Maintaining confidentiality when dealing with voluntary PIDs

Confidentiality requirements for voluntary PIDs

Public officials and agencies must not disclose information identifying or tending to identify a person as the maker of a voluntary PID unless the disclosure is permitted by the PID Act.¹

Information tending to identify the maker of a voluntary PID is known as ‘identifying information’. It can include the maker’s name, their role, their contact details or other things which either on their own, or when combined with other information relevant to the disclosure, might reveal someone as having made a PID.

In some cases, specific information in the PID itself, or the very fact that a PID has been made, may tend to identify the maker of a PID as someone who has made a PID. For example, if there is only one person who could possibly have witnessed or reported the information disclosed in the PID.

There may be circumstances where it is reasonable, or unavoidable, for identifying information to be disclosed. The PID Act recognises this and provides that identifying information about the maker of a voluntary PID can only be disclosed by a public official or an agency in the following circumstances:

• the maker consents in writing to disclosure of the identifying information

• it is generally known that the person is the maker because they have voluntarily self-identified as the maker

• the public official or agency reasonably considers, after consulting with the maker, that disclosure of identifying information is necessary to protect a person from detrimental action

• it is necessary to disclose the identifying information to a person whose interests are affected by the PID

• the identifying information has previously been lawfully published

• the identifying information is disclosed to a medical practitioner or psychologist for the purposes of the practitioner or psychologist providing medical or psychiatric care, treatment or counselling to the individual disclosing the information

• the identifying information is disclosed for the purpose of court or tribunal proceedings

• the disclosure of the identifying information is necessary to deal with the disclosure effectively

• it is otherwise in the public interest to disclose the identifying information.²

An agency’s PID policy must identify its procedures for maintaining confidentiality in relation to voluntary PIDs and protecting the identity of the makers of voluntary PIDs.³

Important note: The confidentiality obligation under the PID Act does not apply to mandatory or witness PIDs. However, where possible and provided it does not hinder with an investigation, it is best practice for agencies to maintain confidentiality of a maker’s identity even if they have made a mandatory or witness PID, or some other type of complaint.

__________

^1. Public Interest Disclosures Act 2022, s 64.
^2. Public Interest Disclosures Act 2022, s 64(2).
^3. Public Interest Disclosures Act 2022, s 43(1)(e).

Steps an agency should take when determining how it will maintain confidentiality

Agencies should be proactive in their approach to maintaining confidentiality. This involves regularly re-assessing the likelihood of a PID maker’s identity becoming known throughout the course of the matter or investigation.

Agencies should undertake the following 4 steps to assist in understanding whether confidentiality is likely to be maintained and what strategies can be implemented to protect the PID maker’s identifying information:

• Step 1 - Assess if confidentiality can be maintained.
• Step 2 - Develop and implement strategies to maintain confidentiality.
• Step 3 - Develop proactive strategies to respond if confidentiality is unable to be maintained or is lost.
• Step 4 - Keep the PID maker informed and supported.

More detailed guidance for each of these 4 steps is provided below.

Step 1 - Assess if confidentiality can be maintained

As soon as possible after a voluntary PID has been made, the person assessing the PID should talk to the maker about the duty to maintain confidentiality under the PID Act, whether their identifying information is likely to be able to be kept confidential in the circumstances and the risk if identifying information does become known.

To establish the likelihood that their identifying information can be kept confidential, the PID maker should be asked:

• who they have spoken to about the serious wrongdoing and what was their reaction

• whether they have raised the serious wrongdoing with the person(s) believed to have engaged in that serious wrongdoing, and what was their reaction

• whether they have told anyone they intended to make a disclosure, or that they have made a disclosure. If they have, who did they tell and what was their reaction

• is there any information in the PID that only they, or a small group of people, would have been aware of. If so, is there another way that information could be obtained.

Further factors that should be considered when determining whether confidentiality can be maintained include:

• is it obvious or easily identifiable who made the disclosure based on the information provided?

• can the issues raised in the report be investigated without disclosing information that would identify or tend to identify the maker?

• is the investigation likely to require obtaining information from witnesses or can the investigation be conducted from documentary evidence? If witnesses will be required to provide evidence, is the witness list a large one or can this be limited to only essential witnesses

• what is the likelihood that the subject of the disclosure can identify who made the disclosure?

• what is the risk of the subject of the disclosure threatening to take, or taking, detrimental action if they identify who made the disclosure?

• do any of the exceptions to the requirement that a PID maker’s identifying information be kept confidential under the PID Act apply?

In some cases, it may be possible to keep confidential both the fact that a PID has been made and the PID maker’s identity. In other cases, it may only be possible to keep the PID maker’s identity confidential and not the fact that a PID has been made.

There may also be cases where an agency might reveal that a PID has been made and the PID maker’s identity.

Where possible, agencies should attempt to keep both the fact that a PID has been made and the PID maker’s identity confidential, because if staff are unaware that a PID has been made then they are less likely to speculate or become aware of the PID maker’s identity.

