Anonymous Whistleblowing Systems and
                       CNIL and European Union Data Protection Measures


                      OVERVIEW                                 credence to the reporting party and the
                                                               potentially     increased     protection   against
As U.S. companies move into international                      retaliation that the option of anonymity provides.
markets, many are confronting foreign                          These distinct U.S./E.U. cultural differences
regulations, which seem to conflict with those                 resonate clearly in their respective employment-
governing operations in the U.S. In the aftermath              related laws and regulations.
of several corporate debacles, the adoption of
the Sarbanes-Oxley Act (SOX) in the U.S. in
2002     presented       new     challenges       to           U.S. Regulations
organizations, particularly those that are publicly
traded. The decline of public trust in the ethics of           Regulated by the Securities and Exchange
corporate America had a resoundingly negative                  Committee (SEC), the Sarbanes-Oxley Act of
economic impact not just in the U.S., but                      2002, among other provisions, requires publicly
worldwide. Perhaps the most internationally                    traded organizations to establish independent
challenging provision of SOX is the requirement                audit committees to essentially provide company
for organizations listed on U.S. stock exchanges               oversight regarding financial and accounting-
to provide at least one channel of                             related issues. In the pursuit of such
communication by which employees can make                      responsibility, the audit committee must also
anonymous reports. Now that the SOX                            implement a “whistleblower” program to enable
compliance deadline has long since passed,                     employees, vendors, and any other stakeholders
organizations are recognizing the special                      to submit complaints or knowledge of fraudulent
challenges posed by the collision of domestic                  activity in an anonymous and confidential
and foreign regulations, especially regarding                  fashion. Organizations are not only responsible
anonymous reporting by employees.                              for providing a mechanism by which such
                                                               reports can be received, but must also
Historically, the U.S. has provided greater                    document retention and treatment activities of
employer protection in the management of                       submitted complaints. Failure to comply may
employees engaging in misconduct and criminal                  result in SEC-enforced sanctions, civil penalties,
behavior within the organization. Other                        and possible de-listing from the stock
                                                                          2
countries, particularly those in the European                  exchange.
Union (E.U.), take a decidedly pro-employee
           1
approach. In addition, cross cultural beliefs                  The intent of anonymous reporting channels is
regarding the utility of anonymity in employee                 to encourage employees to report their
reporting are markedly different. While European               knowledge of financial misconduct who may
sensibility places great value on the rights of the            otherwise    fear  reprisal. In    this way,
accused, the American perspective lends more                   organizations may investigate and identify
                                                               potential problem areas or employees to
1
 Schreiber, M. E., Held, J. M., Bond, R. T. J., Dana, R.,      efficiently manage and prevent organizational
Runte, C., & Flower, K. (2006). Anonymous Sarbanes-            losses due to employee misconduct.
Oxley hotlines for multi-national companies: Compliance with
E.U. data protection laws. Retrieved June 5, 2006, from
                                                               2
http://www.theworldlawgroup.com/db30/cgi-bin/pubs/Privacy       Sarbanes-Oxley Act of 2002. Available:
Matters - Ch9.Anonymouns                                       http://fl1.findlaw.com/news.findlaw.com/cnn/docs/gwbush/sar
SOX.PracGuideSOX.Vol2.ELEC.pdf                                 banesoxley072302.pdf.
Perhaps the most common mechanism                              mandates imposed by European data protection
organizations have adopted to meet the                         laws.
compliance requirements of SOX is the
confidential fraud hotline. Many third-party                   As E.U. Member States began adopting their
hotline providers also administer an internet-                 own data protection measures, the flow of
based reporting portal in addition to the                      information across the E.U. became increasingly
traditional hotline. Regardless of the method of               restricted due to conflicting mandates. The
report intake, the option of anonymity is often                passage of E.U. Directive 95/46 EC in 1995
advertised and sometimes even encouraged,                      sought to synchronize diverging E.U. legislation
which further assists organizations in their                   and all E.U. Member States are required to
compliance efforts.                                            implement regulations consistent with the
                                                               Directive and establish a supervisory body
SOX compliance, however, is not limited to only                responsible for the enforcement of data
                                                                                4
domestic locations. Multinational companies are                protection laws.
required to implement such mechanisms
throughout their organization to include those                 The Directive principally covers the “processing”
employees working in international locations.                  of personal data and defines the circumstances
Therefore,     many       organizations     have               under which processing is lawful and
                                                                         5
implemented       “one-size-fits-all”   reporting              warranted. In order to legally process personal
channels across the organization, whether                      data, three conditions must be met:
domestic or international. In addition, many                   transparency,     legitimate    purpose,     and
organizations allow their employees to make                    proportionality.
anonymous complaints about diverse forms of
employee misconduct, not just those that are                   ♦ In      order to meet the condition of
financial or accounting-related. For example,                       transparency, the individual whose data is to
many employee hotlines are set up to receive                        be processed (“data subject”) has the right
reports of sexual harassment, discrimination,                       to be notified of the processing and must be
and unsafe working conditions. Though not                           given access to all personal data to be
mandated by SOX, organizations are quickly                          processed. The Directive further outlines six
recognizing the benefits associated with                            specific situations in which personal data
receiving reports of all forms of employee                          may be processed and the data subject has
misconduct and are opening up their reporting                       the explicit right to modify any inaccuracies
mechanisms to receive such employee                                                              6
                                                                    in the data to be processed.
complaints.
                                                               ♦ Personal data must be collected only “…for
                                                                    specified, explicit and legitimate purposes…”
European Union Data Protection Laws                                 In addition, the possibility that personal data
                                                                    may be collected through a whistleblowing
European regulations are rooted in distinctly                       system and the purpose for such a system
differing cultural values related to privacy,
particularly in occupational settings. As early as
1978, some European countries adopted data                     4
                                                                European Commission Data Protection . Available:
protection legislation governing the use,                      http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm.
processing, and dissemination of the “personal                 5
                     3                                           Directive 95/46/EC of the European Parliament and of the
data” of any citizen. Any information that allows              Council of 24 October 1995 on the protection of individuals
for the direct or indirect identification of                   with regard to the processing of personal data and on the
individuals constitutes personal data. Generally,              free movement of such data. Available:
as applied to U.S.-based corporations with                     http://www.cdt.org/privacy/eudirective/EU_Directive_.html
European operations, the receipt, investigation,               6
                                                                 These circumstances include: (1) When the data subject
treatment, and retention of any reports of                     provided consent for data processing, (2) when the
employee misconduct, financial or otherwise,                   processing is contractually required, (3) when the processing
would be subject to the restrictions and                       is required for legal compliance, (4) when the processing is
                                                               necessary in pursuit of the public interest, (5) when the
                                                               processing is for the protection of the data subject, or (6)
3
 Act n° 78-17 of 6 January 1978 on Data Processing, Data       when processing is necessary for the legitimate interests of
Files and Individual Liberties. Available:                     the data controller, unless superseded by the fundamental
http://www.cnil.fr/fileadmin/documents/uk/78-17VA.pdf.         rights and freedoms afforded to the data subject.


© 2006 Business Controls, Inc.                             2                                COMPANY CONFIDENTIAL
All Rights Reserved                                                       MySafeWorkplace® and CNIL/EU Data Protection
must be clearly communicated to those who                      The French Data Protection Model and
     may be identified through the reporting                        Overarching E.U. Implications
     mechanism.
                                                                    Founded under the Act of January 6, 1978, the
♦ The collection of personal data “must be                          Commission nationale de l’informatique et des
     adequate, relevant and not excessive in                        libertés (CNIL) is the administrative body
     relation to the purposes for which they are                    established for the enforcement of E.U. and
                                      7
     collected or further processed.” That is,                      State data protection laws in France. In 2005,
     organizations must limit the types of                          France enacted legislation making the
     information collected through reporting                        implementation of anonymous incident reporting
     mechanisms to only that information                            systems by any employer in France unlawful in
                                                                                                        1
     necessary to meet the purpose(s) set forth                     the absence of certain precautions. The specific
     by the implementation of the reporting                         provisions and dual compliance options will be
     mechanism       (e.g.   proper     corporate                   discussed in detail below. However, in general,
     governance). The level of information                          administrative and judicial decisions in France
     reported must be in proportion to the                          dictate anonymous whistleblowing systems must
     purpose the collection of such information                     have a specific and narrow scope with regard to
     sets out to achieve.                                           the type of data collected. In addition, such
                                                                    mechanisms must be submitted to the CNIL for
Since the adoption of the E.U. Data Protection                      authorization prior to implementation. Other
Directive in 1995, U.S.-based multinational                         provisions mandate that individuals accused of
organizations face significant challenges across                    misconduct must have access to the data
all E.U. Member States, as all E.U. Member                          retained by the organization and must have the
States have separate data protection laws and                       opportunity to correct any inaccuracies once the
regulatory    enforcement      agencies.   Such                     data has been sufficiently preserved for
circumstances      require   a    comprehensive                     investigative or evidentiary purposes.
evaluation of existing SOX compliance protocols
implemented internationally and the local                           It is important to understand the adoptions of the
governing regulations.                                              CNIL regarding the compliance expectations of
                                                                    U.S.-based multinational companies because
Recent discussions between relevant U.S. and                        many of the existing data protection laws across
E.U. regulatory agencies revealed that, though                      the E.U. resemble those in France and are
U.S. and E.U. legislation appears to conflict on                    rooted in very similar philosophical values.
its face, there are no critical inconsistencies                     Many E.U. countries, including Germany and the
expressly precluding whistleblower compliance                       United     Kingdom,     are    rapidly   adopting
mechanisms from being implemented in E.U.                           approaches comparable to those in France
                                                 1                  regarding the use of anonymous incident
Member States under E.U. data protection law.
Much of the work required for resolution of U.S.                    reporting systems in those Member States.
and E.U. regulations lies in ensuring                               Therefore, such specialized and dual U.S. and
implementation of such systems are tailored to                      E.U. compliance is not likely to remain limited to
meet the applicable legal requirements.                             U.S.-based operations in France.
Consequently,    traditional   “one-size-fits-all”
systems are a solution of the past and may, in
fact, expose organizations to legal liability that                  Striking a Balance
could have been prevented.
                                                                    Recognizing the need to come to some
                                                                    compromise between U.S. and E.U. regulations
                                                                    regarding the use of anonymous whistleblower
                                                                    systems, the CNIL recently published guidelines
                                                                    establishing suggested compliance techniques
7
  Article 29 Data Protection Working Party. (2006). Opinion         to assist multinational organizations confronting
1/2006 on the application of EU data protection rules to                                         8
                                                                    these apparent conflicts.       In addition, a
internal whistleblowing schemes in the fields of accounting,
internal accounting controls, auditing matters, fight against
                                                                    8
bribery, banking and financial crime. Available:                     Commission nationale de l’informatique et des libertés
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/20         (CNIL). (2005). Guideline document. Available:
06/wp117_en.pdf                                                     http://www.cnil.fr/index.php?id=4


© 2006 Business Controls, Inc.                                  3                                COMPANY CONFIDENTIAL
All Rights Reserved                                                            MySafeWorkplace® and CNIL/EU Data Protection
Frequently Asked Questions document is now                        - the name, address, and contact details
available to clarify previously confounding                           of    the    person    responsible     for
                                9
interpretations of the law. The CNIL has                              compliance in general,
ultimately determined that whistleblowing                         -   the name, address, and contact details
systems, such as those mandated in the U.S.                           of the person responsible for the right to
under SOX, are “neither allowed nor banned                            access personal data,
under the provisions of the French Labor                          -   the name, address, and contact details
       8
Code.” Furthermore, the CNIL does not prohibit                        of the person whom the CNIL can
the use of a third-party service supplier, as long                    contact, and
as the service provider contractually agrees to                   -   a purpose section indicating what
comply with French and European data                                  service provider or software is utilized,
protection laws. However, these decisions were                        how many persons are covered by the
based upon reporting mechanisms collecting                            program, implementation year, and
only certain types of personal data, specifically                     whether data will be transferred outside
“…in the fields of accounting, financial audit,                       of the E.U. (and if so, a list of the
                                              9
fight against bribery or banking areas…” In                           countries involved must be included).
addition, data of a particularly serious nature,
outside of financially-related incidents, may be              ♦ Standard        Authorization:   Organizations
collected. Seriousness is defined as any facts                    wishing to implement an anonymous
that “affect the vital interests of the company or                incident reporting system to collect data
                                                 9
its employees’ physical or mental integrity.”                     outside the scope of that described above
Some examples of serious issues that would be                     (e.g. financially related concerns) and that
considered acceptable data include threats to                     does not expressly meet the CNIL’s
the safety of employees, moral and sexual                         requirements must submit a complete
harassment, discrimination, threats to public                     application to the CNIL for examination at a
health, and insider trading.                                      plenary session of the CNIL. The CNIL is
                                                                  mandated to review the application within
Regardless, the organization wishing to                           two months of the filing, provided that no
implement SOX-compliant anonymous reporting                       additional information is needed by the CNIL
mechanisms in France is required to have that                     to make a determination.
system authorized by the CNIL. The CNIL has
established two authorization processes,
depending upon the type of facts the                          The Governance of Cross-Border Data
organization is requesting authorization to                   Transfer – Safe Harbor
collect and process.
                                                              In addition to the mandates and regulations
♦ Single/Unique          Authorization:      This             described above, organizations implementing
     authorization procedure was established to               anonymous         incident     reporting   systems
     expedite the process and allow E.U.-                     internationally must be cognizant of restrictions
     compliant organizations to implement SOX-                regarding the cross-border transfer of data
     compliant        anonymous         reporting             originating in the E.U. to countries outside of the
     mechanisms in a timely manner. The CNIL                  E.U. Many organizations may find it necessary
     should receive a filing acknowledgement                  for U.S. management representatives or audit
                                           1
     within one to two weeks of submission.                   committee members to be made aware of and
                                                              even investigate employee misconduct occurring
     The single authorization process, known as               in the E.U. that is reported through their
     a unilateral commitment to comply, is an                 whistleblower system. However, portions of the
     internet-based process that requires the                 E.U. Directive 95/46 EC discussed above also
     organization to submit the following                     limit the ability to transfer personal data outside
     information:                                             of the E.U. and explicitly prohibit data transfer to
                                                              countries that do not adequately meet E.U.
                                                              privacy protections. After negotiations between
                                                              E.U. and U.S. officials, the Safe Harbor
9
 Commission nationale de l’informatique et des libertés       Arrangement was delineated to make data
(CNIL). (2006). Frequently asked questions. Available:
http://www.cnil.fr/index.php?id=4


© 2006 Business Controls, Inc.                            4                              COMPANY CONFIDENTIAL
All Rights Reserved                                                    MySafeWorkplace® and CNIL/EU Data Protection
transfer across the boundaries of the E.U.                     disclosure, alteration, and destruction” of
possible.                                                      personal information retained by the
                                                                           10
                                                               organization
Safe Harbor went into effect in 2000 and
prevents multinational organizations from                   ♦ Data Integrity: Organizations must take
experiencing business interruptions as a result                reasonable steps to ensure the data
of seemingly conflicting, yet equally applicable,              collected is that which is necessary to meet
                           10
cross-border regulations.     Organizations can                the purpose for which it was collected and to
join the Safe Harbor by a self-certification                   ensure that it is accurate and reliable.
process, renewed annually, in which they agree
to comply with the requirements of Safe Harbor              ♦ Enforcement:       Adequate       and    non-
and publicly declare that they do so. In order to              burdensome recourse mechanisms must
join, there are seven Safe Harbor requirements                 exist for the appropriate investigation and
to which organizations must comply:                            resolution of individual complaints and
                                                               damages awarded where applicable under
♦ Notice: Organizations must notify individuals                the relevant law. In addition, there must be
     that they may collect and use personal                    a means for verifying organizational
     information, the purpose for which they                   adherence to the Safe Harbor principles as
     would do so, and any third parties with                   well as accountability for problems resulting
     whom their information may be shared. In                  from a failure to comply. Furthermore,
     addition, individuals must be provided with a             consequences for failure to comply must be
     means by which they can contact the                       “sufficiently  rigorous”     to    encourage
                                                                                      10
     organization.                                             consistent compliance.

♦ Choice: Individuals must be given the                     Organizations reap many benefits for joining the
     opportunity to authorize the organization to           Safe Harbor and maintaining their compliance.
     disclose personal data to third parties or to          First and foremost, perhaps, is the ability to
     use the information in a manner diverging              ensure seamless and efficient organizational
     from the purposes for which the information            communication internationally. In addition, Safe
     was originally collected.                              Harbor participation satisfies the adequacy
                                                            standard for all 25 E.U. Member States, who all
♦ Onward Transfer: In order to transfer                     have very similar data protection regulations.
     personal information to a third party, the             Also, prior approval for data transfers will be
     organization must first apply the Notice and           automatically approved or waived and, subject
     Choice principles and must further ensure              to limitations, all complaints made by E.U.
     that the third party also subscribes to Safe           citizens against U.S. companies will be heard in
     Harbor principles.       In so doing, the              the U.S.
     organization may obtain written agreement
     from the third party that it provides at least
     the same level of privacy protection as the
     applicable regulations dictate.

♦ Access: With some exceptions, individuals
     must be granted access to the information
     the organization retains about them and
     must have the opportunity to modify, delete,
     or otherwise edit inaccuracies.

♦ Security:        Reasonable      precautionary
     measures must be undertaken to prevent
     “the loss, misuse, and unauthorized access,

10
  U.S. Department of Commerce. (n.d.) Welcome to Safe
Harbor. Available:
http://www.export.gov/safeharbor/index.html


© 2006 Business Controls, Inc.                          5                             COMPANY CONFIDENTIAL
All Rights Reserved                                                 MySafeWorkplace® and CNIL/EU Data Protection
and how organizations, as well              as   the
                                 ®
     MYSAFEWORKPLACE SUGGESTED                          MySafeWorkplace solution, comply.
        COMPLIANCE TECHNIQUES

With the advent of the recent CNIL regulations          Scope of incidents reported and necessary
regarding whistleblower protocols, much of the          filing procedures
literature has focused on compliance overlap
between SOX and CNIL regulations.                 For   Professional, or external, whistleblower systems
multinational organizations, this may initially         should be authorized by the CNIL prior to
appear as a burdensome task. However, it                implementation. The types of incidents reported
appears the discrepancy lies within company-            upon will direct the authorization process. Your
specific      compliance          strategies      and   organization may choose to adopt only a SOX-
implementation choices versus a direct conflict         type focused code of conduct and whistleblower
of laws. So what should an organization do?             mechanism.        If this is the choice, your
Organizations should ascertain how E.U. data            organization may file with the CNIL through the
protection laws apply to those states in which          online CNIL single authorization process with no
                                  1
the organization operates.              Organizations   further subsequent CNIL review. This process
should carefully follow any developments in             will require submission of the following
regard to whistleblower statutes in each of those       information: legal nature of organization; name,
E.U. Member States and consider establishing relationships with the appropriate local data protection authorities.1 Furthermore, organizations should consider the following convenient guidelines to minimize the possibilities of violating relevant data protection laws:1

♦ Consult with appropriate data protection personnel prior to establishing whistleblower protocols.

♦ Ensure employees’ due process rights are maintained.

♦ Ensure that the implemented compliance programs include methods beyond standard whistleblower practices, to include such options as employee training.

♦ Ensure that data alleging wrongdoing is preserved for only as long as necessary and that this data is stored separately from the individual’s personnel file, unless the allegations result in some form of disciplinary action.

♦ Ensure that the appropriate steps are taken to guarantee proper transfer of data outside of the E.U. (e.g. Safe Harbor certification).1

These recommendations, based on best practices, will help organizations be compliant with applicable state laws and regulations. The following details more specific CNIL regulations

address, and contact details of the entity responsible for the implementation; name, address, and contact details for the person responsible for compliance in general; name, address, and contact details for the person responsible for the right to access personal data; name, address, and contact details for the person whom the CNIL can contact. In addition, the notification must include a section that iterates which software is used, how many persons are concerned with the whistleblower system, the year of its implementation, and whether data will be transferred to countries outside of the E.U. (Chapter 8). Once the on-line application is received, the CNIL will send an acknowledgement receipt approximately two weeks from the time of submission. Once received, the organization can implement its whistleblower hotline immediately without any additional review by the CNIL.

The other option is for an organization to adopt a more inclusive whistleblower system, which encompasses broader reporting than that of SOX-related issues. This will require the organization to undergo the standard CNIL review process, which typically consists of a case-by-case review by the CNIL regarding the legitimacy of the program’s purposes, the “proportionality” of the contemplated program as well as its transparency to all parties involved. Approval may take months.

© 2006 Business Controls, Inc.                      6                              COMPANY CONFIDENTIAL
All Rights Reserved                                              MySafeWorkplace® and CNIL/EU Data Protection
MSW and Organizational Compliance: It is ultimately the organization’s decision whether to implement a broad or narrow whistleblower system. The MSW system has the capability to accommodate both. Under the single authorization code for CNIL, limiting intake to only SOX-related incident reports is the most efficient compliance strategy. These may include, but are not limited to, financial, banking, accounting, anti-bribery, or other vital corporate interests related to such categories.

MSW provides an all-inclusive list of approximately 60 incident types to all client organizations, in turn allowing the organization to limit the incident types.

Anonymity cannot be required or “actively encouraged”

Anonymity is allowed by CNIL as long as it is not made compulsory and is not actively encouraged by the company. Furthermore, the reporting party has a choice regarding his/her anonymity. CNIL requests that, prior to submission of the report, the reporting party be informed that he/she will not suffer or be retaliated against for the report. Furthermore, the reporting party’s identity must be kept confidential and not disclosed to third parties such as the incriminated person and the employee’s line supervisor. The CNIL believes non-anonymous reports offer the following advantages: 1) to avoid or at least limit false and/or intentionally slanderous accusations; 2) to organize the protection of the whistleblower against retaliation; 3) to ensure a better handling of the report, with the option of requesting additional details on the alleged facts from the author of the report.2

MSW and Organizational Compliance: MSW is unique in that it employs three anonymity options: do not care about anonymity, remain completely anonymous, and remain anonymous toward your organization. MSW accepts a neutral stance regarding anonymity and does not encourage a reporting party to select a certain option. Moreover, if reporting via telephone, MSW has the capability to verbally inform the reporting party that his/her contact information will be kept confidential. In addition, if reporting via the internet, MSW has the technical capabilities to insert a customized landing page that outlines the necessary organizational information, to include confidentiality information and CNIL regulations, if appropriate.

Reporting is not mandatory in the E.U.

The CNIL indicates that a whistleblower system should not be “compulsory” for employees. Contrary to this tenet, SOX regulations stipulate that employees must report violations or risk discipline if they do not report obvious or known infringements. If an organization has locations in both the U.S. and the E.U., this discrepancy between the two regulations may be a burden in regard to communication and implementation of the whistleblower services. One proposed compromise is that organizations not “require” reporting, but instead state that they “expect” violations to be reported.9 In E.U. Member States, it should be communicated to the employees that there will be no adverse actions taken against employees who do not use the hotline.

MSW and Organizational Compliance: MSW does not have authority to dictate whether employees “should” or “must” report organizational violations, as it simply serves as a repository for the receipt of reports, allowing further follow-up by appropriate organizational members and the reporting party. Although MSW is able and willing to consult on implementation and communication strategies, it is ultimately the responsibility of the organization to organize a strategic method for the implementation and communication regarding the intended required usage of the system.

Cross-Border data transfer obligations if personal data is transmitted outside of the E.U. member country to the U.S.

SOX rules and regulations require the chairman of the audit committee to receive, handle, and
treat reported violations that are financially related. For U.S.-based organizations, these individuals are typically located in the U.S. When non-financially related reports (e.g. sexual harassment) are submitted via the whistleblower system, CNIL regulations deem it appropriate not to necessitate review by U.S.-based audit committee members. However, this does not always preclude them from receipt and review of the report, as even routine employment concerns could have a potential impact on financial or accounting statements.9

Data transfer outside of the E.U. is acceptable under E.U. data protection laws if appropriate cross-border data protections are utilized.9 The U.S. entity receiving the information must have implemented a cross-border transfer solution. Current options include: 1) consent of the individual affected, which oftentimes is unreasonable; 2) a data protection agreement; and 3) certification under the U.S. Safe Harbor, which is administered by the U.S. Department of Commerce and enforced by the Federal Trade Commission. Pursuant to the CNIL, it is important to notify the reporting party if the information is transferred outside of the E.U., and also to inform them of the recipients of the report.

MSW and Organizational Compliance: MSW complies with the E.U. data protection law in regard to cross-border transfer of information. MSW was Safe Harbor certified on January 6, 2005. Safe Harbor certification provides the following benefits: 1) All 25 Member States of the European Union will be bound by the European Commission’s finding of adequacy; 2) Companies participating in Safe Harbor will be deemed adequate and data flow to those companies will continue; 3) Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted; and 4) Claims brought by European citizens against U.S. companies will be heard in the U.S. subject to limited exceptions.11 Furthermore, MSW has the technical capabilities to educate the professional call center agents handling hotline report intake so they can effectively educate reporting parties on the organizational report recipients. In addition, MSW facilitates online communication between the organization and the reporting party such that the organization may post information to the reporting party regarding the recipients of specified reports.

11 Extracted from http://www.export.gov/safeHarbor/index.html on June 8, 2006.

Prompt notification to the “incriminated” person required

CNIL purports that the “incriminated” person must be notified by the person in charge as soon as data is collected about him/her (V-9-16). Pursuant to Article 39 of the data protection act, information provided to the “incriminated” person cannot contain the confidential information pertaining to the whistleblower, nor does it need to contain the entirety of information initially provided. There is a delay exception when protective measures need to be taken, in the case of prevention of destruction of evidence. This may include, but is not limited to, securing, copying, or performing forensic analysis on appropriate computer systems.9 This delay exclusion may alleviate concerns regarding the notification to the alleged suspect prior to employing proper investigatory techniques. Nevertheless, contacting the alleged suspect is a basic principle of the data protection laws in all E.U. countries and will require, at the very least, some disclosure to the incriminated person.9

MSW and Organizational Compliance: Developing and implementing a sound policy for notifying “incriminated” individuals accused of wrongdoing is the obligation of the organization. This policy should outline the method of contact and describe what information should typically be shared with the
accused person. Due to the support provided by the investigative professionals of MSW’s parent organization, Business Controls, Inc., MSW has the capability to consult with organizations and provide suggested sample procedures, if deemed appropriate. Furthermore, MSW is the central repository for obtaining and retaining all information submitted from the initial report (to include names of suspected individuals) and subsequent updates. The organization may also utilize MSW’s message board capabilities to document and retain communication with the “incriminated” individual.

Accused individuals have the right to respond, contest, or rectify (change) information

A fundamental right of E.U. data protection laws is to allow the suspected person identified in a report alleging a violation to access the data, request rectification, or potential deletion of the information.9 CNIL posits that such access rights do not include access to information about other individuals, such as the whistleblower’s name. Under certain “blatantly abusive” conditions, subject access rights can be denied.9

MSW and Organizational Compliance: Accused individuals, unless they are Enterprise Portal Users on the MSW Database, do not have access to the secure database in which all reports are stored. The organization should, therefore, generate a policy outlining appropriate procedural steps regarding how to gather this information from the accused and how to effectively insert the information into the original report submitted. MSW allows for additions, responses, or requested changes to be submitted via the message boards. Additionally, MSW retains all initial information and additional information in its original form.

Limiting whistleblowing reporting to mail, drop-box, or “non-automated” means

There appears to be some discrepancy in the CNIL literature describing what reporting methods, if any, are excepted from CNIL regulations regarding whistleblower reporting. Although the CNIL states that its regulations only apply to whistleblower mechanisms that are “automated,” a succinct definition of what defines “automated” is difficult to find. Some documents speculate that exclusion of mail, drop-boxes, or even individual email makes appropriate sense.9 Nevertheless, one cannot deny the all-encompassing presence of electronic means for the receipt, retention, dissemination, and response of such inquiries, regardless of the original submission method. In light of the implications found within the CNIL research and regulations, it is safe to presume that implementation of any whistleblower service, regardless of the available report intake mechanisms, is subject to CNIL regulations.

MSW and Organizational Compliance: MSW is considered an “automated” service and therefore the use of such service is governed by CNIL regulations. MSW encourages organizations to err on the side of caution and assume that any implemented whistleblower service will, ultimately, be considered “automated” and, therefore, necessitates compliance with CNIL regulations and E.U. data protection laws.

Data Retention Regulations

The CNIL regulates the length of time organizations are allowed to retain reports, archive reports, and eventually destroy reports. The regulation states that unsubstantiated reports should be deleted “immediately.” Furthermore, CNIL requires deletion of reports within two months of closure, unless there is ongoing disciplinary or court action. If there is no further action on the report, the organization must delete the file or archive the data (Frequently Asked Questions, #17).9 Archiving of information is permitted for relevant data unrelated to or beyond the required whistleblower program, especially if it affects the physical safety of others or the vital interests of the organization.9 This data may be retained for up to 30 years (Frequently Asked Questions, #17).9
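The notification passage (prompt notification to the “incriminated” person) and the subject-access passage (the accused person’s right to respond, contest, or rectify) both require that whatever reaches the accused carries nothing about the whistleblower or about other individuals named in the report. The following is an added example written for this page, not code from MSW or Business Controls, Inc.: it shows one way a report store can produce those two purpose-limited views and check them before release. The Report fields, the anonymity values and the sample report are constructed for illustration.

```python
"""Purpose-limited views of a whistleblower report (added example; not MSW
or Business Controls, Inc. code). Field names, anonymity values and the
sample report are constructed for illustration."""
from dataclasses import dataclass, field, asdict
from typing import Optional

# Fields that identify, or could re-identify, the reporting party. Nothing
# derived from these ever reaches the incriminated person.
REPORTER_FIELDS = frozenset({
    "reporter_name", "reporter_email", "reporter_phone", "reporter_department",
})


@dataclass
class Report:
    report_id: str
    category: str                      # e.g. "accounting"
    allegation: str                    # the alleged facts, as submitted
    accused_name: str
    anonymity: str                     # "open" | "anonymous" | "anonymous_to_org" (constructed)
    reporter_name: Optional[str] = None
    reporter_email: Optional[str] = None
    reporter_phone: Optional[str] = None
    reporter_department: Optional[str] = None
    third_parties: list = field(default_factory=list)   # witnesses etc. named in the report
    # True while evidence is being secured; the text allows notification to
    # be delayed until such protective measures are complete.
    evidence_preservation_pending: bool = False


def notification_for_accused(report: Report) -> Optional[dict]:
    """Minimum disclosure to the incriminated person, or None while
    notification must wait for protective measures to finish."""
    if report.evidence_preservation_pending:
        return None
    # Only the allegation itself is passed on: no reporter fields, no third
    # parties, and not the full report record.
    return {
        "report_id": report.report_id,
        "category": report.category,
        "allegation": report.allegation,
        "rights": "You may respond to, contest or request rectification of this information.",
    }


def subject_access_view(report: Report) -> dict:
    """Data-subject access view for the accused: their own data, with the
    whistleblower's details and other individuals' names removed."""
    data = asdict(report)
    for key in REPORTER_FIELDS:
        data.pop(key, None)
    data.pop("third_parties")                  # information about other individuals
    data.pop("evidence_preservation_pending")  # internal case-handling state
    data.pop("anonymity")                      # says nothing about the accused
    return data


def leaks_reporter_identity(view: dict, report: Report) -> bool:
    """Pre-release check: True if any reporter value appears anywhere in the
    view (for instance, the reporter named themselves inside the allegation
    text). A True result means the view needs manual redaction before release."""
    reporter_values = {getattr(report, f) for f in REPORTER_FIELDS} - {None}
    blob = " ".join(str(v) for v in view.values())
    return any(value in blob for value in reporter_values)


# Constructed sample report.
SAMPLE_REPORT = Report(
    report_id="R-2006-0042",
    category="accounting",
    allegation="Invoices from a supplier were approved without a purchase order.",
    accused_name="A. Accused",
    anonymity="anonymous_to_org",
    reporter_name="R. Reporter",
    reporter_email="r.reporter@example.com",
    reporter_department="Accounts Payable",
    third_parties=["W. Witness"],
)

if __name__ == "__main__":
    view = notification_for_accused(SAMPLE_REPORT)
    print(view)
    print("leak check:", leaks_reporter_identity(view, SAMPLE_REPORT))
    print(subject_access_view(SAMPLE_REPORT))
```

The structural redaction (dropping whole fields) is the easy half; the free-text allegation is where identities actually leak, which is why the release check scans every value of the view and hands anything suspicious back to a person rather than attempting automatic rewriting.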
MSW and Organizational Compliance: Internal procedural documents should be generated that outline the organization’s definition of “unsubstantiated,” and all parties responsible for labeling and responding to reports as such should be accurately educated on the protocols.9 Furthermore, effective policies regarding investigative and closure procedures must be implemented by the organization. MSW is able to delete reports from the database at the organization’s request. MSW requests that the organization designate one (or at the most two) contact names of individuals who are responsible for the communication of requests relating to deletion or archiving of reports. Ultimately, it is the responsibility of the organization to establish protocols for monitoring its database, determination of closure rates, and establishment of appropriate communication triage to MSW personnel regarding the deletion or archival of records.
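The retention rules in the Data Retention Regulations section and the MSW note above reduce to a small decision table: delete unsubstantiated reports at once, delete other reports within two months of closure unless disciplinary or court action is ongoing, and archive data of lasting relevance for at most 30 years. As an added example (not MSW code; the outcome names and the case records are constructed), the following encodes that table as a sweep that a compliance function could run against its own case database, flagging reports whose deadline has already passed rather than silently acting on them.

```python
"""Retention sweep for whistleblower reports (added example; not MSW code).
Encodes the time limits the text attributes to CNIL: unsubstantiated
reports are deleted at once, other reports within two months of closure
unless disciplinary or court action is ongoing, and data of lasting
relevance may be archived for up to 30 years. Outcome names and the
sample records are constructed."""
from calendar import monthrange
from datetime import date
from enum import Enum


class Outcome(Enum):
    OPEN = "open"
    UNSUBSTANTIATED = "unsubstantiated"
    SUBSTANTIATED = "substantiated"


class Action(Enum):
    KEEP = "keep"          # still needed: open case or ongoing proceedings
    DELETE = "delete"      # must be erased by the returned deadline
    ARCHIVE = "archive"    # move to the long-term archive by the deadline


CLOSURE_GRACE_MONTHS = 2          # "within two months of closure"
ARCHIVE_LIMIT_MONTHS = 30 * 12    # "up to 30 years"


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic with the standard library only; a day that
    does not exist in the target month is clamped to that month's last day."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def retention_action(outcome, closed_on, today, legal_action_ongoing=False,
                     archive_relevant=False):
    """Return (Action, deadline); deadline is None when nothing is due."""
    if outcome is Outcome.UNSUBSTANTIATED:
        return Action.DELETE, today              # "immediately"
    if outcome is Outcome.OPEN or closed_on is None or legal_action_ongoing:
        return Action.KEEP, None
    deadline = add_months(closed_on, CLOSURE_GRACE_MONTHS)
    if archive_relevant:
        return Action.ARCHIVE, deadline
    return Action.DELETE, deadline


def archive_expired(archived_on: date, today: date) -> bool:
    """True once archived data has reached the 30-year limit."""
    return today >= add_months(archived_on, ARCHIVE_LIMIT_MONTHS)


def sweep(records, today):
    """Decide each record's action as of `today`. The overdue flag marks a
    deadline already missed, which is the finding a review should surface."""
    result = {}
    for r in records:
        action, deadline = retention_action(
            r["outcome"], r.get("closed_on"), today,
            r.get("legal_action_ongoing", False), r.get("archive_relevant", False))
        overdue = deadline is not None and today > deadline
        result[r["report_id"]] = (action, deadline, overdue)
    return result


# Constructed sample case records and review date.
SAMPLE_TODAY = date(2006, 6, 8)
SAMPLE_RECORDS = [
    {"report_id": "R-1", "outcome": Outcome.UNSUBSTANTIATED, "closed_on": date(2006, 5, 1)},
    {"report_id": "R-2", "outcome": Outcome.SUBSTANTIATED, "closed_on": date(2005, 12, 31)},
    {"report_id": "R-3", "outcome": Outcome.SUBSTANTIATED, "closed_on": date(2006, 3, 15),
     "legal_action_ongoing": True},
    {"report_id": "R-4", "outcome": Outcome.SUBSTANTIATED, "closed_on": date(2006, 5, 20),
     "archive_relevant": True},
    {"report_id": "R-5", "outcome": Outcome.OPEN},
]

if __name__ == "__main__":
    for rid, (action, deadline, overdue) in sweep(SAMPLE_RECORDS, SAMPLE_TODAY).items():
        print(rid, action.value, deadline, "OVERDUE" if overdue else "")
```

Closure and archive dates are kept as calendar months rather than fixed day counts so that "two months" and "30 years" match the wording of the rule; the month-end clamp matters for closures on the 29th to 31st, which is why the sample includes a 31 December closure.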


                 THE FINAL WORD

While E.U. data protection regulations and best compliance practices are quite perplexing, there are clearly methods organizations can employ to ensure their whistleblowing programs are compliant across all of their locations, domestic or international. It may be appealing to select a strategy and apply it universally throughout the organization. However, multinational organizations do not usually have this option. Therefore, organizations must assess their overall needs and choose responsible implementation techniques. Furthermore, multinational organizations who are considering the option of outsourcing their whistleblower program should be careful to select a vendor who understands these seemingly conflicting regulations and can articulate how they can assist organizations in compliance, both domestically and abroad.

As new guidelines and best practices continue to emerge, the organization’s responsibilities are becoming clearer. However, such guidelines are continuing to evolve and we have likely not yet heard the final word regarding E.U. data protection regulation compliance requirements.

Ioannis Tzachristas Self-Presentation for MBA.pdf
 
AICTE PPT slide of Engineering college kr pete
AICTE PPT slide of Engineering college kr peteAICTE PPT slide of Engineering college kr pete
AICTE PPT slide of Engineering college kr pete
 
LinkedIn Strategic Guidelines April 2024
LinkedIn Strategic Guidelines April 2024LinkedIn Strategic Guidelines April 2024
LinkedIn Strategic Guidelines April 2024
 
定制(ECU毕业证书)埃迪斯科文大学毕业证毕业证成绩单原版一比一
定制(ECU毕业证书)埃迪斯科文大学毕业证毕业证成绩单原版一比一定制(ECU毕业证书)埃迪斯科文大学毕业证毕业证成绩单原版一比一
定制(ECU毕业证书)埃迪斯科文大学毕业证毕业证成绩单原版一比一
 
Application deck- Cyril Caudroy-2024.pdf
Application deck- Cyril Caudroy-2024.pdfApplication deck- Cyril Caudroy-2024.pdf
Application deck- Cyril Caudroy-2024.pdf
 
Escorts Service Near Surya International Hotel, New Delhi |9873777170| Find H...
Escorts Service Near Surya International Hotel, New Delhi |9873777170| Find H...Escorts Service Near Surya International Hotel, New Delhi |9873777170| Find H...
Escorts Service Near Surya International Hotel, New Delhi |9873777170| Find H...
 
Protection of Children in context of IHL and Counter Terrorism
Protection of Children in context of IHL and  Counter TerrorismProtection of Children in context of IHL and  Counter Terrorism
Protection of Children in context of IHL and Counter Terrorism
 
Graduate Trainee Officer Job in Bank Al Habib 2024.docx
Graduate Trainee Officer Job in Bank Al Habib 2024.docxGraduate Trainee Officer Job in Bank Al Habib 2024.docx
Graduate Trainee Officer Job in Bank Al Habib 2024.docx
 
办澳洲詹姆斯库克大学毕业证成绩单pdf电子版制作修改
办澳洲詹姆斯库克大学毕业证成绩单pdf电子版制作修改办澳洲詹姆斯库克大学毕业证成绩单pdf电子版制作修改
办澳洲詹姆斯库克大学毕业证成绩单pdf电子版制作修改
 
Back on Track: Navigating the Return to Work after Parental Leave
Back on Track: Navigating the Return to Work after Parental LeaveBack on Track: Navigating the Return to Work after Parental Leave
Back on Track: Navigating the Return to Work after Parental Leave
 
ME 205- Chapter 6 - Pure Bending of Beams.pdf
ME 205- Chapter 6 - Pure Bending of Beams.pdfME 205- Chapter 6 - Pure Bending of Beams.pdf
ME 205- Chapter 6 - Pure Bending of Beams.pdf
 
办理老道明大学毕业证成绩单|购买美国ODU文凭证书
办理老道明大学毕业证成绩单|购买美国ODU文凭证书办理老道明大学毕业证成绩单|购买美国ODU文凭证书
办理老道明大学毕业证成绩单|购买美国ODU文凭证书
 
原版快速办理MQU毕业证麦考瑞大学毕业证成绩单留信学历认证
原版快速办理MQU毕业证麦考瑞大学毕业证成绩单留信学历认证原版快速办理MQU毕业证麦考瑞大学毕业证成绩单留信学历认证
原版快速办理MQU毕业证麦考瑞大学毕业证成绩单留信学历认证
 
Unlock Your Creative Potential: 7 Skills for Content Creator Evolution
Unlock Your Creative Potential: 7 Skills for Content Creator EvolutionUnlock Your Creative Potential: 7 Skills for Content Creator Evolution
Unlock Your Creative Potential: 7 Skills for Content Creator Evolution
 
格里菲斯大学毕业证(Griffith毕业证)#文凭成绩单#真实留信学历认证永久存档
格里菲斯大学毕业证(Griffith毕业证)#文凭成绩单#真实留信学历认证永久存档格里菲斯大学毕业证(Griffith毕业证)#文凭成绩单#真实留信学历认证永久存档
格里菲斯大学毕业证(Griffith毕业证)#文凭成绩单#真实留信学历认证永久存档
 
Black and White Minimalist Co Letter.pdf
Black and White Minimalist Co Letter.pdfBlack and White Minimalist Co Letter.pdf
Black and White Minimalist Co Letter.pdf
 
Escort Service Andheri WhatsApp:+91-9833363713
Escort Service Andheri WhatsApp:+91-9833363713Escort Service Andheri WhatsApp:+91-9833363713
Escort Service Andheri WhatsApp:+91-9833363713
 
Jumark Morit Diezmo- Career portfolio- BPED 3A
Jumark Morit Diezmo- Career portfolio- BPED 3AJumark Morit Diezmo- Career portfolio- BPED 3A
Jumark Morit Diezmo- Career portfolio- BPED 3A
 
办理(Salford毕业证书)索尔福德大学毕业证成绩单原版一比一
办理(Salford毕业证书)索尔福德大学毕业证成绩单原版一比一办理(Salford毕业证书)索尔福德大学毕业证成绩单原版一比一
办理(Salford毕业证书)索尔福德大学毕业证成绩单原版一比一
 

Anonymous Whistleblowing Systems and European Union Data Protection Measures

OVERVIEW

As U.S. companies move into international markets, many are confronting foreign regulations which seem to conflict with those governing operations in the U.S. In the aftermath of several corporate debacles, the adoption of the Sarbanes-Oxley Act (SOX) in the U.S. in 2002 presented new challenges to organizations, particularly those that are publicly traded. The decline of public trust in the ethics of corporate America had a resoundingly negative economic impact not just in the U.S., but worldwide. Perhaps the most internationally challenging provision of SOX is the requirement for organizations listed on U.S. stock exchanges to provide at least one channel of communication by which employees can make anonymous reports. Now that the SOX compliance deadline has long since passed, organizations are recognizing the special challenges posed by the collision of domestic and foreign regulations, especially regarding anonymous reporting by employees.

Historically, the U.S. has provided greater employer protection in the management of employees engaging in misconduct and criminal behavior within the organization. Other countries, particularly those in the European Union (E.U.), take a decidedly pro-employee approach.[1] In addition, cross-cultural beliefs regarding the utility of anonymity in employee reporting are markedly different. While European sensibility places great value on the rights of the accused, the American perspective lends more credence to the reporting party and the potentially increased protection against retaliation that the option of anonymity provides. These distinct U.S./E.U. cultural differences resonate clearly in their respective employment-related laws and regulations.

U.S. Regulations

Regulated by the Securities and Exchange Commission (SEC), the Sarbanes-Oxley Act of 2002, among other provisions, requires publicly traded organizations to establish independent audit committees to provide company oversight regarding financial and accounting-related issues. In the pursuit of that responsibility, the audit committee must also implement a "whistleblower" program to enable employees, vendors, and any other stakeholders to submit complaints or knowledge of fraudulent activity in an anonymous and confidential fashion. Organizations are not only responsible for providing a mechanism by which such reports can be received, but must also document the retention and treatment of submitted complaints. Failure to comply may result in SEC-enforced sanctions, civil penalties, and possible de-listing from the stock exchange.[2]

The intent of anonymous reporting channels is to encourage employees who may otherwise fear reprisal to report their knowledge of financial misconduct. In this way, organizations may investigate and identify potential problem areas or employees, and efficiently manage and prevent organizational losses due to employee misconduct.

Perhaps the most common mechanism organizations have adopted to meet the compliance requirements of SOX is the confidential fraud hotline. Many third-party hotline providers also administer an internet-based reporting portal in addition to the traditional hotline. Regardless of the method of report intake, the option of anonymity is often advertised and sometimes even encouraged, which further assists organizations in their compliance efforts.

SOX compliance, however, is not limited to domestic locations. Multinational companies are required to implement such mechanisms throughout their organization, including for those employees working in international locations. Therefore, many organizations have implemented "one-size-fits-all" reporting channels across the organization, whether domestic or international. In addition, many organizations allow their employees to make anonymous complaints about diverse forms of employee misconduct, not just those that are financial or accounting-related. For example, many employee hotlines are set up to receive reports of sexual harassment, discrimination, and unsafe working conditions. Though not mandated by SOX, organizations are quickly recognizing the benefits associated with receiving reports of all forms of employee misconduct and are opening up their reporting mechanisms to receive such employee complaints.

European Union Data Protection Laws

European regulations are rooted in distinctly differing cultural values related to privacy, particularly in occupational settings. As early as 1978, some European countries adopted data protection legislation governing the use, processing, and dissemination of the "personal data" of any citizen.[3] Any information that allows for the direct or indirect identification of individuals constitutes personal data. Generally, as applied to U.S.-based corporations with European operations, the receipt, investigation, treatment, and retention of any reports of employee misconduct, financial or otherwise, would be subject to the restrictions and mandates imposed by European data protection laws.

As E.U. Member States began adopting their own data protection measures, the flow of information across the E.U. became increasingly restricted due to conflicting mandates. The passage of E.U. Directive 95/46/EC in 1995 sought to synchronize diverging E.U. legislation; all E.U. Member States are required to implement regulations consistent with the Directive and to establish a supervisory body responsible for the enforcement of data protection laws.[4]

The Directive principally covers the "processing" of personal data and defines the circumstances under which processing is lawful and warranted.[5] In order to legally process personal data, three conditions must be met: transparency, legitimate purpose, and proportionality.

♦ In order to meet the condition of transparency, the individual whose data is to be processed (the "data subject") has the right to be notified of the processing and must be given access to all personal data to be processed. The Directive further outlines six specific situations in which personal data may be processed,[6] and the data subject has the explicit right to correct any inaccuracies in the data to be processed.

♦ Personal data must be collected only "...for specified, explicit and legitimate purposes..." In addition, the possibility that personal data may be collected through a whistleblowing system, and the purpose of such a system, must be clearly communicated to those who may be identified through the reporting mechanism.

♦ The collection of personal data "must be adequate, relevant and not excessive in relation to the purposes for which they are collected or further processed."[7] That is, organizations must limit the types of information collected through reporting mechanisms to only that information necessary to meet the purpose(s) set forth by the implementation of the reporting mechanism (e.g. proper corporate governance). The level of information reported must be in proportion to the purpose the collection of such information sets out to achieve.

Since the adoption of the E.U. Data Protection Directive in 1995, U.S.-based multinational organizations have faced significant challenges across all E.U. Member States, as each Member State has its own data protection laws and regulatory enforcement agencies. Such circumstances require a comprehensive evaluation of existing SOX compliance protocols implemented internationally against the local governing regulations.

Recent discussions between relevant U.S. and E.U. regulatory agencies revealed that, though U.S. and E.U. legislation appears to conflict on its face, there are no critical inconsistencies expressly precluding whistleblower compliance mechanisms from being implemented in E.U. Member States under E.U. data protection law.[1] Much of the work required to reconcile U.S. and E.U. regulations lies in ensuring that the implementation of such systems is tailored to meet the applicable legal requirements. Consequently, traditional "one-size-fits-all" systems are a solution of the past and may, in fact, expose organizations to legal liability that could have been prevented.

The French Data Protection Model and Overarching E.U. Implications

Founded under the Act of January 6, 1978, the Commission nationale de l'informatique et des libertés (CNIL) is the administrative body established for the enforcement of E.U. and State data protection laws in France. In 2005, France enacted legislation making the implementation of anonymous incident reporting systems by any employer in France unlawful in the absence of certain precautions.[1] The specific provisions and dual compliance options are discussed in detail below. In general, however, administrative and judicial decisions in France dictate that anonymous whistleblowing systems must have a specific and narrow scope with regard to the type of data collected. In addition, such mechanisms must be submitted to the CNIL for authorization prior to implementation. Other provisions mandate that individuals accused of misconduct must have access to the data retained by the organization and must have the opportunity to correct any inaccuracies once the data has been sufficiently preserved for investigative or evidentiary purposes.

It is important to understand the positions adopted by the CNIL regarding the compliance expectations of U.S.-based multinational companies, because many of the existing data protection laws across the E.U. resemble those in France and are rooted in very similar philosophical values. Many E.U. countries, including Germany and the United Kingdom, are rapidly adopting approaches comparable to those in France regarding the use of anonymous incident reporting systems in those Member States.[1] Therefore, such specialized and dual U.S. and E.U. compliance is not likely to remain limited to U.S.-based operations in France.

Striking a Balance

Recognizing the need to come to some compromise between U.S. and E.U. regulations regarding the use of anonymous whistleblower systems, the CNIL recently published guidelines establishing suggested compliance techniques to assist multinational organizations confronting these apparent conflicts.[8] In addition, a Frequently Asked Questions document is now available to clarify previously confounding interpretations of the law.[9] The CNIL has ultimately determined that whistleblowing systems, such as those mandated in the U.S. under SOX, are "neither allowed nor banned under the provisions of the French Labor Code."[8] Furthermore, the CNIL does not prohibit the use of a third-party service supplier, as long as the service provider contractually agrees to comply with French and European data protection laws. However, these decisions were based upon reporting mechanisms collecting only certain types of personal data, specifically "...in the fields of accounting, financial audit, fight against bribery or banking areas..."[9] In addition, data of a particularly serious nature, outside of financially-related incidents, may be collected. Seriousness is defined as any facts that "affect the vital interests of the company or its employees' physical or mental integrity."[9] Some examples of serious issues that would be considered acceptable data include threats to the safety of employees, moral and sexual harassment, discrimination, threats to public health, and insider trading.

Regardless, an organization wishing to implement SOX-compliant anonymous reporting mechanisms in France is required to have that system authorized by the CNIL. The CNIL has established two authorization processes, depending upon the type of facts the organization is requesting authorization to collect and process.

♦ Single/Unique Authorization: This authorization procedure was established to expedite the process and allow E.U.-compliant organizations to implement SOX-compliant anonymous reporting mechanisms in a timely manner. The organization should receive a filing acknowledgement from the CNIL within one to two weeks of submission.[1] The single authorization process, known as a unilateral commitment to comply, is an internet-based process that requires the organization to submit the following information:
  - the name, address, and contact details of the person responsible for compliance in general,
  - the name, address, and contact details of the person responsible for the right to access personal data,
  - the name, address, and contact details of the person whom the CNIL can contact, and
  - a purpose section indicating what service provider or software is utilized, how many persons are covered by the program, the implementation year, and whether data will be transferred outside of the E.U. (and if so, a list of the countries involved must be included).

♦ Standard Authorization: Organizations wishing to implement an anonymous incident reporting system to collect data outside the scope described above (i.e., beyond financially related concerns), or that does not expressly meet the CNIL's requirements, must submit a complete application to the CNIL for examination at a plenary session of the CNIL. The CNIL is mandated to review the application within two months of the filing, provided that no additional information is needed by the CNIL to make a determination.

The Governance of Cross-Border Data Transfer – Safe Harbor

In addition to the mandates and regulations described above, organizations implementing anonymous incident reporting systems internationally must be cognizant of restrictions regarding the cross-border transfer of data originating in the E.U. to countries outside of the E.U. Many organizations may find it necessary for U.S. management representatives or audit committee members to be made aware of, and even investigate, employee misconduct occurring in the E.U. that is reported through their whistleblower system. However, portions of E.U. Directive 95/46/EC discussed above also limit the ability to transfer personal data outside of the E.U. and explicitly prohibit data transfer to countries that do not adequately meet E.U. privacy protections. After negotiations between E.U. and U.S. officials, the Safe Harbor Arrangement was delineated to make data transfer across the boundaries of the E.U. possible.

Safe Harbor went into effect in 2000 and prevents multinational organizations from experiencing business interruptions as a result of seemingly conflicting, yet equally applicable, cross-border regulations.[10] Organizations can join the Safe Harbor by a self-certification process, renewed annually, in which they agree to comply with the requirements of Safe Harbor and publicly declare that they do so. In order to join, there are seven Safe Harbor requirements with which organizations must comply:

♦ Notice: Organizations must notify individuals that they may collect and use personal information, the purpose for which they would do so, and any third parties with whom their information may be shared. In addition, individuals must be provided with a means by which they can contact the organization.[10]

♦ Choice: Individuals must be given the opportunity to authorize the organization to disclose personal data to third parties or to use the information in a manner diverging from the purposes for which the information was originally collected.

♦ Onward Transfer: In order to transfer personal information to a third party, the organization must first apply the Notice and Choice principles and must further ensure that the third party also subscribes to Safe Harbor principles. In so doing, the organization may obtain written agreement from the third party that it provides at least the same level of privacy protection as the applicable regulations dictate.

♦ Access: With some exceptions, individuals must be granted access to the information the organization retains about them and must have the opportunity to modify, delete, or otherwise edit inaccuracies.

♦ Security: Reasonable precautionary measures must be undertaken to prevent "the loss, misuse, and unauthorized access, disclosure, alteration, and destruction" of personal information retained by the organization.[10]

♦ Data Integrity: Organizations must take reasonable steps to ensure that the data collected is that which is necessary to meet the purpose for which it was collected, and to ensure that it is accurate and reliable.

♦ Enforcement: Adequate and non-burdensome recourse mechanisms must exist for the appropriate investigation and resolution of individual complaints, with damages awarded where applicable under the relevant law. In addition, there must be a means for verifying organizational adherence to the Safe Harbor principles as well as accountability for problems resulting from a failure to comply. Furthermore, consequences for failure to comply must be "sufficiently rigorous" to encourage consistent compliance.[10]

Organizations reap many benefits from joining the Safe Harbor and maintaining their compliance. First and foremost, perhaps, is the ability to ensure seamless and efficient organizational communication internationally. In addition, Safe Harbor participation satisfies the adequacy standard for all 25 E.U. Member States, which all have very similar data protection regulations. Also, prior approval for data transfers will be automatically granted or waived and, subject to limitations, all complaints made by E.U. citizens against U.S. companies will be heard in the U.S.

MYSAFEWORKPLACE® SUGGESTED COMPLIANCE TECHNIQUES

With the advent of the recent CNIL regulations regarding whistleblower protocols, much of the literature has focused on the compliance overlap between SOX and CNIL regulations. For multinational organizations, this may initially appear to be a burdensome task. However, it appears the discrepancy lies within company-specific compliance strategies and implementation choices rather than a direct conflict of laws. So what should an organization do? Organizations should ascertain how E.U. data protection laws apply to those states in which the organization operates.[1] Organizations should carefully follow any developments in regard to whistleblower statutes in each of those E.U. Member States and consider establishing relationships with the appropriate local data protection authorities.[1] Furthermore, organizations should consider the following guidelines to minimize the possibility of violating relevant data protection laws:[1]

♦ Consult with appropriate data protection personnel prior to establishing whistleblower protocols.

♦ Ensure employees' due process rights are maintained.

♦ Ensure that the implemented compliance programs include methods beyond standard whistleblower practices, such as employee training.

♦ Ensure that data alleging wrongdoing is preserved only for as long as necessary and that this data is stored separately from the individual's personnel file, unless the allegations result in some form of disciplinary action.

♦ Ensure that the appropriate steps are taken to guarantee proper transfer of data outside of the E.U.[1] (e.g. Safe Harbor certification).

These recommendations, based on best practices, will help organizations be compliant with applicable state laws and regulations. The following details more specific CNIL regulations and how organizations, as well as the MySafeWorkplace® solution, comply.

Scope of incidents reported and necessary filing procedures

Professional, or external, whistleblower systems should be authorized by the CNIL prior to implementation. The types of incidents reported upon will direct the authorization process. Your organization may choose to adopt only a SOX-focused code of conduct and whistleblower mechanism. If this is the choice, your organization may file with the CNIL through the online CNIL single authorization process with no subsequent CNIL review.[1] This process will require submission of the following information: legal nature of the organization; name, address, and contact details of the entity responsible for the implementation; name, address, and contact details for the person responsible for compliance in general; name, address, and contact details for the person responsible for the right to access personal data; and name, address, and contact details for the person whom the CNIL can contact. In addition, the notification must include a section that states which software is used, how many persons are concerned by the whistleblower system, the year of its implementation, and whether data will be transferred to countries outside of the E.U. (Chapter 8). Once the on-line application is received, the CNIL will send an acknowledgement receipt approximately two weeks from the time of submission. Once received, the organization can implement its whistleblower hotline immediately without any additional review by the CNIL.

The other option is for an organization to adopt a more inclusive whistleblower system, which encompasses broader reporting than that of SOX-related issues. This will require the organization to undergo the standard CNIL review process, which typically consists of a case-by-case review by the CNIL regarding the legitimacy of the program's purposes and the "proportionality" of the contemplated program, as well as its transparency to all parties involved. Approval may take months.

MSW and Organizational Compliance: It is ultimately the organization's decision whether to implement a broad or a narrow whistleblower system. The MSW system has the capability to accommodate both. Under the CNIL single authorization, limiting intake to only SOX-related incident reports is the most efficient compliance strategy. These may include, but are not limited to, financial, banking, accounting, anti-bribery, or other vital corporate interests related to such categories. MSW provides an all-inclusive list of approximately 60 incident types to all client organizations, in turn allowing the organization to limit the incident types.

Anonymity cannot be required or "actively encouraged"

Anonymity is allowed by the CNIL as long as it is not made compulsory and is not actively encouraged by the company.[9] Furthermore, the reporting party has a choice regarding his/her anonymity. The CNIL requests that, prior to submission of the report, the reporting party be informed that he/she will not suffer or be retaliated against for the report. Furthermore, the reporting party's identity must be kept confidential and not disclosed to third parties such as the incriminated person and the employee's line supervisor. The CNIL believes non-anonymous reports offer the following advantages: 1) to avoid or at least limit false and/or intentionally slanderous accusations; 2) to organize the protection of the whistleblower against retaliation; 3) to ensure a better handling of the report, with the option of requesting additional details on the alleged facts from the author of the report.[2]

MSW and Organizational Compliance: MSW is unique in that it offers three anonymity options: do not care about anonymity, remain completely anonymous, and remain anonymous toward your organization. MSW takes a neutral stance regarding anonymity and does not encourage a reporting party to select a certain option. Moreover, if reporting via telephone, MSW has the capability to verbally inform the reporting party that his/her contact information will be kept confidential. In addition, if reporting via the internet, MSW has the technical capability to insert a customized landing page that outlines the necessary organizational information, including confidentiality information and CNIL regulations, if appropriate.

Reporting is not mandatory in the E.U.

The CNIL indicates that a whistleblower system should not be "compulsory" for employees. Contrary to this tenet, SOX regulations stipulate that employees must report violations or risk discipline if they do not report obvious or known infringements. If an organization has locations in both the U.S. and the E.U., this discrepancy between the two regulations may be a burden in regard to communication and implementation of the whistleblower services. One proposed compromise is that organizations not "require" reporting, but instead state that they "expect" violations to be reported.[9] In E.U. Member States, it should be communicated to the employees that there will be no adverse actions taken against employees who do not use the hotline.

MSW and Organizational Compliance: MSW does not have authority to dictate whether employees "should" or "must" report organizational violations, as it simply serves as a repository for the receipt of reports, allowing further follow-up by appropriate organizational members and the reporting party. Although MSW is able and willing to consult on implementation and communication strategies, it is ultimately the responsibility of the organization to organize a strategic method for the implementation and communication regarding the intended required usage of the system.

Cross-Border data transfer obligations if personal data is transmitted outside of the E.U. member country to the U.S.

SOX rules and regulations require the chairman of the audit committee to receive, handle, and treat reported violations that are financially-related. For U.S.-based organizations, these individuals are typically located in the U.S. When non-financially related reports (e.g. sexual harassment) are submitted via the whistleblower system, CNIL regulations deem it appropriate not to require review by U.S.-based audit committee members. However, this does not always preclude them from receipt and review of the report, as even routine employment concerns could have a potential impact on financial or accounting statements.[9]

Data transfer outside of the E.U. is acceptable under E.U. data protection laws if appropriate cross-border data protections are utilized.[9] The U.S. entity receiving the information must have implemented a cross-border transfer solution. Current options include: 1) consent of the individual affected, which oftentimes is unreasonable; 2) a data protection agreement; and 3) certification for the U.S. Safe Harbor, which is administered by the U.S. Department of Commerce and enforced by the Federal Trade Commission.

... limited exceptions.[11] Furthermore, MSW has the technical capability to educate the professional call center agents handling hotline report intake so they can effectively educate reporting parties on the organizational report recipients. In addition, MSW facilitates online communication between the organization and the reporting party such that the organization may post information to the reporting party regarding the recipients of specified reports.

Prompt notification to the "incriminated" person required

The CNIL states that the "incriminated" person must be notified by the person in charge as soon as data is collected about him/her (V-9-16). Pursuant to Article 39 of the data protection act, information provided to the "incriminated" person cannot contain the confidential information pertaining to the whistleblower, nor does it need

Notes

[1] Schreiber, M. E., Held, J. M., Bond, R. T. J., Dana, R., Runte, C., & Flower, K. (2006). Anonymous Sarbanes-Oxley hotlines for multi-national companies: Compliance with E.U. data protection laws. Retrieved June 5, 2006, from http://www.theworldlawgroup.com/db30/cgi-bin/pubs/Privacy Matters - Ch9.Anonymouns SOX.PracGuideSOX.Vol2.ELEC.pdf
[2] Sarbanes-Oxley Act of 2002. Available: http://fl1.findlaw.com/news.findlaw.com/cnn/docs/gwbush/sarbanesoxley072302.pdf
[3] Act n° 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties. Available: http://www.cnil.fr/fileadmin/documents/uk/78-17VA.pdf
[4] European Commission Data Protection. Available: http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm
[5] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Available: http://www.cdt.org/privacy/eudirective/EU_Directive_.html
[6] These circumstances include: (1) when the data subject provided consent for data processing, (2) when the processing is contractually required, (3) when the processing is required for legal compliance, (4) when the processing is necessary in pursuit of the public interest, (5) when the processing is for the protection of the data subject, or (6) when processing is necessary for the legitimate interests of the data controller, unless superseded by the fundamental rights and freedoms afforded to the data subject.
[7] Article 29 Data Protection Working Party. (2006). Opinion 1/2006 on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime. Available: http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/wp117_en.pdf
[8] Commission nationale de l'informatique et des libertés (CNIL). (2005). Guideline document. Available: http://www.cnil.fr/index.php?id=4
[9] Commission nationale de l'informatique et des libertés (CNIL). (2006). Frequently asked questions. Available: http://www.cnil.fr/index.php?id=4
[10] U.S. Department of Commerce. (n.d.) Welcome to Safe Harbor. Available: http://www.export.gov/safeharbor/index.html

© 2006 Business Controls, Inc. COMPANY CONFIDENTIAL All Rights Reserved MySafeWorkplace® and CNIL/EU Data Protection
Pursuant to the to contain the entirety of information initially CNIL, it is important to notify the reporting party provided. There is a delay exception when if the information is transferred outside of the protective measures need to be taken, in the E.U., and also inform them of the receipts of the case of prevention of destruction of evidence. report. This may include, but is not limited to, securing, copying, or performing forensic analysis on 9 MSW and Organizational Compliance: MSW appropriate computer systems. This delay complies with the E.U. data protection law in exclusion may alleviate concerns regarding the regard to cross-border transfer of information. notification to the alleged suspect prior to MSW was Safe Harbor certified on January 6, employing proper investigatory techniques. 2005. Safe Harbor certification provides the Nevertheless, contacting the alleged suspect is a basic principle of the data protection laws in all following benefits: 1) All 25 Member States of E.U. countries and will require, at the very least, the European Union will be bound by the some disclosure to the incriminated person. 9 European Commission’s finding of adequacy; 2) Companies participating in Safe Harbor will MSW and Organizational Compliance: be deemed adequate and data flow to those Developing and implementing a sound policy for companies will continue; 3) Member State notifying “incriminated” individuals accused of requirements for prior approval of data wrong doing is the obligation of the transfers either will be waived or approval will organization. This policy should outline the be automatically granted; and 4) Claims method of contact and describe what brought by European citizens against U.S. information should typically be shared with the companies will be heard in the U.S. subject to 11 Extracted from http://www.export.gov/safeHarbor/index.html on June 8, 2006. © 2006 Business Controls, Inc. 
8 COMPANY CONFIDENTIAL All Rights Reserved MySafeWorkplace® and CNIL/EU Data Protection
  • 9. accused person. Due to the support provided by Although the CNIL states that its regulations the investigative professionals of MSW’s parent only apply to whistleblower mechanisms that are organization, Business Controls, Inc., MSW has “automated,” a succinct definition of what the capability to consult with organizations and defines “automated” is difficult to find. Some documents speculate that exclusion of mail, provide suggested sample procedures, if deemed drop-boxes, or even individual email makes appropriate. Furthermore, MSW is the central 9 appropriate sense. Nevertheless, one cannot repository for obtaining and retaining all deny the all-encompassing presence of information submitted from the initial report (to electronic means for the receipt, retention, include name of suspected individuals) and dissemination, and response of such inquiries, subsequent updates. The organization may also regardless of the original submission method. In utilize MSW’s message board capabilities to light of the implications found within the CNIL document and retain communication with the research and regulations, it is safe to presume “incriminated” individual. that implementation of any whistleblower service, regardless of the available report intake mechanisms is subject to CNIL regulations. Accused individuals have the right to respond, contest, or rectify (change) MSW and Organizational Compliance: MSW is information considered an “automated” service and therefore the use of such service is governed by A fundamental right of E.U. data protection laws CNIL regulations. MSW encourages is to allow the suspected person identified in a organizations to err on the side of caution and report alleging a violation to access the data, assume that any implemented whistleblower request rectification, or potential deletion of the service will, ultimately, be considered 9 information. 
CNIL posits that such access “automated” and, therefore, necessitates rights do not include access to information about other individuals, such as the whistleblower’s compliance with CNIL regulations and E.U. name. Under certain “blatantly abusive” data protection laws. 9 conditions, subject access rights can be denied. MSW and Organizational Compliance: Data Retention Regulations Accused individuals, unless they are Enterprise The CNIL regulates the length of time Portal Users on the MSW Database, do not have organizations are allowed to retain reports, access to the secure database in which all archive reports, and eventually destroy reports. reports are stored. The organization should, The regulation states that unsubstantiated therefore, generate a policy outlining reports should be deleted “immediately.” appropriate procedural steps regarding how to Furthermore, CNIL requires deletion of reports gather this information from the accused and within two months of closure, unless there is how to effectively insert the information into the ongoing disciplinary or court action. If there is original report submitted. MSW allows for no further action on the report, the organization additions, responses, or requested changes to be must delete the file or archive the data. 9 (Frequently Asked Questions, #17 ). Archiving submitted via the message boards. Additionally, of information is permitted for relevant data MSW retains all initial information and unrelated to or beyond the required additional information in its original form. whistleblower program, especially if it affects the physical safety of others or the vital interests of 9 the organization. This data may be retained for Limiting whistleblowing reporting to mail, up to 30 years (Frequently Asked Questions, 9 drop-box, or “non-automated” means #17 ). 
There appears to be some discrepancy in the CNIL literature describing what reporting methods, if any, are excepted from CNIL regulations regarding whistleblower reporting. © 2006 Business Controls, Inc. 9 COMPANY CONFIDENTIAL All Rights Reserved MySafeWorkplace® and CNIL/EU Data Protection
  • 10. MSW and Organizational Compliance: Internal procedural documents should be generated that outline the organization’s definition of “unsubstantiated” and all parties responsible for labeling and responding to reports as such should be accurately educated on the protocols.9 Furthermore, effective policies regarding investigative and closure procedures must be implemented by the organization. MSW is able to delete reports from the database at the organization’s request. MSW requests that the organization designate one (or at the most two) contact names of individuals who are responsible for the communication of requests relating to deletion or archiving of reports. Ultimately, it is the responsibility of the organization to establish protocols for monitoring its database, determination of closure rates, and establishment of appropriate communication triage to MSW personnel to the deletion or archival of records. THE FINAL WORD While E.U. data protection regulations and best compliance practices are quite perplexing, there are clearly methods organizations can employ to ensure their whistleblowing programs are compliant across all of their locations, domestic or international. It may be appealing to select a strategy and apply it universally throughout the organization. However, multinational organizations do not usually have this option. Therefore, organizations must assess their overall needs and choose responsible implementation techniques. Furthermore, multinational organizations who are considering the option of outsourcing their whistleblower program should be careful to select a vendor who understands these seemingly conflicting regulations and can articulate how they can assist organizations in compliance, both domestically and abroad. As new guidelines and best practices continue to emerge, the organization’s responsibilities are becoming clearer. 
However, such guidelines are continuing to evolve and we have likely not yet heard the final word regarding E.U. data protection regulation compliance requirements. © 2006 Business Controls, Inc. 10 COMPANY CONFIDENTIAL All Rights Reserved MySafeWorkplace® and CNIL/EU Data Protection