You may be asking yourself, why is a privacy attorney speaking to whistleblowing?
Believe it or not, many of the impediments to an effective (and legal) whistleblowing program are related to privacy laws and/or underlying privacy reasons.
Here are some of the highlights:
What is a whistleblower?
- Ralph Nader coined the phrase in the early1970s to avoid the negative connotations found in words such as "snitches” or “tattle-tells.”
- Whistleblowers report perceived violations of a law by an entity (govt., private, educational, etc.)
- Whistleblowers are typically employees due to the need for insider knowledge.
- Internal – acts within entity to prevent/report violations
- External – reports externally, reward system
Recent cases:
- Medtronic Inc.’s recent settlement involved a business development manager as the whistleblower, who will receive $1.73 million as part of a $9.9 million settlement.
- Omnicare’s recent FCA actions involve a former collection manager and a former customer support employee as whistleblowers.
- Halifax Health Medical System’s recent Stark settlement for $85 million was a result of a qui tam suit brought by a former compliance officer for the system.
The views on whistleblowing between the U.S. and other countries are vastly different. Here in the U.S. we view it as the right to keep businesses honest, to expose fraud, and to enforce compliance. Other countries view it as betrayal and that the U.S. is trying to govern business in their countries.
The laws that impact a global whistleblowing program fall into six categories. I give credit to the fabulous Don Dowling, Jr. of White and Case for his work in this area. Most of my knowledge in this area comes from intense study of his work.)
The six areas of laws that should be evaluated when implementing a global whistleblower program:
- Mandating whistleblower procedures specifically
- Requiring disclosures and cooperation with authorities
- Restricting reporting hotlines (most especially anonymous reports or minor misbehavior)
- Retaliation laws
- Laws around internal investigations
- Laws silent on whistleblowing, but programs possibly triggering data protection laws or work rules
Most of the legal implications are in Europe, which is no surprise given their fundamental right to personal data privacy.
Global whistleblowing programs fall into one of these categories:
- One global program
- Meet both US law requirements and EU restrictions
- Two hotlines
- one in EU (meet SOX and most conservative EU country); another everywhere else
- Tailored hotlines to each local jurisdiction
- No EU hotline
- Informal EU reporting
Last, a short checklist to implementing a global whistleblowing program (drawn heavily from Mr. Dowling's work):
- Pay attention to EU particularly
- Check whistleblowing laws and privacy laws
- Disclose hotlines where required
- Secure data (calls, reports, investigations)
- That includes destroying the file after investigating
- Adhere to data transfer requirements
- Limit reporting topics to ensure proportionality
- several nations only permit reporting of potential major criminal activity
- Have routing for other reports that are not major crimes to a less formal process
- Enable alternate reporting channels
- phones, emails, supervisor, HR, online
- Do not encourage anonymity
- if you cannot bar anonymous in applicable countries, at least do not encourage or advertise it
- Have a list of due process rights for accused
- Translations and multi-lingual operators should be easily available
- Verify compliance, knowledge, capability of hotline vendor
No comments:
Post a Comment