July - Managing HR data – 2 / 6 Viewpoint
The importance of whistleblower hotline programmes and of protecting employees who report misconduct in the workplace is increasingly valued globally. Legislation has been introduced to regulate this issue, not only in the EU under the EU Whistleblowing Directive (in force since 17 December 2021), but also under legislation that applies in other jurisdictions. Whistleblowers in the UK have long been protected by virtue of the Employment Rights Act 1996 (as amended by the Public Interest Disclosure Act 1998). However, the scope of the EU Directive is different from, and arguably wider than, this UK legislation.
Businesses in those EU Member States that have transposed the Whistleblowing Directive are required to establish internal and external reporting channels for receiving and investigating whistleblower complaints. The Directive also sets out the scope of activities that whistleblowers may report, for example violations of laws concerning public procurement, product safety or financial services, and it gives protection and rights to whistleblowers. Crucially, whistleblowers' confidentiality must be protected. The deadline to transpose the Directive was 17 December 2021, but many jurisdictions are still working through the legislative process and have not yet finalised implementation. We anticipate all jurisdictions will implement the Directive by the end of 2022.
The concept of the EU Directive is mirrored in the US by the Sarbanes-Oxley Act, which introduces similar principles that apply to publicly traded companies. The organisation's audit staff are required to set up a complaint notification system or whistleblower hotline to receive internal complaints regarding accounting and auditing matters. This forms part of a publicly listed company's overall compliance and anti-corruption programme.
As a result of this global focus, many multinational companies are encouraging whistleblowing by establishing a designated hotline or similar complaint system that enables employees and other company insiders to report misconduct. In addition to ensuring legal compliance, there are numerous business advantages to this. It enables businesses to learn about, investigate and most importantly remedy conduct that could, if not rectified, expose the business to criminal or civil liability.
We are seeing more and more multinational companies adopting whistleblowing hotlines not only in each country where a legal obligation to do so arises, but across all subsidiaries and branches where they operate.
Of course, across the EEA, organisations must comply with data protection requirements under the GDPR when processing personal information collected from whistleblowing hotlines. Similar rules apply in the UK under the UK GDPR. Common requirements include:
Contracts with third party service providers
Employers often engage third parties to operate a whistleblower hotline. This does not negate the requirement to comply with this legal framework. Rather, it is important to include clauses in the contract with the third party service provider that give employers adequate protection. Contracts should comply with the Article 28 processor requirements, including by ensuring that personal data is processed in line with the employer's instructions, that the data is only used for specified purposes, and that security measures have been implemented.
Privacy by design
When implementing hotline systems, the starting point should be to take the approach of privacy by design. This will be reinforced by ensuring the independence and integrity of those who operate the hotlines; if a third party is used, then this principle applies to them too. Another way to ensure that privacy is embedded is to inform employees about the purpose of the system and to build in appropriate steps to protect privacy as required under the GDPR data minimisation principle, for example by collecting only the minimum amount of data that is relevant to the investigation or inquiry. Any employee request to access, delete or correct data collected from the hotline must also be acted on. Defined retention periods and criteria for the personal data to be collected, encryption technology, and measures to ensure the anonymity of the reporter are also essential.
For any hotline system to be successful, organisations need to work to avoid conflicts and ensure that the culture of the workplace supports and encourages the importance of whistleblowing and protecting the anonymity and confidentiality of the whistleblower. To achieve this, senior managers and directors must lead the programme, understand it and embrace it. It is only with strong support from leadership that it is possible to reinforce the importance of having a culture that values internal reporting.
The period in which businesses are required to implement hotlines in line with the Whistleblowing Directive has been delayed, but this does not mean businesses should do nothing. Now is the time to design internal reporting channels that comply with complex legal requirements, including privacy requirements, which will vary between jurisdictions. The sooner the processes are implemented, the more trust will be generated among staff and the more successful the system will be. Employees should feel confident that they work in a business that has provided them with the best available platform to raise concerns and that they and their personal data will be protected.
For more information about how Taylor Wessing can help your business implement the EU Whistleblowing Directive please click the link below.
Helen Farr looks at the data protection implications of the EU Whistleblowing Directive and whistleblower hotlines more generally.
Author: Helen Farr