A digital whistleblowing system is a reporting channel that enables a whistleblower to submit information about breaches confidentially or anonymously. Such a reporting channel is part of the compliance management system and serves the early detection of breaches of rules and criminal offences.
National whistleblower protection laws are based on EU Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting infringements of Union law, which had to be transposed into the national law of all EU Member States. The Whistleblower Protection Act stipulates that whistleblowers must be provided with appropriate confidential reporting channels.
In addition, the possibility of adequate communication between the internal reporting office and the whistleblower must be ensured. There is a need for simple and secure digital whistleblowing software that, on the one hand, meets the legal requirements and, on the other hand, ensures the protection of the whistleblower as well as the secure and data protection-compliant processing of sensitive data. The most suitable way to meet these requirements is to use anonymous and digital whistleblowing software.
A digital whistleblowing system allows a whistleblower to submit a web-based report of a violation anonymously or confidentially. The requirements are a browser and an intact internet connection.
The so-called SaaS (Software as a Service) is cloud-based, does not require installation on the company’s end devices and enables simple and quick implementation. Further advantages are the reduced IT administration effort, as no own servers have to be operated and updates installed. The software ensures device- and location-independent access at all times. Data centres certified to the ISO 27001 standard guarantee data security through a professional IT security management system. Storage space can be expanded at any time. If requirements change, adjustments can be made to the software.
The high degree of flexibility, data security and protection of in-house IT resources make SaaS very attractive for companies and public authorities.
DISS-CO’s digital whistleblowing system is a secure digital whistleblowing software with many selectable modules, integrations and customisation options. The software, which can also be used as complaint management software, offers dashboards and intuitive case management that stores sensitive personal and case-related data centrally, DSGVO compliant and unmanipulable. The whistleblower has the choice to submit an anonymous or confidential report. Through encrypted and anonymous communication, further information can be obtained from the whistleblower.
Ensuring the anonymity of the whistleblower system also creates tremendous security and trust in the internal reporting office and the company. By removing the metadata of the file attachments, the whistleblower system ensures technical anonymisation. Internal communication as well as communication with consultants can also take place exclusively and encrypted on the platform. This reduces the data leakage risk. An individual authorisation concept can be used to regulate access within the organisation.
If the internal reporting office is partially or completely outsourced, the external agents have access to the information via an authorisation concept. Persons assisting in the clarification of a case can easily and quickly obtain access for task management without having to view the entire case. This allows the person responsible for the case to maintain an overview of the tasks at all times and to define deadlines and dependencies. In addition, a Kanban board provides an overview of the status of pending and ongoing tasks. For audit security, all information is recorded and cannot be changed until the final deletion of the entire case. The software also reminds of the legal deadlines.
The central, secure and unmanipulable processing of information in connection with secure communication while respecting the anonymity of the person providing the information enables efficient case processing.
Many companies still provide a general email address for reporting breaches.
If the person providing the tip wants to remain anonymous, there is no way around an anonymous e-mail account. Creating an e-mail account with a private e-mail provider is very easy and free of charge nowadays. However, this method has several disadvantages and risks.
The emails are usually unencrypted, which creates a security risk for the company. In addition, employees are practically forced to transmit internal company information via a private email provider. The sensitive information could be tapped during transmission or afterwards. The usual US email providers, such as Google and Yahoo, transmit the data to servers in the US or elsewhere, or to subcontractors or affiliates, who in turn process and transmit information to their subcontractors and affiliates. For users, the strand of data processing is not transparent.
If, for example, US authorities are involved in external investigations, the providers are obliged to cooperate and must transmit the information and e-mails to the authorities. The data subjects are not informed about the transfer. In both cases, the consequence is that sensitive internal company information is passed on and processed in an uncontrolled manner.
Employees also sometimes use their private devices, depending on the structure and IT policies of the company. Either because they do not need end devices such as laptops and smartphones for their work or because there is a bring-your-own policy or the use of private end devices for company purposes is not regulated. This poses a high risk for the data subject. In the past, there have been repeated whistleblower cases with criminal consequences for the whistleblower due to the transfer of company information into the private sphere.
The data was transferred either physically or digitally for the purpose of transmission to external reporting bodies or to the press from the company environment, sometimes after the person suffered reprisals due to an internal report. It is not relevant whether, for example, one or more file folders are physically transferred or the data is transferred digitally to external storage media or by e-mail. What is relevant is the transfer itself. In addition, the scope of the transferred data is relevant.
Data transmissions via the company’s end devices and from the company network can be traced using various methods. This can reveal the identity of the anonymous whistleblower. More secure is the use of the digital whistleblowing software Smart Intergity Platfom by DISS-CO and the application of the associated guidelines, which, among other things, prohibit tracking of the use of the specific URL by IT.
If file attachments are attached to the report, the metadata can be used to determine the identity of the person providing the information. The metadata is attached to each file and provides information about the author, the users and the history of the file, among other things. If the person providing the information is skilled enough to remove the metadata themselves, the information cannot be traced. We know from practice that only a small percentage of people who usually report have the technical knowledge or are willing to read up on it in detail. Therefore, DISS-CO’s digital whistleblowing software automatically removes the metadata from anonymous reports.
In addition, for security reasons, some companies have so-called data loss prevention (DLP) tools in place that can record and monitor all actions. DLP tools can be used preventively to prevent data theft, but they are also very suitable for employee monitoring and can endanger the anonymity of the whistleblower. Whistleblowers are well advised to inform themselves in advance about the use of DLP tools if they wish to use the whistleblowing system for anonymous reporting.
Using an email address as an internal whistleblowing channel offers many risks for the company and the whistleblower. Sensitive information within the company is processed and forwarded externally in an uncontrolled manner, could be misused and cause financial and reputational damage.
The possible negative consequences for the whistleblower reduce trust in the whistleblowing system, which leads to lower use of the whistleblowing system. This in turn leads to violations going undetected for longer.
By implementing a secure digital whistleblowing system such as DISS-CO’s Smart Integrity Platform, companies and authorities can provide security to whistleblowers and uncover risks at an early stage.
