HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU
10 April 2014
Monica Salgado, Advogada registered with the Portuguese Ordem dos Advogados, Registered European Lawyer with the SRA
Kirsti Laird, Solicitor (qualified in New Zealand)
OUR TEAM
Speechly Bircham is an ambitious, full-service law firm with over 250 lawyers, headquartered in London. We work with business and private clients across the UK and internationally and focus on the financial services, private wealth, technology, real estate and construction sectors. We have offices in Paris, Luxembourg, Zurich and Geneva.
Our Data Protection & Information Law team provide a range of expertise on data privacy audit, compliance, risk management, information security and data breaches. We are listed in Chambers 2014 and Legal 500 as a leading law firm for Data Protection and have advised on this area of law since 1983.
"What I liked was the fact that the team was very willing for us to see itself as an extension of our existing in-house team. I like the way it integrated: members sat alongside and guided us. That was what impressed."
"Robert Bond and his team have always provided comprehensive, practical advice on a timely basis. Their knowledge of the EU regulatory scene, including experience with specific agencies, as well as privacy issues globally, has been instrumental in establishing our privacy policies and procedures."
MONICA SALGADO
Monica is a Portuguese qualified lawyer and a Registered European Lawyer with experience assisting clients with the most varied data protection issues, both in Portugal and the UK. She has notably assisted clients in preparing and submitting registrations and requests for authorisation to the relevant data protection authorities, and in analysing processor / controller agreements (including conducting prior due diligence procedures) and trans-border flows of personal data.
"provides top-notch client service" (Legal 500, 2011)
Monica has also participated in preparing replies to subject access requests and other data protection related requests, implementing data protection compliance measures and tools (including drafting relevant data protection policies), performing data protection compliance assessments, providing data protection training and assisting businesses to comply with E-Privacy rules by conducting cookies audits, drafting cookies policies and implementing cookies consent tools.
Monica is a regular speaker on Speechly's webinars and at external data protection events, such as the Privacy and Data Protection Conference, and also contributes regularly to internal and external publications, including the PDP journal.
Monica.Salgado@speechlys.com
+44 (0)20 7427 6554
KIRSTI LAIRD
Kirsti is a New Zealand qualified lawyer who has experience advising on all aspects of UK employment law. She advises on general human resources issues, including negotiating and drafting employment contracts and service agreements for employees and directors, advising on grievance and dismissal procedures (including termination / settlement agreements), and the processes for conducting both small and large scale redundancies.
She also advises clients in relation to commercial matters affecting employees, including mergers and acquisitions, restructurings, re-contracting scenarios and TUPE. She also has experience in Tribunal and High Court claims relating to employment matters, including advising an LLP in relation to an employment status claim by a former member.
Kirsti produces our monthly Employment Newsletter, which updates our clients on news and events, including recent decisions of the Tribunals and courts on employment matters.
Kirsti.Laird@speechlys.com
+44 (0)20 7427 6411
TOPICS
Practical considerations when dealing with whistleblower reports in the EU
What to ask when analysing a report?
Looking back at the organisation's whistleblowing procedures
Dealing with the report
YOU HAVE JUST RECEIVED A WHISTLEBLOWING REPORT
Your organisation has just received a whistleblowing report. Now what?
WHAT TO ASK?
Was the report submitted within the context of an employment dispute?
Where was the report submitted? Was it made through the whistleblower hotline?
Who submitted the report?
- Employee
- Supplier
- Customer
Was the report made in accordance with your organisation's local policy on whistleblowing?
Do your whistleblowing policy and the report follow local:
- Whistleblower protection laws?
- Whistleblowing hotline restrictions?
WHERE, HOW, WHO?
One side:
- England & Wales: Public Interest Disclosure Act 1998
- US: Sarbanes-Oxley Act 2002
Other side:
- Other EU member States: comprehensive labour laws / codes; more focus on privacy in the workplace
UNITED KINGDOM
Listed companies: sound system of internal control
Bribery Act: adequate procedures in place to prevent bribery
- Guidance by the Ministry of Justice: include having effective whistleblowing procedures that encourage reporting of suspected bribery
Public Disclosure Act: affords protection to whistleblowers who:
- Are workers
- Disclose information about malpractice in the workplace
- This malpractice has to affect the public interest
- Disclose the information to the right people
Protection from detriment
US - SARBANES-OXLEY
SOX: mandatory Code of Ethics
A confidential, anonymous reporting mechanism
SOX Section 301(4) states that "Each audit committee shall establish procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters."
