Is the management ready for the whistleblower?
22 June 2015
The use of whistleblower programmes is increasing and it is an efficient method to get information about seriously damaging activities in a company. But it could cause problems if the management is not properly prepared for a whistleblower.
Attorney-at-Law and Plesner Partner Michael Hopp writes in "Børsen Ledelse" (an Danish internet portal about management) about the preparatory work that must have been done before the management itself starts investigating.It is crucial for a company to provide good opportunities to uncover any crime or any other serious matters targeted at the company.
Matters involving for example fraud, bribery or forgery cannot only result in a direct loss. They can also harm the company's reputation in respect of external business partners, customers and public authorities, creating the risk of additional loss of income.
But it is one thing to establish an anonymous whistleblower programme to get information about a crime or other serious matters. Another thing is to be ready when the programme is used.
A well thought-out procedureCompanies will often carry out an internal investigation when they receive information about a possible criminal activity before the matter is perhaps reported to the police. In such situation it is important that the management knows beforehand what it can do and what it cannot do.
The measures that the company can take within the scope of the Danish Act on Processing of Personal Data and the Danish Criminal Code to uncover the extent of the criminal actions must be clear. For example, to which extent is it possible to examine documents, IT equipment, emails and to interview relevant individuals about the matter?
Already before there is an issue, the individual responsible in the company should have prepared a procedure for how the internal investigation is to be carried out so that immediate action is possible when the issue comes to the company's attention.
Clear procedures must be in place for how the investigation is commenced, the use of external experts, the handling of personally compromising information, who gets access to the information, how and when will the suspected individual be informed of the matter, subsequent deletion of data etc. The individual elements of the procedure must be specifically assessed in each case.
The risk of a weak caseBut in general and more importantly the data protection officer must be able at any time to give an exact account of the purpose of each single investigation step and how the results of the measures are to be used.
All experience shows that companies that have not established clear procedures beforehand often end up with a weak case because they did not handle the investigation correctly.
It can harm the company's reputation but also result in the Danish Data Protection Agency or the courts finding that the investigation of the matter has been illegal.