Whistleblowing and Data Protection

Whistleblowing systems are used by companies as part of their risk management measures. Some companies are even required by law to introduce an anonymous whistleblowing system. A well-known example of such a requirement is the Sarbanes-Oxley Act (SOX), which applies to all companies listed on US stock markets, as well as to their subsidiaries in Europe.

The Art. 29 Data Protection Group, which functions as an independent advisory committee of the European Union, formulated an opinion based on Data Protection Guideline 95/46/EG that sets out requirements for anonymous whistleblowing systems which, when fulfilled, allow companies to meet both the SOX and the European data protection requirements.

The German Federal Data Protection Act (BDSG) also contains provisions regarding the use of whistleblowing systems.

Permissibility of Procedures for Reporting Irregularities

The use of a whistleblowing system is permissible in the fulfillment of a legal obligation (Article 7, letter c; compare § 28 Paragraph 1 S. 1 BDSG), for example as an internal control procedure for the banking sector, or in the fight against the bribing of foreign officials according to an OECD agreement. SOX, however, is not a law in the sense of § 28 Paragraph 1 S. 1 BDSG.

According to Article 7, letter f, a reporting system can also serve to realize a legitimate interest, i.e. to ensure the proper functioning of organizations. The permissibility is regulated accordingly in the BDSG: according to § 28 Paragraph 1 S. 1 No. 1 and 2 BDSG, the collection and use of personal data is permitted if this serves the protection of legitimate interests or the purpose of a contractual relationship. The behavior that is reported, however, must exhibit a clear relationship to the employment relationship (see "Limiting Number of Topics" below). Ensuring and monitoring employees' adherence to the law serves the purposes of the employment contract, specifically the orderly and financially successful conduct of the company's value creation.

Limiting Number of Topics

The verification of compliance with existing laws justifies the collection of personal data. However, only reports regarding offences and breaches of duty should be permitted, particularly those regarding irregularities in accounting, internal accounting controls and auditing, the fight against corruption, and banking and financial crime. This restriction is achieved through the use of topic lists and filter functions in the reporting system.

Protection for the Whistleblower

In order to serve the purpose for which a system for reporting irregularities was set up, and to encourage people to use the system and report facts that can demonstrate inappropriate behavior or illegal activities within the company, it is essential that the person submitting the report is adequately protected by guaranteeing their anonymity and preventing third parties from discovering their identity.

Anonymity as an Option

Confidentiality alone does not fulfill the anonymity requirements specified by SOX, and for this reason the preservation of the whistleblower's anonymity is essential. Nevertheless, in addition to purely anonymous reports, the whistleblower should also have the option of stating their name.

Secured Access of Data

According to Article 17 of Guideline 95/46/EG, the company or organization responsible for a system used to report irregularities must take the necessary technical and organizational measures to guarantee the security of the data when it is collected, transmitted and stored. The aim is to protect the data from unintentional or unlawful destruction, unintentional loss and unauthorized transmission, as well as from unauthorized access. It must be ensured that reports cannot be casually read by a third party, for example by encrypting the data.

Minimizing Abuse (Denunciations)

Unjustified accusations should be prevented and recognized as early as possible. A plausibility check, for instance, can be carried out by asking the whistleblower additional follow-up questions.

Internal Reception and Data Processing

Access Restrictions for Examiners

Reported data should be accessible to the smallest possible group of people and, where possible, remain within the company so that no data transfer takes place. Access to the data should therefore be granted to specific, named individuals and not outsourced to an external call center, especially not in third countries that cannot guarantee an adequate level of data protection (this includes the USA). The system used to report irregularities should be strictly separated from other divisions of the company, for instance the personnel department.

Independent Data Storage, Separation from Personnel Files

All data should be stored in a dedicated case database that has no connection to the company's personnel department or its database.

Irrevocable Deletion of Reports following Discontinuance or Conclusion of Investigations

Once investigations have been concluded or discontinued, all data must be irrevocably and promptly deleted, as a rule within two months (compare § 35 Paragraph 2 No. 3 BDSG).
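As an added illustration of how the deletion rule above can be enforced in software (this is example code written for this page, not code from the page or from the BKMS® System), the following Python sketch models a constructed in-memory case store in which every record carries its status and closure date; closed cases are purged on each run, and any case still present more than two calendar months after closure is flagged as overdue. The record fields, the `CaseRecord` class and the function names are assumptions chosen for the example.

```python
"""Retention enforcement for a whistleblowing case store (illustrative, constructed data)."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# "As a rule, within two months" after the investigation ends.
RETENTION_MONTHS = 2
VALID_STATUS = {"open", "concluded", "discontinued"}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped to the target month's length
    (e.g. 31 December + 2 months -> 28/29 February, not an invalid date)."""
    total = d.month - 1 + months
    year = d.year + total // 12
    month = total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class CaseRecord:
    case_id: str
    topic: str                  # one of the permitted topics (accounting, audit, corruption, ...)
    status: str                 # "open", "concluded" or "discontinued"
    closed_on: Optional[date]   # set when the investigation is concluded or discontinued
    report: str                 # the report text itself (would be encrypted at rest)

    def __post_init__(self) -> None:
        if self.status not in VALID_STATUS:
            raise ValueError(f"unknown status {self.status!r}")
        if self.status != "open" and self.closed_on is None:
            raise ValueError("closed cases must carry a closure date")


def deletion_deadline(rec: CaseRecord) -> Optional[date]:
    """Latest permissible deletion date, or None while the case is still open."""
    if rec.status == "open":
        return None
    return add_months(rec.closed_on, RETENTION_MONTHS)


def purge_closed_cases(store: Dict[str, CaseRecord], today: date) -> Dict[str, bool]:
    """Delete every closed case from the store. Returns {case_id: was_overdue}.

    Deleting the application-level record is only the first step of "irrevocable"
    deletion; the storage backend must also make the data unrecoverable (e.g. by
    destroying the per-case encryption key), which is outside this sketch.
    """
    outcome: Dict[str, bool] = {}
    for case_id in list(store):           # copy keys: we mutate the dict while iterating
        deadline = deletion_deadline(store[case_id])
        if deadline is None:
            continue                      # open investigations are kept
        outcome[case_id] = today > deadline
        del store[case_id]
    return outcome


def build_sample_store() -> Dict[str, CaseRecord]:
    """Constructed sample data for the demonstration."""
    records = [
        CaseRecord("C-001", "accounting", "open", None, "suspected double booking"),
        CaseRecord("C-002", "audit", "concluded", date(2024, 1, 31), "missing sign-off"),
        CaseRecord("C-003", "corruption", "discontinued", date(2024, 3, 20), "unverified tip"),
    ]
    return {r.case_id: r for r in records}


if __name__ == "__main__":
    store = build_sample_store()
    result = purge_closed_cases(store, today=date(2024, 4, 15))
    for cid, overdue in result.items():
        print(f"{cid}: deleted{' (OVERDUE)' if overdue else ''}")
    print("remaining:", sorted(store))
```

Run on the constructed data with 15 April 2024 as "today", C-002 (closed 31 January, deadline 31 March) is deleted and flagged overdue, C-003 (closed 20 March, deadline 20 May) is deleted on time, and the open case C-001 is kept. In a real deployment the purge would be a scheduled job whose runs and overdue flags are logged for the data protection officer.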

Allocation of Clear and Comprehensive Information about the System

According to Article 10 of Guideline 95/46/EG, the party responsible for the processing must inform those concerned of the system's existence, purpose and manner of operation, as well as of the recipients of the reports and of the concerned party's rights of access, information and rectification with regard to the data that concerns them.

Obligation to Notify

According to Article 10 of Guideline 95/46/EG, the concerned parties must be informed when their personal data is collected from a third party (compare § 33 Paragraph 1 S. 1 BDSG). The obligation to notify, however, lapses when such notification would jeopardize the business purpose. The business purpose in this sense is the clarification of the criminal accusation, which would be jeopardized by the notification.

All specified criteria are met in practice by the BKMS® System.