The EU's Article 29 Working Party on Data Protection issued its
opinion this month on whistleblowing compliance. Such opinions are
not binding, but they are influential and will be
of interest to any organisation looking to implement a
whistleblowing scheme.
The Working Party reported that cultural differences around the
EU have made it impractical to issue general guidance at this
stage. It has therefore chosen to focus on those areas that need
guidance most – especially those affected by new legislation such
as the US Sarbanes-Oxley Act, which penalises
firms that do not comply with whistleblowing rules.
Background
Whistleblowing schemes are designed to allow employees to report
misconduct internally, providing an alternative to other internal
management processes. They offer a safeguard against corporate
wrongdoing and the employee is given certain protections to
encourage use of the scheme.
But the schemes must be compliant with EU data protection rules,
protecting both the whistleblower and the person accused of
misconduct. Such compliance, says the Working Party, will both
alleviate the risks of stigmatisation and victimisation and
“generally contribute to the proper functioning of whistleblowing
schemes”.
The opinion
In its opinion, the Working Party does not consider employment
or criminal issues raised by the schemes, but instead highlights
how it believes some of the provisions of the EU Data Protection
Directive should be applied. In particular it considers:
- The legitimacy of the scheme – the scheme is only legitimate if
it is necessary to comply with a legal obligation imposed by EU
or Member State law, or for the purpose of a legitimate interest, such
as ensuring good corporate governance. The US
Sarbanes-Oxley Act falls under this second ground, but there
must be adequate safeguards put in place to protect those involved
in the scheme, says the Working Party.
- Data quality and proportionality – in some circumstances it
might be appropriate to limit the number of people who can report
alleged misconduct, or who can be reported for alleged misconduct. The
Working Party also states that, to allow the data to be collected
fairly, whistleblowing schemes should not allow anonymous
reporting, except in exceptional circumstances. In
addition, the data collected should be limited to the facts needed
to verify the allegations.
- Provision of clear and complete information on the scheme –
this should let employees know that the scheme is in place and
detail its purpose, functioning, confidentiality, access and
rectification procedures.
- Rights of the accused person – schemes should focus on the
rights of the accused person, without damaging those of the
whistleblower. The accused should be informed as soon as
possible, unless this would jeopardise the investigation.
The accused can object to the processing and has the right to access
and rectify the data if it is incorrect.
- Security – the data must be protected and kept
confidential.
- Management – internal management of the scheme is preferred,
and it should be strictly separated from other areas of the company.
If management of the scheme is outsourced, the original
company remains responsible for ensuring that the
data is processed in accordance with data protection rules.
- Transfers to third countries – if the third country does not
have adequate data protection rules, data can only be sent if the
recipient is a member of the US Safe Harbour scheme, has entered
into an approved contract or has implemented approved binding
corporate rules.
- Compliance with notification rules – companies setting up
whistleblowing schemes must notify and have their scheme approved
by their national data protection regulator.