Feeds

Privacy rights of whistleblowers and their accused

EU Working Party reports

Choosing a cloud hosting partner with confidence

Workplace whistleblowing schemes that exist to catch office thieves, crooked accountants or general misconduct and skullduggery, present data protection issues that have become the subject of new guidance from an EU Working Party.

The EU's Article 29 Working Party on Data Protection issued its opinion this month on whistleblowing compliance. Such opinions are not binding; but they are influential and will be of interest to any organisation looking to implement a whistleblowing scheme.

The Working Party reported that cultural differences around the EU have made it impractical to issue general guidance at this stage. It has therefore chosen to focus on those areas that need guidance most – especially those affected by new legislation such as the US Sarbanes-Oxley Act, which penalises firms that do not comply with whistleblowing rules.

Background

Whistleblowing schemes are designed to allow employees to report misconduct internally, providing an alternative to other internal management processes. They offer a safeguard against corporate wrongdoing and the employee is given certain protections to encourage use of the scheme.

But the schemes must be compliant with EU data protection rules, protecting both the whistleblower and the person accused of misconduct. Such compliance, says the Working Party, will both alleviate the risks of stigmatisation and victimisation and "generally contribute to the proper functioning of whistleblowing schemes".

The opinion

In its opinion, the Working Party does not consider employment or criminal issues raised by the schemes, but instead highlights how it believes some of the provisions of the EU Data Protection Directive should be applied. In particular it considers:

  • The legitimacy of the scheme – the scheme is only legitimate if it is necessary to comply with a legal obligation imposed by the EU or Member State or for the purpose of a legitimate interest, such as imposing good corporate governance. The US Sarbanes-Oxley Act is caught by this second requirement, but there must be adequate safeguards put in place to protect those involved in the scheme, says the Working Party.
  • Data quality and proportionality – in some circumstances it might be appropriate to limit the number of people who can report alleged misconduct, or be reported for alleged misconduct. The Working Party also provides that, to allow the data to be collected fairly, whistleblowing schemes should not allow anonymous reporting, unless under exceptional conditions. In addition, the data collected should be limited to the facts needed to verify the allegations.
  • Provision of clear and complete information on the scheme – this should let employees know that the scheme is in place and detail its purpose, functioning, confidentiality, access and rectification procedures.
  • Rights of the accused person – schemes should focus on the rights of the accused person, without damaging those of the whistleblower. The accused should be informed as soon as possible, unless this would jeopardise the investigation. The accused can object and has rights to access and rectify the data if it is incorrect.
  • Security – the data must be protected and kept confidential.
  • Management – internal management of the scheme is preferred, and should be strictly separated from other areas of the company. If management of the scheme is outsourced, the original company still remains responsible for ensuring that the data is processed in accordance with data protection rules.
  • Transfers to third countries – if that third country does not have adequate data protection rules, data can only be sent if the recipient is a member of the US Safe Harbour Scheme, has entered into an approved contract or has implemented approved binding corporate rules.
  • Compliance with notification rules – companies setting up whistleblowing schemes must notify and have their scheme approved by their national data protection regulator.

See: The Working Party Opinion (18-page / 101KB PDF)

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Security for virtualized datacentres

More from The Register

next story
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Spies, avert eyes! Tim Berners-Lee demands a UK digital bill of rights
Lobbies tetchy MPs 'to end indiscriminate online surveillance'
How the FLAC do I tell MP3s from lossless audio?
Can you hear the difference? Can anyone?
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.