Feeds

Privacy rights of whistleblowers and their accused

EU Working Party reports

Next gen security for virtualised datacentres

Workplace whistleblowing schemes that exist to catch office thieves, crooked accountants or general misconduct and skullduggery, present data protection issues that have become the subject of new guidance from an EU Working Party.

The EU's Article 29 Working Party on Data Protection issued its opinion this month on whistleblowing compliance. Such opinions are not binding; but they are influential and will be of interest to any organisation looking to implement a whistleblowing scheme.

The Working Party reported that cultural differences around the EU have made it impractical to issue general guidance at this stage. It has therefore chosen to focus on those areas that need guidance most – especially those affected by new legislation such as the US Sarbanes-Oxley Act, which penalises firms that do not comply with whistleblowing rules.

Background

Whistleblowing schemes are designed to allow employees to report misconduct internally, providing an alternative to other internal management processes. They offer a safeguard against corporate wrongdoing and the employee is given certain protections to encourage use of the scheme.

But the schemes must be compliant with EU data protection rules, protecting both the whistleblower and the person accused of misconduct. Such compliance, says the Working Party, will both alleviate the risks of stigmatisation and victimisation and "generally contribute to the proper functioning of whistleblowing schemes".

The opinion

In its opinion, the Working Party does not consider employment or criminal issues raised by the schemes, but instead highlights how it believes some of the provisions of the EU Data Protection Directive should be applied. In particular it considers:

  • The legitimacy of the scheme – the scheme is only legitimate if it is necessary to comply with a legal obligation imposed by the EU or Member State or for the purpose of a legitimate interest, such as imposing good corporate governance. The US Sarbanes-Oxley Act is caught by this second requirement, but there must be adequate safeguards put in place to protect those involved in the scheme, says the Working Party.
  • Data quality and proportionality – in some circumstances it might be appropriate to limit the number of people who can report alleged misconduct, or be reported for alleged misconduct. The Working Party also provides that, to allow the data to be collected fairly, whistleblowing schemes should not allow anonymous reporting, unless under exceptional conditions. In addition, the data collected should be limited to the facts needed to verify the allegations.
  • Provision of clear and complete information on the scheme – this should let employees know that the scheme is in place and detail its purpose, functioning, confidentiality, access and rectification procedures.
  • Rights of the accused person – schemes should focus on the rights of the accused person, without damaging those of the whistleblower. The accused should be informed as soon as possible, unless this would jeopardise the investigation. The accused can object and has rights to access and rectify the data if it is incorrect.
  • Security – the data must be protected and kept confidential.
  • Management – internal management of the scheme is preferred, and should be strictly separated from other areas of the company. If management of the scheme is outsourced, the original company still remains responsible for ensuring that the data is processed in accordance with data protection rules.
  • Transfers to third countries – if that third country does not have adequate data protection rules, data can only be sent if the recipient is a member of the US Safe Harbour Scheme, has entered into an approved contract or has implemented approved binding corporate rules.
  • Compliance with notification rules – companies setting up whistleblowing schemes must notify and have their scheme approved by their national data protection regulator.

See: The Working Party Opinion (18-page / 101KB PDF)

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

The essential guide to IT transformation

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
No, thank you. I will not code for the Caliphate
Some assignments, even the Bongster decline must
Kaspersky backpedals on 'done nothing wrong, nothing to fear' blather
Founder (and internet passport fan) now says privacy is precious
TROLL SLAYER Google grabs $1.3 MEEELLION in patent counter-suit
Chocolate Factory hits back at firm for suing customers
Mozilla's 'Tiles' ads debut in new Firefox nightlies
You can try turning them off and on again
Sit tight, fanbois. Apple's '$400' wearable release slips into early 2015
Sources: time to put in plenty of clock-watching for' iWatch
Facebook to let stalkers unearth buried posts with mobe search
Prepare to HAUNT your pal's back catalogue
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?