Feeds

Privacy rights of whistleblowers and their accused

EU Working Party reports

Beginner's guide to SSL certificates

Workplace whistleblowing schemes that exist to catch office thieves, crooked accountants or general misconduct and skullduggery, present data protection issues that have become the subject of new guidance from an EU Working Party.

The EU's Article 29 Working Party on Data Protection issued its opinion this month on whistleblowing compliance. Such opinions are not binding; but they are influential and will be of interest to any organisation looking to implement a whistleblowing scheme.

The Working Party reported that cultural differences around the EU have made it impractical to issue general guidance at this stage. It has therefore chosen to focus on those areas that need guidance most – especially those affected by new legislation such as the US Sarbanes-Oxley Act, which penalises firms that do not comply with whistleblowing rules.

Background

Whistleblowing schemes are designed to allow employees to report misconduct internally, providing an alternative to other internal management processes. They offer a safeguard against corporate wrongdoing and the employee is given certain protections to encourage use of the scheme.

But the schemes must be compliant with EU data protection rules, protecting both the whistleblower and the person accused of misconduct. Such compliance, says the Working Party, will both alleviate the risks of stigmatisation and victimisation and "generally contribute to the proper functioning of whistleblowing schemes".

The opinion

In its opinion, the Working Party does not consider employment or criminal issues raised by the schemes, but instead highlights how it believes some of the provisions of the EU Data Protection Directive should be applied. In particular it considers:

  • The legitimacy of the scheme – the scheme is only legitimate if it is necessary to comply with a legal obligation imposed by the EU or Member State or for the purpose of a legitimate interest, such as imposing good corporate governance. The US Sarbanes-Oxley Act is caught by this second requirement, but there must be adequate safeguards put in place to protect those involved in the scheme, says the Working Party.
  • Data quality and proportionality – in some circumstances it might be appropriate to limit the number of people who can report alleged misconduct, or be reported for alleged misconduct. The Working Party also provides that, to allow the data to be collected fairly, whistleblowing schemes should not allow anonymous reporting, unless under exceptional conditions. In addition, the data collected should be limited to the facts needed to verify the allegations.
  • Provision of clear and complete information on the scheme – this should let employees know that the scheme is in place and detail its purpose, functioning, confidentiality, access and rectification procedures.
  • Rights of the accused person – schemes should focus on the rights of the accused person, without damaging those of the whistleblower. The accused should be informed as soon as possible, unless this would jeopardise the investigation. The accused can object and has rights to access and rectify the data if it is incorrect.
  • Security – the data must be protected and kept confidential.
  • Management – internal management of the scheme is preferred, and should be strictly separated from other areas of the company. If management of the scheme is outsourced, the original company still remains responsible for ensuring that the data is processed in accordance with data protection rules.
  • Transfers to third countries – if that third country does not have adequate data protection rules, data can only be sent if the recipient is a member of the US Safe Harbour Scheme, has entered into an approved contract or has implemented approved binding corporate rules.
  • Compliance with notification rules – companies setting up whistleblowing schemes must notify and have their scheme approved by their national data protection regulator.

See: The Working Party Opinion (18-page / 101KB PDF)

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Choosing a cloud hosting partner with confidence

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Special pleading against mass surveillance won't help anyone
Protecting journalists alone won't protect their sources
Big Content Australia just blew a big hole in its credibility
AHEDA's research on average content prices did not expose methodology, so appears less than rigourous
Vodafone to buy 140 Phones 4u stores from stricken retailer
887 jobs 'preserved' in the process, says administrator PwC
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.