Providing a whistleblowing hotline strengthens ethics and compliance programmes and helps protect staff, profits and reputation. The Ministry of Justice recommends whistleblowing hotlines as a way of proving adequate procedures are in place to protect against malpractice and comply with The Bribery Act 2010.
But ensuring your company meets the needs of the different data protection legislation and privacy laws in each country is becoming more complex. It is Expolink’s aim to help guide its clients through this maze. Below are introductions to the main laws and links to documents which will help outline what needs to happen for the successful introduction of a whistleblowing hotline in key countries.
The Public Interest Disclosure Act (PIDA) came into force in July 1999 with the specific aim of protecting whistleblowers. It gives protection, in defined situations, to employees who choose not to raise the matter internally because they believe they would be victimised by raising the matter. Victimised whistleblowers are able to claim compensation at an Industrial Tribunal. Awards are uncapped and any “gagging” clauses in employment contracts are void if they conflict with the Act’s protection. The Act also covers trainees, agency staff, contractors and home workers – even when the malpractice occurs overseas. Establishing clear channels of communication for employees to disclose their concerns without fear of reprisal, victimisation or dismissal can help to protect your company from claims arising under PIDA legislation.
This Code supersedes and replaces the Combined Code issued by the Hampel Committee on Corporate Governance in June 1998. It derives from a review of the role and effectiveness of non-executive directors by Derek Higgs and a review of audit committees by a group led by Sir Robert Smith. The publication includes guidance on how to comply with particular parts of the Code: first, “Internal Control: Guidance for Directors on the Combined Code”, produced by the Turnbull Committee, which relates to Code provisions on internal control (C.2 and part of C.3 in the Code); and, second, “Audit Committees: Combined Code Guidance”, produced by the Smith Group, which relates to the provisions on audit committees and auditors (C.3 of the Code). In both cases, the guidance suggests ways of applying the relevant Code principles and of complying with the relevant Code provisions.
The Sarbanes-Oxley Act of 2002 was introduced by Senator Paul Sarbanes and Representative Michael Oxley (Sarbanes-Oxley Act 2002). Its inception was a result of one of the largest and most highly publicised corporate financial scandals ever, involving companies such as Enron and WorldCom. Since 2004, all publicly traded companies are required to present an annual report of their internal accounts to the Securities and Exchange Commission (SEC). In addition, all companies listed in the USA are required to establish procedures allowing employees to whistle blow and afford them protection of confidentiality if whistleblowing reports are made to the audit committee.
The Dodd–Frank Wall Street Reform and Consumer Protection Act was signed into law by President Barack Obama on July 21, 2010. The Act is considered the most significant change to financial regulation in the United States since the Great Depression and is a response to the financial turmoil witnessed by US and global markets in recent times. Amongst extensive changes to the financial services industry, new legislative changes for the whistleblower were put in place to expand and support the Sarbanes-Oxley Act of 2002. The Act comprises significant new whistleblower protections, including the creation of SEC and CFTC (Securities and Exchange Commission and Commodity Futures Trading Commission respectively) whistleblower programs and protections aimed specifically at employees dealing with consumer financial products and services.
The Act not only provides protection for whistleblowers but also a financial incentive for those willing to provide the respective Commissions with original information about violations of securities or commodities laws. The amount paid to the whistleblower (between 10 and 30%) is in direct correlation with the sanctions ultimately imposed by the Commissions, providing they exceed $1,000,000. Whistleblowers are also afforded protection from employer counteraction and are able to bypass the traditional administrative process with the Department of Labour and bring action directly with the Federal District Court. The previous statute of limitations allowed just 90 days for the complaint to be reported; this has since been expanded to within six years after the date when the violation occurs or within three years after the date “facts material to the right of action are known or reasonably should have been known by the employee,” but not more than 10 years after the date of the violation.
