Anonymous Whistleblowing Systems and                       CNIL and European Union Data Protection Measures               ...
Perhaps the most common mechanism                              mandates imposed by European data protectionorganizations h...
must be clearly communicated to those who                      The French Data Protection Model and     may be identified ...
Frequently Asked Questions document is now                        - the name, address, and contact detailsavailable to cla...
transfer across the boundaries of the E.U.                     disclosure, alteration, and destruction” ofpossible.       ...
and how organizations, as well              as   the                                 ®     MYSAFEWORKPLACE SUGGESTED      ...
inform the reporting party that his/her contactMSW and Organizational Compliance: It is              information will be k...
treat reported violations that are financially-        limited exceptions.11 Furthermore, MSW hasrelated. For U.S.-based o...
accused person. Due to the support provided by        Although the CNIL states that its regulationsthe investigative profe...
MSW and Organizational Compliance: Internalprocedural documents should be generated thatoutline the organization’s definit...
Upcoming SlideShare
Loading in …5

Anonymous Whistleblowing Systems and European Union Data Protection Measures


Published on

Published in: Career, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Anonymous Whistleblowing Systems and European Union Data Protection Measures

  1. 1. Anonymous Whistleblowing Systems and CNIL and European Union Data Protection Measures OVERVIEW credence to the reporting party and the potentially increased protection againstAs U.S. companies move into international retaliation that the option of anonymity, many are confronting foreign These distinct U.S./E.U. cultural differencesregulations, which seem to conflict with those resonate clearly in their respective employment-governing operations in the U.S. In the aftermath related laws and regulations.of several corporate debacles, the adoption ofthe Sarbanes-Oxley Act (SOX) in the U.S. in2002 presented new challenges to U.S. Regulationsorganizations, particularly those that are publiclytraded. The decline of public trust in the ethics of Regulated by the Securities and Exchangecorporate America had a resoundingly negative Committee (SEC), the Sarbanes-Oxley Act ofeconomic impact not just in the U.S., but 2002, among other provisions, requires publiclyworldwide. Perhaps the most internationally traded organizations to establish independentchallenging provision of SOX is the requirement audit committees to essentially provide companyfor organizations listed on U.S. stock exchanges oversight regarding financial and accounting-to provide at least one channel of related issues. In the pursuit of suchcommunication by which employees can make responsibility, the audit committee must alsoanonymous reports. Now that the SOX implement a “whistleblower” program to enablecompliance deadline has long since passed, employees, vendors, and any other stakeholdersorganizations are recognizing the special to submit complaints or knowledge of fraudulentchallenges posed by the collision of domestic activity in an anonymous and confidentialand foreign regulations, especially regarding fashion. Organizations are not only responsibleanonymous reporting by employees. for providing a mechanism by which such reports can be received, but must alsoHistorically, the U.S. has provided greater document retention and treatment activities ofemployer protection in the management of submitted complaints. Failure to comply mayemployees engaging in misconduct and criminal result in SEC-enforced sanctions, civil penalties,behavior within the organization. Other and possible de-listing from the stock 2countries, particularly those in the European exchange.Union (E.U.), take a decidedly pro-employee 1approach. In addition, cross cultural beliefs The intent of anonymous reporting channels isregarding the utility of anonymity in employee to encourage employees to report theirreporting are markedly different. While European knowledge of financial misconduct who maysensibility places great value on the rights of the otherwise fear reprisal. In this way,accused, the American perspective lends more organizations may investigate and identify potential problem areas or employees to1 Schreiber, M. E., Held, J. M., Bond, R. T. J., Dana, R., efficiently manage and prevent organizationalRunte, C., & Flower, K. (2006). Anonymous Sarbanes- losses due to employee misconduct.Oxley hotlines for multi-national companies: Compliance withE.U. data protection laws. Retrieved June 5, 2006, from 2 Sarbanes-Oxley Act of 2002. Available:Matters - Ch9.Anonymouns banesoxley072302.pdf.
