In 2024, a medium-sized logistics company in the East Midlands was fined £180,000 for employing workers without the right to work. The civil penalty was substantial, but the detail that made the case notable was in the enforcement report: three employees had raised concerns internally, over a period of eleven months, about workers on site who appeared to be using someone else's documents. None of the concerns were investigated. Two were dismissed by a supervisor as "not our problem." One was never escalated beyond the shift manager who received it.
When the Home Office arrived for an enforcement visit — prompted by intelligence that may well have come from one of the same employees who had tried to raise the issue internally — the company had no defence. The compliance failure was not just that they had employed illegal workers. It was that their own employees had tried to tell them, and nobody listened.
This pattern — internal knowledge preceding external enforcement — is not unusual. It is, in fact, the norm. According to the Association of Certified Fraud Examiners (ACFE), tips from employees are the single most common method by which occupational fraud is detected, accounting for 43% of all cases globally. More than internal audits. More than management review. More than external inspections.
The same principle applies to employment compliance. The people who see the gaps first are not regulators. They are the employees who work alongside the unchecked worker, who notice the documents that do not look right, who see the new starter who never produced their passport.
The question is whether your business has created the conditions for those people to speak up — and whether anyone acts when they do.
The legal framework: Public Interest Disclosure Act 1998
The Public Interest Disclosure Act 1998 (PIDA) provides legal protection for workers who make disclosures about wrongdoing in their workplace. A worker who makes a "qualifying disclosure" — a disclosure of information that the worker reasonably believes shows a criminal offence, a failure to comply with a legal obligation, a miscarriage of justice, a danger to health and safety, environmental damage, or a deliberate concealment of any of these — is protected from dismissal or detriment as a result of that disclosure.
The protections apply to:
- Employees
- Agency workers
- Contractors
- Trainees
- Home workers
- Anyone working under a contract personally to do work
For employment compliance, the relevant category is a failure to comply with a legal obligation. Employing someone without the right to work is a breach of the Immigration, Asylum and Nationality Act 2006. Reporting this breach to an employer — or, if the employer fails to act, to a regulator — is a qualifying disclosure protected by PIDA.
This means that an employee who reports a suspected right to work compliance failure cannot lawfully be dismissed or subjected to any detriment (such as demotion, reduced hours, bullying, or exclusion) as a result of that report. If they are, the employer faces an automatic unfair dismissal claim with no qualifying period of employment and uncapped compensation.
Why employees stay silent
Despite the legal protections, employees frequently do not report compliance concerns. The reasons are consistent across sectors and organisation sizes.
Fear of retaliation. The legal protection against retaliation exists precisely because retaliation is common. Employees — particularly those in junior or precarious positions — fear that reporting a concern will lead to negative consequences: being labelled a troublemaker, being excluded from opportunities, being managed out. The protection offered by PIDA is a remedy after the fact. It does not prevent the retaliation from happening. For many workers, the prospect of an employment tribunal is not an adequate substitute for the security of staying quiet.
Uncertainty about whether it matters. Many employees who notice something that seems wrong are not sure whether it constitutes a compliance failure. A colleague who started without showing documents — is that the company's fault or the colleague's? A new worker whose English is poor and whose documents someone else presented — is that suspicious or just how things work? The gap between noticing something and being confident it is worth reporting is wide enough for most concerns to fall into.
Lack of a clear reporting channel. In many businesses, there is no obvious way to report a compliance concern. The employee could tell their line manager — but their line manager may be part of the problem. They could go to HR — but HR may be the department that failed to conduct the check in the first place. They could email the compliance officer — if they knew the company had one. Without a clear, accessible, confidential reporting mechanism, the friction of reporting outweighs the motivation.
Loyalty and social dynamics. Reporting a concern about a colleague's right to work status feels like informing on someone. In workplaces with strong team bonds — particularly in sectors like care and hospitality where staff work closely together — the social cost of being seen as a whistleblower is high. The person you report may be a friend. The person affected by the report may be someone the team depends on.
Cultural and language barriers. In diverse workforces, cultural norms around reporting authority figures vary significantly. Workers from countries where reporting to authorities carries personal risk may be deeply reluctant to raise concerns, even when the legal framework protects them. Language barriers compound this — explaining a nuanced concern in a second language through unfamiliar channels is daunting.
The intersection with Fair Work Agency enforcement
The Fair Work Agency has consolidated the enforcement functions previously split across multiple bodies. Critically, the FWA accepts intelligence from workers, former workers, and members of the public. This is not a passive inbox — the FWA is designed to act on information received.
This changes the calculus for businesses. Previously, a worker who could not get their employer to act on a compliance concern had limited options. They could report to HMRC (for minimum wage issues), the GLAA (for gangmaster licensing), or the Employment Agency Standards Inspectorate — assuming they knew which body to contact and what the concern related to.
Now, the FWA provides a single point of contact for a wide range of employment compliance concerns, including right to work failures. A worker who raises a concern internally and is ignored can go to the FWA. A worker who is afraid to raise the concern internally can go to the FWA directly.
