The reporting system in the Whistleblower Directive has three levels: 1) internal reporting channel, 2) reporting channel maintained by a public authority and 3) public disclosure of information. The primary reporting channel is the organization’s internal, confidential reporting channel. Employees and other stakeholders defined in the Directive may anonymously report suspected or observed misconduct to the internal reporting channel. The reporting channel will be run, and the reports will be handled by an impartial and independent person or unit such as the compliance team or the HR department. It is up to the organization to decide whether it sets up the internal reporting channel by itself or whether the reporting channel service is purchased from an external service provider. The key is, that the employees and other stakeholders trust the person/team in charge of the reporting process and feel that they can safely report any misconduct they observe. The reporting channel allows organizations to receive information about issues at early stage and provides an opportunity for early intervention. In addition to the internal reporting channel, reports can also be made to a channel maintained by a public authority. Reports to the external reporting channel may be made either directly, or in situations where reporting to the internal reporting channels has not led to any actions. In certain special cases defined in the Directive, an employee/stakeholder may also disclose the information to the press.
The Whistleblower Directive requires clear procedures for processing and investigating any received reports. The handling of the reports becomes mandatory and certain minimum requirements will be required. Companies and public sector organizations are required to take actions and draw up guidelines to ensure that the received reports and any related information are stored in accordance with the Data Protection Regulation and other privacy laws. The reporting channel is only one element of the companies’ and organizations’ compliance program and one tool in the promotion of responsible corporate culture. In order to function properly and to improve ethical and responsible behavior, the companies’ codes of conduct and other policies and guidelines must be in order. The employees must know what kind of behavior and actions are expected from them and what kind of actions are not acceptable. Stakeholders on the other hand, must be able to assess whether the company operates responsibly and in compliance with laws and regulations.