“Confidentiality is the essence of being trusted.”
- Billy Graham
The new EU-wide whistleblowing directive takes effect in December 2021 and requires organisations above a certain size to provide an electronic way to report misconduct without compromising the identity of the person reporting it. In this blog post, we'll be looking at the different aspects one should take into account when evaluating the confidentiality of possible whistleblowing solutions.
In order to comply with the upcoming European Union whistleblower directive, one of the considerations for organisations is to make sure the identity of the whistleblower stays confidential throughout the reporting and the investigation. The size of the penalties or sanctions for breaching this duty will be set by the national legislation of the EU member states when they transpose the directive before December 2021. However, whistleblower laws in countries outside the EU already signal that these punishments are not minor. For example, India’s PID Bill imposes a penalty of imprisonment and a fine for revealing the identity of the whistleblower.
To preserve the confidentiality of the whistleblower, three separate considerations need to be taken into account: organisational measures or how the whistleblower channels should be set and managed; behavioral measures or how the whistleblower should be instructed and communicated with; and technical measures or how to avoid breaches of information both externally and internally.
Organisational measures for confidentiality
One of the main drivers in the directive is that organisations must not hinder or attempt to hinder the reporting of cases. Thus the whistleblowing channel should be easy to find and intuitive to use.
To make sure whistleblowers trust the channel, organisations should also use clear and understandable language, let the whistleblower know who receives the reports and explain that the communication is confidential. Remember, a person reporting wrongdoing or a potential crime may be fearful, cautious and uncertain. They might even have kept the issue to themselves for a long time.
Trustworthiness of the channel creates an environment where confidentiality can begin. To avoid issues going unreported, the channel should also be updated frequently to make sure no information is outdated.
Technical measures for confidentiality
Certain channels, like email, are by nature difficult to keep confidential, and the more severe the issue, the higher the threshold for reporting it unless the technical side of confidentiality is also taken into account. To preserve the confidentiality of your whistleblowing channel, IP addresses must not be stored, and metadata (for example EXIF data in photos or author fields in documents) should be removed from images and attachments before anyone views them. Also, for the dialogue between the whistleblower and the investigators, the credentials issued to the whistleblower need to be anonymous: they must not be tied to a corporate login, email address or any other identifier.
All of the above technical measures are also good reasons why intranet or website forms are rarely enough: whistleblowers may find it difficult to trust that the IT department doesn’t have access to their reports, or that it wouldn’t identify the whistleblower from IP or login details if someone higher up in the hierarchy asked them to do so.
One more technical requirement for the whistleblowing channel is that the email notifications sent from the system must not include the contents of the case. Instead, the email should only state that a message has been received and direct the user to log in to the system to view it.
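As an added example (not code from the original post, and not from incy.io or any other product), the following Python implements two of the measures above on constructed input: stripping every chunk that is not needed to render an uploaded PNG, which is where text comments, timestamps and EXIF-style metadata live in that format, and issuing an opaque case ID plus passphrase for the follow-up dialogue so that the server stores only a salted hash and nothing that links the case to a person. The chunk allow-list, the PBKDF2 parameters and the sample image contents are assumptions for illustration; JPEG, PDF and office documents keep their metadata in different structures and need their own stripping routines.

```python
"""Added example: PNG metadata stripping and anonymous dialogue credentials.

Constructed inputs only; this is not the code of any real whistleblowing product.
"""
import hashlib
import hmac
import secrets
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Assumed allow-list: only chunks a decoder needs to show the picture.
# tEXt, iTXt, zTXt, tIME, eXIf, pHYs and anything else is dropped.
KEEP_CHUNKS = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}
PBKDF2_ROUNDS = 200_000  # assumed work factor


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def _iter_chunks(png: bytes):
    """Yield (type, data) for each chunk, validating structure and CRCs."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:end])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("bad CRC on chunk %r" % ctype)
        yield ctype, data
        pos = end
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND chunk")


def strip_png_metadata(png: bytes) -> bytes:
    """Rebuild the file from the allow-listed chunks only."""
    out = [PNG_SIGNATURE]
    for ctype, data in _iter_chunks(png):
        if ctype in KEEP_CHUNKS:
            out.append(_chunk(ctype, data))
    return b"".join(out)


def png_chunk_types(png: bytes) -> list:
    """Chunk types in file order, useful for checking what survived."""
    return [ctype for ctype, _ in _iter_chunks(png)]


def make_sample_png() -> bytes:
    """Constructed 1x1 red PNG carrying the kind of metadata a camera app leaves."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    raw = b"\x00" + b"\xff\x00\x00"  # filter byte + one red pixel
    return b"".join([
        PNG_SIGNATURE,
        _chunk(b"IHDR", ihdr),
        _chunk(b"tEXt", b"Author\x00Jane Doe"),
        _chunk(b"tEXt", b"Software\x00CorpLaptop-4711 camera app"),
        _chunk(b"IDAT", zlib.compress(raw)),
        _chunk(b"tIME", struct.pack(">HBBBBB", 2021, 12, 17, 9, 30, 0)),
        _chunk(b"IEND", b""),
    ])


def issue_anonymous_credentials() -> tuple:
    """Return (case_id, passphrase, record). Only `record` is stored server-side.

    The case ID is random, so it carries no user, time or sequence information,
    and the record holds no email, IP address or login name to link it to a person.
    """
    case_id = secrets.token_hex(8)
    passphrase = "-".join(secrets.token_hex(2) for _ in range(4))
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
    record = {"case_id": case_id, "salt": salt, "hash": digest}
    return case_id, passphrase, record


def verify_credentials(record: dict, passphrase: str) -> bool:
    """Constant-time check of a passphrase against the stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    original = make_sample_png()
    cleaned = strip_png_metadata(original)
    print("before:", png_chunk_types(original))
    print("after: ", png_chunk_types(cleaned))
    case_id, passphrase, record = issue_anonymous_credentials()
    print("case", case_id, "passphrase", passphrase, "valid:", verify_credentials(record, passphrase))
```

Run the file to see the chunk list shrink to IHDR, IDAT, IEND and a fresh credential pair being verified. In a real deployment the stripping runs on upload, before the file is written to storage, and the passphrase is shown to the whistleblower exactly once and never logged.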
Behavioral instructions for confidentiality
How your organisation’s employees, internal or external investigators and the whistleblower behave and communicate in the channel obviously has an impact on confidentiality. On the whistleblowing channel front page, in the form and in the protected dialogue page, the whistleblower should be instructed to avoid giving personal details in order to preserve their anonymity. These instructions could include not using names or other personally identifiable information in the report or the dialogue.
Many companies have shared computers and devices in common spaces. Using such devices increases the risk of confidentiality being breached. The best option is not to report whistleblowing cases through those computers at all; the second best option is to instruct users to open the channel in the browser’s incognito or private mode. This way other users of the device cannot see the previously visited web pages. Note that private mode only keeps the history off the device: it does not hide the visit from network monitoring, so a device or network the reporter trusts is still the better choice.
As mentioned, proper whistleblower channels should provide the whistleblower with anonymous credentials for the protected dialogue. It’s good practice to advise whistleblowers to store these credentials carefully so that others can’t see them.
When evaluating the confidentiality of a whistleblowing channel, one should remember to take all three aforementioned dimensions into account: organisational measures, technical measures and behavioral instructions. If one fails, so does the confidentiality of the whole process.
An external solution provider can help your organisation with all of them, and especially with the technical measures. If you're contemplating whether you should build a whistleblowing channel internally, read our tips on whether you should build or buy SaaS. On the other hand, if you're looking for an electronic whistleblowing channel that is in line with the new EU directive, ticks all the boxes for anonymity, enables real dialogue, has built-in investigation features and more, have a look at our incy.io | Whistleblowing module and contact us for more information!
We're a tech company with a passion for helping our customers adapt to the fast changing VUCA world. We're doing that by developing easy-to-use SaaS products that make gathering, managing and analysing field information as easy as possible for the end users. Remove gatekeepers, go horizontal and learn from your mistakes before they actually happen. More info at planbrothers.io