The Whistleblower Protection Act imposes on personal data administrators the obligation to adequately protect the sensitive data of individuals reporting irregularities and data that can be used to identify them. However, not all data protection duties were precisely elaborated in the Act. For instance, the provisions allow anonymous reports, but do not contain sufficiently clear requirements for them. – Obvious issues such as meeting informational obligations when collecting data start to grow into huge problems – assesses Dr. Marlena Sakowska-Baryła, Professor at the University of Łódź, member of the Social Expert Team at the Personal Data Protection Office (UODO), Poland.
The Whistleblower Act, which comes into effect on 25th September 2024, introduces a number of new obligations for companies and personal data administrators, primarily concerning the processing of personal data contained in infringement reports as well as the data of the whistleblowers themselves.
– Let’s remember that we must simultaneously apply the general data protection regulation and the provisions of the Whistleblower Protection Act. The problem lies in the fact that the provisions of the Whistleblower Protection Act are significantly flawed, and it turns out that even such apparent issues as meeting informational obligations when collecting data start to grow into huge problems – emphasizes Prof. Marlena Sakowska-Baryła in an interview with Newseria Business agency.
During the legislative work on the Whistleblower Protection Act, the UODO emphasized that the rules for processing the personal data of both whistleblowers and the individuals to whom reports refer should be clarified. The UODO addressed these concerns in a letter to the Marshal of the Polish Senate, emphasizing the inconsistencies within the act regarding the rights and obligations of whistleblowers who want to report either non-anonymously or anonymously. The UODO urged that the proposed act clearly define which personal data, such as the place of work, would allow whistleblowers to be identified.
– Not only the sensitive data within the scope of the general data protection regulation will be extremely important, but also data that can identify a whistleblower. Special protection and security must accompany the entire system, from reporting infringements, through their verification, and subsequent actions so that our carelessness does not lead to the exposure of data that could identify a whistleblower – which is unacceptable from the perspective of these provisions – explains the member of the Social Expert Team at the UODO.
Administrators must clearly define the purpose of collecting and processing personal data associated with legal infringement reports. It should be limited to what is necessary. – The protection of personal data is not only focused on the whistleblower. There are also many other people involved, including the person reported, whose personal data is also protected. Also, people associated with the whistleblower, witnesses – these are all individuals whose personal data needs to be properly secured – points out Prof. Marlena Sakowska-Baryła.
The aim of the implemented provisions is to provide protection for those reporting irregularities against potential retaliatory actions such as dismissal, wage cuts, loss of promotion opportunities, or bullying. According to the 2024 EY “Global Business Integrity Survey,” the percentage of respondents who trust that they can report irregularities at work without fear of negative consequences related to the report dropped from 79% to 64%. Respondents claim that they do not report violations due to lack of faith that it will cause any reaction. Potential whistleblowers are still concerned about further career development (40% of respondents). Hence, ensuring appropriate data protection is crucial.
– This confidentiality must be ensured at several levels. This refers to accepting, documenting the report, and subsequent proceedings. As part of these actions, we need to ensure that the identity of the whistleblower is not revealed, while collecting the necessary information from the perspective of this process. This is certainly a significant challenge for all the people involved in the verification actions as well as those who may have any contact with these reports – evaluates the expert.
According to Sakowska-Baryła, the key element of implementing the new provisions is educating employees. Employers should also conduct regular training on personal data protection, including the rules for processing whistleblower data. – In contrast to the provisions of the Act, which requires the creation of dedicated channels, reporting can reach completely different places within the organization. Each staff member who may potentially come across such information should be prepared for how to behave, primarily to ensure confidentiality of what has reached them – says Prof. Marlena Sakowska-Baryła.
The challenges related to data protection in the context of the new Whistleblower Protection Act were the subject of a seminar organized at the Personal Data Protection Office in August. Mirosław Wróblewski, President of the UODO, together with representatives of the Social Expert Team at the PUODO and external experts discussed feedback submitted as part of social consultations and presented proposals for interpreting the provisions of the Whistleblower Protection Act with regard to personal data.