During the GDPR marketing meltdown in the Spring of 2018 most media attention focussed on the headline features of the new legislation, notably the significantly increased maximum level of fines for non-compliance. It has taken a little time for attention to turn to some of the practical issues which will challenge business owners and Human Resources practitioners under the new legislation.
GDPR and whistleblowing hotlines:
Following the provision of new Government guidance in Germany (which recommends anonymisation of all whistleblowing notifications) it is clear that one subject which will require some careful analysis is the use of outsourced whistleblowing hotlines. UK businesses have an obligation to provide employees with a system to make a protected disclosure (“blow the whistle”) on any issue which they consider to be in breach of business policy or which is illegal. It has become relatively common for businesses to use a whistleblowing hotline (frequently a 24/7 telephone line or chat/email facility) which is operated by an outsourced supplier to comply with that obligation.
These systems provide a convenient solution because they allow the supplier to gather initial information and undertake an element of investigation, and they encourage employees to report matters in the belief that their identity will be protected. The issue which arises under the GDPR is that notifications usually involve the provision of personal data to the third party supplier, and that data will inevitably be processed as part of the investigation. Therefore it is necessary to consider how that personal data will be processed by the supplier and whether that processing will be compliant with the GDPR. If it is not compliant, businesses should review their relationship with the supplier (often this will be a data controller/data processor relationship) to understand whether they could be at risk of regulatory enforcement action as a consequence of non-compliant processing.
The GDPR requires that personal data should be processed lawfully, fairly and transparently, that the data should be collected for a legitimate purpose and that the nature of the personal data which is collected should be limited to that which is necessary for the purpose for which it was collected or for which consent was given for collection. Unfortunately many businesses have not examined the extent to which their agreements with their suppliers are compliant with these obligations.
1) Consent:
It is critical to understand the legal basis for the processing of the personal data which is provided during a whistleblowing notification. Any processing which does not have a lawful basis will not comply with the GDPR and will expose the processor (and potentially the controller) to enforcement action. In the past there has been a tendency to assume that any personal data which is supplied to an employer by an employee will have been supplied with consent and that any subsequent processing would be reliant upon consent as the legal basis for processing. Often this assumption is based upon the implied rather than express consent of the data subject, but the GDPR now clarifies that it will not be acceptable to rely upon implied consent. GDPR Art 4(11) specifies that consent should be “…clear, informed and unambiguous…” which is conveyed via a “…clear affirmative action…”, and where businesses rely upon consent as a basis for processing within a whistleblowing system they should consider how the consent is provided and how they will evidence that the consent was “informed” (this must require that the data subject understands what processing is proposed prior to giving their consent).
Many businesses have tried to engineer a “get out of jail” card for processing in the form of a generic processing consent which employees provide (often contained in their contract of employment). I have advised against relying upon this approach because it is difficult to see how generic consent could be informed. Art 4(11) also requires that consent should be “freely given” and there seems to be an inherent inequality of bargaining power in the employee/employer relationship which undermines the employee’s ability to “freely” provide consent. I anticipate an argument that such generic consent is not given freely because an employee must provide the consent as part of signing their contract – “no consent no job”.
A further issue with consent is that the personal data which is supplied to the operator of the whistleblowing hotline may not be data relating to the person who is making the notification. Many notifications will involve an allegation that a third party was involved in the action which is the basis of the notification. Those third parties will not have consented to the processing of their personal data by the hotline supplier. There will also be occasions when the third party may not be an employee of the business and therefore any generic consent in the employment contract will be irrelevant – many businesses now retain contractors, agency and other “non-employed workers” who could be the subject of a notification.
2) Compliance with a contract:
GDPR Art 6 states that processing of data will be lawful where it is necessary to comply with a contract with the data subject. This could conceivably cover a situation where the complainant provided personal data about themselves as part of their notification but I am not certain that the operation of an outsourced hotline would be considered to be integral to the employment contract – would a failure to provide such a whistleblowing system breach the employment contract? This seems doubtful unless the whistleblowing process was part of the agreement. Even in such an unlikely scenario it would not cover the processing of data relating to a third party data subject.
3) Compliance with a legal obligation:
Art 6(1)(c) permits processing which is necessary for compliance with a legal obligation to which the controller is subject, and this will undoubtedly cover processing for some whistleblowing notifications. However this provision is unlikely to cover every notification (for example where there is no relevant legal obligation, or where the allegation which is central to the notification is unfounded). Additionally it may not cover processing which is undertaken by the operator of the hotline, which is unlikely to be subject to any relevant obligation.
4) Legitimate interest:
Some businesses believe that there is a fallback option under GDPR Art 6(1)(f), which permits processing which is necessary for the purposes of legitimate interests pursued by the controller, and that this can be relied upon in all circumstances where other processing conditions are not applicable. I expect that it may be argued that legitimate interests could be a lawful basis for processing in the course of a whistleblowing notification but I would not recommend relying upon this condition. At best it will be necessary to undertake a “balancing test” in each case to establish whether the legitimate business interests are overridden by the individual data subject’s rights and freedoms. It would be necessary to document this test on every occasion and have an alternative option where the balance of the test was not in favour of the business.
Once a lawful basis for processing is established it will be necessary to ensure that any personal data which is collected is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (GDPR Art 5(1)(c) – data minimisation). This will raise some practical challenges for businesses which have outsourced the operation of a whistleblowing helpline. How will you ensure that your supplier has not collected excessive or unnecessary personal data? How will you ensure that your supplier has not retained personal data which is no longer relevant to an ongoing notification? We all have experience of businesses which fail to consistently apply their data deletion policies. If the outsourced supplier fails to delete unnecessary personal data on time it is likely that they will breach the GDPR, possibly exposing the data controller to enforcement action.
It is also worth checking whether the supplier is proposing to use sub-processors to support their work (this could be the case where translators are used). If so, how will you ensure that the sub-processors are also complying with the data minimisation obligations?
Careful thought should be given to the detail of any agreement with an outsourced supplier of whistleblowing helpline services, and it would be wise to have a good understanding of how the supplier will comply with their GDPR obligations. If you have any questions about these types of agreement please do not hesitate to get in touch and I will be happy to offer my views.