  2. 2. Perhaps the most common mechanism mandates imposed by European data protectionorganizations have adopted to meet the laws.compliance requirements of SOX is theconfidential fraud hotline. Many third-party As E.U. Member States began adopting theirhotline providers also administer an internet- own data protection measures, the flow ofbased reporting portal in addition to the information across the E.U. became increasinglytraditional hotline. Regardless of the method of restricted due to conflicting mandates. Thereport intake, the option of anonymity is often passage of E.U. Directive 95/46 EC in 1995advertised and sometimes even encouraged, sought to synchronize diverging E.U. legislationwhich further assists organizations in their and all E.U. Member States are required tocompliance efforts. implement regulations consistent with the Directive and establish a supervisory bodySOX compliance, however, is not limited to only responsible for the enforcement of data 4domestic locations. Multinational companies are protection laws.required to implement such mechanismsthroughout their organization to include those The Directive principally covers the “processing”employees working in international locations. of personal data and defines the circumstancesTherefore, many organizations have under which processing is lawful and 5implemented “one-size-fits-all” reporting warranted. In order to legally process personalchannels across the organization, whether data, three conditions must be met:domestic or international. In addition, many transparency, legitimate purpose, andorganizations allow their employees to make proportionality.anonymous complaints about diverse forms ofemployee misconduct, not just those that are ♦ In order to meet the condition offinancial or accounting-related. For example, transparency, the individual whose data is tomany employee hotlines are set up to receive be processed (“data subject”) has the rightreports of sexual harassment, discrimination, to be notified of the processing and must beand unsafe working conditions. Though not given access to all personal data to bemandated by SOX, organizations are quickly processed. The Directive further outlines sixrecognizing the benefits associated with specific situations in which personal datareceiving reports of all forms of employee may be processed and the data subject hasmisconduct and are opening up their reporting the explicit right to modify any inaccuraciesmechanisms to receive such employee 6 in the data to be processed.complaints. ♦ Personal data must be collected only “…for specified, explicit and legitimate purposes…”European Union Data Protection Laws In addition, the possibility that personal data may be collected through a whistleblowingEuropean regulations are rooted in distinctly system and the purpose for such a systemdiffering cultural values related to privacy,particularly in occupational settings. As early as1978, some European countries adopted data 4 European Commission Data Protection . Available:protection legislation governing the use,, and dissemination of the “personal 5 3 Directive 95/46/EC of the European Parliament and of thedata” of any citizen. Any information that allows Council of 24 October 1995 on the protection of individualsfor the direct or indirect identification of with regard to the processing of personal data and on theindividuals constitutes personal data. Generally, free movement of such data. Available:as applied to U.S.-based corporations with operations, the receipt, investigation, 6 These circumstances include: (1) When the data subjecttreatment, and retention of any reports of provided consent for data processing, (2) when theemployee misconduct, financial or otherwise, processing is contractually required, (3) when the processingwould be subject to the restrictions and is required for legal compliance, (4) when the processing is necessary in pursuit of the public interest, (5) when the processing is for the protection of the data subject, or (6)3 Act n° 78-17 of 6 January 1978 on Data Processing, Data when processing is necessary for the legitimate interests ofFiles and Individual Liberties. Available: the data controller, unless superseded by the fundamental rights and freedoms afforded to the data subject.© 2006 Business Controls, Inc. 2 COMPANY CONFIDENTIALAll Rights Reserved MySafeWorkplace® and CNIL/EU Data Protection
