Mr. Pat Keane:

To be clear, there are strong protections under the Protected Disclosures Act. Section 14 provides immunity from civil liability for making a protected disclosure. It is stronger than what is in the directive, under which there is not an absolute immunity from civil liability. Rather, someone can merely offer the fact that he or she has made a permissible complaint as a defence in a court case. The only exception we have relates to the Defamation Act, which I understand has to do with the constitutional right to a person's good name. We also have protections to the effect that, where someone has made a protected disclosure, it does not constitute a criminal offence. If I were to make a protected disclosure, I would not breach any of the legal obligations that I am subject to as a civil servant under the Official Secrets Act, for example.

We have strong protections in terms of NDAs. They are in section 23 of the Protected Disclosures Act, under which it is clear that:

Any provision in an agreement is void in so far as it purports— (a) to prohibit or restrict the making of protected disclosures,

(b) to exclude or limit the operation of any provision of this Act,

(c) to preclude a person from bringing any proceedings under or by virtue of this Act, or

(d) to preclude a person from bringing proceedings for breach of contract in respect of anything done in consequence of the making of a protected disclosure.

This section effectively voids any NDA that a person is told to sign. As such, this matter is covered. Indeed, our provisions are stronger in some areas than what is required under the directive.

Regarding discretionary areas, I can go through a few points. Along with the other documentation, we submitted to the committee a preliminary draft regulatory impact assessment. It set out some of our thinking in this regard and probably contains a great deal more detail, if the Senator wishes to examine it. However, I will go through a couple of aspects.

One of the areas where there is a certain amount of discretion is that of anonymous reporting, which is one of the more difficult areas we have had to handle. It is probably fair to say that we got a great deal of feedback on this during the public consultation. It was finely balanced between people who thought it was a great idea and people who thought it was not such a great idea. It is difficult to judge which side of the fence to fall on. In the end, we felt that one of the major challenges in handling an anonymous disclosure is that it can cause administrative difficulties. For example, it is necessary under the directive that reports be made by a person who has a workplace relationship with the organisation. If someone makes a disclosure anonymously, that relationship cannot be verified. Therefore, it becomes a question of whether the rules on how reports must be treated in terms of acknowledgement, follow-up and feedback apply. On the other hand, modern technology has made two-way communication with an anonymous person easier than in the past when a letter might have arrived in the post with no signature on it and there was no way of following up on it. However, not knowing the identity of the reporting person can make it much more difficult to follow up on a matter, especially if there is no means of making further contact to, for example, get clarification or more information.

Another point is that a person might believe that he or she is safer when making an anonymous report, but protecting someone from harm can sometimes be difficult, for example, if the incidents described are specific enough that the accused person figures out who reported him or her and subjects that person to harassment. The informer might not be aware of this and the situation could be made much worse. There is also a small risk that allowing anonymous reporting can enable employees to harass colleagues by submitting untrue or defamatory reports. Without knowing the identity of the person making the report, it is difficult to punish false reporting.

There are also a number of legal issues because Irish legislation in some places specifically prohibits some organisations from following up on anonymous disclosures. This is mainly due to the fact that disclosures may be related to judicial matters, which require providing the right to a fair hearing where the identity of the discloser must be known. Examples of that are the regulations we made under the Companies (Auditing and Accounting) Act 2003 and the Standards in Public Office Act 2001. The flip side to this is that there are also some laws that specifically permit anonymous disclosures, particularly in respect of financial services money laundering.

We acknowledge that a number of organisations find accepting anonymous reports to be beneficial. Notwithstanding that, we have come to the view that a blanket requirement to follow up on all anonymous disclosures would be problematic for many organisations. It appears to us that the best way to approach this is for anonymous disclosures to be taken on a case-by-case basis. We are providing that it be at the discretion of each organisation to set a policy on anonymous reporting. That is the route we will take with the Bill.

I will be brief in responding to some of the other questions that were asked. We have been asked about the establishment of internal reporting channels and whether they should apply to some entities with fewer than 50 employees. There are already certain exemptions in the directive around financial services, oil and gas safety, and aviation and other areas of transport safety. We are of the view that this could be explored on a sector-by-sector basis. We are providing in the Bill that the Minister can, subject to a risk assessment, make an order classifying a certain sector of the economy as having a lower threshold for having formal internal channels and procedures. At the previous meeting, a couple of suggestions were made about accountancy bodies and some digital companies. There could be merit in that and it is something that we could consider, but we believe that a blanket approach would be disproportionate. It would probably represent a significant compliance burden for small organisations and would not suit small builders, for example, a builder and two mates in a van, the local sweet shop, etc. A blanket obligation is probably not workable in that regard.