Skip to content

Whistleblowing Law - how to protect and react to whistleblowers reports?

A guy in a yellow shirt points to the graph next to the table and a large chess knight

This is a long read for professionals and enthusiasts (but not only) about whistleblowing protection laws. Whistleblowers, business owners, and NGOs might find it useful to learn how to analyze whistleblower rights and identify potential risks for reporting with the help of this guide. 

What we'll go through? 

Types of laws, reporting channels, data protection, and rewards for whistleblowers are a broad list of requirements that the law typically has to clarify. 


1. Origin — date, and country. 

The law can be:

1) Local and cover only one country (both local companies and their foreign subsidiaries)

2) Complex (cover several countries like the EU Directive)

3) Global - apply to any country (for example, international compliance standard ISO 37001). 

Law enforcement's data is essential for understanding the duration and acceptance of whistleblowing culture in particular countries. Also, we pay attention to how regularly the whistleblower protection law is updated. It should meet the requirements of current data protection standards, ensure sufficient protection of whistleblower's confidentiality, be tailored to cultural specificities, and more. 


2. Ad hoc law.

 The law can be specialized (ad hoc) and aim to describe in detail the whistleblower protection principles and encourage the whistleblowers to disclose more practices of misconduct. Usually, it is evident from the law's name, for example, the Public Interest Disclosure Act (the UK) or European Directive on Whistleblower Protection

In contrast, the country might not have an ad hoc whistleblower law. In this case, the information on whistleblower protection forms a part of other laws (local labor code, for example). The absence of dedicated whistleblower law in most cases means that the protection of whistleblowers will be insufficient. 

A group of people, including an elderly woman in a wheelchair, a child and three adults, greet each other

3. Definition of the whistleblower - criteria (who can become a whistleblower)

Defining a whistleblower means limiting the circle of persons who can report misconduct. The definition of whistleblower, if present, includes:

  1. The type of contract (employee, volunteer, candidate for employment, etc.). 
  2. Source of whistleblower's information (usually it should be obtained from a work-related context). If the information source doesn't fall within the legal sources mentioned in the law, the whistleblower may lose his status.
  3. Coverage. The law may cover only reports on financial misconduct (corruption, bribery, money laundering) or include human rights protection, ecology, and more. 


4. Reporting channels and requirements of their use. 

The reporting channels that whistleblowers may use are divided into internal and external. Internal channels include the means of communication that are available within the company. It can be a personal meeting with a compliance officer, web form, corporate hotline, etc. 

External channels suppose that a whistleblower will reach out to the media (public whistleblowing) or overarching authorities - the company loses the opportunity to start an internal investigation. 

The law may oblige the whistleblower to report using internal channels in the first place, and only in case of ignorance, he can report externally. In case of violation of this rule, the whistleblower may lose his protection. Also, whistleblowers may have the opportunity to decide which channel to use according to the situation (it can be an emergency that hurts public interests or a small case of bribery - the channels are chosen accordingly). Whistleblowers are strongly encouraged to ask for legal assistance when selecting a channel to report. Even though reporting directly to the media is a common practice, which is allowed to protect public interests, the whistleblower can be held accountable for disclosing the trade secret, violating his contract's terms, and more. The law strictly determines the number of channels and principles of their use.


5. Obligation to have a compliance system.

Whistleblower protection laws require companies to have a compliance system with regulatory mechanisms: compliance officers or responsible persons, whistleblowing mechanisms, regular updates of compliance standards, etc. Depending on the country, the law may require middle-size and big companies to have a compliance system (in some cases, even the smallest companies with ten employees need to present their whistleblowing mechanisms).


6. Follow up with the whistleblower.

If present, whistleblower protection law should obligate the authorities, who received a whistleblower's report, to provide a follow-up for the whistleblower. The time frame for feedback usually doesn't exceed three months. If the whistleblower doesn't get the information about his case using internal channels, he may turn to external channels and keep his right to protection. If the time frame isn't specified in the law, the whistleblower may not get a response, and the authorities will not be prosecuted for their ignorance.

A guy works in a chair with a laptop on his lap-webp

7. Reputation protection. 

Not only the whistleblower but the accused person has a right to protect his reputation and get access to the details of the whistleblower's report where personal information of the accused person and the accusation itself are indicated. The number of persons who have access to the whistleblower's report should be determined by the law and correspond to data protection requirements, with clarifications regarding confidential and anonymous reports.


8. Access to public information. 

The information on principles of reporting the misconduct and available channels should be accessible and provided by request. The company is obliged to educate its employees about the company's policy and provide regular training. This standard of compliance is not present in all of the whistleblowing laws. Nevertheless, it defines the level of whistleblower protection and the culture of whistleblowing.


9. Scope - sectors. 

Whistleblower protection laws apply to the public or private sector - comprehensive laws cover both. The public sector includes governmental organizations and their contractors. The private sector covers medium and large companies (sometimes even small ones) regardless of their specialization.


