Erika Heiskanen | Jan 11, 2023 2:07:07 PM | 5 min read

Seven facts on whistleblowing law in Finland

There are some rumours, myths and also misconceptions around the application of the Whistleblower Act. In this blog, I will go through 7 key facts about the mandatory whistleblowing channel.



1. Will a whistleblowing channel become mandatory?

Yes. The EU Directive, adopted in autumn 2019, obliges all organisations employing 50 or more people to have a whistleblowing channel. 

Finnish national legislation was delayed, but the Whistleblower Protection Act fully entered into force on 1 January 2023. The law, based on the EU Directive, obliges all organisations, both public and private, employing 50 or more people to have an internal whistleblowing channel.

Timelines for organising a whistleblowing channel: 

  • Organisations employing 250 people or more must set up a whistleblowing channel, including the associated administration and any training, within a short transition period, i.e. by 31st March 2023.
  • For smaller private sector organisations employing between 50 and 249 people, the deadline is 17th December 2023.

In a few sectors, the size of the organisation is irrelevant, and all operators must provide their stakeholders with the opportunity to make a whistleblowing notification.


2. Our old feedback channel in our intranet is probably sufficient?

Unfortunately, intranet or email channels are no longer sufficient. The identity of the whistleblower must be strongly protected, and neither email nor intranet meets these requirements. The identity of the whistleblower must not be accessible, for example, by the ICT department of the organisation. Communication with the whistleblower is also required by law, so this must also be possible without revealing the identity of the whistleblower.

The core of the Directive is to protect whistleblowers from discrimination and retaliation. This protection applies not only to employees, but also to job applicants, former employees and subcontractors, for example. Whistleblowing must therefore also be made possible for a wide range of external stakeholders.

It is also good to consider your reputation as an employer when thinking about meeting your obligations under the law. What kind of solution and way of working will communicate to both current and future staff that your organisation wants to do the right thing, is modern and respects data security?

In the event of any further action or litigation, it is necessary to ensure that whistleblowing reports, as well as all related documentation, records and communications with the whistleblower, are properly recorded and the files securely maintained. Access to the material must be aligned with the rights to process the notifications.

3. We will drown in whistleblowing reports

This is possible, but very unlikely. We monitor the statistics on our First Whistle, collect experiences from our customers and discuss experiences in many international forums. There is some variation in the number of whistleblower reports across organisations and sectors, but on average there is about 1 report per 500 people per year. So if an organisation has 5 000 employees, there will be around 10 whistleblower reports per year, or less than one report per month.

In smaller organisations, we can expect an estimated 0.5 reports per 100 employees per year, slightly more in proportion to the size of the workforce. This is probably because, regardless of size, the organisation still has all the key functions where accidents and misconduct can occur. 

The number of whistleblower reports may be higher than average when the channel is introduced, as statutory training on the contents of the law and on the rights and obligations of the whistleblower is provided in connection with the introduction of the channel.


4. The whistleblowing channel will be used for harassment

It is true that the whistleblowing channel can also be misused. However, when we look at international data, it seems that the concern is largely unfounded. Our customers' experiences follow international averages: malicious reports are rare.

However, it is also good to be prepared for the possibility of a malicious report. In particular, care should be taken to ensure that governance and all processes work in a way that demonstrably safeguards the interests of the organisation and also protects the person maliciously defamed in a difficult situation.

The sanctioning of malicious reporting is provided for in the Directive and laid down in Finnish law. Setting the size of the sanction is a balancing act, because any sanction may also deter unsure but honest whistleblowers from reporting. Any genuine report that is not made for fear of negative consequences would be a loss for business.


5. All services must be purchased

Not all services need to be purchased.

It is difficult to build a whistleblowing channel yourself in a way that meets the requirements of the Directive and makes economic sense. To do so, it would be necessary to:

  • take full responsibility for monitoring the legislation, and resolve how to resource that monitoring
  • take sole responsibility for data protection, security updates and anti-attack measures; continuous maintenance of security is costly and requires skills and effort
  • ensure that incidents are not accessible to anyone other than officially designated persons
  • manage regulatory compliance for archiving and keep access management up to date
  • have the expertise to design a channel that is both regulatory compliant and prevents various types of abuse

Skills in case management are likely to need to be developed, and it may be useful to get help in areas such as defining the case management process, communication or conducting an investigation. However, it is a good idea to start with the attitude that the internal case managers will gradually take over the twists and turns of the process and will soon handle them on their own. It is important for the organisation to know what issues are reported and to have the competence to investigate and deal with wrongdoing.


6. Staff need to be trained

This is true. Staff need to be informed about whistleblower protection, rights and obligations under the Directive, as well as being made aware of the practicalities of whistleblowing. At the same time, it makes sense to explain which notifications fall under which channel (if you have several) and the general outline of the investigation process. We recommend that you also remind them that speaking up is always a good starting point in these matters. It is a good idea to go through the main points of the whole law when you introduce your whistleblowing channel.


7. And the seventh claim: simple is beautiful.

This is true. There is no point in making things more complicated than they are.


Any questions you'd like to ask? Contact me - I'm happy to help. Or book us a meeting here.

- Erika Heiskanen

Whistleblowing expert, partner