Public Concern

• Home
• About Us
• FAQ
• Individuals
• Organisations
• Policy
  • Policy Overview
  • Policy Papers
  • Whistleblower
  • Annual Reports
• Schools
• Law
• News

Submission on the CNIL’s draft guidelines on whistleblowing schemes under the French Data Protection Act

Developments
In December 2005, CNIL issued new guidance on the implementation of whistleblowing systems in France. These guidelines, and CNIL’s FAQs on them, can be found here.

Submission on the CNIL’s draft guidelines on whistleblowing schemes under the French Data Protection Act

7 November 2005

Summary
Public Concern at Work supports the CNIL’s approach set out in the draft guidelines that:

• It is not desirable that employees should be mandated by their employer to blow the whistle;
• Whistleblowing arrangements should focus on concern about illegality or wrongdoing that threatens an innocent third party or the wider public interest;
• Anonymous reports - and so schemes or hotlines that actively encourage such reports – raise particular data protection problems which justify separate rules from those that apply to whistleblowing alerts which are made openly or confidentially; and
• Whistleblowing should be viewed as subsidiary to, and not a replacement for, internal management.

However, we regret that we are unable to support the draft guidelines as their effect, scope and application are unclear. We believe it will be difficult, if not impossible, for employers, employees or other organisations to comprehend when and why whistleblowing is acceptable, to understand the data protection issues involved or to comply with these guidelines in practice.

Whistleblowing
Our starting point is that all good employers will want their employees to tell them of actual or potential dangers in the workplace that threaten stakeholders and the public. Recognising that some employees will be reluctant to raise such a concern with their manager, or that the management line may lose or block the concern, reasonable employers provide a fail-safe option to discourage employees from doing nothing. Rather than undermine management accountability, such a fail-safe option strengthens it.

The fail-safe communication line that is whistleblowing will exist in most well-run organisations but often go under some other name or, where it is seen an inherent part of the organisational culture, under no name.

By contrast, as we show in Annex 1, any criminal, dangerous or reckless employer will exploit this underlying culture of silence to damage consumers and competitors and to undermine the ability of the state to protect its citizens and safeguard the public interest. For this reason it is important people understand that whistleblowing also addresses the relationships between the employer, the state and the wider public interest.

The main benefit of whistleblowing arrangements is that they deter those tempted by the opportunity to engage in serious wrongdoing. Where whistleblowing arrangements or laws protect those who raise concerns about illegality and wrongdoing in good faith, they operate so that open reporting is the default with confidential reporting(1) as the fall-back position.

Such whistleblowing arrangements provide an effective alternative to anonymous reports and provide a proportionate and effective protection for someone falsely and maliciously accused. For these reasons, developed countries where the rule of law operates should treat whistleblowing arrangements differently and separately from schemes that encourage or require anonymous reporting(2).

For these reasons it is important that any guidance in this area does not confuse whistleblowing with anonymous reporting. Equally it is important it does not see whistleblowing merely as a potential battleground between employee and employee, or between employee and employer. Rather any guidance should be clear that whistleblowing demonstrates and reflects the relationships between citizens, employers, the community, the state and the public interest.

The issue before the CNIL
The rapid interest in whistleblowing in recent years has led to a number of technological solutions and systems aimed at large organisations which, for reasons of convenience and commercial advantage to the provider of those solutions, have emphasised anonymous reporting. It was two of these systems that caused the CNIL concern in its decisions of May 2005.

We believe the CNIL correctly recognised that systems which:

• mandate employee reports,
• are promoted as an alternative to, rather than a fail safe for, the management line,
• emphasise and encourage anonymity, and
• invite reports on all matters and not only concerns about illegality and danger

are likely to result in an increase in false reports made maliciously.

Due to the emphasis on anonymity in such schemes, the rights and interests of such a person who has been wrongly accused may be left exposed and unprotected. By contrast where a concern is raised openly or confidentially, the whistleblower can be held to account for his actions (see Annex 2 for further information).

We think it would have been better and simpler if these draft guidelines had focused on the problem of anonymous reporting and the data protection issues it raises. However, the draft has a much wider scope and seems to impact on the normal management and running of all organisations. This is for the simple reason that many of the data protection issues that arise will be the same whether the whistleblowing alert is sounded to the management line, through ‘open reporting methods’, senior officers, regulators or through some other system. As we have said the only real data protection problems arise in the context of anonymous reports(3), and this is the case whether the report is received by the management line, or an unsigned letter through other reporting methods or to senior officers, regulators or through some other system.