  3. 3. must be clearly communicated to those who The French Data Protection Model and may be identified through the reporting Overarching E.U. Implications mechanism. Founded under the Act of January 6, 1978, the♦ The collection of personal data “must be Commission nationale de l’informatique et des adequate, relevant and not excessive in libertés (CNIL) is the administrative body relation to the purposes for which they are established for the enforcement of E.U. and 7 collected or further processed.” That is, State data protection laws in France. In 2005, organizations must limit the types of France enacted legislation making the information collected through reporting implementation of anonymous incident reporting mechanisms to only that information systems by any employer in France unlawful in 1 necessary to meet the purpose(s) set forth the absence of certain precautions. The specific by the implementation of the reporting provisions and dual compliance options will be mechanism (e.g. proper corporate discussed in detail below. However, in general, governance). The level of information administrative and judicial decisions in France reported must be in proportion to the dictate anonymous whistleblowing systems must purpose the collection of such information have a specific and narrow scope with regard to sets out to achieve. the type of data collected. In addition, such mechanisms must be submitted to the CNIL forSince the adoption of the E.U. Data Protection authorization prior to implementation. OtherDirective in 1995, U.S.-based multinational provisions mandate that individuals accused oforganizations face significant challenges across misconduct must have access to the dataall E.U. Member States, as all E.U. Member retained by the organization and must have theStates have separate data protection laws and opportunity to correct any inaccuracies once theregulatory enforcement agencies. Such data has been sufficiently preserved forcircumstances require a comprehensive investigative or evidentiary purposes.evaluation of existing SOX compliance protocolsimplemented internationally and the local It is important to understand the adoptions of thegoverning regulations. CNIL regarding the compliance expectations of U.S.-based multinational companies becauseRecent discussions between relevant U.S. and many of the existing data protection laws acrossE.U. regulatory agencies revealed that, though the E.U. resemble those in France and areU.S. and E.U. legislation appears to conflict on rooted in very similar philosophical values.its face, there are no critical inconsistencies Many E.U. countries, including Germany and theexpressly precluding whistleblower compliance United Kingdom, are rapidly adoptingmechanisms from being implemented in E.U. approaches comparable to those in France 1 regarding the use of anonymous incidentMember States under E.U. data protection law.Much of the work required for resolution of U.S. reporting systems in those Member States.and E.U. regulations lies in ensuring Therefore, such specialized and dual U.S. andimplementation of such systems are tailored to E.U. compliance is not likely to remain limited tomeet the applicable legal requirements. U.S.-based operations in France.Consequently, traditional “one-size-fits-all”systems are a solution of the past and may, infact, expose organizations to legal liability that Striking a Balancecould have been prevented. Recognizing the need to come to some compromise between U.S. and E.U. regulations regarding the use of anonymous whistleblower systems, the CNIL recently published guidelines establishing suggested compliance techniques7 Article 29 Data Protection Working Party. (2006). Opinion to assist multinational organizations confronting1/2006 on the application of EU data protection rules to 8 these apparent conflicts. In addition, ainternal whistleblowing schemes in the fields of accounting,internal accounting controls, auditing matters, fight against 8bribery, banking and financial crime. Available: Commission nationale de l’informatique et des libertés (CNIL). (2005). Guideline document. Available:06/wp117_en.pdf© 2006 Business Controls, Inc. 3 COMPANY CONFIDENTIALAll Rights Reserved MySafeWorkplace® and CNIL/EU Data Protection
  4. 4. Frequently Asked Questions document is now - the name, address, and contact detailsavailable to clarify previously confounding of the person responsible for 9interpretations of the law. The CNIL has compliance in general,ultimately determined that whistleblowing - the name, address, and contact detailssystems, such as those mandated in the U.S. of the person responsible for the right tounder SOX, are “neither allowed nor banned access personal data,under the provisions of the French Labor - the name, address, and contact details 8Code.” Furthermore, the CNIL does not prohibit of the person whom the CNIL canthe use of a third-party service supplier, as long contact, andas the service provider contractually agrees to - a purpose section indicating whatcomply with French and European data service provider or software is utilized,protection laws. However, these decisions were how many persons are covered by thebased upon reporting mechanisms collecting program, implementation year, andonly certain types of personal data, specifically whether data