Whistleblowing and Raising Concerns Policy

1. What the regulation says

The whistleblowing protections that underpin this policy come from the Public Interest Disclosure Act 1998 and the Employment Rights Act 1996. The CQC regulation this policy operationalises is Regulation 17 (good governance):

Systems or processes must be established and operated effectively to ensure compliance with the requirements in this Part. (Reg 17(1): the umbrella duty)

assess, monitor and improve the quality and safety of the services provided in the carrying on of the regulated activity (including the quality of the experience of service users in receiving those services) ... assess, monitor and mitigate the risks relating to the health, safety and welfare of service users and others who may be at risk which arise from the carrying on of the regulated activity. (Reg 17(2)(a) and (b): quality and risk)

The full text of the regulation is at https://www.legislation.gov.uk/uksi/2014/2936/regulation/17. Where this policy and the regulation diverge, the regulation wins.

2. Plain-English summary

You have to run effective systems and processes to comply with everything else in Part 3. The regulation lists six things those systems must enable in particular: quality assessment and improvement, risk management, accurate service-user records, accurate employment and management records, seeking and acting on feedback, and continually evaluating and improving how you process all this. A safe, well-understood route for people to raise concerns about unsafe, unlawful or poor practice, with protection from victimisation, is part of how a service evidences good governance, surfaces risk early, and meets its whistleblowing duties under employment law.

3. Purpose

The purpose of this policy is to make sure that people working in or with [Service Name] can raise concerns about unsafe, unlawful, dishonest or poor practice without fear of victimisation.

The service wants concerns to be raised early, listened to properly and acted on. Speaking up is part of safe care and good governance.

This policy supports Regulation 17 good governance, Regulation 12 safe care and treatment, safeguarding duties, the duty to protect people from abuse and improper treatment, and whistleblowing protections under employment law.

4. Policy warning

No person must be bullied, threatened, victimised, dismissed, disadvantaged, ignored or treated unfavourably because they raised a genuine concern.

A manager who suppresses, ignores or retaliates against a concern may be subject to disciplinary action.

A concern about abuse, neglect, unsafe care or criminal conduct must not be treated as an ordinary grievance only. It must be assessed for safeguarding, regulatory, professional or police escalation.

5. Scope

This policy covers concerns about:

• unsafe care or treatment
• abuse or neglect
• poor safeguarding practice
• failure to follow care plans or risk assessments
• falsification of records
• medicine errors or concealment of errors
• inadequate staffing or unsafe deployment
• bullying, harassment or discrimination affecting safety or culture
• fraud, theft or financial abuse
• breach of legal duties
• criminal offences
• cover-ups
• risks to health and safety
• professional misconduct
• failure to notify CQC or other bodies where required
• poor governance
• deliberate concealment of information

This policy is not intended to replace the grievance procedure for personal employment complaints, unless the issue also raises wider public-interest, safety, legal or governance concerns.

6. What is whistleblowing?

Whistleblowing is raising a concern about wrongdoing, risk or malpractice that affects others or the public interest.

A protected disclosure may relate to:

• a criminal offence
• failure to comply with a legal obligation
• miscarriage of justice
• danger to health and safety
• damage to the environment
• deliberate concealment of information about any of these

The person raising the concern does not need to prove the concern before speaking up. They must raise it honestly and with a reasonable belief that the information tends to show wrongdoing or risk.

7. Principles

The service will:

• take concerns seriously
• act promptly
• protect people using the service
• protect the person raising the concern from victimisation
• keep the person informed where appropriate
• maintain confidentiality as far as possible
• escalate safeguarding and regulatory matters properly
• keep clear records
• learn from concerns raised
• act against malicious or knowingly false allegations where appropriate

8. How to raise a concern internally

A concern may be raised with:

• line manager
• Registered Manager
• Nominated Individual
• provider director or owner
• safeguarding lead
• clinical lead
• HR lead where available
• another senior person where the usual route is not appropriate

Concerns may be raised verbally or in writing.

Where the concern is raised verbally, the manager receiving it must make a written record and check that the record is accurate.

9. Anonymous concerns

The service will consider anonymous concerns.

Anonymous concerns may be harder to investigate, but they must not be ignored.

The manager must assess:

• seriousness of the concern
• risk to people using the service
• whether there is enough information to investigate
• whether immediate protective action is needed
• whether safeguarding or external reporting is required

10. Confidentiality

The service will keep the identity of the person raising the concern confidential as far as reasonably possible.

Confidentiality cannot be guaranteed where disclosure is necessary to protect people, comply with legal duties, investigate properly, or cooperate with safeguarding, police, CQC or professional-regulator processes.

The person raising the concern should be told if their identity may need to be disclosed, unless doing so would increase risk or compromise an investigation.

11. Immediate action

Where a concern suggests that people using the service may be at immediate risk, the manager must act without delay.

Immediate action may include:

• checking on the safety of the person affected
• removing a staff member from duty
• restricting duties
• increasing supervision
• arranging clinical review
• securing records
• preserving evidence
• making a safeguarding referral
• contacting police
• notifying CQC
• contacting a professional regulator
• contacting DBS where appropriate

Immediate action must be recorded.

