The recommendation of the Privacy Commission (29 November 2006) states that whistleblowing procedures are reconcilable with the Privacy Act of 8 December 1992. Whistleblowing procedures enable an individual to report suspicious behaviour of other employees which, according to the individual, conflicts with legislation or is against the rules of the company. A whistleblowing procedure inevitably involves the processing of personal data of the parties involved.
When a company introduces such a procedure, it should ensure that it respects the principles of loyalty, proportionality and transparency, as mentioned in the Data Protection Act, and should make sure that the individual's personal data is not used for any other purposes.
Finally, prior to the introduction of a whistleblowing procedure that results in automated processing of personal data, the employer must inform the employees and make a declaration to the Privacy Commission.