will be transferred outside“…in the fields of accounting, financial audit, of the E.U. (and if so, a list of the 9fight against bribery or banking areas…” In countries involved must be included).addition, data of a particularly serious nature,outside of financially-related incidents, may be ♦ Standard Authorization: Organizationscollected. Seriousness is defined as any facts wishing to implement an anonymousthat “affect the vital interests of the company or incident reporting system to collect data 9its employees’ physical or mental integrity.” outside the scope of that described aboveSome examples of serious issues that would be (e.g. financially related concerns) and thatconsidered acceptable data include threats to does not expressly meet the CNIL’sthe safety of employees, moral and sexual requirements must submit a completeharassment, discrimination, threats to public application to the CNIL for examination at ahealth, and insider trading. plenary session of the CNIL. The CNIL is mandated to review the application withinRegardless, the organization wishing to two months of the filing, provided that noimplement SOX-compliant anonymous reporting additional information is needed by the CNILmechanisms in France is required to have that to make a determination.system authorized by the CNIL. The CNIL hasestablished two authorization processes,depending upon the type of facts the The Governance of Cross-Border Dataorganization is requesting authorization to Transfer – Safe Harborcollect and process. In addition to the mandates and regulations♦ Single/Unique Authorization: This described above, organizations implementing authorization procedure was established to anonymous incident reporting systems expedite the process and allow E.U.- internationally must be cognizant of restrictions compliant organizations to implement SOX- regarding the cross-border transfer of data compliant anonymous reporting originating in the E.U. to countries outside of the mechanisms in a timely manner. The CNIL E.U. Many organizations may find it necessary should receive a filing acknowledgement for U.S. management representatives or audit 1 within one to two weeks of submission. committee members to be made aware of and even investigate employee misconduct occurring The single authorization process, known as in the E.U. that is reported through their a unilateral commitment to comply, is an whistleblower system. However, portions of the internet-based process that requires the E.U. Directive 95/46 EC discussed above also organization to submit the following limit the ability to transfer personal data outside information: of the E.U. and explicitly prohibit data transfer to countries that do not adequately meet E.U. privacy protections. After negotiations between E.U. and U.S. officials, the Safe Harbor9 Commission nationale de l’informatique et des libertés Arrangement was delineated to make data(CNIL). (2006). Frequently asked questions. Available:© 2006 Business Controls, Inc. 4 COMPANY CONFIDENTIALAll Rights Reserved MySafeWorkplace® and CNIL/EU Data Protection
  5. 5. transfer across the boundaries of the E.U. disclosure, alteration, and destruction” ofpossible. personal information retained by the 10 organizationSafe Harbor went into effect in 2000 andprevents multinational organizations from ♦ Data Integrity: Organizations must takeexperiencing business interruptions as a result reasonable steps to ensure the dataof seemingly conflicting, yet equally applicable, collected is that which is necessary to meet 10cross-border regulations. Organizations can the purpose for which it was collected and tojoin the Safe Harbor by a self-certification ensure that it is accurate and reliable.process, renewed annually, in which they agreeto comply with the requirements of Safe Harbor ♦ Enforcement: Adequate and non-and publicly declare that they do so. In order to burdensome recourse mechanisms mustjoin, there are seven Safe Harbor requirements exist for the appropriate investigation andto which organizations must comply: resolution of individual complaints and damages awarded where applicable under♦ Notice: Organizations must notify individuals the relevant law. In addition, there must be that they may collect and use personal a means for verifying organizational information, the purpose for which they adherence to the Safe Harbor principles as would do so, and any third parties with well as accountability for problems resulting whom their information may be shared. In from a failure to comply. Furthermore, addition, individuals must be provided with a consequences for failure to comply must be means by which they can contact the “sufficiently rigorous” to encourage 10 organization. consistent compliance.