EU DATA PROTECTION PRINCIPLES
- An individual has a right to know what data is being processed about them;
- Personal data has to be processed fairly and lawfully;
- Personal data must be kept for no longer than is necessary and must be kept accurate and up to date;
- Personal data must be, at all times, kept secure and, where processed by a third party, be managed securely; and
- Personal data should not be transferred outside the European Economic Area to any other country that does not have adequate protection for the rights of the individual.
CONFLICT BETWEEN SOX AND EU DATA PROTECTION LAWS
Breach SOX or breach Data Protection laws?
Anonymity of the reports: high potential to cause significant harm or distress to the reported individuals
Transfer of personal data outside the EEA
- At least to the parent company in the US
Use of hotline providers: controller & processor relationship
- Written agreement
- Mandatory controller actions
- Strict instructions from the controller
High potential to process sensitive personal data
- Criminal offences or suspicions thereof, and criminal convictions
EU SOLUTION
Art. 29 Working Party issued guidelines setting out the recommendations for legitimate SOX whistleblower hotlines:
- Confidentiality preferred rather than anonymity
- Specific data retention periods
- Specific matters that may be reported
- Specific individuals that may be reported
Most EU member States have either issued guidelines or follow this Article 29 Opinion; however, there are still differences between the member States!
DIFFERING STANCES OF EU MEMBER STATES
Compulsion: mandatory or voluntary reporting?
Anonymity: allowed, restricted, or completely prohibited?
Scope limitation:
- All matters may be reported, or are there restricted matters?
- All personal data, or restricting sensitive personal data?
- All individuals may report, or just employees?
How should the report be investigated? As per the parent company's policy or following a local mandatory procedure?
How long should the reports be kept for?
OTHER DIFFERENCES BETWEEN EU MEMBER STATES
Notification requirements: notification, exemption or approval request?
- May depend on the scope of the policy: policies that are too broad will tend to require approval
Permission to transfer personal data outside the EEA: different formalities:
- Exemption still applies
- Exemption falls
- Approval required
Specific requirements of local regulators: need to see the policy?
Labour / Employment law requirements: Works Council approval / consultation?
EU PRIVACY IN THE WORKPLACE
European Convention on Human Rights, Article 8:
- 1. Everyone has the right to respect for his private and family life, his home and his correspondence.
- 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
ECHR case law: this right includes the right to privacy in the workplace. Very relevant throughout Europe.
WHISTLEBLOWING POLICY
Consider the whistleblowing policy! Do you have one? Is a policy necessary / advisable?
Different approaches depending on the:
- Country
- Type of company / industry
- Type of whistleblowing facilities
Tailor it to your specific needs
POLICY & LOCAL LAW
Is the policy compliant with local law?
Does the whistleblowing policy impose limitations / restrictions:
- on what can be reported?
- on who can report?
How was the policy rolled out?
- Data Protection Authorities
- Works Councils
- Translated into the local language
- Display the policy, or just on the intranet?
Whistleblowing procedures:
- Is there a third party hotline provider?
- What is the internal procedure to investigate?
CONSIDERATIONS FOR COMPLIANT WHISTLEBLOWING HOTLINES IN THE EU
Remember country-by-country specifics! One size does not fit all: ethical hotlines must be tailored to meet local requirements
Narrow scope of reports
Anonymity should be a last resort
Strict retention periods should be observed
Third party vendors need to be contractually controlled and guided
WHY DOES ALL THIS MATTER WHEN YOU RECEIVE A WHISTLEBLOWING REPORT?
Organisation may be fined for non-compliance with local Data Protection laws
Organisation may be fined for non-compliance with local Labour / Employment laws on:
- privacy in the workplace
- workers' representation
Whistleblowing detriment cases can be costly to defend:
- Liability is uncapped
- Significant legal costs
- Significant management time diverted from core business
Other costs: internal costs, reputational damage and loss of public trust
- Share price, turnover, profits
- Legal advice to prevent future loss
- Forensic examination
- Greater marketing push to improve public image
- Business disruption
DEALING WITH THE REPORT
Decision on procedure:
- Is it to be investigated as a whistleblower report?
- Is it to be followed up as an internal HR matter?
Process / consequences are different!
DEALING WITH THE REPORT
Decide who will investigate:
- Local subsidiary or parent company?
- Specific investigation procedure, grievance or other procedures?
Investigative actions:
- Consider your monitoring policy and procedures
- Different approaches for different countries
Care:
- Protection from detriment
- Warn whistleblowers of what can happen with their report, especially when, how and why the reported individuals could become aware of the report
Reconfigure your procedures if non-compliant!
FURTHER INFORMATION
For more information please contact:
Monica Salgado, Data Protection & Information Security team, +44 (0)20 7427 6554, Monica.Salgado@speechlys.com
Kirsti Laird, Employment team, +44 (0)20 7427 6411, Kirsti.Laird@speechlys.com