The extensive impact of the EU’s GDPR (General Data Protection Regulation) cannot be overstated.
Most businesses with operations or interests within the EU will be subject to the new data handling requirements. They will also need to accommodate the new rights afforded to the data subject.
But what effect will GDPR have on the experience of whistleblowers, and what might whistleblowing service administrators have to consider in order to meet their obligations?
Definition of key terms
Before looking at the requirements in more detail, it’s important to first understand the way key terms are now defined under GDPR.
Critically, the Regulation has extended the definition of “personal data”. This means the term will now apply in a wider range of situations.
Of equal importance is the definition of “consent”, which the Regulation says must be given by way of a clear affirmative action (rather than implied). This change places greater obligations on Data Handlers to ensure that they can evidence active consent.
GDPR also includes the concept of “pseudonymisation” under Article 4(5). This means processing personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, which must be kept separately and protected.
These slight changes are all aimed at protecting the subject’s personal data – a key issue when you consider the potential ramifications for a whistleblower in the event of a data breach.
Principles of processing under GDPR
Articles 5-11 set out the principles for data processing under the GDPR.
Whilst a large proportion of whistleblowing reports are made anonymously, many contain personal data that is divulged as part of the reporting process.
The processing of personal data can greatly aid effective operation of a whistleblowing service because it allows a more detailed investigation to take place. It also enables the receiving party to provide feedback to the reporter on the outcome of an investigation.
The governing principles for processing personal data under GDPR state that data should be:
- Processed lawfully, fairly and transparently
- Collected for specified, legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and up to date
- Kept in a form which permits identification for no longer than is necessary for the purpose
- Processed in a manner to ensure appropriate security of the data
1. Data Minimisation in a whistleblowing context
‘Data minimisation’ means ensuring only data that is “adequate, relevant and limited to what is necessary” is processed.
When capturing a whistleblowing report, detail is essential. More detail can greatly aid the investigation process, but it can be difficult to determine how much information is “too much”.
Yet even when structured questioning is involved, the whistleblowing process is generally “reporter led”: the reporter will divulge only the information they choose to.
With reporters keen to protect themselves, and non-compliant processors and controllers facing heavy fines under GDPR, both parties will be motivated to avoid unnecessary personal data being shared (and subsequently stored and processed). For this reason, data minimisation may be relatively easy to ensure.
2. Storing whistleblowing report and subject data
Article 5(1)(e) requires that data is not kept for longer than is necessary for the purposes for which the personal data was processed.
Whilst GDPR does not impose an exact timeframe, it may cause data processors and controllers to implement stricter requirements to delete and destroy data which is no longer deemed necessary.
This storage period may vary significantly for whistleblowing reports. In the event of a complex investigation, the data controller may need to retain the data for several months whilst that investigation takes place.
Although a ‘set retention period’ is not always applicable, whistleblowers should be advised that their details will only be retained until the case is closed and the issue resolved.
The lack of a set retention period presents a further issue when we consider the extended consent provisions of Article 7.
Under GDPR, Data Handlers must be able to “demonstrate that the data subject has consented” to the processing of his or her data. The consent must be specific, informed and there must be some form of clear affirmative action.
This means the whistleblower will be more informed about how and where their data is stored and, in turn, can exercise their rights under GDPR should they wish to.
Obtaining consent at outset
The consent requirement presents various obstacles in the whistleblowing process. Whilst obtaining the consent of an individual regarding their own data may be straightforward, what about instances when the reporter shares the data of a third party?
Where a whistleblowing service has been set up by an organisation (whether internally or via a third party provider) for its employees to use, that service exists to protect the reporters’ interests as much as it does to protect the interests of the company.
One way to address the consent requirement for whistleblowing services is to advise all employees (ideally at the outset) that, in the process of running the service, their data may be processed and request their consent to proceed.
It would be advisable to point out at this stage that only data relevant to the report would be processed, and that information would only be held until the report has been fully investigated and resolved.
