Assessing and managing the risk of detrimental action

People who disclose wrongdoing need to be confident they will be protected from detrimental action against them as a result of their disclosure. Such detrimental actions include bullying, harassment, denial of a promotion or workplace benefit, and dismissal. Further information on detrimental action can be found in the guideline Protections in the PID Act.

Action might also need to be taken to ensure that other people do not suffer detrimental action as a result of a PID. Of course, taking action to protect everyone against detrimental action does not prevent an agency taking reasonable management action. In the case of a person accused of wrongdoing, that includes investigating the wrongdoing, reasonable suspension from the workplace, and reasonable disciplinary action.

Under section 61(2) of the Public Interest Disclosures Act 2022 (PID Act), agencies have a duty to take steps to assess and minimise the risk of detrimental action (other than reasonable management action) being taken against any person. This includes the maker of a voluntary public interest disclosure (PID) and a public official who is the subject of the PID.

Depending on the circumstances, risks might also need to be considered in respect of other people, such as those involved in investigating alleged wrongdoing, or family members or friends of the person who made the disclosure.

The duty to undertake a risk assessment and implement risk management strategies arises as soon as an agency is aware that a PID has been made. An agency can be liable to pay damages for failing to comply with its risk management obligations under the PID Act.

This guideline explains:

• when agencies must assess the risk of detrimental action
• agencies’ risk management obligations under the PID Act
• what to consider when creating a risk management plan including who might need to be considered as part of the risk assessment, beyond the PID maker and the public official against whom allegations have been made
• agency liability for failing to assess and minimise the risk of detrimental action
• what reasonable management action is permitted.

An agency must take steps to identify, assess and minimise the risk of detrimental action (other than reasonable management action) being taken against any person as a result of a disclosure, including:

(a) the person who has made a voluntary PID, and

(b) the person(s) who are the subject of the voluntary PID (that is, the person(s) who are alleged to have engaged in serious wrongdoing).

An agency is required to undertake this risk assessment, and the management of identified risks, where:

the disclosure relates to the agency OR

the disclosure was made by a public official associated with the agency.1 Further guidance on the terms ‘relates’ and ‘associated with’ can be found in the guidelines Core concepts in the PID Act and Dealing with voluntary PIDs.

This means that more than one agency may have a duty to assess and manage the risk of detrimental action. For example, if a person from an agency makes a voluntary PID alleging wrongdoing by a person who works for another agency, both agencies are ‘responsible agencies’ for the purposes of risk assessment and have a duty to take steps to assess and minimise the risk of detrimental action. If an agency is a ‘responsible agency’, risk assessment and management steps must commence as soon as the agency is aware the disclosure has been made.² An agency is taken to be aware that a disclosure has been made as soon as one of its disclosure officers is aware, or ought reasonably to be aware, that a disclosure has been made.³

In practice, this means that a risk assessment should be undertaken as soon as possible after agencies receive, or otherwise have knowledge of, the disclosure. This is to ensure that risks are identified and steps are implemented to manage the risks at the earliest instance, before detrimental action can occur.

If an agency determines as part of its initial triage that a disclosure does not relate to the agency and the maker of the disclosure is not associated with the agency, it will not be a ‘responsible agency’. The agency may consider referring the disclosure to a relevant responsible agency. If the receiving agency considers that another agency would more appropriately deal with the disclosure, the receiving agency must first consider the risk of detrimental occurring as a result of the referral or as a result of the failure to refer.⁴ Information on referring PIDs can be found in the guideline Dealing with voluntary PIDs.

If an agency deals with a disclosure that neither relates to the agency nor was not made by a public official associated with the agency, there is no legislative obligation under section 61 of the PID Act to assess the risk of detrimental action. This will most likely occur when an integrity agency investigates a disclosure relating to an agency it oversights or the serious wrongdoing falls within its ordinary jurisdiction. While there is no requirement under section 61 of the PID Act to assess the risk of detrimental action, it is best practice to consider the risk of detrimental action occurring while still maintaining the confidentiality of the PID maker.