However, if this is not possible agencies may also consider, given the circumstances, that it is appropriate to:

• Inform staff within the relevant unit or team that a PID has been made, without disclosing the identity of the PID maker. Staff should also be informed that they should not speculate who has made the PID and remind staff that it is a criminal offence to take detrimental action. This may be appropriate in circumstances where it is evident that only a small number of people could have made the PID.

• Keep the fact that a PID has been made confidential. For example, in circumstances where an investigation could plausibly have been triggered by a different mechanism such as an audit or observation.

Agencies must still develop further strategies to protect the PID maker’s identifying information even if one of the above decisions is made.

Step 2 - Develop and implement strategies to maintain confidentiality

It is the responsibility of everyone who is involved in the handling of the PID to take steps to maintain the confidentiality of information that would tend to identify the PID maker. This includes the recipient of the PID, the disclosure officer(s) who received the PID, the investigator, any advisors (such as legal counsel) and any decision-makers on the outcome of the investigation and the appropriate corrective action.

Agencies need to have appropriate governance, case management and record keeping systems and procedures to facilitate the maintenance of confidentiality.

Agencies must develop a proactive response to maintaining confidentiality. The strategies suggested below are standard strategies that should be used when conducting any workplace investigation:

• Limiting the individuals who are aware of the PID maker’s identity or of identifying information. This means ensuring that only people with an operational need to know have access to the relevant records and information. It also means that when deciding on who the witnesses are, an investigator should start by requesting evidence of the witness who is most likely to provide the most relevant and credible information. This may allow the investigator to limit the number of witnesses (and therefore the number of people aware of the matter) and actively re-evaluate who they need to obtain evidence from.

• Considering whether the information provided by the PID maker could have been obtained in another way (such as through an audit) so that when any adverse information is put to the person(s) accused of the serious wrongdoing, the identity of the PID maker can be protected.

• Reminding public officials who are aware that the PID maker made a PID that they have a legal obligation to keep the maker’s identifying information confidential. This includes reminding witnesses and the person(s) alleged to have engaged in the serious wrongdoing of this obligation.

• Appropriately restricting access to relevant files to ensure that only a limited number of necessary people have access.
  Assessing whether anyone who is aware of the PID maker’s identity might have a motive to take detrimental action against them or impede the progress of any investigation into the PID.

• Actively communicating with the PID maker on an ongoing basis to identify risks of their identity being known (including through self-disclosure) and providing appropriate support to them.

Investigators should have an investigation plan which minimises the possibility of identifying information which tends to identify the PID maker being revealed. The plan should consider the order in which evidence is gathered and witnesses are interviewed, how interviews will take place and how investigation files will be managed (including access restrictions). Investigators should also regularly assess the likelihood that identifying information will be disclosed during the investigation and have risk mitigation responses in place.

Step 3 - Develop proactive strategies to respond if confidentiality is unable to be maintained or is lost

If identifying information of a maker is unlikely to remain confidential, agencies must adopt a proactive approach to managing the risk of detrimental action against the PID maker. The risk of a PID maker’s identity being known can change during the course of an investigation, which is why it is important for risk assessments to be conducted regularly while a PID is being handled.

It may be that the identity of the PID maker cannot be maintained for the disclosure to be dealt with effectively, or it may become legally necessary that identifying information be revealed to the person who is under investigation.

Strategies that can be implemented include:

• Consulting the maker of the PID by:
  • seeking their informed consent to disclose their identifying information
  • explaining why it is necessary for their identifying information to be revealed
  • clearly articulating what identifying information will be revealed, how and to whom
  • seeking their input into what support mechanisms they need and providing that support
  • seeking their input into whether they are at risk of detrimental action if the identifying information is revealed and explain how that risk will be mitigated.

• Informing public officials that may be aware of the disclosure that the PID Act applies and reminding them that:
  • they have a duty to maintain confidentiality under the PID Act
  • bullying, harassment and other types of detrimental action will not be tolerated
  • it is an offence to take or threaten to take detrimental action, and what detrimental action is
  • that the taking of detrimental action and the failure to maintain confidentiality may amount to misconduct which could lead to a disciplinary outcome.

• Reviewing the agency’s risk management plan to ensure strategies in place adequately address the risk of detrimental action occurring.

Step 4 - Keep the PID maker informed and supported

Agencies should be cognisant that once a person has made a PID, they may feel isolated as they are unable to discuss the PID with others. They may also be concerned that their identity will be revealed and have concerns for their safety.

Agencies should arrange support for PID makers that allows them to obtain updates on the matter, understand what they can expect from the process and seek support and assistance as and when they need it. This may require an integrated approach between the area handling the PID, their manager (if appropriate), the human resources section and any external providers (such as an Employee Assistance Program).

If the PID maker is concerned about being contacted in the workplace, agencies should also seek secure contact details from the maker such as personal phone numbers or personal email accounts that the maker alone has access to.

PID makers should also be made aware of the following:

• That despite agencies taking steps to protect identifying information, it is always possible that identifying information may be disclosed, and preparing them for this possibility.

• They should report any negative changes in behaviour of other staff or any different or unfair treatment that they have experienced, which they believe may be linked to their making of the PID.

