On 7 October 2019, the EU approved a new Directive on the protection of persons reporting on breaches of European Union Law, also referred to as the Whistleblower Directive.
In Ireland, public bodies have had regard to the Protected Disclosures Act 2014, which was amended in June 2018 to incorporate provisions of the EU Protection of Trade Secrets Directive. The current legislation entitles a worker (as defined in the 2014 Act) to report wrongdoing in a public body if there is a reasonable belief of such wrongdoing, and have their identity protected. However, the Whistleblower Directive, which must be adopted into Irish law within two years, will mean that the obligations under the 2014 Act will extend to the private sector as well.
The Association of Certified Fraud Examiners’ (ACFE) 2018 Report to the Nations, a global analysis of the costs and effects of occupational fraud, shows that tip-offs or whistleblowing is still the most effective method of detecting occupational fraud, which highlights the importance of this legislation.
What will the EU Whistleblower Directive mean for private companies in Ireland?
The Directive will make it mandatory for companies with over 50 employees to establish internal reporting channels, both for reporting and follow-up. The Directive allows for companies with between 50 and 249 employees to share resources as regards the receipt of reports and any investigation to be carried out.
Who will “reporting persons” be?
The 2014 Act currently defines a “worker” who can make a protected disclosure as an employee or a contractor. In the future, under Article 4(1) and 4(2), the Directive will extend the scope of the definition of “reporting persons” to include shareholders, who are not currently included within the 2014 Act. It will also include volunteers and unpaid trainees, and individuals who report on breaches within their knowledge acquired through a work based relationship, which has since ended.
What are the required time frames for following-up on a disclosure?
The Directive will impose time frames on companies that receive a protected disclosure by creating an obligation to respond to, and follow-up on, the whistleblowers’ reports within three months (with the option to extend this to six months for external channels in duly justified cases). The receipt of a disclosure must be acknowledged within seven days.
"The current legislation entitles a worker (as defined in the 2014 Act) to report wrongdoing in a public body if there is a reasonable belief of such wrongdoing, and have their identity protected".
Will the reporting channels be internal or external?
The Directive seeks to encourage disclosures internally in the first instance. The Directive states: “as a principle, therefore, reporting persons should be encouraged to first use internal reporting channels and report to their employer, if such channels are available to them and can reasonably be expected to work”. However, the Directive also allows for external reporting channels.
Third parties could be authorised to receive reports of breaches on behalf of legal entities in the private and public sector, provided they offer appropriate guarantees of respect for independence, confidentiality, data protection and secrecy. Such third parties could be external reporting platform providers, external counsel, auditors, trade union representatives or employees’ representatives.
Protections against any form of retaliation from employers will be given to persons who report wrongdoing internally and externally. The protections under the Directive will also extend to persons “who make such information available in the public domain, for instance, directly to the public through online platforms or social media, or to the media, elected officials, civil society organisations, trade unions, or professional and business organisations.”
Who are “prescribed persons”?
The Directive includes provisions in respect of “competent authorities” to whom a disclosure can be made. The Directive states: “in the case of legal entities in the private sector that do not provide for internal reporting channels, reporting persons should be able to report externally to the competent authorities”.
Are there any new requirements?
The Directive introduces a wide range of new requirements for companies who receive disclosures, which are summarised below:
- Secure channels for internal reporting. The Directive states that internal reporting shall require “channels for receiving the reports which are designed, established and operated in a secure manner that ensures that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protected, and prevents access thereto by non-authorised staff members”.
- Dedicated, impartial staff to handle reports. The Directive requires the designation of a neutral person or department competent for following up on the reports, which may be the same person or department as the one that receives the reports. These dedicated staff members will maintain communication with the reporting person and, where necessary, ask for further information from – and provide feedback to – that reporting person.
- Diligent follow-up. The Directive requires thorough follow-up and the provision of feedback within three months (which may be extended to six months in duly justified cases).
- Transfer to another competent authority. The Directive allows for the transfer of a disclosure to another competent authority where the receiving body does not have the competence to deal with the matter. The Directive states that this must happen “within a reasonable time, in a secure manner, and that the reporting person is informed, without delay, of such a transmission”.
- Reporting the outcome per national law. The Directive states that the receiving body must communicate to the reporting person the result of investigations triggered by the report, in accordance with procedures provided for under national law.
Procedures for making a disclosure
Article 13 of the Directive sets out the information a competent authority must publish concerning receipts of disclosures. The following information must be published on the competent authority’s website, which must be reviewed and updated every three years:
- The conditions under which reporting persons qualify for protection;
- Contact details for the external reporting channels – in particular, the electronic and postal addresses, and the phone numbers for such channels, indicating whether the phone conversations are recorded;
- Details of how the disclosure will be processed;
- Details of the time frames and format for feedback;
- Details of the confidentiality regime and how personal data will be processed;
- Details of whether or not a discloser will be held liable for a breach of confidentiality;
- Remedies and procedures available against retaliation; and
- Contact details for any other relevant body or information body providing advice to the discloser.
Protections against penalisation
The 2014 Act makes clear the rights of an individual if an employee is penalised for making a Protected Disclosure. The Directive states: “it should not be possible for employers to rely on individuals’ legal or contractual obligations, such as loyalty clauses in contracts or confidentiality or non-disclosure agreements, so as to preclude reporting, to deny protection or to penalise reporting persons for having reported information on breaches or made a public disclosure providing the information falling within the scope of such clauses and agreements is necessary for revealing the breach. Where those conditions are met, reporting persons should not incur any kind of liability, be it civil, criminal, administrative or employment-related”.
Article 20 of the Directive states that reporting persons shall not incur liability of any kind in respect of such a report or public disclosure, provided they had reasonable grounds to believe that the reporting or public disclosure of such information was necessary to reveal a breach under this Directive.
What about trade secrets?
The 2014 Act was amended in 2018 to incorporate provisions of the EU Provision of Trade Secrets Directive. This required whistleblowers to demonstrate that they acted in “the general public interest” when disclosing commercially sensitive information.
The Directive, however, states that where a reporting person can show “reasonable grounds”, they will incur no liability in respect of disclosures including for defamation, breach of copyright, breach of secrecy, breach of data protection rules, disclosure of trade secrets, or for compensation claims based on private, public, or collective labour law. This appears to narrow the burden of proof for reporting persons from acting in the public interest to acting on reasonable grounds.
What should companies do?
All companies in Ireland should review their obligations under the Whistleblowing Directive and assess their ability to implement internal reporting channels and assign dedicated staff to handle such reports.
Companies should undertake planning to identify how reports will be investigated independently, and within the required timeframes of the Directive. While many companies may adopt a “wait and see” approach, companies must act to implement systems and reporting channels per the Directive.
Content Adapted from Accountancy Ireland | Volume 52 | Number 1 | February 2020