________________

^1. Public Interest Disclosures Act 2022, s 61(1).

^2. Public Interest Disclosures Act 2022, s 61(1).

^3. Public Interest Disclosures Act 2022, s 61(3).

^4. Public Interest Disclosures Act 2022, s 61(3).

Agencies should conduct a risk assessment that identifies risks of detrimental action and develop a risk management plan with steps to protect the PID maker, the subject(s) of the PID, and any other persons who may be at risk. This duty to minimise the risk of detrimental action under the PID Act applies in addition to the existing obligations of agencies to take all reasonable steps to ensure a safe work environment for all workers under work health and safety legislation.

Risk assessments and risk management must be ongoing

Risk assessment and management must take place as soon as an agency becomes aware that a disclosure has been made. However, risk assessment is not static and should be continuously monitored and revised/updated as new risks arise.

Who undertakes the assessment?

The person in the agency who assesses the disclosure (to determine whether it is a PID) will generally also be the person who will conduct an initial detrimental action risk identification and assessment and develop a risk management plan. Responsibility for risk assessment and management may continue with that person, or transfer to a more senior or well-placed officer (for example the senior PID disclosure officer for the agency or a senior workplace risk officer).

If the disclosure proceeds to an investigation, it is best practice that the person responsible for assessing and managing risk is not involved in conducting the investigation. This promotes the investigator’s independence and impartiality, by allowing them to focus on making findings about the allegations raised by the PID, while a separate person responsible for risk management focuses on identifying and managing the risks of detrimental action to all impacted persons during the investigation and any subsequent outcomes.

The investigator will, however, need to keep that person updated about any information or situation arising during the investigation that could impact the risk of detrimental action being taken against any person. Necessary changes to the risk management plan should be made in response to these updates.

Stages when risk assessment is undertaken

The risk management plan can identify the stages of the process of managing the PID as follows:

Stage 1: Assessment of the disclosure and initial information gathering to develop the risk management plan and determine the appropriate action to manage the disclosure.

Stage 2: If an investigation of allegations of wrongdoing or misconduct is conducted, the investigation.

Stage 3: After the findings of the investigation have been made and any outcomes implemented.

There may also be key review points during each of the above stages. For example, during an investigation, after the alleged misconduct is put to the subject of the disclosure for their response, information may become known to the subject of the disclosure which creates a heightened risk of detrimental action occurring to the actual or suspected PID maker. This will require an agency to reconsider whether further risk management strategies need to be implemented at that stage.

Keeping documentation secure

All documents relating to risk assessment and risk management should be securely stored with access restricted to people who have an operational need to be aware of the risks.

Anonymous disclosures

Under the PID Act, a disclosure will be anonymous if there is no reasonably practicable way of communicating with the maker, even if their name is known. Agencies still need to conduct a risk assessment and develop a risk management plan in relation to anonymous disclosures. The risk assessment should consider whether the identity of the maker can be readily ascertained or would likely be ascertained during an investigation, and any associated risks of detrimental action to any person. In these matters, the risk assessment should also particularly consider the risk that others may be assumed to be the PID maker given the content of the disclosure, and whether they are at risk of detrimental action. Further guidance can be found in the guideline Dealing with anonymous voluntary PIDs.

Agencies can follow the six-step process set out below as a framework to guide their approach to:

• assessing the risks of detrimental action arising from a disclosure, and
• determining what steps should be taken to minimise those risks and protect persons from detrimental action.

Each stage contains key considerations for the agency in undertaking the risk assessment. It should not be considered an exhaustive list.

Step 1 – Identifying the relevant persons to consider in the risk assessment

In conducting the risk assessment, an agency must take steps to identify and manage the risk of detrimental action being taken against:

1. the PID maker

2. the subject(s) of the disclosure, and

3. any other persons.⁵

Some steps taken to seek to protect one person may impact others.

Accordingly, the risk assessment and consequent management plan is best undertaken in a holistic manner, considering the potential risks to all persons.