CNIL is an organisation in France that regulates the approval of whistleblowing schemes (amongst other things) for organisations and companies either based or operating in France. The use of whistleblowing hotlines and reporting in France is restricted to accounting, auditing, financial misconduct or corrupt practices such as bribery, collusion or conflicts of interest.
Over the past couple of years, CNIL has faced an increasing number of applications by companies wanting to provide a whistleblowing hotline covering issues that fell outside the standard scope of the Single Authorization of 2005 (referred to as “AU-004”). In its deliberation on 30th January 2014, CNIL widened the scope of reporting permitted under AU-004 on whistleblowing/hotlines. The decision relies on the “legitimate interests of the data controller” principle under the data protection rules.
CNIL has broadened the scope of the Single Authorization by accepting, in addition to the matters mentioned in the above paragraph, the following new matters, which are often mentioned in companies’ codes of ethics:
In addition CNIL has broadened the legal grounds that may prove the legitimacy of the implementation of a whistleblowing system under the Single Authorization, as these legal grounds can now include both a legal or regulatory obligation under French or a foreign law as well as the legitimate interests of the data controller.
It has furthermore clarified the position regarding anonymous reports. Taking into account the provisions of SOX relating to anonymous reporting, CNIL now accepts that it needs to be more tolerant towards anonymity. It has thus moved the focus of its requirements from “identification of the whistleblower” to “conditions for anonymous reporting”. As before, the system should not encourage anonymous reporting. Identification of whistleblowers remains the default position and anonymity is accepted on an exceptional basis. There is, however, no longer a requirement for the system to be designed so that whistleblowers must identify themselves. There are two conditions for accepting an anonymous report: processing of an anonymous report requires implementing additional precautions, such as a pre-screening of the report by its initial recipient to determine whether the report can or should effectively be used or disseminated more broadly; and the seriousness of the reported facts must be established and the factual elements must be sufficiently detailed.
You can apply to register your whistleblowing scheme online via www.cnil.fr
An acknowledgement receipt (“récépissé”) is then sent to your company or organisation. This constitutes an authorisation of the notified system as well as, if relevant, an authorisation of the international data transfers taking place in the context of running the whistleblowing system.
The Code of Corporate Governance in the Netherlands stipulates the following as regards whistleblowing provision:
“The management board shall ensure that employees have the possibility of reporting alleged irregularities of a general, operational and financial nature in the company to the chairman of the management board or to an official designated by him, without jeopardising their legal position. Alleged irregularities concerning the functioning of management board members shall be reported to the chairman of the supervisory board. The arrangements for whistleblowers shall in any event be posted on the company’s website.”
The Belgian Privacy Commission recently issued a recommendation with respect to the compatibility of whistleblowing schemes with the Belgian Private Data Protection Law of 8 December 1992.
In this recommendation, the Belgian Privacy Commission indicated that since the Private Data Protection Law applies as soon as personal data is processed by automatic means or is filed or is intended to be filed, it will apply to almost all whistleblowing schemes. The Commission outlined a number of basic principles, which should at least be respected by whistleblowing schemes to be compatible with the Private Data Protection law. These principles are more detailed than the earlier recommendations of the Article 29 Working Party and relate to (i) honesty, legitimacy, purposefulness of the scheme, (ii) proportionality, (iii) accuracy of the personal data, (iv) transparency, (v) security of the processing operations and filing, (vi) rights of all persons involved (whistleblower, reported person and third parties), and (vii) registration of the database if the data will be automatically processed or at the request of the Belgian Privacy Commission.
The recommendations of the Belgian Privacy Commission are not binding but have an important persuasive authority and are normally followed by the courts. Therefore, their practical impact is significant and the basic principles can be used as a guideline for companies wishing to implement whistleblowing schemes in Belgium.
Article 29 Data Protection Working Party offers an opinion and guidance on how internal whistleblowing schemes can be implemented in compliance with the EU data protection rules enshrined in Directive 95/46/EC. This document only forms an opinion and is not legislatively mandatory.