Guide to Whistleblowing

Contributing Editors

In this new age of accountability, organisations around the globe are having to navigate a patchwork of new laws designed to protect those who expose corporate misconduct. IEL’s Guide to Whistleblowing examines what constitutes a protective disclosure, the scope of regulations across 18 countries, and the steps businesses must take to ensure compliance with them.

Learn more about the response taken in specific countries or build your own report to compare approaches taken around the world.

Choose countries

 

Choose questions

Choose the questions you would like answering, or choose all for the full picture.

09. What precautions should be taken when setting up a whistleblowing procedure?

09. What precautions should be taken when setting up a whistleblowing procedure?

Flag / Icon

Australia

  • at Lander & Rogers

An entity should analyse how best to structure, draft and present their policy.

An entity should also consider other standards and guidelines to ensure the policy is as up-to-date as it can be.

Entities should take care in determining whether they are complying with all legal requirements under the Corporations Act.

ASIC Regulatory Guide 270 provides a useful overview of what should be included in the policy as follows:

  • policy's purpose;
  • who the policy applies to;
  • matters the policy applies to;
  • who can receive a disclosure;
  • how to make a disclosure;
  • legal protections for disclosures;
  • support and practical protections;
  • handling and investigating disclosures; and
  • ensuring fair treatment of all individuals.
Last updated on 23/08/2022

Flag / Icon

Belgium

  • at Van Olmen & Wynant

Companies should draft a clear and accessible policy that outlines the procedure. The deadlines of the procedure need to be respected and the policy should clarify which situations fall under the scope of the procedure and the fact that reports will enjoy certain protections against retaliation. To implement the procedure itself, bigger companies are advised to use a digital reporting tool as it could be too complicated to use a non-digital system for a large number of employees, which could lead to errors in the procedure and missing deadlines. There are lots of tools out there, from quite simple ones to very intelligent (but also expensive) ones. The company will have to do some market research to find the tool that meets its specific needs.

Last updated on 01/08/2022

Flag / Icon

Brazil

  • at CGM
  • at CGM
  • at CGM

Brazilian law does not explicitly govern this matter, but it is good practice that the whistleblowing procedure must:

  • clearly indicate what type of conduct is subject to whistleblowing;
  • indicate who can make a report, how, when and where to do it – it is recommended to have at least two reportinng channels and it must be clear that reports can be made in a local language;
  • allow anonymous reports;
  • guarantee, to the extent possible, the confidentiality of the proceedings;
  • list the steps of the proceedings and the responsibilities and rights of each involved party (whistleblowers, witnesses, investigators, etc);
  • guarantee non-retaliation against whistleblowers or any person contributing to the investigation; and
  • indicate possible outcomes after the conclusion of the investigation.
Last updated on 29/07/2022

Flag / Icon
Croatia

Croatia

  • at Babic & Partners
  • at Babic & Partners

The following precautions should be taken into account by the company when setting up a whistleblowing procedure:

  • Language of the whistleblowing policy – even though the WBP Act does not explicitly provide that the whistleblowing policy must be available in Croatian, the WBP Act requires that information on the internal whistleblowing procedure must be easily accessible, understandable and effective. If the whistleblowing policy is not prepared in Croatian, the company may run the risk of: the employee claiming that he or she did not properly understand the policy; or in the case of inspection or dispute, the inspection body or court holding that a policy made only in English, or a language other than Croatian, is null and void as not being easily understandable.
  • Appointment of WBP officer and deputy – given that a company must appoint a WBP officer and their deputy at the request of either the works council, union trustee, or 20% of employees of the company (if there is neither a works council nor union trustee), it is advisable that the  company provides in the whistleblower policy that any candidate should be a person of trust and competent to conduct the duties of a WBP officer.
  • WBP officer’s resources – the company must ensure that the WBP officer and their deputy have the resources required to effectively perform their duties, such as providing the officer with a personal computer or laptop and a separate email address for receiving whistleblowing reports, a direct telephone line for receiving whistleblowing reports, a dedicated office for conducting meetings with whistleblowers, and equipment for keeping records of reports.
Last updated on 29/07/2022

Flag / Icon

France

  • at Proskauer
  • at Proskauer

During the processing of the report, the procedure implemented must guarantee the confidentiality of the identity of its authors, the persons concerned and any third party mentioned within.