The PID maker and the subject(s) alleged to have engaged in the wrongdoing can usually be readily identified. Depending on the particular circumstances, consideration may also need to be given to risks to other people. This could include for example:

• family members or others associated with the PID maker
• where it may be known or suspected that a PID has been made in the workplace, but the identity of the PID maker is not generally known, there may be a risk to others in the workplace in a similar position to the PID maker who might be (wrongly) suspected of having made the PID
• witnesses who participate in the investigation, and
• the investigator.

When assessing the risk of detrimental action being taken against people other than the PID maker and the subject of the disclosure, agencies may consider the following:

The relationship between the PID maker, the subject of the disclosure and potential witnesses – has there been any previous conflict or threats made?

• The location where the PID maker, their family and witnesses reside – is this in a rural or geographically isolated area where there are close community relationships?
• The organisational structure of the business area/unit in which the PID maker works, reporting lines and responsibilities.

Step 2 - Initial information gathering and desktop assessment

In the second step, upon becoming aware of a disclosure, agencies should gather and review information readily available (for example from agency files and records) to seek to ascertain:

• the context in which the disclosure has been made
• persons that may be involved in any potential investigation (or likely to be involved in an investigation), and
• any current business processes impacting the PID maker, the subject of the disclosure and any potential witnesses.

Information that may be gathered includes:

• Organisational structure charts, roles and reporting lines of the PID maker, the subject of the disclosure, persons named in the disclosure, and other persons currently working in the same area/business unit (identified persons).
• Any current business processes within the area/business unit impacting all or any of the identified persons, and the status of those processes. For example, performance management, disciplinary action, performance appraisal, restructure and merit appointment processes.
• Is there a history of conflict or grievances within that area/business unit?
• Information about the relationship between the PID maker and subject of the PID – do they have a previous history of workplace issues, complaints or grievances?
• Are there any social/personal relationships outside work between persons in that business unit? If so, what is the nature of the relationship?

The information should be gathered in a way that preserves the confidentiality of the PID maker, the subject of the disclosure and the content of the PID as far as possible. Only information necessary to conduct the risk assessment should be sought – on a ‘need to know’ basis.

Where another person within the agency holds relevant information, they should only be told the minimum details necessary to facilitate the provision of the information to the person conducting the risk assessment. The PID maker and subject of the disclosure should not specifically be identified.

Step 3 - Gathering information from the PID maker

An agency must undertake a risk assessment and take steps to minimise the risk of detrimental action occurring as soon as the agency is aware a PID has been made. For the purpose of undertaking the assessment, the agency can communicate with the PID maker without breaching confidentiality. However, until the subject of the disclosure is informed of allegations against them that form part of the PID, agencies will not have an opportunity to communicate with the subject of the PID in order to inform the risk assessment. The initial risk assessment will therefore need to rely upon the information provided by the PID maker and otherwise gathered.

Consider the following approach in communicating with the PID maker:

• Explain the PID process to the maker and ascertain what outcome the maker expects.
• Explain to the PID maker that information will be sought from them so that the agency can understand what risk there is of detrimental action being taken against them.
• Ask the PID maker relevant questions to identify likely risks, including: ο Have they made the disclosure to anyone else?
  • Does anyone else know that they have made a disclosure?
  • Who else knows about the matter? ο What is the nature of the relationship between them and the subject(s) of the disclosure? ο What is the size and location of their business unit?
  • Is the subject of the disclosure within their business unit, structurally and/or physically?
  • What is the nature of the relationship between the subject(s) of the disclosure and others within the work unit?
  • Have they received any threats or unfair treatment?
  • Do they have any concerns about possible detrimental action, and what are those concerns?
  • Is there any person the maker considers could take detrimental action against them?
  • Do they require support and if so, what support do they require?

Step 4 - Identify the risks of detrimental action being taken against relevant persons

Relevant things to consider to identify the risk of detrimental action being taken against relevant persons include:

• What information was received from the PID maker.
• Who is currently working in the same area/business unit as the PID maker.
• Does the subject of the PID work in the same business unit, either as a manager, colleague or within the same reporting line?
• Is there a history of conflict or grievances within that business unit?
• Do the maker of the disclosure and the subject of the PID have a previous history of workplace or interpersonal issues?
• Are there any social relationships outside of work between persons in that business unit?
• Is identifying information of the maker likely to be revealed during management or investigation of the matter? Further guidance can be found in the guideline Maintaining confidentiality when dealing with voluntary PIDs.

