With the publication of Bill No. 249 ('Bill'), which proposes amendments to Chapter 527 of the Laws of Malta to transpose the EU Directive ('Directive') on the protection of persons who report breaches of Union law, entities ought to be looking at the steps required to become fully compliant with it at the earliest opportunity.

The Directive sets out certain areas which must necessarily be covered by Member State law. One such area which the Directive highlights is privacy and data protection in the context of whistleblowing, a topic which arises on two fronts:

1. Whistle-blowers & breaches of Data Protection Law

First, from a regulatory perspective, Member State law must cater for the protection of whistle-blowers who disclose breaches or abuses of EU law concerning, amongst other matters, the protection of privacy and personal data and the security of network and information systems.

The Bill caters for this by integrating the failure, or likely failure, to comply with any legal obligation on the protection of privacy and personal data, or on the security of network and information systems, into the amended definition of an 'improper practice' that attracts protection at law.

2. Whistleblowing channels - Privacy by Design & By Default

Secondly, the Directive reiterates that any whistleblowing channel must comply with all data protection law requirements.

The whistleblowing process will undoubtedly result in, and require, the processing of personal data. In this regard, the Directive requires that any personal data processed for this purpose be processed in accordance with EU data protection law, and the General Data Protection Regulation ('GDPR') in particular.

Entities must ensure that the whistleblowing process, including internal whistleblowing channels, is compliant with the data protection principles, namely:
1. Lawfulness, fairness and transparency;
2. Purpose limitation;
3. Data minimisation;
4. Accuracy;
5. Storage limitation;
6. Integrity and confidentiality.

Amongst other things, entities must have a privacy policy in place for all those involved in the whistleblowing process, and must ensure that no more personal data than is necessary is processed for this purpose. The policy will have to identify the purpose of the processing and the legal ground for the processing, as well as the other information required to satisfy the obligation to inform data subjects.

Adequate security measures must be introduced to protect the confidentiality of all those involved and to safeguard all data being processed. Indeed, the Bill makes specific reference to the processing of personal data throughout the internal, external and public reporting process, with a strong emphasis on the confidentiality and integrity/security of the data.

The management of a whistleblowing channel is complex: confidentiality must be ingrained at all levels, yet the rights of the accused, including the right to defend him/herself, must also be respected, and the two must be balanced.

Expert advice ought to be sought on the implications of processing personal data through such a channel. Compliance must be achieved, and the entities that process the personal data will be accountable for demonstrating their compliance and for keeping appropriate records.

Due to the nature of the processing, which is likely to include the processing of sensitive and special category data, a Data Privacy Impact Assessment (DPIA) may also be mandatory, to ensure that the processing is lawful, that sufficient measures are implemented to safeguard the integrity, accessibility and confidentiality of the personal data, and that the impact on the rights and freedoms of data subjects is not disproportionate.

In terms of the Bill, the draft law proposes that whistleblowing reporting units/officers keep records of every report received. Entities will therefore have to balance their record retention obligation against the obligation not to retain personal data for longer than is strictly required. Understanding the parameters within which to apply such a balancing exercise will also be relevant to the application of data subject rights (such as the rights of access, erasure and rectification), given the different interests at stake and the need to strike a balance between the right to privacy and the interests pursued by a whistleblowing channel. Certain rights are not absolute, and entities must be prepared to apply the lawful restrictions in an efficient and transparent manner.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.