BY: ComplyLog|January 11, 2022|Whistleblowing
The majority of businesses and municipalities in the European Union will either already be subject to compliance with the EU Whistleblowing Directive or have that legislation looming on the horizon. The EU decided to take action to protect whistleblowers following a spate of incidents, such as the LuxLeaks saga, where people uncovering illegal activity, like tax avoidance, were punished for making their reports. Among other things, the directive sets out how to investigate a whistleblower complaint in the EU.
It is important to investigate whistleblower reports thoroughly and in a manner that remains compliant with both national and EU law. Whistleblowers must trust that you will hear their complaint, protect them from retaliation and follow up in a way that seeks to eradicate criminal behaviour.
With tax avoidance and evasion causing the European Union to lose €50–70 billion in revenue (at a conservative estimate) and questions being raised about public procurement policies in the EU, whistleblowers play a key role in uncovering crimes that cost taxpayers money and endanger them or the public in general. This is why employers must take their reports seriously.
Directive (EU) 2019/1937 of the European Parliament is also known as the EU Whistleblowing Directive and features legislation that requires many businesses, public bodies and municipalities to:
Create a confidential internal reporting system for whistleblowers
It also sets out a process for escalating complaints to an external body or making a public disclosure if the reporting person is not satisfied with the way the complaint is handled.
The directive refers to breaches of European Union law, but, when transposing the EU Whistleblowing Directive, many member states extended its scope to include breaches of national law as well. Under the law, legal entities are obliged to accept and investigate reports from:
A whistleblower investigation begins when someone files a report using the organisation’s internal system. This report will centre around illegal activity that the reporting person encountered during their working engagement with the organisation.
The independent, competent individual or department tasked with performing the investigation will then look into their claims to find out if they are true and, if so, establish how wrongdoing has occurred and what must be done to correct it and bring the perpetrators to account.
Following the investigation, the individual or department must feed back their findings to the reporting person and provide clear and accessible information on how they can escalate their report to a national competent authority, if necessary. They can also issue details of any disciplinary action set to take place.
Each investigation is different, because there are many different types of potential wrongdoing. However, some key elements will form the basis of any investigation legal entities undertake relating to the EU Whistleblowing Directive as part of compliance programmes.
Make sure you take the following steps in order to remain compliant.
You need to understand what the report relates to in order to be able to investigate properly. Firstly, the designated investigator, which could be an individual or a department, must ascertain that they can remain impartial when investigating. For example, if the report is about wrongdoing in that department, that would compromise their independence.
You also need to decide whether to act on anonymous reports. The directive allows individual countries to determine whether companies are obliged to investigate such reports. If there is no specific law, it is up to legal entities to choose whether to process anonymous reports.
Another consideration is whether the report falls under the scope of the directive, as implemented in the member state in which the alleged wrongdoing took place. If the report relates to a breach of national legislation, the company will not be obliged to investigate in compliance with the directive if the country has not explicitly included national law in its implementation of it. However, in order to foster a culture of openness, where whistleblowing is encouraged for the good of the majority, it makes sense to treat all whistleblowing reports in the same manner. A consistent approach makes the process more trustworthy, and it is more likely to encourage whistleblowers to come forward.
The organisation is under a legal obligation to acknowledge receipt of the whistleblower’s report within seven days. This ensures that the reporting person knows their complaint has been logged and will be investigated.
There is also a deadline of three months for contacting the reporting person and feeding back on the outcomes of the investigation. Both of these deadlines are the maximum allowable under the law. You can contact the whistleblower earlier if you wish, and this sends a message to them that you are committed to understanding and resolving their problem.
In addition to the legal deadlines for contact, the investigating team will also need to talk to the reporting person in order to glean as much information as possible about their complaint. Once you have digested the elements of the report, you should put together a list of questions to ask the whistleblower in order to fully understand their situation.
The reporting person has the right to have their identity kept confidential by the investigating team. This right also extends to their colleagues and family, as well as anyone mentioned in their report in relation to wrongdoing.