Confusion and problems in the draft guidelines
While the 3 week consultation period has made it difficult for us to provide more than an initial view, we set out below a number of the points that are unclear in the draft guidelines. While we recognise that some aspects of this confusion may be as a result of translation (which for example refers to ‘schemes’, ‘options’, ‘processes’ and ‘systems’), we believe that the underlying problems apply equally in the French language version of the draft guidelines.

1) As the guidelines seek to set out data protection and other obligations that arise on whistleblowing alerts, it is not clear to what extent the same protections apply to whistleblowing alerts:
a) made openly through the normal chain of command;
b) made openly to senior officers or the Board, outside the normal chain of command but in a manner authorised by the employer;
c) made in confidence through the normal chain of command; or
d) made in confidence to senior officers or the Board, outside the normal chain of command but in a manner authorised by the employer.

2) It is unclear whether the guidelines oblige an employee to exhaust the line management command step-by-step if he wishes to report a whistleblowing alert. As such, it should be clear whether the guidelines will apply:
a) whenever an employee reports a whistleblowing alert to a director or the Board of the organisation, when he is normally expected to report to his line manager, and
b) to an employer which has not set up a whistleblowing arrangements when he is responding to an alert reported to him outside the normal chain of command.

3) What application do the guidelines have where the employer’s arrangements permit whistleblowing alerts to be raised with or through:
a) the union,
b) a professional association, or
c) an external body, e.g. a statutory agency or the police?

4) What application do the guidelines have where, irrespective of any arrangement the employer may have, an employee raises a whistleblowing alert with or through:
a) the union,
b) a professional association, or
c) an external body, e.g. a statutory agency or the police?

5) Are the guidelines intended to apply to whistleblowing arrangements
a) in all areas,
b) only in areas where such arrangements are required or authorised in French law, or
c) only in areas where such arrangements are not required or authorised in French law?

6) Do the guidelines apply where the whistleblowing alert is about a discrepancy or problem in the accounts but the alert does not identify or implicate any individual? If so, is the intention that the employer should contact every person who may possibly be implicated in an investigation, in case the discrepancy or problem proves valid and it may turn out that they may have been at fault?

7) The guidelines accept only the legitimacy of whistleblowing where this has been authorised under French law or European law that applies in France . The guidelines refer to legislation in the financial field but omit reference to European legislation in health and safety, environmental and other areas which require or authorise the reporting of whistleblowing alerts. If the CNIL is to introduce such wide-ranging guidelines, it will be helpful if it could detail all, rather than only some, of the reporting obligations set out in European and French law.

We imagine that it is lawful in France for an employee to report to those in charge of his organisation or to the police any reasonable suspicion that a colleague is involved in terrorism or is planning to use the employer’s premises or equipment to attack the police during a riot. Under the guidelines (paragraph 10) it appears that the employer, when in receipt of such information, must without delay notify the person implicated and, if this is the case, it might limit the options available to the police and the state. Is this correct and, if so, is it the intention?

8) The guidelines emphasise in paragraph 3 that the whistleblower’s identity should be processed confidentially and should not be disclosed to any incriminated person. Does this rule apply where
a) The whistleblower has reported the alert openly,
b) The employer is satisfied the report was made both falsely and maliciously,
c) A court has ordered the identity be disclosed?

Real cases, real issues
On 24 October we sent the CNIL five whistleblowing cases (reproduced overleaf) we have dealt with through our free helpline, and asked if they could let us know if they intended that such whistleblowing would be allowed under the draft guidelines. While we were told that they intended to respond to us at the start of November, we have – whether due to pressure of work at the CNIL or for some other reason - received no substantive reply before the date of this paper, which is the latest we were advised we had to submit our comments on the draft guidelines.

It seems to us that none of the following five real examples of whistleblowing are allowed under the CNIL’s draft guidelines. This is for one or more of the following reasons -

• the illegality or danger is not one that it is legitimate to blow the whistle on under the guidelines,
• the whistleblower was not someone allowed to blow the whistle under the guidelines,
• the guidelines say it is not proportionate that such a criminal or wrongdoer should be the subject of a whistleblowing alert,
• the guidelines say the whistleblowing alert was reported to the wrong person or body, or
• the data protection rights of the criminal or wrongdoer were, according to the guidelines, unlawfully infringed.

