Feeds

Privacy rights of whistleblowers and their accused

EU Working Party reports

High performance access to file storage

Workplace whistleblowing schemes that exist to catch office thieves, crooked accountants or general misconduct and skullduggery, present data protection issues that have become the subject of new guidance from an EU Working Party.

The EU's Article 29 Working Party on Data Protection issued its opinion this month on whistleblowing compliance. Such opinions are not binding; but they are influential and will be of interest to any organisation looking to implement a whistleblowing scheme.

The Working Party reported that cultural differences around the EU have made it impractical to issue general guidance at this stage. It has therefore chosen to focus on those areas that need guidance most – especially those affected by new legislation such as the US Sarbanes-Oxley Act, which penalises firms that do not comply with whistleblowing rules.

Background

Whistleblowing schemes are designed to allow employees to report misconduct internally, providing an alternative to other internal management processes. They offer a safeguard against corporate wrongdoing and the employee is given certain protections to encourage use of the scheme.

But the schemes must be compliant with EU data protection rules, protecting both the whistleblower and the person accused of misconduct. Such compliance, says the Working Party, will both alleviate the risks of stigmatisation and victimisation and "generally contribute to the proper functioning of whistleblowing schemes".

The opinion

In its opinion, the Working Party does not consider employment or criminal issues raised by the schemes, but instead highlights how it believes some of the provisions of the EU Data Protection Directive should be applied. In particular it considers:

  • The legitimacy of the scheme – the scheme is only legitimate if it is necessary to comply with a legal obligation imposed by the EU or Member State or for the purpose of a legitimate interest, such as imposing good corporate governance. The US Sarbanes-Oxley Act is caught by this second requirement, but there must be adequate safeguards put in place to protect those involved in the scheme, says the Working Party.
  • Data quality and proportionality – in some circumstances it might be appropriate to limit the number of people who can report alleged misconduct, or be reported for alleged misconduct. The Working Party also provides that, to allow the data to be collected fairly, whistleblowing schemes should not allow anonymous reporting, unless under exceptional conditions. In addition, the data collected should be limited to the facts needed to verify the allegations.
  • Provision of clear and complete information on the scheme – this should let employees know that the scheme is in place and detail its purpose, functioning, confidentiality, access and rectification procedures.
  • Rights of the accused person – schemes should focus on the rights of the accused person, without damaging those of the whistleblower. The accused should be informed as soon as possible, unless this would jeopardise the investigation. The accused can object and has rights to access and rectify the data if it is incorrect.
  • Security – the data must be protected and kept confidential.
  • Management – internal management of the scheme is preferred, and should be strictly separated from other areas of the company. If management of the scheme is outsourced, the original company still remains responsible for ensuring that the data is processed in accordance with data protection rules.
  • Transfers to third countries – if that third country does not have adequate data protection rules, data can only be sent if the recipient is a member of the US Safe Harbour Scheme, has entered into an approved contract or has implemented approved binding corporate rules.
  • Compliance with notification rules – companies setting up whistleblowing schemes must notify and have their scheme approved by their national data protection regulator.

See: The Working Party Opinion (18-page / 101KB PDF)

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

High performance access to file storage

More from The Register

next story
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
It may be ILLEGAL to run Heartbleed health checks – IT lawyer
Do the right thing, earn up to 10 years in clink
France bans managers from contacting workers outside business hours
«Email? Mais non ... il est plus tard que six heures du soir!»
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.