How do I ensure confidentiality of the whistleblower under the Whistleblowing Directive?

The Whistleblowing Directive imposes strict requirements to keep the identity of the whistleblower confidential. According to studies members of staff will only be inclined to make a report of misconduct if they are reassured that their identity will be protected.

Under the Whistleblowing Directive the identity of the whistleblower must not be disclosed. Only in very exceptional circumstances can the identity of the whistleblower be revealed given the whistleblower has consented to this. This will be so in the context of investigations by national authorities or judicial proceedings. The same level of protection should be given to the person reported on considering the risks of stigmatization and victimization involved for that individual.

The Whistleblower Directive requires organizations to adopt and implement clear policies and procedures to guarantee this confidentiality. The implementation of this confidentiality obligation will require more than just including the right wording in your policies. The confidentiality must be guaranteed for both oral and written reports. This will require you to think of the appropriate technical and organizational measures internally, yet also externally if you are relying on the services of a third party service provider for oral reports made via telephone or for written reports via a whistleblower software tool.

Furthermore, this confidentiality should not just be guaranteed at the time the report is made, yet also throughout the report handling period. How will you ensure that the identity of the whistleblower is kept confidential in all communications concerning the report. This will be particular complex given the multiple means of communication within organizations (e.g. e-mail, WhatsApp, Teams, etc.). Report handlers may need to be subjected to stronger obligations of confidentiality.

Also, in smaller organizations the confidentiality should not only relate to the identity of the whistleblower, but also to other possible identifying information and information know to only few individuals. Access to information should be granted on a need-to-know basis.

Finally the same confidentiality concern pops up again at the end of the procedure, or thus once after the closure of report. What measure do you have in place at the end of the procedure, to anonymize or delete data which could potentially lead to the re-identification of the whistleblower?

This obligation of confidentiality is not be confused with the possibility of anonymous reporting by whistleblowers. The Whistleblowing Directive leaves it up to the Member States to decide whether legal entities in the private or public sector are required to accept and follow up on anonymous reports. Although anonymous reports may encourage more victims or witnesses of misconduct to speak up and report the misconduct, it could also result in a higher risk of false reports. The Whistleblowing Directive does require that anonymous whistleblowers who are identified in the process shall qualify for protection, provided that they meet the conditions for protection.

Would you like to read more? Our next post on this topic will address the question on whether organizations who already have a whistleblowing tool in place need to take action. In case you would like to receive further information on this topic or need our assistance, please do not hesitate to reach out to us.

#Whistleblowing Directive #GDPR #employment #EYLaw #digitallawteam