A whistleblower program, if well-designed, is an adequate tool to build a culture of good communication and corporate social responsibility, where reporting persons are considered to contribute to self-correction and excellence within the organisation significantly.
The most significant risks typically occur in a work-related environment, such as theft or fraud, bribery/corruption, environmental misconducts, health and safety concerns, privacy issues, employer’s policy breaches.
Employees are the ones to which it is easier to detect a breach. Still, they do not often report violations, mainly because they either believe that the breach cannot be effectively addressed or that there is a risk of retaliation.
As part of compliance programmes, reporting channels can be used as a risk management tool, giving organisations the chance to become aware of concerns/misconducts at earlier stages and prevent or mitigate financial and reputational risks.
Reporting channels allow building a confident and secure environment. Employees are encouraged to openly speak about their concerns with the management as their first preferred course of action. Confidentiality, response times, and follow-up must be ensured. Otherwise, a reporting channel will quickly fail its credibility and trust before its primary recipients – the employees.
This paper explains the main steps organisations need to take to comply with the Directive (EU) 2019/1937 (the ‘EU Whistleblowing Directive’ or the ‘Directive’) and Law 93/2021 of 20 December 2021, which implemented the Directive in Portugal.
The time to act is now for those who have not yet taken steps to ensure that a whistleblowing programme with effective report channels is in place. The Portuguese Whistleblowing Law requires ongoing internal reporting channels by 18 June 2022.
The EU Whistleblowing Directive
Currently, whistle-blower protection provided in the EU is fragmented across its Member States. This situation is due to different reasons, including cultural ones.
The purpose of the EU Whistleblowing Directive is to create a harmonised legal framework, which will introduce substantial changes in approach to whistleblowing in the many Member States, including Portugal, and with effects for employers with EU cross border operations.
The Directive affects all legal entities in the private and public sector with 50 or more employees and, regardless of the number of employees, entities within the scope of some EU acts, including Anti-Money Laundering (AML) rules. These organisations must provide means for employees to report misconducts that occurred in a work-related environment, including, but not limited to, the following: public procurement; prevention of money laundering; environment; personal privacy data.
The definition of “employees” has a broad range, comprising those with the employee’s status and freelance employees, contractors, subcontractors, suppliers, shareholders, management roles, former and prospective employees.
The deadlines to incorporate the minimum standards of the Directive into local laws are as follows:
- Businesses and government organisations with or more than 250 employees, entities falling into the scope of EU some acts (such as AML rules), and municipalities serving 10,000 inhabitants must implement an internal reporting system by 17 December 2021; and
- Businesses and government organisations with 50 to 249 employees must have their internal reporting system by 17 December 2023.
Organisations must have systems in place to monitor and follow up on reports. They must be prepared to understand the steps to protect whistle-blowers following their reports, safeguard their identity, and ensure that employees will not suffer any retaliation.
The Directive contains the minimum standards for accepting, processing, and reporting information received from whistle-blowers. The EU Member States may impose additional requirements on top of these, so it is recommended to keep track and review the local whistleblowing legislation.
Reporting channels
In Portugal, the Whistleblowing Directive was implemented by Law 93/2021, of 20 December 2021.
The Portuguese Whistleblowing Law imposes that local businesses and government organisations with or more than 50 employees, “obliged entities” falling into the scope of the Portuguese Anti-Money Laundering Law (Law 83/2017, of 18 August 2017), and municipalities serving 10,000 inhabitants implement an internal reporting system by 18 June 2022.
Employees must first use internal reporting channels before using external channels. The procedures for internal reporting channels shall include:
- Setting-up of channels for receiving the reports which need to be designed, established, and to operate in a secure manner that guarantees that the confidentiality of the identity of the reporting person and any third party mentioned in the report is protested, and prevent access thereto by non-authorized staff members;
- Acknowledgment of receipt of the report within seven days of that receipt;
- An impartial person or department competent for following-up on the reports and which will maintain communication with the reporting person and, where necessary, ask for further information from and provide feedback to the reporting person;
- Provision of feedback within a reasonable timeframe, not exceeding three months from the acknowledgement of receipt or, if no acknowledgement was sent to the reporting person, three months from the end of the seven days after the report was made; and
- Provision of clear and easily accessible information regarding the procedures for reporting externally to competent authorities.
Employees must use external channels in case internal channels cannot reasonably be expected to function correctly. This may occur if employees have valid reasons to believe that:
- They will suffer retaliation in connection with the reporting, including as a result of a breach of confidentiality, or
- Competent authorities will be better placed to address the breach effectively.
Internal reporting channels
Main features
Employees can address complaints in writing and/or verbally. Complaints can be submitted anonymously.
Internal reporting channels can be operated in-house to receive and follow-up on complaints by persons or services selected for that purpose, or externally, to receive complaints only.
Independence, impartiality, confidentiality, data protection, secrecy, and absence of conflict of interest of the person(s) or entity chosen for this purpose must be safeguarded.
That person or entity will have to act diligently to follow up on the report.
Appropriate actions must be taken to verify the assertions made in the report and, where necessary, to cease the reported violation by opening an internal investigation or informing the competent authority to investigate the breach.