♦ Choice: Individuals must be given the Organizations reap many benefits for joining the opportunity to authorize the organization to Safe Harbor and maintaining their compliance. disclose personal data to third parties or to First and foremost, perhaps, is the ability to use the information in a manner diverging ensure seamless and efficient organizational from the purposes for which the information communication internationally. In addition, Safe was originally collected. Harbor participation satisfies the adequacy standard for all 25 E.U. Member States, who all♦ Onward Transfer: In order to transfer have very similar data protection regulations. personal information to a third party, the Also, prior approval for data transfers will be organization must first apply the Notice and automatically approved or waived and, subject Choice principles and must further ensure to limitations, all complaints made by E.U. that the third party also subscribes to Safe citizens against U.S. companies will be heard in Harbor principles. In so doing, the the U.S. organization may obtain written agreement from the third party that it provides at least the same level of privacy protection as the applicable regulations dictate.♦ Access: With some exceptions, individuals must be granted access to the information the organization retains about them and must have the opportunity to modify, delete, or otherwise edit inaccuracies.♦ Security: Reasonable precautionary measures must be undertaken to prevent “the loss, misuse, and unauthorized access,10 U.S. Department of Commerce. (n.d.) Welcome to SafeHarbor. Available:© 2006 Business Controls, Inc. 5 COMPANY CONFIDENTIALAll Rights Reserved MySafeWorkplace® and CNIL/EU Data Protection
  6. 6. and how organizations, as well as the ® MYSAFEWORKPLACE SUGGESTED MySafeWorkplace solution, comply. COMPLIANCE TECHNIQUESWith the advent of the recent CNIL regulations Scope of incidents reported and necessaryregarding whistleblower protocols, much of the filing proceduresliterature has focused on compliance overlapbetween SOX and CNIL regulations. For Professional, or external, whistleblower systemsmultinational organizations, this may initially should be authorized by the CNIL prior toappear as a burdensome task. However, it implementation. The types of incidents reportedappears the discrepancy lies within company- upon will direct the authorization process. Yourspecific compliance strategies and organization may choose to adopt only a SOX-implementation choices versus a direct conflict type focused code of conduct and whistleblowerof laws. So what should an organization do? mechanism. If this is the choice, yourOrganizations should ascertain how E.U. data organization may file with the CNIL through theprotection laws apply to those states in which online CNIL single authorization process with no 1the organization operates. Organizations further subsequent CNIL review. This processshould carefully follow any developments in will require submission of the followingregard to whistleblower statutes in each of those information: legal nature of organization; name,E.U. Member States and consider establishing address, and contact details of the entityrelationships with the appropriate local data responsible for the implementation; name, 1protection authorities. Furthermore, address, and contact details for the personorganizations should consider the following responsible for compliance in general; name,convenient guidelines to minimize the address, and contact details for the personpossibilities of violating relevant data protection responsible for the right to access personal data; 1laws : name, address, and contact details for the person whom the CNIL can contact. In addition,♦ Consult with appropriate data protection the notification must include a section that personnel prior to establishing whistleblower iterates which software is used, how many protocols. persons are concerned with the whistleblower system, the year of its implementation, and♦ Ensure employees’ due process rights are whether data will be transferred to countries maintained. outside of the E.U. (Chapter 8). Once the on-line application is received, the CNIL will send an acknowledgement receipt approximately two♦ Ensure that the implemented compliance weeks from the time of submission. Once programs include methods beyond standard received, the organization can implement its whistleblower practices, to include such whistleblower hotline immediately without any options as employee training. additional review by the CNIL.♦ Ensure that data alleging wrongdoing is The other option is for an organization to adopt a preserved for only as long as necessary and more inclusive whistleblower system, which that this data is stored separately from the encompasses broader reporting than that of individual’s personnel file, unless the SOX-related issues. This will require the allegations result in some form of organization to undergo the standard CNIL disciplinary action. review process, which typically consists of a case-by-case review by the CNIL regarding the♦ Ensure that the appropriate steps are taken legitimacy of the program’s purposes, the to guarantee proper transfer of data outside “proportionality” of the contemplated program as 1 of the E.U. (e.g. Safe Harbor certification). well as its transparency to all parties involved. Approval may take months.These recommendations, based on bestpractices, will help organizations be compliantwith applicable state laws and regulations. Thefollowing details more specific CNIL regulations© 2006 Business Controls, Inc. 6 COMPANY CONFIDENTIALAll Rights Reserved MySafeWorkplace® and CNIL/EU Data Protection