This means that the business's internal reporting culture directly affects its enforcement risk. If employees feel they can raise concerns internally and those concerns will be investigated, the business has an early warning system. If employees feel they cannot — because the channels do not exist, because retaliation is likely, because concerns are dismissed — they may go directly to the FWA instead.
The difference between an internal concern that is investigated and resolved, and an FWA enforcement visit triggered by external intelligence, is the difference between a process improvement and a £45,000 penalty.
Building an effective speak-up culture
A speak-up culture is not built by publishing a whistleblowing policy and putting a poster in the break room. It is built through consistent action over time, demonstrating that concerns are welcome, protected, and acted upon.
Create clear reporting channels
Employees must know how to raise a concern. The channel must be:
- Accessible — available to all workers, including agency staff, part-time workers, and those without corporate email
- Confidential — the reporter's identity must be protected from the subject of the concern and from anyone not directly involved in the investigation
- Independent — ideally, the channel should not report solely to the person's line management. An external helpline, a designated compliance officer outside the reporter's chain of command, or a confidential email address monitored by a senior manager all provide alternatives
- Available in multiple languages — in workplaces with a diverse workforce, reporting channels must accommodate language barriers
The Modern Slavery Helpline and Crimestoppers provide external reporting options that employees should be aware of. But internal channels should be the first resort, because they give the business the opportunity to act before an external body does.
Protect reporters visibly
Legal protection under PIDA is necessary but not sufficient. Employees need to see that reporting is safe — not just in law, but in practice. This means:
- Publicising the policy. Everyone should know the whistleblowing policy exists and what it covers. Include it in induction training, display it in common areas, and reference it in staff communications.
- Training managers. Frontline managers are the most common recipients of informal concerns. They must know how to receive a concern appropriately: take it seriously, record it, escalate it through the defined channel, and never retaliate or dissuade the reporter. A manager who dismisses a concern — even casually — sends a message to every employee who hears about it.
- Demonstrating outcomes. When a concern is raised and investigated, the reporter should be informed of the outcome (to the extent confidentiality allows). If the concern led to a change — a process improvement, a corrective action, a check being conducted — that demonstrates the system works.
- Disciplining retaliation. If any manager or colleague retaliates against a person who raised a concern, that retaliation must have consequences. Visible consequences.
Act on what you hear
This is the point where most businesses fail. The channel exists. The policy is published. A concern is raised. And then nothing happens.
The concern sits in someone's inbox. The investigation is delayed because it is awkward. The line manager assures the compliance team that "it's been sorted" without providing evidence. The reporter hears nothing back. They conclude that reporting is pointless. The next concern goes unreported.
Acting on concerns means:
- Investigating promptly. Every compliance concern should be investigated within a defined timeframe — not when someone gets around to it.
- Documenting the investigation. What was the concern? Who investigated it? What did they find? What action was taken? This creates an audit trail that demonstrates due diligence.
- Taking corrective action. If the investigation reveals a compliance gap — a missing right to work check, an expired visa not followed up, an agency worker not verified — fix it immediately and review whether the gap exists elsewhere.
- Feeding back to the reporter. Close the loop. The person who raised the concern deserves to know it was taken seriously, even if they cannot be told every detail of the outcome.
Treat concerns as intelligence, not accusations
The framing matters. A compliance concern is not an accusation against an individual. It is a data point about a potential process failure. When a worker reports that a new colleague started without showing documents, the issue is the process, not the person.
Framing concerns as intelligence — information that helps the business identify and fix gaps — removes much of the social stigma. It is not "informing on a colleague." It is "flagging a gap in our process." This framing encourages reporting by reducing the perceived personal cost.
When compliance silence becomes a liability
The failure to create effective internal reporting channels is not just a cultural problem. It is a legal and commercial risk.
Regulatory expectation. The FWA and other enforcement bodies increasingly expect businesses to have internal compliance monitoring and reporting mechanisms. During a compliance visit, inspectors may ask what systems you have for staff to raise concerns and how those concerns are investigated. An absence of any such system signals a compliance culture that is reactive at best.
Tribunal risk. If an employee raises a compliance concern, is ignored or retaliated against, and then the business is fined for the exact compliance failure that was reported, the subsequent employment tribunal will be unforgiving. The compensation for whistleblowing dismissal is uncapped, and the narrative — "they tried to warn us and we fired them" — is devastating in any forum.
Investor and client scrutiny. Institutional investors, large clients, and public sector procurement processes increasingly ask about whistleblowing and compliance culture as part of due diligence. The absence of a credible speak-up framework is a red flag.
The compliance culture vs compliance theatre distinction. A business that has a whistleblowing policy it has never used, reporting channels nobody knows about, and a track record of ignoring concerns has compliance theatre. A business that actively encourages, receives, investigates, and acts on compliance concerns has a compliance culture. When enforcement arrives, the distinction is immediately visible.
Certifyd's Right to Work Portal creates a verifiable, auditable compliance record for every worker — reducing the compliance gaps that whistleblowers have to report in the first place. When every check is documented, every expiry is tracked, and every record is accessible, the system catches what people might otherwise have to flag.