Case study 1
Mark worked for a large construction company. He had become more and more suspicious over the behaviour of his line manager, Eric. Due to structural changes, an increasing amount of work was contracted out, particularly to XYZ. Mark noticed that the quality of work carried out by XYZ was markedly substandard and mentioned this to Eric. Eric’s response was surprising: he owned XYZ and most of its employees were family members. Although the need to subcontract work had been approved in general by the construction company, it knew nothing of this arrangement.

Mark then discovered that technical equipment was being sold by Eric to XYZ at a significant undervalue, and that Eric had begun altering computer records for the equipment. Small technical items were also going missing with increased frequency and Eric would order these to be replaced immediately. The relationship between Mark and Eric became strained. Mark felt trapped. Eric was a popular and respected senior manager who had worked in the industry for many years.

We advised Mark to prepare a detailed statement of his concerns in chronological order. At his request, we wrote to the Managing Director of Mark’s company and to the Group Personnel Director of the parent company, enclosing a copy of Mark’s statement. We asked that the company keep in mind Mark’s personal position in coming forward with the information and to treat his identity as confidential.

Mark was asked to stay at home for a week whilst his concern was investigated. One week later, we received a letter from the parent company thanking us for our assistance. The result of their investigations was that Eric resigned from the company and Mark was able to continue in his position. Four months later, Mark wrote to us: “I have been treated very well by the company. The matter has been handled very firmly but very discreetly. I would like to thank you for your help and support through this matter. I cannot imagine having blown the whistle without your support”.

Case study 2
Adrian worked at a local site of a major waste disposal firm. He was concerned that his colleagues were involved in a big scam defrauding a local paper mill. Adrian suspected that some employees of the mill were being paid to steal top grade paper, which was then concealed amongst waste paper in skips that were collected daily by a waste paper company. When the company delivered the waste to Adrian’s firm, the paper was also sold on for cash, at a fraction of the market cost.

Adrian was reluctant to identify himself initially and was concerned that the perpetrators were influential in his firm and had good contacts with the local police. He described the atmosphere at the site as intimidatory, and the managers as bullying and abusive. He feared that if he spoke out, not only would he lose his job, but his life would be made intolerable. From the information that Adrian gave us, we were satisfied that the matter should be looked into. With Adrian’s agreement we contacted the victim of the fraud, the local paper mill. Although the company initially suspected we were a security company seeking new business, they soon realised that their procedures left them open to such a fraud.

Within a couple of weeks the company caught two of its staff engaged in the scam red-handed. However, they were unable to identify the size of fraud or how long it had gone on. Having obtained assurances on his behalf, we put the company’s investigators in touch with Adrian. He was able to show them how the fraud had been concealed in the paperwork.

With this information the company realised that the fraud had cost it some £3 million. The police were called in and arrests were made. The boss of the waste paper company was convicted and sentenced to three years, and others involved were jailed for several months. Adrian’s foreman was sacked, the charge hand resigned and the manager of the site took early retirement. The local paper mill recovered almost £1 million from its insurers toward the loss and so averted plans to close down with the loss of over one hundred jobs. The atmosphere at Adrian’s firm has improved no end.

Case study 3
Ian worked as a safety inspector at an amusement park. He was responsible for maintaining one of the park’s most popular rides. Every morning he would carry out a safety inspection on the ride and, if it passed, he would sign the ride off as safe in the log. During one inspection, he noticed that pins on the axles which kept the carriages stable had become loose. Ian thought this presented a serious risk and notified his managers. After what Ian felt was a cursory examination, the operation’s manager cleared the ride as safe. Ian was unhappy with this and the next day, as no corrective action had been taken, he again failed the ride. Again the operations manager overruled Ian and he was assigned to other rides.

Ian contacted us the same day. He was anxious that the weekend was coming up and that the park would be extremely busy. He was also worried that if he pursued the issue any further he would be dismissed. We advised Ian that we could contact the Health & Safety Executive (HSE) on his behalf and relay the information that he had given us without giving his name. However, it was more than likely that they would want to speak to him, if they felt that the situation was potentially serious. We said we would explain Ian’s anxieties about his position and ask the HSE to bear this in mind. While he was unsure whether he would speak to the HSE, he asked us to make the initial contact.

The HSE agreed that the situation sounded potentially serious. However, they told us that they would need to speak to Ian. We explained Ian’s fears that if the HSE suddenly turned up to inspect this particular ride, his employers would easily put two and two together and he would be out of a job. The HSE assured us that if they were to carry out an inspection, it could be done in such a way as not to make Ian’s role apparent. We went back to Ian and, after talking things through, he agreed that he would speak to the HSE.

