On 17 December 2021, the Flemish Government published the draft decree on whistleblowers, which develops a scheme for the transposition of the European Whistleblower Directive (Directive 2019/1937) in the public sector, specifically for the Flemish Government and local authorities. On 18 January 2022, the Flemish Supervisory Commission for the Processing of Personal Data (Vlaamse toezichtcommissie voor de bescherming van persoonsgegevens – VTC) issued its advice no. 2022/006 on the draft decree. The advice highlights some crucial aspects of data protection, which are also relevant for anyone who has to introduce whistleblowing schemes in the private sector.
Draft decree on whistleblowers
We previously reported on the draft act for companies in the private sector (see our contribution of 15 December 2021). The Flemish Government’s draft decree of 17 December 2021 focuses on the public sector and should allow for reporting within the Flemish government and local authorities. The draft decree amends the Provincial Decree of 9 December 2005, the Decree of 22 December 2017 on local government and the Administrative Decree of 7 December 2018. The Provincial Decree and the Decree of 22 December 2017 already contained a limited whistleblower arrangement. These provisions will now be deleted, and a more extensive set of rules will be elaborated in the Administrative Decree. As a result, the amended Administrative Decree will include a whistleblower scheme for a very wide range of authorities, ranging from the Flemish internal and external autonomous agencies, to the Flemish municipalities, to welfare associations and autonomous care institutions.
Data protection in the draft decree on whistleblowers
On 18 January 2022, the VTC issued its advice on the processing of personal data under the draft decree on whistleblowers.
Although the draft decree only concerns the public sector, any whistleblower scheme – regardless of the sector, whether private or public – involves the processing of personal data. Therefore, the VTC’s comments have much broader relevance and constitute, as it were, a checklist for anyone working with whistleblowing schemes.
The VTC concludes that the draft decree provides sufficient guarantees for the protection of personal data, but it nevertheless identifies some shortcomings. The VTC makes the following points concerning the draft decree:
- There is a need for a clearer demarcation of reporting with other reporting and complaints procedures. For instance, whistleblowers can also turn to other channels to report non-compliance with legal or regulatory provisions in the workplace. This could be, for instance, reporting a violation of the General Data Protection Regulation (GDPR) to the VTC or – in the future – a complaints procedure for reporting discrimination to the Flemish Human Rights Institute.
- The draft decree must include additional guidelines to guarantee the protection of personal data when the whistleblower discloses the alleged breach. After all, at the time of disclosure, no investigation has yet taken place, but the identity of others involved (e.g. the person about whom a report is made) could already become public.
- There must be a clear legal basis for the processing in the context of a report. In the public sector, the processing is primarily based on Article 6(1)(e) GDPR (performance of a task carried out in the public interest or in the exercise of official authority), but the VTC also points out that there is a need for a legal basis in Article 9 GDPR. After all, special categories of personal data may also be processed, namely biometric data. This could, for instance, be a voice when the reporting is done via an audio recording.
- According to the VTC, reporting channels, both internal (e.g. Audit Flanders or the board) and external (e.g. the Flemish Ombudsservice), are to be regarded as data controllers.
- The VTC recommends carrying out a data protection impact assessment pursuant to Article 35 GDPR. The reasoning is that the arrangement will entail a high risk for the whistleblower and for other data subjects who may or may not be mentioned in the reporting file.
- The collection of personal data of data subjects should be limited to what is necessary. If a head of staff delegates his/her power to receive reports, the number of persons having access to the personal data must be limited on the basis of that delegation.
- The retention periods are set in the draft decree at six or ten years, depending on whether or not the data relates to a crime. These retention periods are aligned with the applicable statutes of limitations for crimes and offences. However, according to the VTC, these periods are too long in light of the principle of storage limitation in Article 5(1)(e) GDPR.
- The draft decree lacks a provision that personal data must be accurate and kept up to date, as required by Article 5(1)(d) GDPR.
- The draft decree indicates that the manager of the Flemish public authority or the head of personnel of the local authority or local administration to whom the report is submitted may decide under certain conditions to limit the rights of data subjects (e.g. the whistleblower or the person who is the subject of a report) in Articles 12–21 GDPR. As in comments on other decrees, the VTC points out that the GDPR only allows the limitation of the scope of the rights, but not the existence of those rights per se. With regard to the whistleblower, the VTC is opposed to any limitation of rights. After all, this person is, in principle, already aware of the investigation. As regards other data subjects (e.g. (third) parties mentioned by the whistleblower), the general reference to the provisions of the GDPR is not sufficient and the possibilities for derogation must be further clarified.
- When audio recordings of the report are made, the VTC considers it insufficient to inform the whistleblower, but recommends that the whistleblower gives permission for the recording to be made. This is also included in the Whistleblower Directive.
- Furthermore, the draft decree implements the principle of data protection by design for reports received in order to guarantee the confidentiality of (i) the identity of the whistleblower, (ii) the identity of (third) parties mentioned by the whistleblower, and (iii) information from which the identity of the whistleblower or a (third) party can be derived. The VTC recommends that this should be applied to all communication, including external communication of the report. Moreover, safeguards must be put in place to ensure the anonymity of the whistleblower in the case of an anonymous report.
- Finally, the draft decree includes a scheme for personal data breaches, e.g. when a whistleblower reports to an unauthorised staff member or when a report is made in an insecure manner. In this case, the unauthorised staff member must forward the report in a secure manner to the authorised staff member as soon as possible. Reports may also be made by telephone, where a person’s voice may be recognised. Therefore, the VTC recommends the immediate distortion of telephone recordings of reports and the inclusion of further measures in the draft decree to prevent personal data breaches. The VTC refers to the examples of security measures in Article 32 GDPR (e.g. pseudonymisation and encryption, and setting up a procedure to regularly test the security measures) and the previous recommendation of the Commission for the Protection of Privacy. Furthermore, the VTC stresses the importance of proper user and access management and logging of data access. For the use of cloud applications, it refers to its previous opinions and recommendations.
We will keep you further informed about new developments and are ready to assist you in implementing a whistleblower policy within your organisation.