Share this post
A hospital in an EU country enlisted an IT firm to provide a whistleblowing reporting system. The solution was aimed at allowing staff members to make reports of misconduct and other concerning practices so that an investigation team at the hospital could then follow up in a confidential manner.
However, the IT firm’s programme was not compliant with the General Data Protection Regulation (GDPR) and would not have complied with the confidentiality requirements of the EU Whistleblowing Directive. The latter was also a requirement because, at the time when the supervisor fined both parties for their role in the incident, the directive was already transposed into this country’s national law.
Background
Whistleblowers are essential for uncovering wrongdoing within businesses and organisations. Those on the ground who witness illegal or dangerous activity can alert leadership to such incidents before they spread and become embedded. This can reduce the chances of compliance sanctions, reputational damage and, especially in the case of a hospital, illness or even death.
The hospital partnered with the IT firm to develop an internal reporting system. The goal was to allow employees and other stakeholders to report wrongdoing, sparking an investigation that could establish the facts and decide on a course of action to rectify any issues.
However, the software that the IT firm installed contravened GDPR. It logged users that accessed the software by recording their activity and storing it in firewall logs.
This meant that anyone with access to the logs could identify its users, including whistleblowers. At no point did either party inform users about this aspect of the processing of their data.
At the time that this came to light, it meant that both parties faced sanctions for non-compliance with GDPR. But the additional impact could be that anyone reporting misconduct could have their details exposed to the perpetrators of the alleged crimes, leaving them vulnerable to retaliation.
Both parties received fines of €40,000.
What happened next?
It's crucial for your reporting system to protect whistleblower data. This is important both for following GDPR rules and for giving reporting persons the confidence they need to report misconduct without fear of reprisal.
Only authorised personnel should have access to a whistleblower’s report through your internal reporting system. In addition, where the company’s rules and the country’s national law allow, reporting persons can remain anonymous so no other party knows their identity.
In many cases, this is necessary to encourage whistleblowers to come forward with their reports and evidence.
How IntegrityLog helps
IntegrityLog takes whistleblowers' data privacy seriously. Our online reporting system is GDPR-compliant and secure so that only those who need to know the identity of the whistleblower have access to that information. In addition, there is the option to enable anonymous reporting.
Using a trusted system like IntegrityLog ensures your employees can be confident they can make reports in a private manner and helps compliance teams maintain their adherence to the strict EU privacy laws.
Request a demo or request a 14-day free trial to find out how to create a compliant whistleblower reporting system for your organisation.