Shortly afterwards the HSE made a ‘routine’ visit to the park during which they inspected the ride, along with several other rides. As a result of the inspection, the ride was suspended and the repairs were carried out.

Case study 4
Judith Jones is the deputy matron at Denison House, a small private nursing home in Selby, Yorkshire which looks after elderly and disabled people. One day a care assistant told Judith that Mr Tiplady, who ran the home with his wife, was behaving oddly in one of the rooms. When Judith went to investigate, Mr Tiplady was not there but Judith found what looked like semen on a lady’s cardigan and in her hair. She immediately tended to the resident, washing her and her cardigan.

A few weeks later, Judith heard about Public Concern at Work and contacted us. As Mr Tiplady ran the home with his wife, she didn’t feel confident that she could safely raise the matter internally. Equally, if she went to the Health Authority inspectors or to the police, there was a risk: because she had removed the evidence, it would simply be a matter of her word against Mr Tiplady’s. As he had a long career in the caring sector - for which he had received a Gold Award from the Archbishop of York - Judith’s word alone might not have been enough.

We advised her to keep a vigilant eye on Mr Tiplady and to try to ensure that he was not left alone with the female residents. If another incident occurred, we advised her to contact us immediately and take care to keep any supporting evidence. We checked with the Social Services Inspectorate who confirmed our advice was sensible.

Several months later Judith rang. The previous night she had entered a room where there were two blind ladies and one with senile dementia; Mr Tiplady seemed to have his groin in the face of the lady with dementia. Judith thought he might be forcing oral sex on her. She left the room and got a colleague. Once Mr Tiplady had gone, they returned and, with a clean swab, took a specimen from the lady’s mouth. Once she was home, she contacted us. Neither the Social Services Inspectorate nor the police could offer practical help, even though all we wanted was a forensic test of the swab. The police could not arrange one unless there was a formal complaint; if there were, then even if the specimen proved negative, they would have to question Mr Tiplady. We pointed out that this put Judith Jones in a catch-22. We decided to pay the costs of the test. The Forensic Laboratory collected the swab from Judith’s home and within 24 hours the sample had been found to contain semen.

We immediately forwarded the evidence to Selby CID who interviewed Judith Jones and arrested Mr Tiplady the next day. He initially denied the allegation but, when confronted with the forensic evidence, changed his stance. Tiplady pleaded guilty to three charges of indecent assault over a nine year period and was jailed for four years in February 1997.

The home now has new owners, Judith’s job is secure and the residents are well cared for. As one of the residents’ relatives said “If it hadn’t been for her, it could still be going on and no-one would ever have known. Judy Jones deserves a medal.”

Case study 5
Kate was recruited by a major training company to secure new contracts for courses funded by Training and Enterprise Councils (TECs). The courses, paid for by public funds, led to vocational qualifications to help the unemployed get back into the job market.

On a routine site visit, Kate discovered that certificates had been issued at one centre for fictitious trainees and for students who had not completed the courses. She alerted her management who commenced an investigation, which revealed large numbers of falsely claimed certificates. The company dismissed the manager of that centre. Despite this action, Kate was surprised she herself was then moved to other duties. Some weeks later, she was telephoned at home by the local TEC and asked whether anything was wrong at that centre. Kate said that there were problems but that they were being sorted out. The following day she received a letter by courier summarily dismissing her for breaching confidentiality in mentioning to the TEC that there had been problems.

Kate contacted us to discuss the options. Fearing a cover-up she decided to give a journalist copies of company documents confirming the scale and nature of the fraud and the reason for her dismissal. However when the story appeared the proven fraud was referred to simply as Kate’s allegations. Worse, the story falsely said that Kate had been dismissed because the TEC had lost trust in her. After we threatened the paper with legal action, the story was corrected - but days later. Media interest continued as more trainees came forward to corroborate the scam and as politicians demanded an investigation. The company then issued a press release, implying that Kate had been involved in the fraud.

The TEC sued the company to recover the public money paid on the false certificates. A Fraud Squad investigation led to a number of arrests before the investigation was taken over by the Serious Fraud Office. We arranged for expert libel solicitors to help and Kate brought proceedings against her former employer for the damage done to her reputation. Kate has now received a fulsome apology from her former employers, an undertaking they will not repeat the slur, damages of £25,000 and legal costs.