10. Waiver of liability. 

The whistleblower gets an immune deal as a part of whistleblower protection. Therefore, he should be exempted from civil, disciplinary, and criminal liability resulting from his involvement under other laws. In particular cases, it means that a whistleblower may disclose information related to not only trade secrets but national security - the court should consider such cases individually.


11. Requirements for the source of information. 

Whistleblowers usually get their information from a work-related context in a legal way - these terms do not provide for any whistleblower's civil, disciplinary or criminal liability. Still, the whistleblower can obtain the information by breaking the law - such a case should be specified in the law and considered individually. If the whistleblower is unsure about his source's credibility, he is strongly advised to consult with a lawyer.


12. Anonymity and confidentiality. 

Both internal and external channels can be used with options of anonymity and confidentiality. By confidentiality, we mean the limited and authorized access to the whistleblower's data that can identify him. Confidential information can be shared:

  • Only between the whistleblower and overarching authority (compliance officer, lawyer, responsible person, etc.)
  • Between the whistleblower, overarching authorities, and all the persons involved in the misconduct on which the whistleblower reports. The accused person has a right to know all the necessary information about the accusation but can't retaliate against the whistleblower or disclose personal information to any third person.

By anonymity, we mean a hidden identity of the whistleblower which can't be disclosed to anyone (even the accused person). Also, if the information is insufficient to identify the whistleblower, he can still be considered anonymous. In rare cases, the whistleblower's status is anonymous in general but confidential in essence - his identity is known to the lawyer who represents the whistleblower's interests. 

The anonymity option is not common among the whistleblower protection laws since it complicates communication with whistleblowers - the downside of this is a lack of trust from whistleblowers, which would prefer to report anonymously.


13. Burden of proof. 

A good whistleblower protection law specifies the burden of proof in favor of the whistleblower. The accused person has to prove that he didn't take any retaliation measures and provide all necessary information. When the accused person is obliged to prove that detrimental to the whistleblower's actions have no relation to the report, the burden of proof reversal applies. Yet, some laws put the burden of proof on the whistleblowers, discouraging them from reporting. 


14. Retaliation penalties and remedies.

 It is a common practice to retaliate against whistleblowers - the law should not only prohibit this kind of action but present a list of restrictive measures against the people who retaliate. A gold standard of whistleblowing protection law requires retaliation measures to be compensated with the same value benefits. If the whistleblower was fired or transferred to another department, he should be reinstated. The compensation for moral damages should be included as well. While the reinstatement conditions and compensation may vary, most whistleblower protection laws define the amount of penalty for retaliation measures. 


15. Good faith requirement. 

We pay attention to the whistleblower's right to make an honest mistake and not be prosecuted for his report - that's exactly what the 'good faith' requirement stands for. Whistleblowers may not be able to check the credibility of the information they provide but still can raise a concern - it significantly increases the number of reports. However, whistleblowers are still held accountable for disclosing knowingly false information and making defamatory statements. 


16. Legal assistance.

 Most whistleblowers need to consult with a lawyer before submitting a report. This way, they can be sure that their source of information is credible and legitimate and be aware of all consequences of their choice to blow the whistle. Legal assistance can be free of charge for whistleblowers if this is specified in the law. Otherwise, the whistleblower may ask for compensation for his legal expenses or refuse to make any statements. The lack of governmental support for free legal aid and the absence of NGOs who help whistleblowers for free demonstrates partial whistleblower protection.

A woman sits on a large graph with a laptop on her lap

17. Data protection and storage. 

Specific data protection regulations apply to whistleblower's data depending on the country. The reported case and all its participants (whistleblower, the accused person, suspects, and third persons) should be kept confidential. According to data protection regulations, the data can or can't be transferred to another country for investigation. Data can't be stored in countries not specified in international agreements. The time of data storage and its conditions should be set. The whistleblower and accused person have the right to know which information was collected and how it would be processed. 


18. Third-party contractors for compliance systems - the possibility of cooperation. 

The companies which are required to set up the whistleblowing system under the whistleblower protection law have a choice to make it in-house or make an agreement with third-party companies. Whistleblower protection law may prohibit third parties use - the company has to roll out the whistleblowing system by itself. Data protection regulations and the possibility of data transfer should be considered while implementing a whistleblowing system. Third-party contractors who offer hotline implementation services have to comply with data protection standards of relevant jurisdiction legislation.

A girl in a yellow T-shirt is watering a money tree

19. Financial rewards. 

The practice to reward whistleblowers is rare. While some countries chose to promote whistleblowing as an opportunity to both get some money and uncover illegal practices, others consider rewards as harmful practices for whistleblower image.

Currently, only the US and Ukraine offer rewards for whistleblowers with whistleblower protection laws. The law may define the entry point for getting a reward - a minimum amount of financial loss for the government caused by financial misconduct. If the loss is less than this fixed amount of money, the report is still considered, but the whistleblower doesn't get any reward.

Does any law have an extensive list of all of the mentioned requirements and provide sufficient protection for anonymous whistleblowers? The answer is no, and it's going to be a no in the nearest years. What we can do now is be aware of the possible options and report as safely as possible. 



Technology vector created by stories -

Business vector created by stories -

Data vector created by stories -

People vector created by stories -