Step 5 - Develop strategies to mitigate the identified risks of detrimental action

Confidentiality, monitoring and supervision

• Strategies should be developed to maintain confidentiality over the PID maker’s identifying information, or to limit the number of people who are aware of the disclosure in circumstances where it is obvious from the matters raised in the disclosure who has made the disclosure.
• Strategies should similarly be developed to keep the identity of the subject of the disclosure confidential. The fact that allegations have been made and are being investigated should not be disclosed to others, except to the extent necessary to conduct an investigation of the allegations and to determine any outcomes. However, in some circumstances it may be appropriate to inform the head of human resources or the PID maker’s manager of an investigation if it would assist in managing the risk of detrimental action which may be heightened during the investigation period.
• Determine what information can be given to staff (such as colleagues and managers) about any interim changes made to the work arrangements of either the PID maker or the subject of the disclosure. Consideration should also be given to whether disclosing the reason for the changes may increase the risk of detrimental action as a result of the disclosure, prejudice the investigation or breach each person’s reasonable expectation of confidentiality in their employment.
• Actively monitor whether confidentiality has been maintained while a matter is ongoing. Decide who should be monitoring confidentiality and potential breaches. Prior to appointing someone to this role, the agency should consult with the PID maker about which person they would be comfortable with undertaking this task. For example, would the PID maker be comfortable if their manager was aware of the disclosure? Likewise, once the subject is aware of the disclosure, a similar process should be undertaken.
• The person responsible for risk management should regularly check in with the PID maker and provide the PID maker with information on who they can report to if they receive a threat or if they consider detrimental action is occurring. When the subject of the disclosure is made aware of the PID and allegations comprising the PID, similar check-ins should be undertaken with them.

General strategies

• In some circumstances, a general risk minimisation strategy may be appropriate, where the head of an agency or a business unit issues a reminder to staff that the agency supports the making of PIDs, does not tolerate detrimental action and that anyone who takes detrimental action against a PID maker or other person in relation to the PID may be committing a crime. However, the particular circumstances must be considered, including whether such a communication could identify that a PID has been made and whether the PID maker is already known or their identity remains confidential.

Specific strategies – changes to work arrangements

• Where risks are identified, consider temporary changes that may be made to working arrangements to reduce the risk of detrimental action being taken against any person. These can include:
  • working from home/remotely
  • changes in rosters ο changes in work location
  • secondment to a different business area/unit
  • adjusting supervision arrangements
  • granting a period of leave.
• Changes should only be put in place if: ο they are reasonably necessary to specifically address the identified risks of detrimental action, or ο considering the seriousness of the allegations, it is appropriate to make changes to work arrangements of the person(s) the subject of the disclosure while the allegations are being investigated.
• Whether the changes to work arrangements will apply to the PID maker or the subject(s) of the disclosure will depend on all of the circumstances, including the nature of the allegations, what concerns about detrimental action have been identified, the operations of the business area/unit, whether the subject(s) of the disclosure have been made aware of the PID and allegations, and whether the person(s) affected agree or object to the temporary changes.
• Measures involving changing the work arrangements of a PID maker should be taken cautiously. They could themselves constitute detrimental action if they are not taken lawfully, reasonably and if possible, with their agreement. Unliteral changes made without the genuine consent of the PID maker may also contravene employment obligations that otherwise apply. Depending on the nature of the change, it may draw unnecessary attention to the PID maker and increase risks of detrimental action against them.
• At the stage it is determined that an investigation will be conducted into allegations raised by a PID, a separate assessment should be made of whether the subject(s) of the disclosure will be suspended from the workplace during the investigation. This assessment will be impacted by relevant policies, legislation and industrial instruments that otherwise apply to a person’s employment. Accordingly, the agency may need to obtain legal advice when considering implementing a temporary suspension.
• If it is determined that the subject(s) will be suspended during the investigation, the initial risk assessment and strategies should be reviewed and updated as appropriate. For example, temporary changes that may have been made to the PID maker’s work arrangements when the disclosure was initially received (such as a period of leave or working from home as agreed to by them) may no longer be necessary to adequately protect them from risks of detrimental action (at least by the subject of the disclosure).