Conclusion
For the reasons given above, we are unable to support the draft guidelines and ask that the CNIL does not approve them in their current form. We think it would be preferable if the CNIL proceed to issue guidelines that focus on anonymous reporting or informing. If, however, it wishes to issue guidelines on all aspects of whistleblowing, we ask that such guidelines:

• are clear on the eight areas of confusion; and
• allow whistleblowing in the five cases set out above.

We hope the comments made in this submission will help the CNIL and the authorities in France to better understand the value of whistleblowing to citizens, employers, the state and the public interest.

Back to Top

ANNEX 1

Whistleblowing - [a] Bringing an activity to a sharp conclusion as if by the blast of a whistle ( Oxford English Dictionary ); [b] Raising a concern about wrongdoing within an organisation or through an independent structure associated with it (UK Committee on Standards in Public Life ); [c] Giving information (usually to the authorities) about illegal or underhand practices (Chambers Dictionary); [d] Exposing to the press a wrongdoing or cover-up in a business or government office ( US, Brewers Dictionary ); [e] ( origins ) Police officer summoning public help to apprehend a criminal; referee stopping play after a foul in football.

Why whistleblowing matters
Whistleblowing matters to all organisations and people. This is because every business and every public body faces the risk of things going wrong. The risk may be that some food you are about to buy is contaminated, that the train your family will travel on is unsafe, that the surgeon who will operate on your child is incompetent, that a hazardous substance is being dumped in your neighbourhood, that a public official demands a bribe to do his job or that your savings are being stolen. Where such wrongdoing is taking place, usually the first people to realise what is going on will be those who work in or with the organisation. Yet while employees are the people best placed to sound the alarm or blow the whistle and so enable the risk to be removed or reduced, they are also the people who have the most to lose if they do.

Unless organisations foster a culture that indicates that it is safe and accepted to raise a genuine concern about wrongdoing, employees will assume that they face victimisation, losing their job or damaging their career. The consequence is that they will stay silent where there is a threat – even a grave one - to the interests of others, be they consumers, passengers, patients, communities, taxpayers or shareholders. This silence means that those in charge are denied the opportunity to remove or reduce any such risk, and can only find out about it when serious damage has been caused. Equally, the knowledge that there is a culture of silence in the workplace both encourages and shields the corrupt and dishonest.

Whistleblowing matters because it addresses how we can counter this breakdown in communication in the workplace. That such a breakdown undermines the public interest is clear when one considers that the most successful way the police deter, detect and clear up crimes is through information communicated to them by the public. Yet in workplaces across the world, law and practice gives a strong message that employees should not communicate information about suspected wrongdoing either internally or externally.

The consequence of this culture is that it discourages normal, decent law abiding people from raising concerns about workplace wrongdoing that threatens the interests of others. It encourages employees to be guided exclusively by their own short-term interests and undermines any sense of mutual interest between the organisation and its workforce. While its effect is most damaging and direct in relation to workplace wrongdoing, it also influences the way employees behave when - whether travelling home or shopping at the weekend - they come across crime in their community. Conditioned to turn a blind eye in the workplace, this culture encourages them to walk away from their community.

These are the ‘big picture’ reasons why whistleblowing matters. But to understand whether or how an organisation or group can do anything to address this issue, we must first consider the position of the individual employee who realises that there is some crime or threat to the public interest.

A human dilemma
In practical terms, if an employee is concerned about corruption or serious wrongdoing in his workplace, he has four options. These are

• To stay silent;
• To blow the whistle internally or to the person responsible;
• To blow the whistle outside to the authorities or the media; or
• To leak the information anonymously.

Silence and society
Silence is the option of least risk for the individual employee who comes across serious wrongdoing in the workplace. It is the default option for many reasons. The employee will realise that his suspicions could be mistaken or that there may be an innocent explanation for the conduct. Where colleagues are also aware of the suspect conduct but are staying silent, he will wonder why he alone should speak out. Where the wrongdoing seems clear to the employee, he will assume that those in more senior positions have also seen it and are implicated in some way and so will see little reason to pursue the matter internally. In societies where unions are scarce or their independence has been compromised, the employee will be left without any independent guidance as to who to approach and how, and so will more likely stay silent. In organisations where labour relations are adversarial and whistleblowing is unwelcome, the employee will be expected to prove that the wrongdoing is occurring, even though it clearly would be far better if those in charge investigated the matter. Finally, unless the employee believes there is a good chance that something will be done to address the wrongdoing, there will be no reason why he should consider risking his own position.

Even if the employee is not deterred by any or all of these reasons, he will rightly need to consider his private interests and those of his family before raising the matter. Without any reassurance to the contrary, he will fear workplace reprisal – be it harassment, isolation or dismissal.

