
The mention of the UK Data Protection and Digital Information Bill in the King’s Speech to Parliament on 7th November 2023, and the news reports the following day that doctors believe whistleblowing damages careers in the aftermath of the Lucy Letby case, brought the intersection of data protection and whistleblowing to the forefront of my mind.
In an age where data is king, the protection of personal information has become a paramount concern. That concern sits at a nexus with whistleblowing, the act of reporting wrongdoing or misconduct within an organisation, whether internally or to the public. Whistleblowers play a vital role in exposing fraud, corruption, health and safety violations, human rights abuses and even data protection breaches. However, whistleblowers face many risks, such as retaliation, discrimination, harassment, legal action and social isolation. They need adequate protection and support to ensure that they can report both safely and effectively, and effective data protection underpins that process.
Often driven by a sense of duty or moral obligation, whistleblowers play a vital role in shedding light on issues that might otherwise remain hidden. Their actions can lead to societal change, legislative amendments, legal actions and improvements in organisational practices.
In the EU, the governing legislation is the Whistleblower Directive (Directive (EU) 2019/1937). It prohibits any form of retaliation, discrimination or harassment against whistleblowers, requires effective remedies for them and penalties for those who violate their rights, and requires that whistleblowers be given information, advice, support and assistance throughout the reporting process. In the UK, the equivalent legislation is the Public Interest Disclosure Act 1998.
One of the key aspects to be considered is the protection of the personal data of all parties involved in the whistleblowing process. This includes the whistleblower themselves, and the reported person, as well as any witnesses, and any other persons whose data may be disclosed as part of a whistleblowing investigation. The whistleblower is entitled to confidentiality, as are any witnesses, but so too is the person being reported.
It is imperative that the personal data of the whistleblower is protected. The individuals who step forward to expose malpractices may face various risks ranging from potential retaliation within the organisation to broader societal repercussions. Protection of their personal data is a crucial aspect of ensuring their safety and well-being.
To comply with both the Whistleblower Directive and the GDPR (in the UK, the UK GDPR and the Data Protection Act 2018), organisations must respect all of these rights and principles when they process the personal data of individuals in a whistleblowing report. This means that they have to:
- Inform all data subjects about their data processing activities in a clear and transparent manner;
- Keep the whistleblower’s identity confidential, and not disclose it or their personal data to third parties without their explicit consent, unless disclosure is required by law (for example in the context of an investigation or judicial proceedings);
- Limit the collection and use of personal data to what is strictly necessary and relevant to investigating the reported wrongdoing;
- Verify the accuracy and validity of personal data collected from whistleblowers and any other sources relevant to the investigation, and correct or delete any errors or inaccuracies;
- Store all the personal data securely and confidentially, and delete it when it is no longer needed for the investigation or any follow-up legal action;
- Protect the personal data from unauthorised or unlawful access, disclosure, use, alteration or destruction by means of appropriate technical and organisational measures.
What does all this mean for those who run a whistleblowing programme in an organisation? First and foremost, remember that you are processing not just the information of the whistleblower, but also that of the person reported and of any witnesses or third parties who may be part of the wider whistleblowing process. It is key to remember that you should only gather and keep as much information as you need. That can prove challenging, especially when the organisation has no control over what information it will be given as part of a whistleblowing report.
The answer is to have robust data protection policies in place and consistent working practices for all those who may receive a whistleblowing report. In practice this means that those involved know what information to record, what irrelevant personal data to leave out or redact, and who to forward any reports to for further action.
What do you need to do?
- Anonymity and Confidentiality
There should be secure and confidential channels for reporting, enabling whistleblowers to disclose information without revealing their identities. Anonymity shields the whistleblower from potential reprisals and helps ensure their safety. Note that anonymity and confidentiality are different things: a confidential channel means the recipient knows who the whistleblower is but protects that identity, whereas an anonymous channel records no identity at all. An anonymous form is only as anonymous as its surroundings, so the channel must not capture identifying metadata (such as IP addresses, email headers or timestamps that can be matched against access logs) that would allow the reporter to be traced.
- Encryption and Secure Communication
Use of secure platforms and encrypted communication tools means that the information shared remains protected from unauthorised access. Reports should be encrypted both in transit and at rest, access should be restricted to a small, named case-handling team, and that access should be logged and reviewed. Employing robust cyber security measures reduces the risk of data breaches that could compromise the identities of those involved in the whistleblowing process.
- Culture
Cultivating an organisational culture that values integrity and the protection of whistleblowers fosters an environment where individuals will feel safe to come forward without fear of repercussions.
Whistleblowing stands as a cornerstone in exposing wrongdoing within organisations, but it is crucial, from an ethical point of view and equally from a legal perspective, to protect the personal data of each and every individual impacted in the process. Implementing such safeguards offers protection to all involved in the whistleblowing process, and helps foster a culture where transparency and accountability thrive. By implementing robust measures and employing secure solutions, the protection of all parties in the whistleblowing process can be safeguarded, so that the whistleblower feels empowered to speak up without fear, leading to a more ethical and transparent society.