What you should know about whistleblowing procedures
Whistleblowing procedures provide safe channels for staff or other informants to report fraud, corruption or other serious wrongdoing in organisations. In the course of such a procedure, the processing of personal data (also known as personal information) will be necessary; for example, information relating to those suspected of wrongdoing, as well as that of the informants and/or other third parties such as witnesses. EU institutions and bodies are obliged to have clear whistleblowing procedures in place. This obligation is placed on them by the EU Staff Regulations, which state that officials who become aware of a possible illegal activity should report it without delay.
What are the main data protection issues?
Confidentiality - The information on the whistleblower and the accused person should be treated with the utmost confidentiality. This is also an important element in encouraging staff to report any wrongdoing.
Data quality - It is important not to process more personal data than necessary. This is achieved by collecting only relevant information in the first place. In practice this means an initial check of the information reported, keeping only the information that is relevant to the case.
Right of information - It is not enough to provide a general privacy notice on the website of an organisation; the persons involved should be informed of how their personal data will be processed as soon as practically possible. The personal information in a whistleblowing report can relate to whistleblowers, the person under investigation, witnesses or other individuals who are mentioned. However, informing the accused person at an early stage may jeopardise the investigation. In such cases, the sharing of specific information with the accused might need to be deferred. Deferral of information should be decided on a case-by-case basis, and the reasons for any restriction should be documented.
Right of access - It is necessary to balance all interests involved in such a request, including those of the whistleblower and the person(s) accused.
Retention period - Reports that do not lead to an investigation should not be kept as long as reports where an investigation has been launched.
Data security - Given that the information processed is sensitive, and that leaks or unauthorised disclosure may have adverse consequences both for the whistleblowers and for the persons accused, special care must be taken over the technical and organisational measures needed to mitigate the risks and ensure data security.
The following non-exhaustive list is a selection of documents for further reading:
Example of EDPS prior check Opinion:
EDPS prior check opinion on the whistleblowing procedure of the European Ombudsman (case 2014-0828)