12. Investigation

The Registered Manager or another suitable senior person must decide how the concern will be investigated.

The investigation must be proportionate to the concern and may include:

• speaking with the person raising the concern
• speaking with people using the service
• reviewing records
• speaking with witnesses
• reviewing rota, staffing or training records
• reviewing CCTV or digital records where lawful and relevant
• checking incident, complaint or safeguarding history
• seeking external advice
• making safeguarding, police or professional referrals

Where the Registered Manager is implicated, the concern must be escalated to the Nominated Individual, provider representative or external body.

13. External reporting

The service recognises that staff may raise concerns externally where appropriate.

External bodies may include:

• CQC
• local safeguarding authority
• police
• professional regulator
• Health and Safety Executive
• Information Commissioner's Office
• commissioner or local authority
• prescribed person under whistleblowing legislation

Staff do not have to raise concerns internally first where they reasonably believe external reporting is appropriate.

14. Protection from victimisation

The service will not tolerate victimisation of a person who raises a concern.

Victimisation may include:

• dismissal
• demotion
• reduced hours
• bullying
• isolation
• threats
• poor treatment
• denial of training
• unfair disciplinary action
• poor references
• hostility from colleagues
• pressure to withdraw the concern

Any allegation of victimisation must be investigated and may result in disciplinary action.

15. Malicious or knowingly false allegations

The service recognises that most concerns are raised in good faith.

Where a person knowingly makes a false allegation maliciously, the service may take action under the conduct policy.

A concern that is not substantiated is not the same as a malicious concern.

16. Feedback to the person raising the concern

Where possible, the service will tell the person raising the concern:

• that the concern has been received
• who is handling it
• whether immediate action has been taken
• when they can expect an update
• when the matter has been closed

The service may not be able to share confidential information about other people or employment action.

17. Records

The service must keep records of:

• concern raised
• date received
• person receiving it
• risk assessment
• immediate action
• investigation plan
• evidence reviewed
• outcome
• external referrals
• action taken
• feedback provided
• learning identified
• closure decision

Records must be stored securely.

18. Learning and governance

The Registered Manager must review concerns for learning.

The review must consider:

• whether the concern revealed a service risk
• whether similar concerns have been raised before
• whether staff feel safe to speak up
• whether action is needed on culture
• whether policies or training need updating
• whether the risk register or action plan needs updating

Whistleblowing themes must be reviewed through governance without identifying individuals unnecessarily.

19. Staff training

Staff must be told how to raise concerns during induction and through periodic refresher training.

Training must cover:

• what concerns should be raised
• who to speak to
• right to raise concerns externally
• protection from victimisation
• safeguarding escalation
• confidentiality limits
• emergency escalation

Managers must be trained in how to receive and act on concerns.

20. Related policies

This policy should be read with:

• Safeguarding Policy
• Incident Reporting, Investigation and Learning Policy
• Complaints Policy
• Staff Conduct and Disciplinary Policy
• Grievance Policy
• Duty of Candour Policy
• Risk Management Policy
• CQC Statutory Notifications Policy
• Record Keeping Policy
• Equality and Diversity Policy

21. Audit

The Registered Manager must review the use and effectiveness of this policy at least annually.

The review must consider:

• number and type of concerns raised
• response times
• themes
• staff awareness
• whether staff feel safe to raise concerns
• whether any person reported victimisation
• whether concerns led to action or learning

22. Review

This policy will be reviewed annually, or sooner following a serious concern, safeguarding matter, CQC finding, staff survey result, employment-law change, or evidence that staff do not feel safe to speak up.

23. Sources and further reading

This template is based on CQC's guidance for providers and managers, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, and other topic-specific legislation and guidance listed below. It is a starting point for adaptation, not a substitute for legal, clinical, HR, safeguarding or specialist professional advice.

• Public Interest Disclosure Act 1998 (https://www.legislation.gov.uk/ukpga/1998/23)
• Employment Rights Act 1996 (https://www.legislation.gov.uk/ukpga/1996/18)
• CQC Regulation 17: Good governance
• GOV.UK whistleblowing guidance
• GOV.UK list of prescribed persons for whistleblowing (https://www.gov.uk/government/publications/blowing-the-whistle-list-of-prescribed-people-and-bodies)
• CQC route for raising a concern or whistleblowing to CQC
• Protect (whistleblowing charity) guidance
• Professional duty to raise concerns (relevant professional regulator guidance, for example GMC, NMC, GDC or HCPC)
• Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (https://www.legislation.gov.uk/uksi/2014/2936/regulation/17)

24. When to seek further advice

Seek specialist advice where the issue involves serious harm, safeguarding, deprivation of liberty, restraint, children, professional misconduct, controlled drugs, radiation, termination of pregnancy, infection outbreak, water safety, employment dismissal, DBS barring referral, or regulatory enforcement.

25. Document control

This sample policy template was issued by Verivius. It is a template, not a substitute for legal advice or the tenant's own policy-development process. Where this template and live law or regulator guidance diverge, the live source wins.