Public interest disclosure assessment resources

Assessing Public Interest Disclosures

To assess whether a matter amounts to a Public Interest Disclosure (PID) under the Public Interest Disclosure Act 2010 (the PID Act), a public sector entity needs to decide if it meets all of the following elements:

  • an appropriate disclosure
  • of public interest information
  • made to a proper authority.

The guide has been designed as a step by step checklist to help entities make a decision as to whether information meets the tests to be assessed as a PID:

The checklist can also form a record of the entity’s decision-making process.

Assessing the risk of reprisal

In order to comply with the requirements of the Public Interest Disclosure Act 2010 (PID Act) and the Public Interest Disclosure Standard No. 2/2019 – Assessing, Investigating and Dealing with Public Interest Disclosures (PID Standard 2/2019), an assessment of the risk of reprisal must be completed as soon as practicable after assessing that a matter is a PID.

A risk assessment should also be conducted before referring a PID to another public sector entity. Section 31(3) of the PID Act provides that a PID must not be referred to another public sector entity if there is ‘an unacceptable risk that a reprisal would happen because of the referral’.

The guide has been designed by the Office of the Queensland Ombudsman to assist public sector entities in assessing and managing reprisal risk to parties that are involved in a PID: 

Any reasonable risk assessment strategy, such as AS/NZS ISO 31000:2009 Risk Management – Principles and guidelines, or Queensland Treasury’s ‘A Guide to Risk Management’, may be used.

What is reprisal?

A reprisal causes detriment to another person. The PID Act defines detriment to include:

  • personal injury or prejudice to safety
  • property damage or loss
  • intimidation or harassment
  • adverse discrimination, disadvantage or adverse treatment about career, profession, employment, trade or business
  • financial loss
  • damage to reputation, including, for example, personal, professional or business reputation.


Who should a risk assessment be conducted for?

The protection against reprisal at section 40 of the PID Act is broad, so consider conducting a risk assessment for:

  • the discloser
  • witnesses or others who help with the investigation of the PID
  • anyone who could be mistakenly assumed to be the discloser.


What is the risk assessment process?

The risk assessment process includes:

  1. establishing the context – identify which party to the PID the risk assessment needs to be conducted for. Every organisation is different and risk assessment and risk management should be considered within the local context.
  2. assessing the risk – what are the possible risks? What harms could result? What would be the consequences if those harms occurred? What is the likelihood of those harms arising?
  3. managing the risk – what strategies can be implemented to eliminate, minimise or manage the risks to parties involved in the PID?
  4. monitoring and reviewing the risk management plan – the risk assessment should be reviewed on a regular basis, and the risk management plan amended as required until the management of the PID is finalised.

The officer conducting the risk assessment should consult with the discloser (or other affected party) where possible to assist in completing the risk assessment, and, where appropriate, inform the development of a risk management plan.

The risk assessment and risk management plan must be appropriately documented.  Analysing the findings of risk assessments may contribute to improved PID management practice within the entity as well as inform reviews of the entity’s PID procedure and PID management plan.

What factors could influence risk?

Assessing the risk involves considering whether reprisal may arise and the factors that may make this more or less likely.

Consider the scenario of a junior officer making a corrupt conduct allegation about their immediate supervisor, who is a senior officer in the organisation, and it seems likely confidentiality will not be maintained in the investigative process. The research indicates this kind of situation presents a higher risk.

Alternatively, a discloser who is a ‘role reporter’, that is someone who has made a disclosure of wrongdoing identified in the ordinary course of their work (for example, an auditor, investigator or occupational health and safety specialist), may be less likely to have direct contact with the subject officer and less likely to be identifiable as the source of the disclosure.

Where several people have disclosed the same information, this may have a protective effect. 

Evaluate the consequences of reprisal. What impact could it have on the discloser, the work unit and the organisation?  How serious would these outcomes be? For example, would it be a relatively minor impact that could be relatively easily rectified or corrected? Or is it more likely to have significant resource and reputational impacts?

What controls do you already have in place to manage this risk?  Is the workplace well monitored and the discloser effectively supported by a manager who has a sound knowledge of their obligations under the PID Act? 

After weighing up all the risks, potential harm and consequences, and the likelihood of reprisal occurring, assess the level of overall risk.  Where there is reasonable risk of reprisal, prepare a risk management plan.

How is the risk of reprisal managed?

Managing the risk of reprisal requires implementing appropriate actions to protect the discloser (or other affected party) from reprisal. The actions should be proportionate to the risk of reprisal. The risk management plan can be used to record the risk, the action to be taken (including timing and frequency, if relevant), who is responsible for action and the arrangements for reporting and monitoring.

In accordance with PID Standard 2/2019, as a minimum the entity should assign a PID Support Officer who is independent of the investigation of the PID to support the discloser.  The entity should also provide information about the support available to the discloser.  The same support arrangements may be appropriate for other affected parties where there is a high risk of reprisal.

What reasonable steps should be taken to protect the discloser (or other affected party) from reprisal will depend upon the particular circumstances.  In some cases proactive monitoring of the workplace may be sufficient to adequately protect the discloser (or other affected party) from reprisal. In other cases it may be necessary to consider changed supervision arrangements, reorganisation of the workspace, alternative work duties, leave arrangements, suspension of a subject officer or secondment of the discloser (or other affected party) to another location or agency.

The implementation of risk management actions needs to be monitored to ensure the planned action has been implemented and is having the expected effect. The discloser (or other affected party) should be proactively contacted on a regular basis, at least until management of the PID has been completed.

The risk assessment should be reviewed at critical stages in the investigation and the risk management plan amended as required.

Last updated: Tuesday, 13 February 2024 12:23:49 PM