BY: ComplyLog|January 11, 2023|Whistleblowing
The economic benefits of encouraging whistleblowers are staggering. The European Commission suggests that the “loss of potential benefits due to a lack of whistleblower protection, in public procurement alone” is between €6 and €10 billion a year.
At the same time, the EU Whistleblowing Directive is about to come into force in the European Union, protecting people who witness and report breaches of union law during the course of their work.
So, what whistleblower rights and protections will the directive bring in order to make reporting persons feel more comfortable coming forward with details of wrongdoing?
This article explores what constitutes a whistleblower, which breaches they can report, the legislation in place to protect them from retaliation and how they can make their report in order to protect the public interest.
Table of Contents
I) Employees and the EU Whistleblowing Directive
II) Whistleblower rights and protections
A whistleblower, also known as a ‘reporting person’, is described by the directive as:
“a natural person who reports or publicly discloses information on breaches acquired in the context of his or her work-related activities”
For the purposes of the EU Whistleblowing Directive, this includes:
In order to be protected under the new directive, they do not have to be proved correct when their report on criminal behaviour is investigated. However, they must have believed the information they gave to be true at the time of making the report.
The legislation allows whistleblower protection for reporting violations of EU law in the following fields:
Within these areas, it could relate to fraud, bribery, corruption or any other criminal offence.
However, member states are allowed to extend the scope of the directive to cover other aspects of union rules as well as areas of national law. Groups such as Transparency International are calling on governments in member states to allow whistleblowers protection when reporting breaches of domestic legislation, too.
Businesses in the EU will not only have to study the bloc’s directive but also their country’s individual rules on whistleblowing when they are implemented. This will help them understand the exact scope of the regulations within those borders.
Protection for the reporting person applies from the moment they make a qualifying disclosure about a breach of EU laws in the areas mentioned above (or in any other areas stipulated in that country’s own laws). The disclosure must be made in good faith, with the reporting person believing the information to be true, and through internal, external or public channels by any method laid out by the directive. These are termed protected disclosures and allow the whistleblower to enjoy the protections laid down in the act.
Whistleblowers are encouraged to report internally within the organisation in the first instance but, if they feel that they cannot for any reason, there are other options:
| Channel | Description |
|---|---|
| Internal report | Made to the organisation where the alleged offence took place, through a reporting system, either oral or written, that must protect their confidentiality. |
| External report | Made to a competent authority, such as a trade union or an NCA, through a reporting system, either oral or written, that must protect their confidentiality. |
| Public disclosure | If there is an imminent specific danger to the public interest or national security, in an emergency or in the event of dissatisfaction with internal and external reporting, the whistleblower can make a public disclosure online, in the press or by social media. |
Whistleblowers have the following rights and protections as a result of the EU Whistleblowing Directive.
The reporting person has a right to confidentiality when they make a report. This is extended to their family members and colleagues who have supported them in making their report. Any party named in the report in relation to committing a criminal activity should also have their identity kept confidential throughout the investigation process.
Companies should provide access to free legal advice for any whistleblower making a report in the prescribed manner. This should be comprehensive and impartial. It should guide them through the procedures relating to the making and investigation of the reports as well as the remedies to which they are permitted.
For the purposes of the directive, ‘retaliation’ refers to demotion, blacklisting, harassment, dismissal, limited career opportunities or any other ‘punishment’ for making a report. In the event that the organisation, or a worker within that organisation, retaliates against the whistleblower, there are protections and remedial measures available. They include:
Even if there are nondisclosure agreements or confidentiality agreements in place, or if the report relates to classified information, the reporting person will not be held liable or face sanctions. They are still allowed to disclose the facts that they believe to be true and that fall within the scope of the whistleblowing legislation in their country.
If companies or individuals take legal action in court, for defamation, copyright infringement or at an employment tribunal, for example, the whistleblower is still afforded legal protection by using the directive in their defence in this particular case.
The reporting person has a right to receive confirmation that their report has been received within seven days of making it. They must also receive a “diligent follow-up” within three months.
If the whistleblower is unsatisfied with the investigation through the internal reporting channel, they can move to the external authority, which has three months to reply. Following this, they can then escalate the issue to the public realm.
The EU Whistleblowing Directive will eventually require all organisations employing over 50 staff and municipalities with more than 10,000 citizens to implement an internal reporting system for whistleblowers. They can choose to run one or more different channels, which must allow for written or oral reporting.
There are a number of considerations to make when choosing the right reporting channels for a business, particularly when it comes to considering how they will enable you to protect the rights of whistleblowers under the directive. For example, asking reporting persons to drop their reports into a mailbox might negate their right to confidentiality because, by its nature, the box would be situated in a public place where someone could see them making the report.
An effective, efficient and compliant reporting channel is an online system such as IntegrityLog. It allows whistleblowers to access it from anywhere at any time, enter their details and be certain that their information will be kept securely in a confidential manner.
Whistleblowing reports are subject to the General Data Protection Regulation (GDPR), which means that the reporting channel you use should take this into consideration and allow you to easily maintain compliance.
With solutions where an operator is required to take notes, such as on a telephone hotline, there is a double risk. The operator could collect more data than is necessary and struggle to prevent unauthorised parties from accessing the information.
IntegrityLog only collects the necessary data and ensures unauthorised people do not access the information held in the report. In addition, when using just one channel, it is easier to comply with GDPR’s Right to Be Forgotten, which requires the anonymising or destruction of data in some circumstances. If you have multiple channels, it becomes more difficult to ensure you have erased all the relevant data.
It is up to individual member states to decide whether businesses and public bodies must accept anonymous reports. If there is no specific ruling, organisations can choose whether or not to allow them. If an anonymous report is made and the reporting person’s identity is later revealed, they will also qualify for the protections described above.
What kind of whistleblowing channel needs to be implemented?
The whistleblowing channel or channels should allow for oral reporting, written reporting or both. They could include face-to-face interviews, a special email, a phone line, an online compliance tool or anything else that allows for reporting by these methods.
Retaliation against a whistleblower can include:
It can also include any other type of discrimination, prohibition and detrimental treatment, complaints and personal grievances from colleagues, and abuse of authority by management.
There are no penalties for whistleblowers under the EU Whistleblowing Directive, provided they made the report in the belief that what they said was the truth. Whistleblowers are protected by law from negative acts of whistleblower retaliation performed as punishment for making their report. Organisations have a legal obligation to ensure this is so.
It is the duty of organisations affected by the EU Whistleblowing Directive to understand the whistleblower rights and protections within the union. They should put in place systems to make sure all reports remain confidential, the follow-up responses are sent in due time and no retaliation takes place. In addition, there is a requirement to provide an internal reporting channel that not only allows for whistleblowing but also complies with data protection laws.
IntegrityLog is GDPR-compliant, secure and even provides a dashboard that informs the investigation team when they have a deadline approaching. Try IntegrityLog for free today.