Big corporate scandals have made whistleblowing a headline topic. From Danske Bank to the Panama Papers, whistleblowers have thrown a spotlight on problematic behaviour.
Politicians and regulators have responded with measures to protect whistleblowers, seeing such individuals as a check on wrongdoing and a way of ensuring corporate accountability. But what are the key elements of whistleblowing in the UK and how do companies get it wrong?
The statutory regime for whistleblowing in the UK was established in 1998 with the Public Interest Disclosure Act, which followed a wave of corporate scandals.
Crucially, the legislation provides protection for whistleblowers. First, by deeming unfair any dismissal of a worker for making what is known as a “protected disclosure”. Second, by making unlawful any action that causes “detriment” to a worker if the action was prompted by the worker blowing the whistle.
Key to the legislation is the definition of “protected disclosure”. Whistleblowing is considered protected if a worker discloses information rather than making threats; the worker has a “reasonable belief” the disclosure is in the public interest; information is disclosed to specified persons such as the employer or to prescribed external bodies; and the disclosure relates to one of six kinds of “relevant failure”.
Failures considered relevant are breaches of a legal obligation and dangers to health and safety; criminal offences; miscarriages of justice; damage to the environment; and, lastly, covering up information about failures in these areas.
Crowley Woodford, head of the European employment practice at law firm Ashurst, warns that the law in this area can be “tricky”. The requirement that workers need only have a “reasonable belief” that something is awry is a key example.
“That’s a relatively subjective test, “ says Woodford. “As long as the whistleblower subjectively believes that a breach has occurred and that is objectively reasonable, it does not matter if that belief later turns out to be wrong.”
There is a further warning as whistleblowing must be in the “public interest.” When originally enacted the legislation demanded that whistleblowing was in “good faith”. But, prompted by many workers reporting their own employment concerns, the public interest test was introduced as a counterweight.
“As long as the whistleblower subjectively believes that a breach has occurred and that is objectively reasonable, it does not matter if that belief later turns out to be wrong”
—Crowley Woodford, Ashurst
Woodford warns, however, that employment concerns can still be reported; all whistleblowers need do is show that their complaint applies to more than one individual.
The legislation is also open to use tactically by a worker. For example, when an individual’s professional performance is called into question, companies may find that he or she then blows the whistle and consequently argues that any dismissal
has arisen because of their whistleblowing.
“If the tribunal can see that there is a history of poor performance before the whistleblowing and a good paper trail evidencing this,” says Woodford, “that will present a powerful argument that the dismissal or detriment did not arise as retaliation for blowing the whistle.
“The problem is that employers often don’t do that and performance issues are often dealt with informally without documentation, leaving the company more exposed.”
As mentioned, whistleblowers are protected from “detriment” where they have made a protected disclosure. It is relatively easy for companies to ensure at the time of a report that a worker is not subjected to detriment.
According to Woodford, problems arise once an investigation has ended if a whistleblower is excluded from events as innocuous as project team meetings or discussions because that could be enough for someone to claim that detriment has taken place.
“The wider the knowledge of the whistleblowing spreads, the more potential there is for this type of exclusion to occur,” says Woodford. “It requires effective management and containment to a small group of individuals who are skilled in dealing with these issues.”
Restricting access to information also applies to anonymous whistleblowing because of the natural tendency for speculation to focus on who made the report. Protocols are therefore needed to govern access to information.
“Having these issues embedded in a policy is a powerful means of ensuring that the employer at each step is trying to afford the whistleblower protection,” concludes Woodford.
The situation in France
French multinationals have been implementing whistleblowing policies for some years, but the work was given added impetus in 2016 with the introduction of the Sapin II law.
The legislation details which companies must implement a whistleblowing policy (those with 50 employees or above), lays out step-by-step procedures to be followed and offers a definition of what constitutes whistleblowing.
However, according to Nataline Fleury, an employment law partner at Ashurst in Paris, a complex mesh of laws apply to whistleblowing in France. This includes Sapin II, data protection law (GDPR), law relating to works councils and legislation applying to disciplinary sanctions.
Sapin II procedures are designed to ensure whistleblowers do not face discrimination, while those found responsible for wrongdoing do not face sanctions that cannot be justified. That means taking great care with the process.
French whistleblowing is driven by a desire to avoid anonymous reports. Whistleblowers can claim anonymity but should not be encouraged. It is considered preferable for whistleblowers to be named.
“Where there is an opportunity to pass the matter to a regulator, it is better for them to investigate”
—Hubert Blanc-Jouvan, Ashurst
Confidentiality must also be maintained. This is why many French firms choose third-party service providers to handle their whistleblowing hotlines and investigatory procedures. It’s not mandatory, but it provides a level of assurance against leaks.
Risk then arises when an investigation is complete and a company must decide on what disciplinary action they will take.
Hubert Blanc-Jouvan, a regulatory partner with Ashurst, explains that in financial services, this is the point when matters are often handed to a regulator when related to financial regulations.
“Where there is an opportunity to pass the matter to a regulator, it is better for them to investigate,” he says. Additional requirements apply to financial firms and French regulators implement specific procedures to collect and deal with the reports received from whistleblowers, he adds.
Employers in unregulated sectors must decide which disciplinary action to take themselves. Here confidentiality remains paramount, as does the need to follow procedure as it is set down in law.
Fleury warns: “You need to ensure that the whistleblowing policy, the consultation process of the employee representatives, the information of the employees and the manner in which the whistleblowing procedure was followed through all comply with the law, or an employee can challenge any sanction faced by arguing that the process did not comply with the regulations.”
The situation in Germany
Unlike the UK and France, Germany has no specific whistleblower law. However, according to Andreas Mauroschat, an employment law expert at Ashurst in Frankfurt, German companies, especially those in financial services, have been implementing whistleblowing plans for many years. These have also become a mandatory part of the risk management obligations stipulated in the German Banking Act.
Regulatory requirements from BaFin, Germany’s financial regulator, are broad and simply ask firms to have some form of whistleblowing plan and procedure which allows employees to secretly provide information on breaches of certain laws, such as MAR (Market Abuse Regulation), the German Banking Act, the German Securities Trading Act and others.
“When there is a follow-up, or a challenge to a decision, we frequently see documentation for the original incident is not complete and elements of the process are undocumented”
—Andreas Mauroschat, Ashurst
Employee protection comes through labour laws because employment agreements impose a fiduciary duty on employees to disclose problematic behaviour, or go to an external body if the issue is thought to be in the public interest. In these circumstances an employer is prevented from taking any retaliatory action because the employee is not in breach of their employment contract.
According to Mauroschat, whistleblowing policies need to be robust with standard procedures that allow for benchmarking, action plans for containment and prevention plans addressing future processes. Most importantly, systems need to document each step taken during the whistleblower process, especially the reasons for any decisions taken on issues such as disciplinary action.
A failure to keep adequate records can lead to problems later. “We often see an incident is handled professionally,” says Mauroschat, “but when there is a follow-up, or a challenge to a decision, we frequently see documentation for the original incident is not complete and elements of the process are undocumented.”
One way to resolve that issue is through the use of new internet-based integrity systems. “These systems allow you to move away from managing data to managing a process, and avoid people failing to act correctly because the system forces you to take steps in line with internal policies,” says Mauroschat.
“They can be a very powerful tool and massively reduce risk.”
This article has been prepared in collaboration with Ashurst, a supporter of Board Agenda.
The post What boards need to know about whistleblowing appeared first on Board Agenda.