Does your organisation need to update its whistleblowing practices?

Does your organisation need to update its whistleblowing practices?

EU Whistleblowing Directive (2019/1937) at a glance:

  • Entered into force 16 December 2019
  • Compliance required by 16 December 2021 - organisations with 250+ employees
  • Compliance required by 16 December 2023 - organisations with 50+ employees

Whistleblowers are vital for maintaining an open and transparent society, as they expose misconduct or hidden threats. This new directive ensures that they are better protected against negative consequences.

The goals of the Directive are:

  • To detect and prevent misconduct and breaches of laws and regulations,
  • To improve law enforcement by establishing effective, confidential and secure reporting channels to effectively protect whistleblowers from fear of retaliation,
  • To protect and enable whistleblowers by helping them to raise concerns confidently without fear of retaliation, by ensuring anonymity.

According to the latest EU Directive the answer, for our members in Ireland, is YES. However, internal auditors in the UK should also pay attention as UK Protect (formerly Public Concern at Work) says the UK should follow suit.

In its report focusing on the three years to January 2020, Transparency International Ireland, noted a significant 12% increase in whistleblowers since its 2015 report. Dublin recorded the highest caller rate at 44% followed by Cork with 7%. Supporting the need for improved practices, 24% of whistleblowers across all sectors reported being penalised although within the healthcare sector this reached 40%.

UK research by Protect published in October 2020 found that

  • Managers were more likely to be dismissed during the pandemic for raising concerns
  • 20% of whistleblowers were dismissed having raised Covid-19 issues
  • 43% of Covid-19 concerns were ignored by employers, including public safety risks.

The EU Whistleblowing Directive introduces new measures which the UK government may bring into force to keep pace with best practice and European worker rights. Protect’s campaign “Let’s fix UK whistleblowing law” calls on the government to review and update the Public Interest Disclosure Act 1998 (PIDA) which is timely.

Organisations in Ireland and those with registered entities within the EU need to implement the EU Whistleblowing Directive (2019/1937/EU).

Key takeaways include:

  • Protection not only exists for employees who report their concerns, but also for job applicants, former employees, supporters of the whistleblower and journalists.
  • These persons are protected from dismissal, degradation and other forms of discrimination.
  • Protection applies only to reports of wrongdoing relating to EU law, such as tax fraud, money laundering or public procurement offences, product and road safety, environmental protection, public health and consumer and data protection.
  • The whistleblower can choose whether to report a concern internally within the company or directly to the competent supervisory authority. If nothing happens in response to such a report, or if the whistleblower has reason to believe that it is in the public interest, they can also go directly to the public. They are protected in both cases.

There are five new elements to the Directive. (These are not currently part of PIDA.)

  1. Extension of protection beyond employees to include volunteers, self-employed contractors, non-executive directors and job applicants.
  2. Obligation to have whistleblowing arrangements, including feedback, for organisations with 50+ employees. Currently this is only advisory outside of Financial Services and the NHS.
  3. Regulatory standards for receipt and follow-up of disclosures to maintain confidentiality.
  4. Protection from potential liability for whistleblowers.
  5. Extension of legal aid for whistleblowers seeking to bring employment claims.

Considerations for internal audit

If the new EU Directive applies to your organisation, arrangements should now be in place. Is compliance assurance planned or did internal audit have a role in control design?

More generally, what impact might these new requirements have?

Extending protection beyond immediate employees is a significant change as it also impacts the way organisations communicate with these stakeholder groups. For instance, what new information might be needed at induction? How might contractors and job applicants be made aware of their rights and the process by which to raise concerns?

The availability of legal aid could increase employment claims. Does your organisation have a good record of defending its actions? In 2016, Transparency International Ireland introduced free legal advice for concerned employees which they believe has contributed to the increased whistleblower numbers in their 2020 report. What assurance might the board need that processes, evidence and skills are readily accessible to uphold the reputation of the organisation against claims or better still prevent them in the first place?

Increased protection for whistleblowers may encourage more individuals to raise concerns. While an essential ‘last resort’, it is always more constructive for employees to have open communication channels with line managers. Good governance requires boards to engage with the employee voice. How does your organisation do this? Could it be better?

Next steps

As Ireland and other members of the EU address compliance with their new Directive, organisations in the UK have an opportunity to address the good practice included in the Directive.

The UK although no longer in the EU, is still required to maintain a ‘level playing field’ regards employment protection as part of the UK-EU Trade Cooperation Agreement. In its Employment Bill the UK government committed to review whistleblowing protections including plans to introduce a single body to enforce workers' rights. However, the Bill was not included in the parliamentary priorities for 2021 with Secretary of State for Business, Energy and Industrial Strategy, Kwasi Kwarteng stating it would be brought forward "when parliamentary time allows". 

Whistleblowing is the backstop for failure in governance, risk management and internal control.

As internal auditors, it’s time to take the lead in ensuring the backstop is robust.

Directive (EU) 2019/1937 | European Parliament

Whitepaper: Compliance with EU Whistleblower Directive | Vault/Bird&Bird

Whistleblowing | Transparency International Ireland

Whistleblowing | Integrity At Work Ireland

Content reviewed: 10 January 2022