  7. 7. inform the reporting party that his/her contactMSW and Organizational Compliance: It is information will be kept confidential. Inultimately the organization’s decision if they addition, if reporting via the internet, MSW haswould like to implement a broad or narrow the technical capabilities to insert a customizedwhistleblower system. The MSW system has the landing page that outlines the necessarycapability to accommodate both. Under the organizational information, to includesingle authorization code for CNIL, titration of confidentiality information and CNILonly SOX-related incident reports is the most regulations, if appropriate.efficient compliance strategy. These mayinclude, but are not limited to, financial,banking, accounting, anti-bribery, or other vital Reporting is not mandatory in the E.U.corporate interests related to such categories. The CNIL indicates that a whistleblower system should not be “compulsory” for employees.MSW provides an all-inclusive list of Contrary to this tenet, SOX regulations stipulateapproximately 60 incident types to all client that employees must report violations or riskorganizations, in turn allowing the organization discipline if they do not report obvious or knownto limit the incidents types. infringements. If an organization has locations in both the U.S. and the E.U., this discrepancy between the two regulations may be a burden inAnonymity cannot be required or “actively regard to communication and implementation ofencouraged” the whistleblower services. One proposed compromise is that organizations not “require”Anonymity is allowed by CNIL as long as it is not reporting, but instead state that they “expect” 9made compulsory and is not actively violations to be reported. In E.U. Memberencouraged by the company. Furthermore, the States, it should be communicated to thereporting party has a choice regarding his/her employees that there will be no adverse actionsanonymity. CNIL requests that, prior to taken against employees who do not use thesubmission of the report, the reporting party be hotline.informed that he/she will not suffer or beretaliated against for the report. Furthermore, MSW and Organizational Compliance: MSWthe reporting party’s identity must be kept does not have authority to dictate whetherconfidential and not disclosed to third parties employees “should” or “must” reportsuch as the incriminated person and theemployee’s line supervisor. The CNIL believes organizational violations, as it simply serves asnon-anonymous reports offer the following a repository for the receipt of reports, allowingadvantages: 1) to avoid or at least limit false further follow-up by appropriate organizationaland/or intentionally slanderous accusations; 2) members and the reporting party. Althoughto organize the protection of the whistleblower MSW is able and willing to consult onagainst retaliation; 3) to ensure a better handling implementation and communication strategies, itof the report, with the option of requesting is ultimately the responsibility of theadditional details on the alleged facts from the organization to organize a strategic method for 2author of the report. the implementation and communication regarding the intended required usage of theMSW and Organizational Compliance: MSW is system.unique in that it employs three anonymityoptions: do not care about anonymity, remaincompletely anonymous, and remain anonymous Cross-Border data transfer obligations iftoward your organization. MSW accepts a personal data is transmitted outside of theneutral stance regarding anonymity and does E.U. member country to the U.S.not encourage a reporting party to select acertain option. Moreover, if reporting via SOX rules and regulations require the chairmantelephone, MSW has the capability to verbally of the audit committee to receive, handle, and© 2006 Business Controls, Inc. 7 COMPANY CONFIDENTIALAll Rights Reserved MySafeWorkplace® and CNIL/EU Data Protection
