Understanding the GDPR: Retention of Data Related to Whistleblowing Reports

On May 25, 2018, the General Data Protection Regulation (GDPR) will come into full effect. It’s the most comprehensive change to data legislation in decades, and while it’s a European Union law, the provisions apply to all companies processing personal data of EU citizens, including third-party vendors.

The purpose of the GDPR is to protect citizens’ rights, and the legislation outlines the exact obligations organizations have in regards to the information they collect about data subjects. Because the new rules are extensive, and often confusing, we’ll be digging into some of the most important pieces here on the Convercent blog. — It’s a lot to process, so don’t hesitate to reach out in the comments with any questions.

But first, some background…

Article 29 Data Protection Working Party

In February 2006, the Article 29 Data Protection Working Party Opinion 1/2006 was issued to provide detailed guidelines regarding whistleblowing procedures. The intent was to offer guidance that would allow companies to more easily comply with Sarbanes-Oxley obligations, and this, ‘Application of EU data protection rules to …. whistle-blowing schemes’ has been adopted, to varying degrees, by a number of EU Member States.

What does this have to do with the GDPR? The Article 29 Working Party (also called the WP 29) will be transformed into the European Data Protection Board, which will be the EU body in charge of the application of the General Data Protection Regulation (GDPR) as of May 25th, 2018.

Returning to that 2006 Opinion, the WP 29 stated:

Personal data processed by a whistle-blowing scheme should be deleted, promptly, and usually within two months of completion of the investigation of the facts alleged in the report.

Such periods would be different when legal proceedings or disciplinary measures are initiated against the incriminated person or the whistle-blower in cases of false or slanderous declaration. In such cases, personal data should be kept until the conclusion of these proceedings and the period allowed for any appeal. Such retention periods will be determined by the law of each Member State.

Personal data relating to alerts found to be unsubstantiated by the entity in charge of processing the alert should be deleted without delay. Variants of these requirements have also made their way into some (but certainly not all) pieces of EU Member State legislation. For example,

France requires:

Data relating to a report found to be unsubstantiated by the entity in charge of processing such reports must be deleted immediately. Data pertaining to a given report and reporting of facts giving rise to an investigation (or ‘verification’) must not be stored beyond two months, unless a disciplinary procedure or legal proceedings are initiated against the person incriminated in the report or the author of an abusive/false alert. In that case, data must be deleted at the end of the procedure/proceedings.

Additionally, under Hungarian law:

Reports must be investigated within 30 days, which can be extended to a maximum of three months in exceptional circumstances where the report is not made anonymously and the whistle-blower is notified at the same time. The employer must destroy all data relating to the investigation within 60 days if it concludes that the report is baseless or that no action is necessary. Otherwise, it may process data by closing the investigation in a binding and enforceable manner.

It is worth noting that the Hungarian Whistleblowing Act does not regulate the case where data retention may be necessary for a longer term – especially for compliance purposes, archival of documents in official proceeding, etc.

The problem with differing whistleblower report retention periods

As you can see above, some countries (particularly EU Member States) have established whistleblower reporting retention of data periods of:

  • Zero if the case is unsubstantiated,
  • 30 days or 2 months if there is an investigation,
  • Only until the investigation/disciplinary process is concluded, and;
  • 6/7 years if criminal proceedings are involved.

However, it should be recognized that employer data retention periods in relation to issues (such as HR) that are likely to arise under the whistleblowing process are currently much longer. Typical examples include:

  • Data held on HR System – Date of Employee Termination + 6 years
  • Disciplinary Records – Date of Employee Termination + 1 year
  • Declaration of Outside Employment – Date of Employee Termination + 4 years
  • Grievance Records – Date of Termination + 1 year

Crucially, the established whistleblower report retention of data periods above do not take into account aspects such as retaliation, follow-up reports, and linked reports. For example, the latest and best research shows that some 80% of retaliation occurs within three weeks of a report being made, and 90% within six months. Meaning, the six months time frame is typically where a reporter is retaliated against through the annual review, pay or bonus process. However, under these six month retention periods, all details of the original case would have been deleted. And while the case may be remembered by the case manager/team, all the case details will be gone.

Similarly, it may take three or four cases to establish a pattern of issues, and those cases could be lost to deletion before the pattern is fully established. Ironically, had the reporter made the report through his/her employer’s grievance process, then that information would have been statutorily retained. Arguably, deleting a case early with the associated loss of records might (hypothetically) result in an employer not being able to satisfactorily discharge their Duty of Care responsibilities.

The Data Protection Directive (DPD) & the General Data Protection Regulation (GDPR)

Similar to the current Data Protection Directive (DPD), the GDPR does not specify timeframes for data retention and/or deletion. However, what Article 5 of the GDPR does require is that data is not kept longer than is necessary for the purposes for which the personal data was originally obtained and processed. Clearly, Article 5 may trigger data controllers and processors to be stricter regarding data deletion. This may also be influenced by the removal of the fee for Data Subject Access Requests (DSAR’s) which may mean – and opinions on this vary – that employees will be more prepared to question what data their employer holds on them.

A lack of consistency in retention of data

Even with the Article 29 Working Party Opinion, there is relatively little explicit or implicit consistency across the EU Member States regarding whistleblower hotline report data retention.

Let’s compare Spain and Portugal. Spain’s regulations state, ‘personal data should be deleted when no longer necessary or appropriate’. Portuguese law, on the other hand, specifies that, ‘where no disciplinary or judicial procedures will take place, data should be destroyed six months after the investigation has ended’.

It should be recognized that post-GDPR, many EU Member State whistleblower-related requirements will remain (at least initially), and will not be harmonized by the new Regulation.

How companies can prepare for the GDPR

Convercent is currently in the latter stages of development and implementation of the customer capability to partially and fully redact and delete their whistleblower hotline reports, particularly in preparation for the GDPR. Clearly, redaction of any type has some complexities. For example, anonymizing reports successfully is reliant on factors such as the number of employees in a location. Nonetheless, when launched, this Convercent capability will be comprehensive, and will also incorporate the necessary process protocols, controls, and safeguards

However, whilst this short article cannot cover all the considerations, there are wider issues that need to be recognized as part of each customer’s decision-making process regarding whistleblower report data retention and deletion

Clearly, there is a balance to be struck between Data Privacy law and employer Duty of Care-type law. One effective approach would be to establish a company policy based on whether a report is (i) unsubstantiated, (ii) investigated, (iii) results in disciplinary proceeding, (iv) results in judicial proceedings, or (v) if there are special ‘legitimate interest’ exceptions.

Then, operate in accordance with that policy, which showcases a demonstrable, structured, and compliant process.