A good three-tiered regime will work quite simply. Any reasonable suspicion internally should automatically be protected. Any direct disclosures to a regulator or an integrity agency should be automatically protected, whether they've gone internally or not. Disclosures to third parties, whether they're unions, civil society organizations, or the media, should be protected in any circumstances where either those internal or regulatory disclosures were not adequately dealt with and there are reasonable grounds for concluding that after a reasonable time, or where the court or tribunal can be reasonably satisfied that there was no safe mechanism, either internally or to the regulator, for somebody to disclose.
If a person has reasonable concerns that there was no safe way to disclose internally or to a regulator, that person should be entitled to a public-interest defence if he or she is prosecuted for a breach of confidence or any other remedy. It needs to be quite an expansive regime to actually work.