In the wake of recent public corporate scandals involving fraud and misconduct, regulators at a global level are increasing their oversight in the area of whistleblower protection as well as issuing substantial fines and penalties to public and private sector organizations for such misconduct. Several jurisdictions have implemented, recently updated, or are introducing whistleblowing laws and anti-retaliation measures in an effort to identify and combat fraud and misconduct across different sectors including financial, pharmaceuticals, and technology. These laws typically include recordkeeping and personal data protection requirements.

Organizations must ensure that their information governance programs and practices adequately account for records and reports generated through their whistleblowing systems. In particular, organizations are actively monitoring EU jurisdictions for local implementation of the EU Whistleblowing Directive (2019/1937) (“EU Directive”) which will occur either through amendments to existing whistleblower related laws or through the introduction of new legislation. The purpose of the EU Directive is to provide greater protection across EU jurisdictions for individuals seeking to expose breaches of EU law and to ensure a comprehensive regime across all EU member states. With the exception of Denmark and Sweden and as it currently stands, the majority of EU jurisdictions will likely not meet the local EU Directive implementation deadline of December 17, 2021.

Whistleblowing 101

Whistleblowing occurs when an individual such as an employee or third-party reports the misconduct of an organization in relation to financial fraud, discriminatory practices, and safety violations. Misconduct which may prompt whistleblowing must rise above personal employment grievances and instead relate to activities that have serious and widespread implications. Whistleblowing complaints relate to activities specifically prohibited by law, discrimination, or proof of a cover-up (i.e., destroying or hiding evidence). Whistleblower protection measures prohibit employers from engaging in direct and indirect adverse actions and retaliation measures against their employees for reporting fraudulent activities. Adverse actions include but are not limited to making threats, dismissals, demotions, denial of overtime or promotion, and reducing wages.

Whistleblowers are important as they help organizations identify fraudulent practices, provide them with an opportunity to mitigate risks, and protect their reputation, provided that matters are resolved internally before being publicized. They also serve the public at large by bringing to the forefront any illegal and fraudulent practices that may have widespread implications for issues such as consumer product safety, environmental protection, and public health. 

Whistleblower legislation generally provides for both internal and external reporting channels. Internal reporting channels allow employees and relevant parties to bring misconduct to an organization’s attention. In the absence of satisfactory internal measures, external whistleblowing reporting channels allow an individual to announce such misconduct to the public through the press, social media, regulatory agencies, or law enforcement.

Information Governance Measures

Whistleblowing legislation generally requires private and public sector organizations to allow written and oral reporting and to retain related records, reports, and whistleblower system documents. Organizations must ensure that they have the consent of the reporting individual for recording any whistleblower related disclosures. For example, the EU Directive provides that in the event that reporting occurs orally through a recorded telephone line or voice messaging system, organizations may, subject to the reporting person’s consent, either record the conversation in a durable and retrievable format or create a complete and accurate transcript of the conversation. Where oral reporting is through an unrecorded system or meeting, organizations may, subject to the reporting person’s consent, document the oral reporting in the form of accurate minutes of the conversation written by the staff member responsible for handling the report. In either situation, organizations must offer the reporting person with an opportunity to check, rectify, and agree to the transcript of the call, conversation, or meeting by signing it. Similar requirements exist in the whistleblower legislation of other jurisdictions.

Organizations must ensure that they retain reports and records for the duration specified under the respective whistleblowing legislation. For example, Sweden’s recently enacted Whistleblowing Act (2021:890) implementing the EU Directive, requires organizations to provide for internal reporting channels, procedures, and follow-up, and keep written reports and documentation of oral reporting for as long as necessary, but no longer than 2 years after a follow-up case has been closed.

In certain jurisdictions, the whistleblower legislation may not include any recordkeeping obligations or may provide a retention obligation without specifying the duration of retention for such records. For example, the EU Directive requires private and public entities to retain records of every received report, without specifying the duration for which such records must be retained. Denmark’s Whistleblower Protection Act (No. 1436 of 29/06/2021) requires organizations to keep written documentation for the establishment of and the procedures for a whistleblower scheme, without specifying the duration of retention. Similarly, the new Whistleblower Act, 2021 in the British Virgin Islands requires organizations to retain disclosures of impropriety in safe custody pending investigation, without specifying the duration of retention.

In the absence of any specified or unspecified statutory retention requirements, organizations should still retain the necessary reports and records for at least the duration of an investigation (including follow-up) and until the matter is resolved or the duration of the limitation period for retaliation actions. In the United States, the state of New York recently expanded protections for whistleblowers by amending its existing whistleblower law (New York Labor Law, Section 740), increasing the limitation period for an employee to file a retaliation claim from 1 to 2 years after the alleged retaliatory action was taken.

Due to the confidential nature of the whistleblower reports and records as well as the material amount of personal data involved, organizations must ensure that they comply with local and regional privacy laws. Essentially, personal data related to the whistleblowing disclosure must only be retained for as long as necessary for the purpose for which the data is collected or processed. For example, the EU Directive provides that any processing of personal data must be carried out in accordance with the EU General Data Protection Regulation (GDPR). Furthermore, personal data which is not relevant for the handling of a specific report must not be collected and, if accidentally collected, must be deleted without undue delay. Similar requirements will be found across the EU Directive implementing legislation in member states, such as Section 7 of Sweden’s Whistleblowing Act (2021:890).

Practical Steps for Organizations

  • Monitor whistleblower legislation and regulatory enforcement actions to ensure that information governance practices are up-to-date and demonstrate legal compliance.
  • Ensure policies and procedures for internal whistleblower reporting channels are documented, reviewed, and updated as necessary.
  • Review information governance programs and records retention schedules to ensure the adequate coverage of whistleblower records and reports.
  • Ensure that whistleblowing records and reports are retained for a duration that is legally compliant, kept available for investigation purposes, and personal data is retained and deleted in compliance with local and regional data protection legislation.
  • Ensure that oral and written reporting meets consent requirements and is documented/transcribed in a format that is easily retrievable.
  • Maintain confidentiality and provide for the secure storage of whistleblower reports and records.