  8. 8. treat reported violations that are financially- limited exceptions.11 Furthermore, MSW hasrelated. For U.S.-based organizations, these the technical capabilities to educate theindividuals are typically located in the U.S. When professional call center agents handlingnon-financially related reports (e.g. sexual hotline report intake so they can effectivelyharassment) are submitted via the whistleblower educate reporting parties on the organizationalsystem, CNIL regulations deem it appropriate tonot necessitate the review by U.S.-based audit report recipients. In addition, MSW facilitatescommittee members. However, this does not online communication between thealways preclude them from receipt and review of organization and the reporting party such thatthe report, as even routing employment the organization may post information to theconcerns could have a potential impact on reporting party regarding the recipients of 9financial or accounting statements. specified reports.Data transfer outside of the E.U. is acceptableunder E.U. data protection laws if appropriate 9 Prompt notification to the “incriminated”cross-border data protections are utilized. The person requiredU.S. entity receiving the information must haveimplemented a cross-border transfer solution. CNIL purports that the “incriminated” personCurrent options include: 1) consent of the must be notified by the person in charge as soonindividual affected, which oftentimes is as data is collected about him/her. (V-9-16).unreasonable; 2) data protection agreement; Pursuant to Article 39 of the data protection act,and 3) obtain certification for the U.S. Safe information provided to the “incriminated” personHarbor, which is administered by the U.S. cannot contain the confidential informationDepartment of Commerce and enforced by the pertaining to the whistleblower, nor does it needFederal Trade Commission. Pursuant to the to contain the entirety of information initiallyCNIL, it is important to notify the reporting party provided. There is a delay exception whenif the information is transferred outside of the protective measures need to be taken, in theE.U., and also inform them of the receipts of the case of prevention of destruction of This may include, but is not limited to, securing, copying, or performing forensic analysis on 9MSW and Organizational Compliance: MSW appropriate computer systems. This delaycomplies with the E.U. data protection law in exclusion may alleviate concerns regarding theregard to cross-border transfer of information. notification to the alleged suspect prior toMSW was Safe Harbor certified on January 6, employing proper investigatory techniques.2005. Safe Harbor certification provides the Nevertheless, contacting the alleged suspect is a basic principle of the data protection laws in allfollowing benefits: 1) All 25 Member States of E.U. countries and will require, at the very least,the European Union will be bound by the some disclosure to the incriminated person. 9European Commission’s finding of adequacy;2) Companies participating in Safe Harbor will MSW and Organizational Compliance:be deemed adequate and data flow to those Developing and implementing a sound policy forcompanies will continue; 3) Member State notifying “incriminated” individuals accused ofrequirements for prior approval of data wrong doing is the obligation of thetransfers either will be waived or approval will organization. This policy should outline thebe automatically granted; and 4) Claims method of contact and describe whatbrought by European citizens against U.S. information should typically be shared with thecompanies will be heard in the U.S. subject to 11 Extracted from on June 8, 2006.© 2006 Business Controls, Inc. 8 COMPANY CONFIDENTIALAll Rights Reserved MySafeWorkplace® and CNIL/EU Data Protection
  9. 9. accused person. Due to the support provided by Although the CNIL states that its regulationsthe investigative professionals of MSW’s parent only apply to whistleblower mechanisms that areorganization, Business Controls, Inc., MSW has “automated,” a succinct definition of whatthe capability to consult with organizations and defines “automated” is difficult to find. Some documents speculate that exclusion of mail,provide suggested sample procedures, if deemed drop-boxes, or even individual email makesappropriate. Furthermore, MSW is the central 9 appropriate sense. Nevertheless, one cannotrepository for obtaining and retaining all deny the all-encompassing presence ofinformation submitted from the initial report (to electronic means for the receipt, retention,include name of suspected individuals) and dissemination, and response of such inquiries,subsequent updates. The organization may also regardless of the original submission method. Inutilize MSW’s message board capabilities to light of the implications found within the CNILdocument and retain communication with the research and regulations, it is safe to presume“incriminated” individual. that implementation of any whistleblower service, regardless of