Other steps

• If detrimental action has occurred or may occur, consider seeking approval to apply for an injunction. Further information can be found in the guideline Protections in the PID Act.
• Ensure accurate and comprehensive written records are kept about allegations of different or unfair treatment.

Step 6 - Re-assess the risks during the process

As noted above, risk assessment is not static. The risk profile should be continuously monitored and revised/ updated as necessary in light of new information and at different steps of the process.

Review and update the initial risk assessment and risk management plan:

• when new information is revealed
• if an investigation is conducted, during the conduct of the investigation, and
• after the findings of the investigation have been made and any outcomes are implemented.

For example, upon completion of an investigation, is there a possibility someone could take detrimental action against a person because they are dissatisfied with the outcome of the investigation (namely, the corrective action implemented), or, where the investigation finds no wrongdoing, because they consider the PID maker made a false disclosure?

Factors relevant to the PID maker

When the disclosure is first received, it should be explained to the PID maker that they should not discuss the disclosure or investigation with anyone except the people involved in managing the matter or, if they have a complaint about how the PID is being managed, an integrity agency. Further guidance can be found in the guideline Updating the makers of voluntary PIDs and providing supports.

Factors relevant to the subject of the disclosure

An agency’s duty to take steps to assess and minimise the risk of detrimental action being taken against the subject of the disclosure does not remove the agency’s ability to take reasonable management action in respect of the subject. Such action can include suspension from the workplace, making a reasonable decision to investigate allegations of misconduct, and taking reasonable disciplinary action (including termination of employment).

Agencies must ensure the subject of the PID is ‘presumed innocent’ while their alleged conduct is under investigation and they are afforded procedural fairness with respect to any investigation or disciplinary action. Agencies should consider how affording the subject with procedural fairness will take place, including providing them with sufficient information about the allegations to enable them to respond, without potentially putting witnesses or the PID maker at risk. This is particularly important in circumstances where it is not otherwise obvious who has made the PID or who has provided information during the investigation.

Communication with impacted persons

Agencies should communicate with the following persons at the time they are first aware of the PID:

1. the PID maker at or after the time they make their initial disclosure

2. the subject of the disclosure at the time the allegations are disclosed to them, and

3. other persons such as witnesses and the investigator at the time they participate in the process.

At the time they are first aware of the PID, persons at risk of detrimental action should be informed of the following:

• relevant information about detrimental action, by referring them to the agency’s PID policy, the Ombudsman’s guidelines and the PID Act, and
• details of any available employee assistance programs.

Consider also asking the following questions to assist in identifying risks of detrimental action:

• Do they have concerns that someone may take detrimental action against them, and if so, what are those concerns? What person(s) and why?
• Have they have already received threats or unfair treatment?
• Do they require support and if so, what support they require?

Whether legal advice should be obtained

Strategies identified to seek to mitigate detrimental action, such as suspension, may also raise separate risks under policies, legislation and industrial instruments that otherwise apply to a person’s employment. Agencies should consider obtaining legal advice when making employment related decisions to ensure compliance with employment and work, health and safety legislation.

Under section 62 of the PID Act, agencies are liable for injury, damage or loss suffered as a result of a failure to take steps to assess and minimise the risk of detrimental action.

The person who suffers detrimental action can commence proceedings in court and can recover damages against the agency, including exemplary damages if ordered by the court.

In order to defend this claim, the agency must prove that it did not fail to comply with its risk management obligations or if it did fail to comply with its obligations, that the injury, damage or loss was not suffered as a result of the agency’s failure.⁹

__________

^9. Public Interest Disclosures Act 2022, s 62(3).