Preparing for the EU Whistleblowers Directive – Guidance for Regulators

Stephanie Casey manages Integrity at Work, a Transparency International Ireland initiative. To find out more, please contact  (01) 554 3953 or email support[at]transparency.ie.

Ireland’s whistleblower protection legislation, the Protected Disclosures Act (PDA) 2014, is designed to promote internal disclosures. However, reporting internally may not always be possible where the worker’s employer is involved in the wrongdoing or has failed to respond adequately to a disclosure of wrongdoing. To allow for this, the PDA provides workers with a range of external channels for reporting wrongdoing including a list of regulators described as ‘prescribed persons’.

Prescribed persons are independent from the worker’s employer and generally have regulatory functions in the area that is the subject of the disclosure. Many have the authority to both investigate disclosures and to hold their regulated entities to account. In opting to report to a prescribed person the worker must have a reasonable belief that the wrongdoing falls within the remit of the body and that the information they wish to disclose is substantially true.

Workers are well placed to access information on a day-to-day basis that the regulator may not otherwise be able to obtain. Likewise, the role played by regulators in the whistleblowing process can also be a positive one as they have the potential to address the concerns raised by the worker. However, new research has shown that only 28% of prescribed persons have information on how to make a disclosure publicly available on their website. Furthermore, 79% have either no annual protected disclosures report or only partially comply with the annual reporting obligations under the PDA.[1]

EU Whistleblowers Directive

To date, there has been relatively little guidance for prescribed persons in Ireland as to the scope of their responsibilities and their powers to investigate. The forthcoming EU Whistleblowers Directive includes a range of specific provisions for ‘competent authorities’ which are expected to be transposed into Irish law by 2021. In the Irish context, competent authorities will likely include prescribed persons and any other relevant bodies to whom reports can be made.

Requirements for regulators

The EU Whistleblowers Directive details a range of supports to be developed and established by competent authorities. These include:

• Maintaining secure systems for the receipt and recording of reports that ensure the confidentiality of the discloser. Reports should be stored for no longer than is proportionate and necessary.
• Establishing a variety of reporting channels that allow for oral (including by telephone or via a voice messaging system) and written reports and/or meetings with the discloser where requested. Where an oral report or a meeting has been documented, the discloser must be offered the opportunity to check, rectify and sign off on the transcript.
• Providing dedicated staff to handle reports and maintaining contact with the reporting person. These staff members must have received specific training on how to handle reports. In instances where a staff member not responsible for receiving reports receives a disclosure, they must refrain from disclosing any details that may identify the discloser and must promptly forward the report to the correct staff member.
• Acknowledging receipt of a report within seven days unless the discloser has explicitly requested otherwise or the competent authority believes that acknowledging the report would jeopardise the discloser’s confidentiality.
• Following up diligently on reports and providing feedback on the response to the report within three months (or six months in duly justified cases). In the event of a high inflow of reports, the prescribed person can implement a case prioritisation system.
• Informing the discloser of a decision not to pursue a report in instances where the matter is judged by the competent authority to be minor and not requiring any follow-up on their part, or where there are repetitive reports that do not include any new or meaningful information. Note: this does not preclude the discloser from reporting through other internal or external channels.
• Transferring the report/case to another competent authority where it is deemed that the receiving body does not have the competence to deal with a report. The case must be transmitted within a reasonable timeframe, in a secure manner and the discloser must be kept informed without delay.
• Communicating the final outcome of an investigation to the discloser in accordance with national law, as well as to other relevant authorities and institutions.

Website Information for regulators

Competent authorities must also publish the following information on their website in an easily accessible section and review and update it every three years:

• Conditions under which reporting persons qualify for protection
• Information regarding the types of reports that can be made and measures for protecting the discloser from retaliation
• A clear statement explaining when the discloser will not be liable for a breach of confidentiality relating to the acquisition of or access to the relevant information
• Details of how to make a report to the authority including the full range of reporting options
• Details on how the report will be processed including timeframes and format for feedback
• The confidentiality regime that will be applied to reports and how personal data will be processed
• The nature of the follow-up that will be given to reports
• Remedies and procedures available against retaliation and details of where persons contemplating making a report can access confidential advice
• Contact information for any other relevant bodies providing independent information and advice to the discloser

While it is not clear at this stage exactly what changes will be transposed into Irish legislation, the EU Whistleblowers Directive nevertheless presents a prime opportunity for regulators to assess how their current systems for receiving disclosures can be updated and improved. As part of the Integrity at Work initiative, Transparency International Ireland will be running a series of workshops on the Directive. If you would be interested in attending, please email support[at]transparency.ie.