The purpose of a whistleblowing scheme is to detect and expose fraud, bribery, theft and other acts of wrongdoing in the workplace. Confidentiality is important because it encourages individuals to report their concerns without fear of retaliation, e.g. in the form of firing or harassment. Although the EU Whistleblower Directive (2019/1937) concentrates primarily on safeguarding whistleblowers, there are also other stakeholders to be acknowledged, especially in relation to the processing of personal data. The Directive contains a few specific rules on the processing of personal data, but for the most part it simply refers to the General Data Protection Regulation (“GDPR”).
Why are data protection rules important in the context of whistleblowing schemes? The personal data in a report can relate to whistleblowers, accused persons, persons under investigation, witnesses or other individuals, and all of these stakeholders can be affected. Unauthorized disclosures or leaks may have adverse consequences for all the individuals in question. Documents may contain names, contact details, data relating to individuals’ activities, such as working relationships and economic or social behaviour, or other information that can lead to indirect identification. Depending on the report, it may also contain information clearly not relevant to the allegations, such as health data. The processing involves sensitive personal data, i.e. data relating to criminal offences or related matters. From the accused person’s perspective there is a risk of stigmatization and victimization even before they are aware that they have been incriminated or that the facts are being investigated. There is also the possibility of false statements, sometimes made maliciously. Data protection rules and principles exist to protect individuals’ rights, but they also help in creating reliable and secure whistleblowing schemes.
Accountability applies to all operations that process personal data, including whistleblowing schemes. This means that you need to be prepared to demonstrate that the organization complies with its data protection obligations. When planning to establish a whistleblowing channel for the organization, it is worthwhile to pay attention to the issues outlined below and to ensure that the procedure and the life cycle of personal data are designed from collection to deletion.
Choose the technical and organizational measures needed to mitigate the risks and ensure data security and confidentiality; in particular, grant internal access strictly on a need-to-know basis, i.e. necessity.
Clearly specify the purpose of the whistleblowing process in guidance or a policy in order to avoid abuse and the collection of excessive, unnecessary information.
If using service providers to acquire a whistleblowing channel or otherwise to handle reports or conduct investigations, select partners that are trustworthy, trained and have good knowledge of all data protection requirements, not just data security. Ensure that the necessary Data Processing Agreements (“DPAs”) with the data processors are in place.
Be transparent and inform each category of individuals. Note that providing only a general privacy notice may not be sufficient in all cases, and that any deferral of information must be decided case by case and documented together with the reasons for the restriction.
Set up retention periods and a process for deletion or anonymization, taking into consideration that some reports lead to an investigation and others do not.
Conduct a Data Protection Impact Assessment (“DPIA”) for the whistleblowing scheme and its investigations.
Create good practice with internal rules, and choose trained persons to handle the reports, ensuring that individuals’ rights are protected throughout the procedure. Data must be adequate, relevant and not excessive in relation to the purposes for which it is collected and processed. The persons who handle reports and make initial assessments or start investigations play a significant role in these issues.
Be prepared to handle requests from individuals and to carry out a case-by-case analysis that balances all the interests involved.
EU Member States are required to implement the EU Whistleblower Directive into their national laws. Once the national laws are in place, we will have an overall understanding of the rules that must be applied to these schemes. At some point it is likely that we will have revised guidance from the European Data Protection Board (“EDPB”) and the supervisory authorities. In the meantime, the opinion of the Article 29 Data Protection Working Party on whistleblowing schemes, adopted in 2006, is worth reading.