Protecting Data Privacy in Global Whistleblowing Schemes

Implementation of a whistleblowing hotline provides businesses with an effective tool to provide their employees with a confidential route to report wrongdoing in the workplace and aid global enterprises in combating fraud, bribery, corruption and financial malpractice.

However, planning a rollout of global whistleblowing lines across territories can be challenging. This is especially true when setting up whistleblowing lines for your organisation when it may be necessary to transfer personal data across international borders. With this comes strict data protection laws which businesses must comply with. Failure to take necessary measures may, in certain territories, result in the imposition of sanctions including financial penalties.

In the EU, the current legal framework surrounding data protection, including transfers across international boundaries, revolves around Articles 25 and 26 of EU Directive 95/46/EC, otherwise referred to as the Data Protection Directive “DPD”. This directive aims at ensuring that all EU members have a coherent and shared set of data privacy laws. Whilst the directive prescribed a minimum standard of data privacy throughout the EU, it did not prevent some members from imposing more rigid requirements.

Consequently, there have been ongoing efforts to create a single set of data protection regulations. In December 2015, the European Commission, the European Council and the European Parliament agreed on the final version of a European Data Protection Regulation which, after a transitional phase, will come into force in 2018.

At present, the EU Data Protection Directive, provides a common basis on which personal data may be transferred from an EEA member state to any other country in the EEA in accordance with the common data protection standards set out in the Directive.

Where personal data is to be transferred to a country outside of the EEA, businesses need to ensure that at least one of the following additional conditions must apply:

• Transfer is to the EU Commissions approved countries/territories outside the EU
• Transfer is made using one of three EU-approved Model Contracts
• Transfer is within a group of companies covered by EU-approved Binding Corporate Rules
• Transfer has the clear and unambiguous consent of the individual data subject(s)
• Transfer is either: authorised by law or by the Data Protection Commissioner; from a public register; necessary for reasons of substantial public interest; necessary in relation to certain contractual and legal proceedings; necessary to protect the vital interests of the individual.

Adequate Levels of Protection

In the UK, businesses should act in strict accordance with the Data Protection Act 1998 and in particular the eighth data protection principle, to ensure that personal data collected shall not be transferred to a country or territory outside the EEA unless there are strictly applied proper measures to ensure an adequate level of protection for the rights and freedoms of data subjects. This principle closely aligns to those included in the EU Directive.

The adequacy of the level of protection afforded by a third country should be assessed in consideration of all circumstances surrounding a data transfer. Particular consideration should be given to the nature of the data, the purpose and duration of processing of data, the country of origin and final country of destination.

Other considerations include the rules of law in force in the third country in question and the professional rules and security measures which are complied with in that country.

The laws associated with privacy and data protection across the globe are often changing as exemplified in October 2015, when the European Court of Justice issued a ruling that annulled the previous retrospective decision by the EU commission. This means that, as of this date, what is essentially safe harbour through EU/US transfer is no longer valid and businesses must now take alternative adequate methods.

Note: The European Commission has since proposed that the Privacy Shield Framework be deemed adequate to enable data transfers under EU law, a proposal that is now in the approval process.

In this environment of changing legislation, it is crucial that businesses who set up whistleblowing lines take appropriate legal advice and work with specialised whistleblowing service providers who will minimise the compliance burden and allow your business to effectively implement whistleblowing hotlines to enhance your businesses ability to combat all wrongdoing.

If you are considering implementation of an external whistleblowing hotline, please contact Sean McAuley, the SeeHearSpeakUp Senior Service Manager, by calling +44 (0)1224 451799