EU Whistleblower Protection – Compliance Guide: Part 4 – Disclosure Procedures

The Whistleblowing Protection Directive has entered into force and will be implemented to ensure that reporting persons, also known as whistleblowers, have proper protection when reporting possible and actual breaches (disclosures) to the appropriate individuals, as previously discussed here. The Directive also sets out certain procedures that should be followed when reporting any of these breaches. These cover internal reporting, external reporting and public disclosures. In general, reporting persons are encouraged to use internal reporting channels first, before using external reporting channels or disclosing information to the public.

This post will deal with the minimum requirements set out for all three types of disclosures and how this can be used to increase transparency, compliance, and prevention of unlawful actions within your organisation.

Internal Reporting

The Whistleblower Protection Directive requires EU Member States to ensure that entities which fall within the scope of the Directive, both in the private and public sector, establish channels and procedures for internal reporting and for follow-up monitoring and action. These reporting channels should be managed by the appropriate reporting unit (as determined by the organisation). Disclosures can be made verbally or in writing; however, the individual should receive confirmation that the report has been made, and there should be appropriate follow-ups.

Further considerations should include:

  • an internal reporting system which includes proper acknowledgement and diligent follow up procedures;
  • procedures that are designed, established and operated in a secure manner to ensure the confidentiality of the identity of the whistleblower;
  • procedures that allow reporting to other individuals within the organisation (for example, to the Head or Deputy Head) if the reporting person believes the person responsible for the receipt of the report is involved in the breach in any way;
  • information relating to the proper authorities whereby external reporting channels should also be established;
  • ensuring full compliance with the GDPR while processing personal data;
  • ensuring that records are kept for every report received (written or oral) and that they are stored for no longer than necessary; and
  • these procedures must be published widely within the organisation.

External Reporting

In some instances, internal reporting will not be the best method for the disclosure of breaches, and organisations should therefore inform their staff of certain external reporting channels for receiving and handling information. These instances include scenarios where internal disclosures were made but no feedback has been received or nothing has occurred, where immediate attention from an authority is required, or where the employee will be subjected to immediate occupational detriment.

In this regard, the Whistleblower Protection Directive requires the EU Member States’ competent authorities to implement a designated unit to receive, give feedback and follow up on whistleblower reports and to provide these authorities with proper resources.

These authorities should establish independent reporting channels, with requirements that prioritise confidentiality and cover acknowledgement of receipt of disclosures, follow-up and feedback procedures, and procedures for the closing of reports if the breaches are minor. These authorities should communicate the final outcome of the investigation to the reporting persons (if any) and provide these reports to competent institutions.

As per Maltese legislation, certain authorities within Malta should establish easily accessible and identifiable reporting mechanisms that should be available to the whole public. These authorities include, but are not limited to, the following:

  • Auditor General;
  • Commissioner for Revenue;
  • Commissioner for Voluntary Organisations;
  • Financial Intelligence Analysis Unit;
  • Malta Financial Services Authority;
  • Ombudsman;
  • Permanent Commission Against Corruption.

Public Disclosures

A public disclosure relates to the reporting of breaches or potential breaches directly to the media or other sources within the public domain. Individuals who make any public disclosures will only be protected if one of the following occurred:

  • The breach was first reported internally and externally, but no action was taken in response to the initial report;
  • The reporting person reasonably believes that the breach constitutes an imminent or manifest danger to the public interest (for example, a public emergency); or
  • The reporting person reasonably believes that there is a risk of retaliation or that there is a low prospect of the breach being effectively addressed, for example because the evidence may be destroyed or an authority may be in collusion with the perpetrator of the breach.

The Directive provides guidelines for all three types of reporting, and these should be implemented within an organisation for it to be fully compliant with this Directive and the amendment of the Maltese legislation.

At RSM Malta, we will be able to provide you with the following whistleblowing related services:

  • Gap analysis & implementation of policies and procedures
  • Awareness Training to staff members
  • Training to the Whistleblower Reporting Officer (WRO) or Unit
  • Outsourcing Whistleblower Function
  • Ongoing Whistleblower Support
  • Anonymous Fraud Hotline & Reporting Service

For more insights, support and additional information on the application of the Whistleblower Protection Directive, analysis of current whistleblowing policies in place and implementation of policies and procedures within your organisation, reach out to us by contacting [email protected] or [email protected].