A new Whistleblowing Act will enter into force on 17 December 2021. This Act is based on an EU Directive and replaces the current law in this area (Act on special protection for workers against reprisals for whistleblowing concerning serious irregularities). As is already the case, the new Whistleblowing Act provides protection for whistleblowers. However, compared to the previous law, this protection has been strengthened and the circle of protected persons has been expanded. In addition, the new Whistleblowing Act imposes an obligation on all operators with 50 or more employees to set up whistleblowing systems.
Below is a comprehensive guide to the new Whistleblowing Act, what it means and how you can prepare your business. If you want to know more or need help to ensure that your business meets the new requirements, please do not hesitate to contact us. Lindahl has extensive expertise in areas of law such as compliance and anti-corruption, employment and privacy, and has significant experience in handling whistleblower cases, including internal investigations.
How should I prepare my business for the new Whistleblowing Act?
The new Whistleblowing Act applies in relation to all operations, regardless of the number of employees and regardless of whether the business has already implemented a whistleblowing system.
To ensure that your business meets the requirements of the new Whistleblowing Act:
- Evaluate how your business currently works to pick up signals of misconduct. Is there a whistleblowing system today and how frequently is it used? Do all employees know how to report misconduct? Are all indications of misconduct being followed up? The purpose of this evaluation is to get a 'current situation' assessment as a starting point.
- Businesses with 50 or more employees that do not have whistleblowing systems need to start work on setting them up. Although the new Whistleblowing Act does not specify technical requirements for whistleblowing systems, there are several aspects to consider. For example, the whistleblowing system may need to be available in several languages, confidentiality and anonymity aspects need to be taken into account, and technical solutions must ensure personal data processing in accordance with the GDPR and should facilitate the handling of reports within the statutory deadlines.
- Review, supplement and update existing policy documents and procedures so that these are in accordance with the new Whistleblowing Act. It is especially important to ensure that all documentation is clearly formulated and easily accessible.
- Appoint persons and/or entities responsible for receiving, following up and providing feedback on reports received in the whistleblowing system. It is important to consider how to guarantee the independence and autonomy of these people. Here there may be reason to consider giving this task to an external entity.
- Develop a plan for how to deal with reports of misconduct. The plan must include answers to the following questions: Who will conduct any internal investigations? How will communication take place? When should external help for investigations be brought in? Also ensure that you are able to carry out sufficient investigative measures, e.g. by adopting IT policies and including appropriate wording in employment contracts.
What is a whistleblower?
The term whistleblower is generally used for people who raise the alarm about misconduct, often in a work-related context. The new Whistleblowing Act uses the term 'reporting persons' to separate those whistleblowers covered under protection of the law from other whistleblowers.
Protected whistleblowers under the Act are persons who, in a work-related context, have received or obtained information about misconduct that they then report on.
In order for a person to be protected, the person must also be included in one of the following categories: worker, job seeker, trainee or volunteer, staff member or other person at the operator's disposal for the performance of work, a self-employed individual or consultant or otherwise a person carrying out work under the direction or control of an operator, individuals in a company’s administrative, management or supervisory body, and shareholders active in the company. Investigators, inspectors and auditors are also covered.
What is misconduct and what is meant by public interest?
In order for a whistleblower to be protected under the new Whistleblowing Act, he or she must report misconduct that there is a public interest in bringing to light. It is therefore important to clarify what constitutes 'misconduct' and what is 'public interest'.
Misconduct can consist of both an action and a failure to act. Even attempts to conceal misconduct can in themselves constitute misconduct.
There is no clear answer as to when misconduct is in the public interest. However, it is assumed that the misconduct concerns the public. In addition, there must be a legitimate public interest in highlighting the misconduct.
It is only in certain limited cases that misconduct involving individuals or individual contracting parties is considered to be in the public interest. Examples include slavery-like working conditions, trafficking and corrupt actions.
A further example of what is in the public interest is misconduct in areas of importance to society at large. These areas include public procurement, financial services, product safety, environmental protection, food and feed safety, animal welfare and the protection of personal data.
What is the requirement for setting up whistleblowing systems?
One of the most important innovations in the new Whistleblowing Act is that all operators with 50 or more employees must set up a whistleblowing system. This must be completed by 17 July for public entities and organisations with more than 249 employees. For organisations with 50-249 employees, the whistleblowing system must be in place by 17 December 2023.
The new Whistleblowing Act imposes a number of requirements that the whistleblowing system must meet:
- There must be specially designated persons or entities authorised to receive and follow up on reports and to provide feedback to reporting persons. The specially designated persons or entities must be independent and autonomous.
- The whistleblowing system and procedures must be documented. In other words, there should be a written description of the entire whistleblowing function and how reports are handled, from start to finish.
- The whistleblowing system shall be made available to individuals working with an operator and who may be classified as a reporting person.
- The whistleblowing system must enable reporting both in writing and verbally. In addition, there should be an opportunity to make reports through a physical meeting. Furthermore, a report must be confirmed and feedback given within certain deadlines.
In addition to the above, there should be clear and easily accessible information on how reporting takes place both through the internal whistleblowing system and through external reporting channels. For activities where freedom of communication and freedom of acquisition apply, there must also be information about the search and reprisals ban. This information should also be clear and easily accessible.
Finally, the new Whistleblowing Act requires documentation, preservation and clean-up of reports. The Whistleblowing Act also contains provisions on the processing of personal data.
Which authorities should set up external reporting channels?
The various authorities which should set up external reporting channels are set out in a regulation. These are a large number of authorities that together cover several areas in which reporting of misconduct can take place.
The Swedish Work Environment Authority also has a special responsibility to ensure that operators comply with the requirements of the new Whistleblowing Act.
What are the rules for personal data management?
The GDPR constitutes the general regulation of personal data processing, and also applies to personal data processing under the Whistleblowing Act. According to the underlying Whistleblowing Directive, particular account should be taken of the general principles for the processing of personal data and the principle of built-in data protection and data protection by default.
The Whistleblowing Act contains obligations whereby personal data concerning violations of the law may need to be processed. Such data can now be processed in whistleblowing systems in accordance with a regulation from the Swedish Privacy Protection Authority, but only in relation to persons in key roles or senior positions within their own company or group. No new regulation will be issued in connection with the Whistleblowing Act. Instead, such data will be able to be processed on the basis that the processing is necessary to fulfil a legal obligation. The restriction to only certain people disappears. In order to record conversations during reporting, consent is needed.
The principles of data minimisation and storage minimisation already follow the GDPR, but the Whistleblowing Act places more concrete requirements, for example, on the documentation and storage time of reports. Operators will also need to restrict access to the reports only to persons authorised to receive reports.
The GDPR's rules on third country transfers also apply in full to the processing of data under the Whistleblowing Act. Operators must therefore ensure that data is not transferred outside the EU/EEA in breach of the GDPR.
Do you want to know more about this topic, or did the article raise other questions? Please feel free to contact one of us or your regular contact at Lindahl.