Without any guidance on what to do, it is inevitable that most employees stay silent. The reasons that people are now re-evaluating whistleblowing are because the costs of this silence have become too high. They mean that

• Consumers, shareholders and communities are left at risk with neither the information nor opportunity to protect their own interests;
• Unscrupulous competitors, managers or employees are given a reason to believe that ‘anything goes’;
• Those in charge are denied the chance to look into concerns about wrongdoing and to avert real problems; and
• Debates focuses on ways to improve the system, rather than on the conduct of the humans who have to make it work.

Whistleblowing and the employer
Recognising the damaging effects of this culture, the UK Committee on Standards in Public Life recommended steps for organisations to take to reassure and enable staff to raise concerns constructively. While its recommendations were directed at public bodies, the same message applies to organisations in all sectors. One of the reasons the Committee was set up was because of the damage that was being done to public confidence by (a) incidents of wrongdoing which had not come to light before real damage was done (caused or facilitated by silence), and also by (b) rumours of misconduct or sleaze that were difficult to effectively refute or substantiate (often caused by anonymous leaks to the media).

“Placing staff in a position where they feel driven to approach the media to ventilate concerns is unsatisfactory both for the staff member and the organisation. We observed in our First Report that it was far better for systems to be put in place which encouraged staff to raise worries within the organisation, yet allowed recourse to the parent department where necessary. An effective internal system for the raising of concerns should include:

• A clear statement that wrongdoing is taken seriously in the organisation and an indication of the sorts of matters regarded as wrongdoing;
• Respect for the confidentiality of staff raising concerns if they wish, and an opportunity to raise concerns outside the line management structure;
• Access to independent advice;
• Penalties for making false and malicious allegations;
• An indication of the proper way in which concerns may be raised outside the organisation if necessary.” (4)

At the heart of this approach is the recognition that without safe and constructive means for concerns to be raised and addressed, the only options employees have are silence or the feeding of a rumour mill that can only undermine public confidence. While these options appear as alternatives, they are in fact linked because though the organisation is kept in the dark the silence is rarely absolute. This is because in many cases the employee will mention the concern about the wrongdoing to immediate family or close friends (who are unable to do anything but sympathise with the employee’s plight) and through them the unchecked allegation can gain its own demoralising momentum.

In formulating its recommendations, the Committee took account of good practice in the private sector where in genuinely competitive markets there has been a growing recognition that the early reporting of suspected wrongdoing was in the organisation’s self-interest and a key aspect of effective self-regulation. The reason for this is that as every shopkeeper and small business knows if it suffers wrongdoing or damages its consumers they will likely take their custom elsewhere.

In terms of shifting cultures, an analogy can be drawn with the approach taken by large corporations to feedback from consumers. Businesses in sectors that became more competitive over the past twenty years realised the need to try and build lasting relationships with their customers. Aware of surveys that one dissatisfied customer would tell ten or more people of their unhappy experience, market leaders started to solicit feedback from customers rather than wait for complaints. They found that even if they did not satisfy the particular complaint, the mere fact they had considered it would substantially improve the customer’s attitude to the company. This was in contrast to the approach adopted by monopolistic organisations which treated and treat consumers - once the purchase had been completed - as troublesome, if not untrustworthy, complainants.

The approach taken to information from the workforce has been equally negative. The assumption is that employees will only raise personal grievances because they neither recognise nor identify with the well-being of the organisation. This assumption has informed a raft of laws and practices on workplace relationships and so, in turn, inevitably influenced the way employees are conditioned to behave in the workplace. This is not just misguided but self-defeating as information from the workforce is not only readily accessible and free to collect, but it enables the organisation to put a potential problem right before it causes any real damage to it, its reputation or its stakeholders.

The self-interest of organisations in promoting whistleblowing is now being recognised and increasingly employers have begun to provide whistleblowing routes for staff. While many of these are in response to recent legislation, the most effective ones are where the organisations’ leaders realise the importance of providing an alternative to (but not a substitute for) line management. This is because without it their managers are given a monopolistic control over the information which goes to those in charge. As with any monopoly, one weak link – be it a corrupt, lazy, sick or incompetent manager – will break the communication chain and stop those in charge receiving information which could be critical to the success or failure of the organisation.

Whistleblowing outside the organisation
Where, however, it is not safe and accepted for people to blow the whistle internally, we need to turn to the options that exist for those employees who decide to speak up if they come across serious wrongdoing. Without a safe internal route, one key option is to disclose the matter openly outside the organisation - be it to the authorities or more widely.