Moreover, the company must respect guarantees of independence and impartiality in the treatment of reports. These guarantees must be specified in a published application decree.

Companies are also required to comply with GDPR obligations. In this regard, the French Data Protection Authority (CNIL) has published a frame of reference to help public and private organisations implement whistleblowing procedures in compliance with data protection regulations (CNIL deliberation dated 18 July 2019).

Last updated on 29/07/2022

Flag / Icon

Germany

  • at Oppenhoff
  • at Oppenhoff

The reporting channels must be designed in such a way that only the persons responsible for receiving and processing the reports as well as the persons assisting them in fulfilling these tasks have access to the incoming reports. It must, therefore, be ensured that no unauthorised persons have access to the identity of the person making the report or to the report itself. This has implications for the technical design of the internal reporting channel.

Also, the persons entrusted with running the internal reporting office must indeed be independent in the exercise of their activities and the company must ensure that such persons have the necessary expertise. Therefore, smaller or medium-sized companies should especially assess whether it will be more efficient to assign an experienced external ombudsperson to receive and initially process incoming reports. However, the ombudsperson who takes the call in this case is a witness bound to tell the truth, even if this is, for example, a company lawyer.

As per the present draft bill, there is no legal obligation to design the reporting channels in such a way that they enable the submission of anonymous reports. Companies should therefore assess carefully whether they provide systems that enable anonymous reports, as this may increase the number of abusive reports and make enquiries impossible. On the other hand, some ISO standards require the receipt of anonymous reports. Therefore, should a company seek certification according to these ISO standards, the whistleblower procedure to be set up must allow for the processing of anonymous reports.

Last updated on 29/07/2022

Flag / Icon

India

  • at Khaitan & Co
  • at Khaitan & Co

Key aspects that should be borne in mind while formulating a whistleblower policy or procedure are:

  • a special or distinct committee or channel must be created for receiving and handling disclosures, giving the whistleblowing mechanism a separate institutional framework;
  • the reporting mechanism should be systematic, simple and straightforward to facilitate an early and easy disclosure of any wrongdoing. The procedure for disclosure must be easily comprehensible and should be accessible by all employees or individuals associated with the organisation;
  • the policy should provide adequate assurances and comfort regarding confidentiality of the identity of the whistleblower, continuity of association with the organisation, and the steps that the organisation will take to ensure that the whistleblower is not victimised, discriminated against or adversely impacted in any manner according to the disclosure (including facilitating legal assistance at the organisation’s cost, if necessary);
  • the policy should ensure that no action will be taken against whistleblowers who make disclosures in good faith and even allow for anonymous reporting; and
  • identification of what matters may be reported under the policy, the persons against whom such matters can be reported, the process that should be followed by the organisation, remedial measures, details of persons with whom reported information will be shared, and an overview of the mechanism for protecting whistleblowers and persons cooperating with an investigation, etc.  
Last updated on 29/07/2022

Flag / Icon

Japan

  • at City-Yuwa
  • at City-Yuwa
  • at City-Yuwa

The business operator must appoint a person in charge of handling the whistleblowing (article 11 of the Act).

The business operator may provide internal rules, including matters required under the Consumer Affairs Agency Guidelines on the Whistleblower Protection Act[1].


[1]   Consumer Affairs Agency, Guidelines for promoting appropriate and effective implementation of the due measures by the business operators based on Article 11, Paragraphs 1 and 2 of the Whistleblower Protection Act (“Consumer Affairs Agency Guidelines”) [Cabinet Office Notification No.118], , Section 4 (3)(iv) ,at p.4, last visited June 28, 2022.

Last updated on 29/07/2022

Flag / Icon
Latvia

Latvia

  • at Ellex Klavins
  • at Ellex Klavins

The whistleblowing procedure should be established to avoid potential conflicts of interest. Usually, there are one or several employees responsible for the review of whistleblowing reports, or a combination of internal and third-party whistleblowing is used. Companies should avoid situations where, for example, responsible persons might encounter a conflict of interest upon review of whistleblowing reports (ie, if there is no alternative reporting channel and employees would have to report to the perpetrator, who is also the responsible person in the company). In any case, responsible persons who review or analyse whistleblowing reports should be someone with a good reputation and trust in the company.

The principle of data minimisation and confidentiality should be observed throughout the whole procedure.

