The Government has since published comprehensive guidance on whistleblowing to assist public bodies in understanding their obligations under the new Protected Disclosures (Amendment) Act 2022. Additionally, two template policies for handling internal and external reports have been published.
The amended Protected Disclosures Act expands protection against retaliation, including attempted retaliation, to individuals who make a protected disclosure through designated reporting channels:
1. All legal entities with 50 or more employees, must create a policy setting out the reporting channels and procedures for employees to make protected disclosures.
2. Obliged organisations must establish channels for reporting violations of national and union law or serious wrongdoings. These internal reporting channels must be easily accessible by all employees, and the company needs to provide clear information on their website regarding the use of these channels and the internal procedure for managing reports.
3. The channel for protected disclosures must securely protect the confidentiality of the reporting person’s identity and any third party named in the report, by its design, structure, and management.
4. The company must assign a designated, impartial individual to oversee the internal reporting channel. All reports must be investigated and diligently followed up by the designated person.
5. There is no obligation to accept of follow up anonymous reports, but any anonymous whistleblower who is subsequently identified is entitled to the same protection.
6. Reporting can take place verbally or in writing. The whistleblower can also request a face-to-face meeting.
7. Acknowledgment of the receipt of every whistleblowing report must be provided to the reporting person within seven days.
8. Feedback on the follow-up or investigation must be provided to the whistleblower within three months (can be extended to six months in certain justified cases).
Whistleblowers should be given information on the final outcome of any investigations.
9. Reversed burden of proofs means employers will have to prove that reprisals are not related to whistleblowing.
10. Records must be kept of every report received and the internal whistleblowing channels must use an appropriate encryption system for data protection and confidentiality throughout the entire process. All processing of personal data must be done in accordance with GDPR.
Private sector and charity employers with 250 or more employees were required to comply with the new procedures and establish a secure, impartial, and confidential internal reporting channel by 1 January 2023.
For companies with between 50 and 249 employees, the implementation deadline for reporting channels was December 17, 2023.
Employers in financial services, products and markets, prevention of money laundering and terrorist financing, transport safety, and protection of the environment had to comply from 1 January 2023 regardless of the number of employees, this is also true for all public bodies.
Applicable penalties for non-compliance with whistleblowing regulations include hindering or penalising workers from making reports, bringing vexatious proceedings against reporting persons, and failing to establish internal reporting channels. Such offences can result in fines of up to €250,000 and/or imprisonment for up to two years.
Breaching the duty of confidentiality can result in fines up to €75,000 and/or imprisonment for up to two years. Corporate entities can also be held liable for offences committed with the consent or neglect of directors or officers, who may face similar penalties as the corporation.
Whistleblowers penalised for making protected disclosures could receive compensation equivalent to up to 5 years’ pay if they received salary from
the organisation.
Knowingly making a report with false information is punishable by a fine of up to €100,000 and/or imprisonment for up to 2 years. Whistleblowers cannot be penalised if they had reasonable grounds to believe that the reported information was true at the time of reporting.
Whistleblower protection obligations refer to the legal and ethical responsibilities of organisations to safeguard individuals who report wrongdoing or illegal activities within the workplace.
Non-profit organisations, associations, foundations, and other similar entities are also affected by the law.
Whistleblower protection extends to employees (current and former), contractors, individuals on work experience, agency workers, volunteers and trainees,
shareholders, board members and job applicants
Protection includes prohibition of retaliation, also indirect, against the reporting person. This includes e.g., dismissal, suspension, downgrading or non-promotion, demotion, negative references, intimidation or harassment, reputational damage, or otherwise unfavourable treatment. Protection also includes benefits from support measures provided by third-sector organisations (such as information, assistance, and advice on how to report, the rights of the person concerned and access to legal aid).
A whistleblower is protected even if the information is proved to be incorrect, provided they had reasonable belief in the information at the time of reporting.
To comply with the Irish law on whistleblower protection, organisations should:
Employers must also appoint someone to investigate whistleblower claims. That person or department must have autonomy to investigate and follow-up as necessary.
The internal whistleblowing channels must be easily accessible by all stakeholders and easily found on the organisation’s website. Digital platforms or whistleblower systems such as Whistlelink’s all-in-one solution can offer valuable support for the organised management of whistleblowing.
Whistleblowers are allowed to submit anonymous reports; but an organisation’s legal responsibility is to protect the confidentiality of whistleblowers.
For all reports received in the internal reporting system, records must be kept in compliance with data protection laws. Feedback on the investigation must be
provided to the whistleblower within three months.
Data controllers must implement a combination of organisational and technical measures to protect the confidentiality of the whistleblower, and the integrity and confidentiality of any personal data reported. An appropriate encryption system must be used throughout the entire process.
Organisations are required to adhere to data protection principles and requirements, including those set forth in the General Data Protection Regulation (GDPR), when processing personal data collected through whistleblowing reports.
According to the GDPR, personal data should not be kept for longer than is necessary for the purposes for which it was collected. Therefore, organisations should establish clear retention periods for personal data collected through whistleblowing reports, taking into account factors such as the nature of the reported misconduct, the potential legal or regulatory requirements, and any applicable statutes of limitations.
Train employees on whistleblower rights and procedures. Ensure employees are aware of their rights, the protections in place to prevent retaliation, and understand
the importance of reporting any wrongdoing they witness.
In most cases, internal reporting channels within the organisation should be the preferred method for whistleblowers to raise their concerns. However, whistleblowers may also choose to use external reporting channels such as the Office of the Protected Disclosures Commissioner.
A whistleblower may also report to one of the prescribed persons listed in the Protected Disclosures Act 2014 Order 2020. In general, prescribed persons have regulatory functions in the area which are the subject of the allegations. A list of prescribed persons can be found at:
http://www.gov.ie/prescribed-persons
For external disclosures, the information and any allegations must be substantially true, by reasonable belief.
Whistleblowers should be informed of their rights and provided with guidance on how to access external reporting channels effectively and safely. Organisations must include information on external reporting in their whistleblowing policy.
Early detection of issues allows for addressing concerns at an early stage, preventing them from escalating into more significant problems. Handling concerns internally will help organisations maintain their reputation and credibility.
By creating a culture that values transparency and accountability, employees will feel more comfortable coming forward with their concerns. This can be achieved through regular training and communication, ensuring that employees understand the importance of reporting potential misconduct and the protections in place for whistleblowers.
Nice to meet you!
HAPPY TO MEET YOU!
Whistlelink values your privacy. We will only contact you about our solutions. You may unsubscribe at any time.
HAPPY TO MEET YOU!
Whistlelink values your privacy. We will only contact you about our solutions.
You may unsubscribe at any time. For more info, please review our Privacy Policy