Such outside disclosures can raise ethical and legal issues of confidentiality and secrecy. They also influence the balance of relationships between business, the state and the media. An outside disclosure will more often than not involve some regulatory intervention and, at worst, unjustified adverse publicity. At the very least this will cause inconvenience and disruption to an organisation that would have dealt with the matter properly had it been told of the concern directly. In cases where the employer would have addressed the matter responsibly the value of an external disclosure is questionable as regulators and the media, when they receive such information, will mostly put the facts straight back to those in charge of the organisation. So a workplace where – in the absence of safe alternatives – outside disclosures are seen and used as the legitimate first port of call is an illustration of poor management and weak leadership.

Obviously not all employers are responsible and in such cases outside disclosures are the only effective way of averting a problem before real damage is done. But understood and used properly, whistleblowing allows regulators to distinguish those organisations that can rightly be given the chance to address such problems themselves from those that cannot.

Until recently, in most legal systems there has been no protection for an employee who makes an outside disclosure – even if it is in good faith, justified and reasonable. Accordingly, such disclosures have often been made anonymously, raising the difficult issues we address below. Where the ability of the authorities or the media to do their job depends so much on the information that they receive, there is every reason why law and culture should explain and provide for when such open disclosures are permitted and protected.

Where a whistleblowing culture exists, protecting outside disclosures is something that should cause little or no fear to any well run organisation as it will see how such a provision works to its advantage. First, without there being an external body to which staff may safely and openly go, some of its employees will lack the confidence to believe that any internal scheme is a genuine attempt to hear and address such concerns. Secondly recognition that there is an outside body (be it a regulator, parliament, shareholders or the wider public) makes real the principle of accountability – in the sense that people can be expected to give an explanation of their conduct. This has a key benefit throughout the organisation as it engenders a sense of self-discipline across the workforce that deters wrongdoing without giving managers an excuse to duck difficult decisions. Finally, the clear acceptance that there is such an external route is a powerful reason for the organisation’s management to promote and deliver its own internal scheme and to ensure that it will address any concerns properly.

Anonymous disclosures
Without safe routes for whistleblowing concerns to be raised openly and addressed properly, anonymous disclosures are the likely alternative to silence. Here it is important to distinguish anonymous from confidential disclosures. An anonymous disclosure is one sent in a brown envelope or a message left on an answer machine, with little or no possibility of identifying the person and so contacting him or verifying the information. By contrast, a confidential disclosure is where the recipient knows the identity of the person but agrees not to disclose it when he uses the information.

As to the message, anonymity raises real problems as it makes the concern more difficult to investigate, the facts more difficult to corroborate and excludes the possibility of clarifying any ambiguous information or asking for more.

As to the messenger an anonymous disclosure focuses more attention on and speculation about his identity than open whistleblowing. The result is that anonymity is no guarantee that the source of the information will not be deduced. Where the allegations are serious, those implicated will try all the harder to identify the source and, in the context of disclosures from the workplace, they succeed far more often than not. When they do, the fact that the employee acted anonymously will be claimed as a sign of bad faith or dishonesty, and will be used to undermine any suggestion he was acting in the public interest .

As anonymity makes it harder to address the message and can also harm the messenger, it can have little to commend it from either point of view. Looked at in a wider sense, anonymity also has little virtue. First, whether anonymous disclosures are made internally or externally, they are tainted by the fact that anonymity will always be the cloak preferred by a malicious person. Secondly whether the anonymous information is solicited or received by the state, it gives it unaccountable and unlimited power over what to do with it. As it is anonymous, it is entirely in the discretion of the body whether to use, ignore or conceal the information. This is because its decision is not open to question by the anonymous informant and nobody else knows it exists. For these reasons anonymity fuels mistrust and makes the powerful unaccountable and this explains why it is a common feature among dictatorships.

So what is whistleblowing?
As this shows, the word is now used to describe the options available to an employee to raise concerns about workplace wrongdoing. It refers to the disclosure of wrongdoing that threatens others, rather than a complaint about one’s own treatment. Whistleblowing covers the spectrum of that communication, from raising the concern with managers, with those in charge of the organisation, with regulators or with the public (be it through the media or otherwise). And the purpose of whistleblowing is not the pursuit of some private vendetta but that the risk can be assessed and, where appropriate, reduced or removed.