the available report intake mechanisms is subject to CNIL regulations.Accused individuals have the right torespond, contest, or rectify (change) MSW and Organizational Compliance: MSW isinformation considered an “automated” service and therefore the use of such service is governed byA fundamental right of E.U. data protection laws CNIL regulations. MSW encouragesis to allow the suspected person identified in a organizations to err on the side of caution andreport alleging a violation to access the data, assume that any implemented whistleblowerrequest rectification, or potential deletion of the service will, ultimately, be considered 9information. CNIL posits that such access “automated” and, therefore, necessitatesrights do not include access to information aboutother individuals, such as the whistleblower’s compliance with CNIL regulations and Under certain “blatantly abusive” data protection laws. 9conditions, subject access rights can be denied.MSW and Organizational Compliance: Data Retention RegulationsAccused individuals, unless they are Enterprise The CNIL regulates the length of timePortal Users on the MSW Database, do not have organizations are allowed to retain reports,access to the secure database in which all archive reports, and eventually destroy reports.reports are stored. The organization should, The regulation states that unsubstantiatedtherefore, generate a policy outlining reports should be deleted “immediately.”appropriate procedural steps regarding how to Furthermore, CNIL requires deletion of reportsgather this information from the accused and within two months of closure, unless there ishow to effectively insert the information into the ongoing disciplinary or court action. If there isoriginal report submitted. MSW allows for no further action on the report, the organizationadditions, responses, or requested changes to be must delete the file or archive the data. 9 (Frequently Asked Questions, #17 ). Archivingsubmitted via the message boards. Additionally, of information is permitted for relevant dataMSW retains all initial information and unrelated to or beyond the requiredadditional information in its original form. whistleblower program, especially if it affects the physical safety of others or the vital interests of 9 the organization. This data may be retained forLimiting whistleblowing reporting to mail, up to 30 years (Frequently Asked Questions, 9drop-box, or “non-automated” means #17 ).There appears to be some discrepancy in theCNIL literature describing what reportingmethods, if any, are excepted from CNILregulations regarding whistleblower reporting.© 2006 Business Controls, Inc. 9 COMPANY CONFIDENTIALAll Rights Reserved MySafeWorkplace® and CNIL/EU Data Protection
  10. 10. MSW and Organizational Compliance: Internalprocedural documents should be generated thatoutline the organization’s definition of“unsubstantiated” and all parties responsiblefor labeling and responding to reports as suchshould be accurately educated on the protocols.9Furthermore, effective policies regardinginvestigative and closure procedures must beimplemented by the organization. MSW is ableto delete reports from the database at theorganization’s request. MSW requests that theorganization designate one (or at the most two)contact names of individuals who areresponsible for the communication of requestsrelating to deletion or archiving of reports.Ultimately, it is the responsibility of theorganization to establish protocols formonitoring its database, determination ofclosure rates, and establishment of appropriatecommunication triage to MSW personnel to thedeletion or archival of records. THE FINAL WORDWhile E.U. data protection regulations and bestcompliance practices are quite perplexing, thereare clearly methods organizations can employ toensure their whistleblowing programs arecompliant across all of their locations, domesticor international. It may be appealing to select astrategy and apply it universally throughout theorganization. However, multinationalorganizations do not usually have this option.Therefore, organizations must assess theiroverall needs and choose responsibleimplementation techniques. Furthermore,multinational organizations who are consideringthe option of outsourcing their whistleblowerprogram should be careful to select a vendorwho understands these seemingly conflictingregulations and can articulate how they canassist organizations in compliance, bothdomestically and abroad.As new guidelines and best practices continueto emerge, the organization’s responsibilities arebecoming clearer. However, such guidelines arecontinuing to evolve and we have likely not yetheard the final word regarding E.U. dataprotection regulation compliance requirements.© 2006 Business Controls, Inc. 10 COMPANY CONFIDENTIALAll Rights Reserved MySafeWorkplace® and CNIL/EU Data Protection