There are also various requirements under Article 13 which can be addressed at this stage, such as the identity of the controller and any applicable data transfer requirements.
Withdrawal of consent
Whilst employees can be asked to agree to the processing of their data for the whistleblowing service, they are also within their rights to withdraw such consent.
Under Article 7(3), it must be as easy to withdraw as to give consent. For example, if consent is obtained by a signed letter, it must also be possible to withdraw consent with a signed letter.
Rights of the Data Subject
Articles 12-23 outline the rights afforded to Data Subjects under the GDPR, namely:
- Right to access
- Right to data portability
- Right to rectification / Right to erasure
- Right to object
- Right to restriction of processing
In a whistleblowing context, the rights of the data subject may be restricted. For example, it would not be productive to reveal to an individual, in response to a subject access request, that they are the subject of a serious report regarding a criminal offence.
There is provision under Article 23 for Member States to restrict the GDPR subject rights for the “prevention, investigation, detection or prosecution of criminal offences” or civil law claims, which could be relied on in our hypothetical context.
However, no such provisions have yet been enacted or even drafted, so we will examine the rights and their effects in their current form.
1. Right to access
Under Article 15, the Data Subject has the right to obtain confirmation as to whether their personal data is being processed and, if so, to have access to the following information:
- Purpose for processing
- Categories of personal data concerned
- Recipients of the data
- Envisaged period for which the personal data will be stored or the criteria used to determine that period
- The existence of the right for rectification under Article 16 or erasure under Article 17
- The right to lodge a complaint with a supervisory authority
- Where the personal data is not collected from the data subject, any information held as to its source
The last point is of particular concern in the whistleblowing context as it could, theoretically, risk exposing a whistleblower’s identity. The Article 29 Working Party recommends that “under no circumstances can the person accused in a whistleblower’s report obtain information about the identity of the whistleblower”.
This right is likely to be subject to any overriding safeguarding measures required to prevent the destruction of evidence, or other obstructions to the processing and investigation of the report.
2. Right to data portability
In a similar vein, the right of data portability under Article 20 may present issues when considering that the data subject is the subject of a report.
Under data portability, the subject has the right to be provided with the personal data held on them in a structured, commonly used, machine-readable format. They also have the right to transmit that data to another controller without hindrance.
Whilst only the personal data needs to be transferable, the fact remains that the subject is made aware that they are the subject of an ongoing investigation.
3. Right to rectification / Right to erasure
The data subject has the right to have inaccurate or incomplete data corrected without undue delay under Article 16, and the right to erasure (the “right to be forgotten”) under Article 17.
In order to request data erasure, one of the following grounds must apply:
- The personal data is no longer necessary for the purpose it was collected
- Consent is withdrawn
- Processing is deemed unlawful
As the data for a whistleblowing service is only retained for the duration of the investigation, it is unlikely this provision will have wide practical application. The biggest potential stumbling block is where consent is withdrawn.
Whilst providers should be able to remove personal data from reports, investigation of the report may be more difficult without this information.
4. Right to object
With the right to object, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing:
- which override the interests, rights and freedoms of the data subject, or
- for the establishment, exercise or defence of legal claims.
Whilst the subject matter of a whistleblowing report can vary, it is not uncommon for it to have a legal foundation or a criminal dimension. Therefore the right to object under GDPR may be countered on this basis.
5. Right to restriction of processing
The data subject can also restrict the controller’s processing where one of the following applies:
- The accuracy of the data is contested
- The processing is unlawful and the data subject opposes the erasure of the personal data, requesting restriction of its use instead
- The controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims
- The subject has exercised their right to object under Article 21(1)
As a data subject, the whistleblower is put in a much stronger position by GDPR, which affords them more authority over their own data.
This may mean your whistleblowing processes need to change, but it will do so in a way that leaves the reporter better informed and reduces the potential for significant data breaches. This can only be a positive thing for both controllers and reporters.