Whistleblower Report: Details to Submit (and Collect) and How a Whistleblowing Tool Can Help

by: Michelle Thompson

More and more companies in the EU are learning the ins and outs of receiving a whistleblower report. Knowing which information your employees should prepare before they submit the whistleblower report is important. The data your organization or business collects during the initial report will be key to how you conduct your whistleblower investigation, but it may also contain sensitive information and will be subject to privacy protection rules.

Information to Submit for a Whistleblower Report

Employees who witness misconduct should understand what information is relevant to their whistleblower report and be aware of what should not be included in their report. The first step is to identify the wrongdoing, describe what is occurring, and explain how they know. A credible whistleblower report must document the facts and include a summary describing what the employee has witnessed.

Presumably, whistleblowers will have been made aware of which laws, rules, or regulations the business is subject to. Knowing how the EU Directive works and who qualifies for whistleblower rights and protection will also be important as it may determine whether the employee will be willing to take the risk of disclosing the incident. There are several questions whistleblowers should ask themselves before they begin the report:

What law, rule, or regulation has been violated? This may require reviewing company policies or doing some research about national and EU laws related to your particular workplace.  

What are the facts in the case? Who was/is involved? When did it occur? Where did it happen? What happened? Were there any witnesses? Was the manager informed?

These details will likely be used during the whistleblower investigation process and should be accurate and succinct.

Challenges to Making the Whistleblower Report

What if you don’t have the authorization to access relevant information or facts? In this case, you should determine who does and who needs to know about the wrongdoing. Employees should first report their concerns to the proper authority or manager. They should refrain from conducting their own investigations. The internal chain of command may fail if no action is taken when the manager is made aware of the incident. In this case, the whistleblower should make the report to an external authority such as a government regulator.

If an employee is unsure how to proceed, an internal reporting tool or hotline can be useful. The tool can provide guidance to the employee throughout the reporting process and capture relevant information about the incident which can be used during the whistleblower investigation. In a survey conducted by the UK Institute of Business Ethics, researchers found that 43% of employees who are aware of wrongdoings don’t report them. Your employees and your organization may benefit from the option of receiving whistleblower reports anonymously without forcing employees to share their identities. The decision will probably be based on your business’s ability to maintain confidentiality and any potential risk of retaliation.

The incident may have taken place in a Member State that doesn’t allow anonymous reporting. In this case, identity-related information will need to be shared with the person receiving the report. Some form of contact information is usually needed to follow up with the whistleblower during an investigation. The use of a tool like the NorthWhistle app can facilitate communication without revealing private details about a person’s identity. Any data that supports the allegation can be provided at the time of disclosure.

Avoid processing too much personal information

Any information in the report that is not relevant to the review or whistleblower investigation of the case should not be processed or stored. For example, an employee submits a whistleblower report about a co-worker who committed fraud and inadvertently reveals that the witness suffers from a heart condition. The details about the colleague’s health are irrelevant to the case and should be returned to the sender or redacted from the file before sharing the report with others.

The EU Whistleblower Directive recommends the whistleblowing process be aligned with existing data protection procedures or rules already in place. At a minimum, the business must ensure the following:

  • Confidentiality of the information received is maintained.
  • A reasonable effort is made to protect the whistleblower’s identity and that of any others involved.
  • Only information relevant, necessary, and adequate to the case should be collected.
  • A determination is made about what personal information means, and a policy is in place for applying the definition to all people involved.

The business should also make it clear to employees what level of access the person disclosing wrongdoing and any others involved in the whistleblower investigation will have. If access is restricted, a clear policy must be developed, and the reason documented. Individuals, organizations, and corporate entities may formally request information if legal proceedings are initiated. In this case, third-party information should never be revealed and should be redacted from the file. The business will also need to develop internal IT security measures to protect the data collected and should have a pre-determined retention period for the data it stores during the reporting and investigation processes.

Define What ‘Personal Information’ Means

A clear definition of ‘personal information’ is needed and should be applied to any data related to a person identified in the report (or easily identifiable). The EU General Data Protection Regulation (GDPR) has established rules on how to ensure privacy and data safety. The rules define personal information (data) as anything that relates to an identifiable individual. For instance, a report that describes the private activities of a witness is probably not relevant to the workplace incident and the receiver must protect these details.

Your business or organization may deal with five types of personal information:

  1. Private personal information associated with a person’s life such as their passwords or voting decisions.
  2. Sensitive personal information such as their ethnic or religious background, political affiliations, past critical records, sexual orientation, or biometric information.
  3. Health information such as a disability, allergy, or injury, medical history or records, and prescriptions.
  4. Financial information such as banking statements, credit or debit card passwords, or tax details.
  5. Identity-related information such as date of birth, social security number, or contact information.

In most cases, a whistleblower report will identify the person who has allegedly committed the wrongdoing and the people who witnessed the incident.

How can a whistleblowing tool help manage sensitive information?

A strong whistleblowing tool can help you manage the sensitive information you collect in the context of a whistleblower report. NorthWhistle is GDPR and EU Directive compliant and embeds features such as consenting to share personal information and accessing guidelines for national and EU whistleblower rights and protection.

Whistleblower tools provide a simple internal reporting system that guides the employee by prompting them to provide specific details about the incident. As more EU Member States adopt the EU rules, companies are asked to stay up-to-date and compliant with the regulations. While anonymity is not required, maintaining confidentiality is. Using features such as voice anonymization can help prevent retaliation against whistleblowers while still capturing vital information about illegal activities such as money laundering and fraud.