As whistleblowers stand up to be counted and raise concerns openly, they are quite different from the anonymous informer that dictatorships nurture and they are different from the sources that journalists can also depend on to inform their stories. This is the meaning the CNIL should give whistleblowing in its guidelines.

Back to Top

ANNEX 2

Initial thoughts from Public Concern at Work on the CNIL / SOX conflict on anonymous hotlines
1) The German labour tribunal decision was not on data protection grounds but do with the need for co-determination by the Works Council under German law as hotlines affect the internal organisation of the company.

2) The CNIL decision draws both on a confusion in SOX and a well-founded antipathy to anonymous reporting. These two have combined here to cause a misunderstanding about whistleblowing. Whether due to collaboration during the war or to the fact that all tyrannies have encouraged and depended on anonymous reporting, the CNIL decision may have been influenced by the tendency of many in France to assume a whistleblower is no different to an anonymous informer, and so see him as a denouncer rather than a bona fide witness or a good citizen. There’s some useful background on this in the report we did for the EC in 1996 which is at www.pcaw.co.uk/policy/wbfraudeu.htm. As an example of the continuing confusion about what the word means and the activity involves, I have heard from a multinational that its French subsidiaries objected to whistleblowing policies as contrary to human rights, but that when the same policies were reproduced under the name of a compliance policy, the subsidiaries seem to have no problem.

3) But as the following shows, this is not just about names. The real and practical issue is the relationship between whistleblowing and anonymous reporting and as I read it this is clearly the focus of the concerns in the CNIL decision.

4) As a general point and before turning to SOX, without a legitimate and meaningful procedure for staff to raise concerns of wrongdoing or risks to the public, the alternatives that an organisation leaves its staff, where line management is not an option, are silence or anonymous disclosures. Understood and implemented correctly a whistleblowing policy will and does actually discourage anonymous reporting and I do not see how such a procedure can be objected to on data protection grounds. This is because such a whistleblowing procedure offers an alternative to anonymous reports in practice because it provides reassurance and protection to the concerned employee - things which can only be invoked by an identified person.

5) This point was picked up by the Committee on Standards in Public Life in its last report (you can find it at www.pcaw.co.uk/policy/balanceright.htm) when it emphasised that organisations and people must understand the difference between open, confidential and anonymous reporting. The relevance of this to the data protection/human rights point CNIL identify is that if the concern is raised openly or confidentially (where the recipient knows the person’s name and identity but agrees not to disclose it without their consent or court order), the whistleblower can be held to account for his actions. In this way such a scheme is not an invitation to or an opportunity for a malicious employee to falsely denounce a colleague or someone else and so the key concerns identified in the CNIL decision should be met.

6) The issue is, however, complicated by the fact that CNIL has understandably been thrown by an inherent problem in the SOX provision. This is that section 301(4) says that the Audit Committee shall establish procedures for “the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters”. It is not possible for an employee to make “a confidential, anonymous submission” as they are alternatives. Equally it is not possible for anyone to guarantee anonymity - and I think CNIL may have read more into SOX than is actually there by the misleading assertion of the hotline provider in the Exide case that it could guarantee anonymity. More to the point, it should be recalled that Enron had a ‘best-in-class’ anonymous reporting system and it clearly did nobody any good as it was only when Sherron Watkins identified herself that the principles of accountability came into play.

7) I gather the confusion in this SOX provision is causing practical difficulties as it is and I imagine that when SOX is reviewed it will be amended. As the purpose of this SOX provision was that companies should introduce early warning systems about potential risks, a better approach would be if it required whistleblowing procedures for employees to raise concerns openly or confidentially. The issue of whether and how a company should in its discretion consider anonymous information is a separate one and one which may conceivably justify some balancing with the data rights of any person denounced in such a way.

Guy Dehn
8 Sept 2005

Back to Top

Footnotes
(1) A confidential report is where the identity of the whistleblower is known to the recipient on the recipient’s promise not to reveal the whistleblower’s identity without his consent or an order of the court. This contrasts with an anonymous report where the person does not disclose his identity to anyone.

(2) We recognise that in some parts of the world, where legal protection is unavailable or the rule of law offers little or no protection, anonymous reporting may be the only alternative to silence.

(3) That said, we do agree with the CNIL that it is important that employers should explain any whistleblowing arrangements to employees and should provide guidance and training on how any promise of confidentiality made to the whistleblowing employee should operate.

(4) UK Committee on Standards in Public Life, Second Report, May 1996, page 22 and Third Report, July 1997, p.49.

Back to Top