Workplace whistleblowing schemes that exist to catch office thieves, crooked accountants or general misconduct and skullduggery, present data protection issues that have become the subject of new guidance from an EU Working Party.
The EU's Article 29 Working Party on Data Protection issued its opinion this month on whistleblowing compliance. Such opinions are not binding; but they are influential and will be of interest to any organisation looking to implement a whistleblowing scheme.
The Working Party reported that cultural differences around the EU have made it impractical to issue general guidance at this stage. It has therefore chosen to focus on those areas that need guidance most – especially those affected by new legislation such as the US Sarbanes-Oxley Act, which penalises firms that do not comply with whistleblowing rules.
Whistleblowing schemes are designed to allow employees to report misconduct internally, providing an alternative to other internal management processes. They offer a safeguard against corporate wrongdoing and the employee is given certain protections to encourage use of the scheme.
But the schemes must be compliant with EU data protection rules, protecting both the whistleblower and the person accused of misconduct. Such compliance, says the Working Party, will both alleviate the risks of stigmatisation and victimisation and "generally contribute to the proper functioning of whistleblowing schemes".
In its opinion, the Working Party does not consider employment or criminal issues raised by the schemes, but instead highlights how it believes some of the provisions of the EU Data Protection Directive should be applied. In particular it considers:
- The legitimacy of the scheme – the scheme is only legitimate if it is necessary to comply with a legal obligation imposed by the EU or Member State or for the purpose of a legitimate interest, such as imposing good corporate governance. The US Sarbanes-Oxley Act is caught by this second requirement, but there must be adequate safeguards put in place to protect those involved in the scheme, says the Working Party.
- Data quality and proportionality – in some circumstances it might be appropriate to limit the number of people who can report alleged misconduct, or be reported for alleged misconduct. The Working Party also provides that, to allow the data to be collected fairly, whistleblowing schemes should not allow anonymous reporting, unless under exceptional conditions. In addition, the data collected should be limited to the facts needed to verify the allegations.
- Provision of clear and complete information on the scheme – this should let employees know that the scheme is in place and detail its purpose, functioning, confidentiality, access and rectification procedures.
- Rights of the accused person – schemes should focus on the rights of the accused person, without damaging those of the whistleblower. The accused should be informed as soon as possible, unless this would jeopardise the investigation. The accused can object and has rights to access and rectify the data if it is incorrect.
- Security – the data must be protected and kept confidential.
- Management – internal management of the scheme is preferred, and should be strictly separated from other areas of the company. If management of the scheme is outsourced, the original company still remains responsible for ensuring that the data is processed in accordance with data protection rules.
- Transfers to third countries – if that third country does not have adequate data protection rules, data can only be sent if the recipient is a member of the US Safe Harbour Scheme, has entered into an approved contract or has implemented approved binding corporate rules.
- Compliance with notification rules – companies setting up whistleblowing schemes must notify and have their scheme approved by their national data protection regulator.
See: The Working Party Opinion (18-page / 101KB PDF)
Copyright © 2006, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.