Last updated on 29/07/2022

Flag / Icon
Lithuania

Lithuania

  • at Ellex Valiunas

When setting up an internal channel for reporting breaches, it is worth considering who will be responsible for its administration, the investigation of information and how the confidentiality of individuals will be protected.

Last updated on 29/07/2022

Flag / Icon
Luxembourg

Luxembourg

  • at Castegnaro
  • at Castegnaro

As follows:

  • The establishment of channels for the receipt of reports that are conceived, set up and managed securely and guarantee the confidentiality of the identity of the author of the report and any third party mentioned, and protect these channels from unauthorised persons;
  • an acknowledgement of receipt sent to the author of the report within seven days of receipt of the report;
  • designation of an impartial person or service competent to follow up on reports;
  • diligent follow-up by the designated person or service;
  • a reasonable time to provide feedback, not exceeding three months from the acknowledgement of receipt of the report or, failing that, three months from the end of the seven-day period following the report; and
  • provision of clear and easily accessible information on the report procedures and their use to the competent authorities.
Last updated on 29/07/2022

Flag / Icon
Nigeria

Nigeria

  • at Bloomfield LP

The precautions that must be put in place when setting up a whistleblowing procedure are anonymity of the whistleblower, effective and reliable processes for investigating anyone accused of unethical conduct and protection of the whistleblower, among others.

Last updated on 29/07/2022

Flag / Icon

Portugal

  • at Cuatrecasas
  • at Cuatrecasas

The completeness, integrity and preservation of the complaint, the confidentiality or anonymity of the complainants and the confidentiality of any third parties mentioned in the complaint must be guaranteed. Unauthorised access must also be prevented.

Last updated on 29/07/2022

Flag / Icon

Romania

  • at STALFORT Legal. Tax. Audit.
  • at STALFORT Legal. Tax. Audit.

The big challenge is to create a system that would strike a balance between better protection and an increased incentive for the whistleblower to notify breaches. As mentioned in question 7, employers need to make a thorough analysis and decide whether to handle the whistleblowing channel from within the company or outsource it to a specialised provider that is known in the Romanian market and trusted by employees.

Last updated on 16/08/2022

Flag / Icon

Spain

  • at Cuatrecasas
  • at Cuatrecasas
  • at Cuatrecasas

Some requirements must be met in the implementation of whistleblowing procedures: easy-to-follow guidelines, confidentiality, and good practice for monitoring, investigation and whistleblower protection.

These precautions are bolstered by sections 18 and 20 of the Constitution. These sections consolidate the rights to privacy, information and freedom of speech that influence Law 3/2018 on Data Protection and the guarantee of Digital Rights, and the Draft.

Last updated on 29/07/2022

Flag / Icon

Sweden

  • at Lindahl
  • at Lindahl
  • at Lindahl

Businesses should ensure that personal data processed through a whistleblowing channel is handled according to the GDPR and the Whistleblowing Act, meaning the personal data controller should implement sufficient technical and organisational safety measures to protect personal data.

Further, employees and other impacted persons should, as a general rule, be informed upfront of any processing of personal data that may take place.

Last updated on 02/08/2022

Flag / Icon

United Kingdom

  • at Proskauer
  • at Proskauer
  • at Proskauer

The Department for Business Innovation and Skills guidance on whistleblowing recommends, as best practice, several practical considerations when setting up a whistleblowing procedure, including, but not limited to:

  • employers should provide training to all workers on how disclosures should be raised and to managers on how to deal with disclosures;
  • organisations should ensure that there are a range of alternative persons who a whistleblower can approach if a worker feels unable to approach their manager; and
  • any clauses in any settlement agreements or non-disclosures agreements (including confidentiality clauses in the employment contract) must not prevent workers from making disclosures in the public interest.
Last updated on 29/07/2022

Flag / Icon

United States

  • at Proskauer
  • at Proskauer

Key elements of an effective whistleblowing procedure include:

  • repeated and consistent messaging from senior leadership regarding the employer’s commitment to creating a “culture of compliance” and encouraging employees to bring forth good-faith complaints without fear of retaliation;
  • policies and procedures for receiving, investigating and addressing employees’ complaints;
  • policies and procedures for receiving, investigating and addressing complaints of retaliation;
  • anti-retaliation policies and related training for employees and managers; and
  • program oversight through ongoing monitoring and periodic audits.

Employers should continuously review and update their policies and procedures to ensure that they keep pace with developments in the business, legal and regulatory landscape.

Last updated on 29/07/2022