Deadlines for the follow-up of reports
- Seven days: acknowledge receipt of the report to the reporting person should occur within seven days of that receipt. Within the same deadline, the reporting person must be informed, in a clear and easily accessible way, on relevant procedures and external reporting procedures to relevant competent authorities.
- Three months: follow-up and feedback should take place within a reasonable timeframe, given the need to promptly address the issue that is the subject of the report and the need to avoid unnecessary public disclosures. This timeframe should not exceed three months but could be extended to six months, if necessary, due to the specific circumstances of the case, in particular the nature and complexity of the subject of the report, which may require a lengthy investigation.
The reporting person can, at any time, request the organisation to disclose the outcome of the review carried out following the report and within 15 days as of its conclusion by the organisation.
External reporting channels
Main features
Competent authorities will establish external reporting channels, independent and distinct from other communication channels, to receive and pursue reports. They will also publish information on the reporting procedures in a separate, easily identifiable, and accessible section on their websites.
When there is no competent authority to address the report or in cases where the target of the report is the competent authority itself, the report must be addressed to the Portuguese Anti-Corruption Authority and, if this authority is the target, to the Public Prosecutor's Office.
Reports will be dismissed when the competent authority, by a reasoned decision (to be notified to the reporting person), considers that:
- The reported offense is of minor seriousness, insignificant or manifestly irrelevant;
- The complaint is repeated and contains no new elements of fact or law that justify a different follow-up to the first complaint; or
- The complaint is anonymous and there is no evidence of an infringement.
Deadlines for the follow-up of reports
- Seven days: acknowledge receipt of the report to the reporting person should take place within seven days of that receipt unless the reporting person explicitly requested otherwise, or the competent authority reasonably believes that acknowledging receipt would jeopardise the protection of the reporting person's identity;
- Three months: for the organization to notify the whistleblower of the measures envisaged or adopted to follow up the complaint with the relevant grounds.
The reporting person can, at any time, request the competent authority to disclose the outcome of the review carried out following the report and within 15 days as of its conclusion by the competent authority.
Competent authorities will review the procedures for receiving and handling reports every three years, considering their experience and that of other competent authorities.
Safeguards
In addition to implementing effective, confidential and secure reporting channels, it is crucial ensuring that reporting persons are protected effectively against retaliation.
Retaliation means any direct or indirect act or omission which occurs in a work-related context, is prompted by internal or external reporting or by public disclosure, and which causes or may cause unjustified detriment to the reporting person.
For instance, employees need specific legal protection to acquire the information they report through their work-related activities. Therefore, employees risk work-related retaliation for breaching the duty of confidentiality or loyalty. Employees may also find themselves in a position of economic vulnerability in the context of their work-related activities.
Protection should be provided against retaliatory measures taken not only directly vis-à-vis employees themselves but also those that can be taken indirectly, including vis-à-vis facilitators, colleagues or relatives of the reporting person who are also in a work-related connection with the reporting person's employer or customer or recipient of services.
Once employees make their report, they should be protected by:
- Steps are being taken to prevent retaliation, harassment and threats against them by issuing fines to anyone looking to hinder the process in such a manner;
- Suspension, lay-off, dismissal or equivalent measures;
- The burden of proof being reversed so that the business or municipality has to provide evidence that it was not trying to retaliate against a whistleblower;
- Being offered free advice and information on procedures;
- Understanding that, by exposing wrongdoing, they did not contravene contracts, non-disclosure agreements or similar;
- Being offered financial assistance;
- Being offered psychological support.
The role of the management
Many organisations make their internal reporting system accessible to their employees but do not actively encourage its use. Only a few seek to instil a sense of obligation by sending the message that persons who perceive misconduct but do not raise the alarm are complicit in their apathy or indifference.
Whistleblowing programmes may fail if the high-level management cannot provide proper assurance that those who report issues will not be ignored, silenced, or punished for the bad news.
In turn, middle-level management must balance supporting the programme and preventing access due to much control. Too much management control over the process can hinder its use.
Doubts about management commitment can still arise if the reporting channel is exclusively handled in-house and without the involvement of an independent and impartial third party.
Ensuring the protection and safety of whistleblowers is necessary for the effectiveness of a whistleblowing programme.
A whistleblowing programme must guarantee confidentiality and allow discreet or anonymous reports. If an individual feels seriously threatened or in a situation where a company has only a few employees, guarantees of confidentiality may not be sufficient to encourage whistleblowing, in which case it would be necessary to offer anonymity.
Any reports must be stored confidentially and securely. Each organisation needs to take steps to protect whistleblowers' identities and comply with the General Data Protection Regulation (GDPR). Having a central tracking system to enter, monitor, and update case details will help ensure this while at the same time simplifying the investigation procedure.
Providing feedback to the reporting person as part of the investigation process will also show that the issue is assessed and taken seriously by the organisation.
The programme still needs to be informed to all employee levels. The announcement must have a clear and strong message and be repeated from time to time. This communication that the programme enjoys support at the highest-level management and that the use is an act of loyalty, not infidelity, is crucial and stresses the message that reporting is the right thing to do.
If you wish to know more, please download the pdf below.