Increased regulatory focus on whistleblower protection domestically and internationally—most notably by the U.S. Securities and Exchange Commission (“SEC”), the U.S. Department of Justice (“DOJ”), and the Parliament and Council of the European Union (“EU”)—has forced organizations across sectors to revisit their whistleblower protection protocols generally.
In so doing, organizations are confronted with the additional challenge of ensuring that information collected during a report (and subsequent investigation) is sufficiently protected from unauthorized access or public disclosure. Under both the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”) and the EU’s recently adopted whistleblower directive, organizations are legally required to ensure that no adverse action is taken against a potential reporter. This becomes nearly impossible to do when information concerning a whistleblower’s report and his or her identity is compromised. To meet the requirements of domestic and international regulators, organizations should take the following four (4) steps to mitigate the potential for inadvertent or intentional whistleblower data disclosure.
1. Ascertain what information is collected by the organization’s existing compliance protocols.
The starting point for any organization’s assessment and evaluation of its whistleblower protection practices is a meticulous examination of its current personal data collection activities. Organizations should review precisely what information is collected either by third parties on their behalf, or by the compliance professionals tasked internally with receiving and responding to reports of suspected malfeasance. This review encompasses examining in detail the intake questionnaire utilized for the specific purpose of soliciting information in conjunction with a report of a potential ethical infraction or legal violation. This review also includes auditing past intake reports to gain a complete understanding of what information the organization requests and under what circumstances.
The initial assessment should examine the organization’s retention practices in both theory and practice. For instance, while many organizations have adopted formal policies governing the retention and destruction of certain categories of information, what the company policy provides and what the organization actually does often vary considerably. To that end, the task of the compliance professional is to thoroughly document current organizational practices and to note any discrepancies between those practices and the organization’s retention policies. This inquiry will become relevant later on in the process when the organization must make important decisions concerning its revamped data collection process.
2. Conduct a Data Privacy Impact Assessment (“DPIA”).
Under Regulation (EU) 2016/679 “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data” (General Data Protection Regulation or “GDPR”) Article 35, “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the [data] controller shall . . . carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” Under Article 35(3)(a) specifically, such an assessment is also required in any instance where the processing of personal data involves automation and is likely to produce legal effects concerning the natural person. The prevalence of web-based intake systems for the receipt of internal reports indisputably qualifies as an activity that involves some element of automation. Although, ideally, the DPIA should be conducted either by or in conjunction with the organization’s designated Data Protection Officer (“DPO”)—especially for organizations subject to GDPR—the compliance function of the organization will make a significant contribution to the DPIA as a whole.
The DPIA is predicated on a holistic assessment of the “envisaged processing operations,” which includes four (4) distinct components.
- Systematically describe the processing operation to be undertaken and the purposes of the processing, including the “legitimate interest” pursued by the controller. In the case of internal reporting, the legitimate interest is easily established. Because both the US and EU require the reporting of potential legal violations, the legitimate interest pursued by the organization in this instance is the fulfillment of a basic legal obligation.
- Include an assessment of the “necessity and proportionality” of the processing operations concerning the purpose. Put simply, the burden is on the organization to ensure that the personal data it collects is necessary and narrow enough to meet the purpose of the processing operation, but nothing more. While many organizations continue to collect personal details that have little or no relevance to the internal report itself, sound data collection practices in a highly dynamic regulatory environment militate in favor of data minimalism, not maximalism.
- Assess “the risks to the rights and freedoms of data subjects” affected by the collection and processing scheme. To the extent that the organization’s data collection and processing activities are narrowly tailored to the purpose mentioned above, the corresponding risk to the rights of data subjects may well be negligible. However, for organizations prone to collect more controlled data than is necessary for the implementation of an effective internal reporting system, the risk is considerable.
- Implement effective “safeguards, security measures and mechanisms to ensure the protection of personal data.” This can help an organization properly position itself either to avoid collecting unnecessary personal data altogether or to promptly delete such data once received. The “safeguards, security measures and other mechanisms” element necessarily entails an inquiry into the mechanics involved in data retention and disposition. Here, the current state analysis conducted in Step 1 can help an organization determine what measures must be taken to safeguard the confidentiality of information received from would-be whistleblowers. If, for example, the current state analysis concludes that whistleblower information is stored in a location that is easily accessible by an organization’s broader employee base, then a remedial measure to be noted in the DPIA is the relocation of such information to a separate, more restricted location with access rights limited to those who need them.
3. Refine organizational policies and procedures to collect only relevant personal data and to omit extraneous requests for unnecessary information.
A DPIA is effective only if the results of that assessment are put into action. Accordingly, once the DPIA is concluded, the security protocols and other safeguards outlined in Step 4 of the DPIA process must be implemented and followed to the letter. Existing organizational policies and procedures should be amended to reflect the unique requirements associated with the collection, processing, retention and destruction of whistleblower information. For instance, Article 17 of the EU’s whistleblower directive requires that all personal data “which are manifestly not relevant for the handling of a specific report shall not be collected, or if accidentally collected, shall be deleted without undue delay.” Organizations subject to the new EU directive’s requirements should ensure that the sum and substance of the data protection principles delineated in that directive are reflected in any revision of the organization’s data protection policies.
4. Retain relevant information; encourage the prompt deletion of the rest.
Information concerning a report that has been verified and subjected to additional legal action should be retained per requirements specific to the jurisdiction. However, information concerning unsubstantiated reports should be subject to the organization’s document retention and destruction policies, and in most instances deleted without undue delay. In this regard, it should be noted that the EU is much more aggressive than U.S. regulators in requiring organizations to promptly dispose of such reports. If the data contained in unsubstantiated whistleblower claims are needed for reporting, auditing, or other purposes, all personal data should be anonymized and a generic description of the report maintained.
The protection of whistleblowers is a growing international priority. As the number of successful enforcement actions grows based upon information provided in large part by these parties, organizations can anticipate additional scrutiny. To avoid having the identity of a whistleblower compromised and sensitive personal details disclosed, the organization must be proactive in its data protection practices.