• What they must do to maintain their own confidentiality, most importantly by not discussing their disclosure with other colleagues. Not only can this place the PID maker at risk of detrimental action, it can also make it difficult for agencies to implement appropriate risk mitigation strategies.

• They should not post anything about the disclosure or investigation on social media such as Facebook and Instagram. This includes information about making a disclosure, the substance of the disclosure or anything defamatory about the subjects of the disclosure.

  By doing this, the maker may reveal that they have made a PID and may no longer be entitled to have their confidentiality maintained. Protections afforded to makers when they make a disclosure in accordance with the PID Act are not extended to the same disclosure if it is repeated in a manner that does not accord with the PID Act, such as a public disclosure on social media.

  This means that a PID maker who also uses their social media to negatively comment about another person's conduct may not be protected against legal action for defamation in respect of the social media comments.

Practical difficulties in maintaining confidentiality

Even where an agency or relevant public official takes steps to ensure that identifying information is not disclosed, there is always a risk from the time a PID is first received and while it is being dealt with, that identifying information may be revealed, either lawfully or unlawfully. Identifying information might be disclosed:

• When the PID is communicated to a manager⁴:

  If someone receives a PID in their role as a manager under the PID Act, they must communicate the PID to a disclosure officer. While managers may be inclined to seek advice from someone who is not a nominated disclosure officer (such as their own manager or human resources person) about what they should do with the disclosure, they need to ensure they only speak to a nominated disclosure officer to maintain the confidentiality of the PID maker.

• When the PID is referred to the appropriate area for assessment and handling of the PID:
  Each agency will have their own procedures for how a PID is dealt with once it has been received by a disclosure officer for that agency. These will be set out in the agency’s PID policy. In some agencies the disclosure officer who receives the disclosure will be responsible for assessing it and determining how it should be handled. In others, the disclosure may be referred to an area responsible for handling PIDs.

  Regardless of what procedures are followed, disclosure officers must ensure that PIDs are only communicated to other disclosure officers who have an operational need to know, that all communications are secure, and that the content of the PID or the fact that the PID has been made is not discussed with anyone unauthorised to receive that information. The section responsible for handling PIDs should have appropriate secure record-keeping and case-management practices in place to ensure confidentiality is maintained.

• When gathering information about the PID:
  When serious wrongdoing is reported, an agency may decide to investigate the alleged serious wrongdoing. When conducting an investigation, the appointed investigator will seek to gather evidence to establish what occurred. Evidence may be gathered by interviewing possible witnesses and the person(s) alleged to have engaged in the serious wrongdoing. This process can cause people in the workplace to become aware or suspect that a PID has been made. Once this happens, it can be expected that there could be speculation – misguided or otherwise – by other staff about who made the disclosure. People might also take detrimental action against the person believed to have made the disclosure.

  It is imperative that witnesses and the persons alleged to have engaged in the serious wrongdoing, do not inappropriately speak about the matters they have been asked to provide evidence on and that, where possible, investigators aim to ask questions in a way that does not reveal identifying information about the maker of the PID. If this is not possible, the investigator should consider whether any of the exceptions in section 64 of the PID Act apply and ensure they keep accurate records of any decision made to reveal identifying information. They should also ensure the PID maker is aware that support mechanisms are put in place and that a risk assessment of possible detrimental action is undertaken and acted upon.

• In the course of providing procedural fairness:
  During an investigation, there will be a requirement for the person alleged to have engaged in serious wrongdoing to be provided with an opportunity to put forward their version of events and to respond to the allegations made against them before any adverse findings can be made.

  To enable a person to respond to the allegations against them, it will be necessary for them to be told the substance of what has been alleged against them in sufficient detail to permit them to answer those allegations. It may also be necessary to inform them of the evidence which supports the making of an adverse finding against them.

  While putting the allegations and the evidence to them, identifying information of the PID maker may be revealed. As above, investigators need to consider how best to put the information to the person under investigation without doing so, and if it is not possible, consideration should be given to whether one of the exceptions in section 64 of the PID Act apply.

• When the PID maker has previously voiced their concerns:
  Makers of a disclosure may have already voiced their concerns and intentions to make a report, either generally within the workplace, to colleagues and supervisors, or to management. This can present a challenge for investigators and those responsible for protecting the PID maker from detrimental action as their confidentiality cannot be maintained.

  Furthermore, there is no obligation to maintain confidentiality if the PID maker has voluntarily made it known that they have made the PID. However, attempts should still be made to limit the number of people who know about the PID. This is because there can be serious implications on the integrity of the investigation and the reputation of the person(s) accused of the serious wrongdoing.

• Changes to the workplace:
  Depending on the circumstances, the maker of the PID may need or wish to be absent from their usual place of work once a disclosure has been made. Consideration may also be given to whether the person the subject of the disclosure should remain in the same team or work location. Any changes to work location must be lawful and should be made in consultation with the agency’s human resources (or equivalent) section.

  Changes to the workplace, when combined with knowledge that an investigation is underway or other speculation, may lead to the identity of the PID maker being known or suspected. Sound investigative practices need to be undertaken to ensure that only necessary persons are aware of the matter and of the investigation.

__________

^4. Public Interest Disclosures Act 2022, s 15 for definition of manager.