Last updated:

July 10, 2020

What are Protected and Public Interest Disclosures?

Protected Disclosures (PD) became Public Interest Disclosures (PID) on 1 January 2020. They are reports of improper conduct or detrimental action within the Victorian public sector (VPS).

Under the Public Interest Disclosures Act 2012 (Vic) (PID Act), people who report improper conduct and detrimental action in the VPS are offered legal protection. Once a report is investigated it becomes known as a Public Interest Complaint. These complaints were previously known as ‘Whistleblower’ complaints.

The Independent Broad-based Anti-corruption Commission (IBAC) plays a central role in the administration of the PID Act. Extensive information and resources to assist individuals and organisations to make, receive and understand protected disclosures is available on IBAC's website.

Records of improper conduct or detrimental action within the public sector, regardless of whether or not they become public interest complaints, must be managed in accordance with the recordkeeping standards issued by PROV. This includes retention and disposal authorities (see below ‘What about disposal?’ for further details) .

How should records of Public Interest Disclosures be managed?

The PID Act contains confidentiality provisions that organisations and staff must comply with. These provisions exist to ensure that the content of the disclosure, and the identity of the person who made it, are kept confidential - unless one of the exceptions in the PID Act applies. 

Records that attract the confidentiality provisions of the PID Act must be stored and handled in such a way that prevents unlawful disclosure. If you are unsure about whether any records your organisation holds are subject to these provisions, it is recommended that you seek advice from IBAC or the applicable investigating body (for example, Victorian Ombudsman).

It is important to be aware that records relating to a disclosure alleging detrimental action or misconduct by a person in a public office which do not constitute a public interest disclosure, may still be subject to confidentiality obligations under other Acts or Standards. For example, IBAC may determine that a disclosure does not constitute a public interest disclosure, but still investigate the matter pursuant to its investigatory powers in the IBAC Act 2011 (Vic). This could give rise to confidentiality obligations in respect of records relating to the complaint that are similar to those under the PID Act.

IBAC requires public interest disclosures to be captured and managed in secure information management systems.

The Victorian Protective Data Security Framework (VPDSF) developed by the Office of the Victorian Information Commissioner (OVIC) should be used to identify, assess and manage security risks regardless of whether your organisation is required to apply it or exempt.

Under the VPDSF organisations are required to use valuation criteria called Business Impact Levels (BILs) to determine the value of the official information it holds (which may be in the form of physical or digital records), and to identify the appropriate protective marking to be assigned reflecting the confidentiality of the information. The outcome of this assessment will inform what security measures (if any) should be applied to protect the information.

Controls must be designed and applied to processes and systems to ensure that PD / PID records (and associated complaints records) are protected from unauthorised activity and can be trusted as credible evidence (PROS 19/05 Create Capture and Control Standard). This includes:

  • authenticity and reliability controls must be designed into processes and systems to ensure that records can be trusted and relied upon as credible and verifiable evidence. Authentic and reliable records:
    • are created through routine and repeatable processes
    • are of undisputed origin
    • can be trusted to be genuine
  • protection and security controls must be designed and implemented to ensure records are only accessed, amended, used, released or disposed of, as authorised

Records of improper conduct and detrimental action should be stored securely in a way that protects the identity of the person who made the report and the details of the situation regardless of whether or not a formal investigation was conducted. This includes:

  • keeping mobile devices secure
  • ensuring that only those with the appropriate security clearance are able to identify, access and view the records
  • deleting scanned documents from multiple function devices (MFD) hard drives
  • avoid file and folder names that identify individuals

The PROS 07/01 Retention and Disposal Authority for Records of Common Administrative Functions specifies that ‘investigations into disclosures made under the Whistleblowers Protection Act 2001 (Vic)’ are permanent records, which must be retained as State Archives.

As the Whistleblowers Protection Act 2001 (Vic) (WP Act) has been repealed and replaced by the PID Act, PROS 07/01 should be applied to records relating to the PID Act in the same way as it applies to records relating to the WP Act.