3. Identify who in the organisation a protected disclosure of serious wrongdoing in or by the organisation may be made to
4. In relation to a protected disclosure, include: a reference to the s 21 prohibition on retaliation; a reference to the s 22 prohibition on less-favourable treatment; a description of when disclosures may be referred under s 16; a description of how the organisation will provide practical assistance and advice to disclosers; and a description of how the organisation will meet its s 17 confidentiality duty

Section 29(3) also requires the organisation to publish information about the existence of the procedures and adequate information about how to use them widely, and to republish at regular intervals. In practice that means the intranet, the employee handbook, the induction pack, and a visible reminder at moments where speaking up is most likely (incident reviews, performance check-ins, exit interviews).

Practical steps for employers

If you already had a whistleblowing or speak-up policy under the 2000 Act, it probably needs a refresh rather than a rewrite. The practical actions that matter most:

• Update the policy document itself. Align the language with the 2022 Act's definition of serious wrongdoing, update the list of appropriate authorities, and make sure the confidentiality and retaliation sections reflect the current law.
• Name real people, not just roles. A policy that says "you can make a disclosure to a manager" is weaker than one that names the Chief People Officer, the Head of Risk, and a board-level protected disclosures officer by role and explains how to reach each.
• Offer a channel that supports anonymity. The Act protects a discloser's identity, but in practice workers are most likely to speak up when they can choose whether to give their name at all. A dedicated anonymous reporting channel (a secure digital platform, a post box, or a phone line) makes the promise credible.
• Train managers on how to respond. Most disclosures come through line managers, not formal channels. Managers need to know what to do when someone tells them something that might be a protected disclosure: how to preserve confidentiality, what not to promise, and who to escalate to.
• Commit to a response timeframe. Section 13 provides statutory guidance that within 20 working days of receiving a protected disclosure, the receiver should acknowledge it, consider whether it warrants investigation, check whether the disclosure has been made elsewhere, and deal with it (by investigating, acting or recommending action, or referring under s 16). Where 20 working days is impracticable, the receiver should inform the discloser of the expected timeframe and provide updates. Section 13(3) makes clear this is guidance only and does not confer a legal right, but in practice it sets the operating standard you will be measured against.
• Review case data annually. Board-level reporting on volume, themes, and outcomes of disclosures is the single most effective way to catch patterns early and show the workforce that speaking up leads somewhere.

How Elker supports compliance

Elker is a speak-up and case management platform that handles the full lifecycle of a protected disclosure: secure multi-channel intake with optional anonymity, structured investigation workflow, two-way messaging that preserves anonymity during follow-up, and board-level reporting on themes and outcomes. Cybersecurity and access controls follow secure-by-design and privacy-by-design principles, and Elker is ISO 27001 certified and SOC 2 attested. For NZ organisations subject to the Protected Disclosures Act 2022, Elker provides the practical machinery to run a compliant internal procedure and resolve disclosures quickly and fairly. The policy work itself still sits with your legal and people teams. Australian owned and operated, Elker serves clients globally across languages and cultures.