Not only can the whistleblower be left open to retaliation if their identity is leaked, but so can those accused of wrongdoing. As such, the process must be completely confidential to ensure the investigation can be concluded properly before you make decisions on how to resolve the issue. This protection of whistleblowers is key to the directive.
If you decide that there has been a potential breach then you should investigate the whistleblower report thoroughly to establish the exact facts. This involves following up on evidence and interviewing witnesses and those accused of wrongdoing.
It is essential that you properly investigate reports, as allowing illegal activity to go unchecked in an organisation brings many potential issues:
Once you establish that there has been a breach of the law within your organisation, you can take corrective action. This might involve instigating disciplinary procedures against an employee or employees, as well as informing the authorities.
You should also review your systems and attempt to understand how the illegal activity could have occurred in the first place. Once this is established, you can take measures to prevent it from happening again. You might also want to run a security audit of the organisation as a whole to check that there are no vulnerabilities anywhere else.
If it turns out that a reporting person has knowingly made a false claim, you should report them as they can be issued with ‘effective, proportionate and dissuasive penalties’.
When you report back to the whistleblower, you should also inform them of their options going forward. They can issue a report to an external reporting channel and, if they are still not satisfied, make a public disclosure in the press or on social media.
Once a whistleblower makes their report, as long as they were acting in good faith, they must be protected from retaliation by legal entities. In fact, the burden of proof is reversed in cases where a reporting person believes they suffered as a direct result of making their report. The person accused of retaliation must prove that either they did not commit the act or that the act was completely unconnected to the report.
You should implement policies and disciplinary action to dissuade anyone involved in the organisation from retaliating against the whistleblower through intimidation, bullying, termination of contract, demotion, passing over for promotion or any other similar action. If retaliation against them occurs, you must provide the whistleblower with access to appropriate remedial action and additional measures.
The ideal whistleblowing channel is one that fulfils the requirements of the directive. It should be confidential, compliant with GDPR, accessible only by authorised personnel, able to be used by all employees and others covered by the directive and allow for follow-up in order to help conduct an investigation. Here are some examples of internal reporting channels:
| Type of Channel | How it Works |
|---|---|
| Postbox | Reports are posted in a physical postbox in an office as part of internal reporting procedures. Remaining anonymous is difficult as it is very public, and it is no good for remote workers. |
| Email | Email is in common usage and available around the world, so this works for employees. However, this requires those receiving the emails to keep them organised and confidential. |
| Telephone | In order for a whistleblowing hotline to work, it must be available 24 hours a day, which requires highly trained staff to be on call at all times. Also, taking notes might mean they miss or forget vital information and risk falling foul of privacy laws. |
| Digital Whistleblowing System | To make a confidential report, whistleblowers use an online tool that is protected from unauthorised access. It provides a dashboard to keep organisations informed of the status of cases and ensures they do not miss deadlines for compliance. |
| Face-to-Face Meeting | Whistleblowers can make their reports to an individual in a face-to-face meeting. This method relies on the representative of the organisation taking thorough and accurate notes and being impartial. |
The investigator should be an individual or department that is designated as a competent, impartial function as part of company policy. Your whistleblower policy should state who will look into whistleblowing reports.
You must send an acknowledgement of receipt within seven days of the report being filed and feed back to the whistleblower within three months. This is deemed a reasonable timeframe, although it can be extended to six months where necessary due to the complexity of the case.
Companies with more than 50 employees, public sector institutions, authorities and municipalities with 10,000 or more inhabitants will all be affected by the EU Whistleblowing Directive. However, businesses and government organisations with between 50 and 249 staff have until 17th December 2023 to implement their reporting systems.
You should investigate reports in a thorough and fair manner, within a reasonable period of time. It is essential to keep information confidential, as well as prevent unauthorised access to it and retaliation against reporting persons.
Now that you know how to investigate a whistleblower complaint, it may be helpful to look into ways to automate the process. A digital whistleblowing platform like IntegrityLog can help you speed up the submission and investigation of whistleblowing reports. It keeps you compliant with the EU Whistleblowing Directive and minimises the amount of time you spend on the administrative work surrounding the process.
You can try a free demo of IntegrityLog for your organisation today to see how it can streamline your whistleblowing processes.