corporate governance / whistleblowing

Do Whistleblowing Hotlines Work?

Although there are many definitions for whistleblowing the widely and most cited definition is “the disclosure by organisation members (former or current) of illegal, immoral or illegitimate practices under the control of their employers, to persons or organisations that may be able to effect action” (Near & Miceli 1985).  Whistleblowing hotlines[1], and the number of organisations establishing “hotlines” is increasing[2].  This trend received a substantial boost with the passing of the US Sarbanes-Oxley Act (2002) which required Audit Committees of all US listed companies and their subsidiaries to establish procedures for the “confidential, anonymous submission by employees” of complaints regarding internal accounting controls or auditing matters[3].  Organisations could also apply these procedures to other areas other than financial covered by codes of conduct of ethics policies.

This area is topical again as a new “secure and anonymous” whistleblowing hotline was launched by a group of people, including TDs, to encourage disclosures relating to a specific Irish organisation[4].  The group set up a website to receive disclosures which it states provides the first of its kind level of security and anonymity.   Such facilities may be more important where public sector employees are concerned, as usually they have fewer alternate employment opportunities due to their skill set being specific to public sector, for example, fire-fighters, in contrast to for-profit sector employees who may have more opportunities for alternate employment and thus a different propensity to whistleblow(Glazer & Glazer 1989; Qusqas & Kleiner 2013).  The existence of an anonymous reporting hotline may be more important for government organisations due to a lack of alternate employers.

Anonymous and confidential reporting has a number of benefits including that it may encourage more reporting, and protect the whistleblower from retaliation.  However, there are few interventions in any area that have only positive effects and no unintended negative ones.  This is certainly true with whistleblowing hotlines, where, the benefits need to be balanced against the interests of the accused party to their privacy and the right to defend themselves against, potentially false, exaggerated, unjustified or defamatory allegations, damaging their reputation, career prospects, financial and emotional safety (Hassink et al. 2007).

Balancing these rights has caused difficulties.  McDonalds in France and Wal-Mart in Germany encountered legal challenges to the lawfulness of their whistleblower hotlines under privacy, data protection and worker consultation laws(Hassink et al. 2007) . Guidelines have been subsequently issued in France and Germany and also under the EU.  The EU guidelines produced under the Data Protection Working Group WP 117 have narrowed the possible scope of whistleblower hotlines by recommending that organisations limit the numbers of people who can report and be reported against and limit the scope of reporting to auditing, accounting and financial matters[5] . Most EU countries, have broadly adopted the EU WP117 with some variations, including Ireland whose position is that it is possible to operate a fully anonymous whistleblowing helpline where the “whistleblowing report relates to an irregularity in an organisation but responsibility for the irregularity is not, and cannot readily be, attributed from the content of the report” and thus no personal data needs to be collected[6].  Data collected is thus recommended to focus on “issues” and not “individuals”. Under Irish Data Protection laws anyone operating a whistleblowing hotline becomes a data controller or data processor, with significant legal responsibilities.

The EU Data Protection Working Group recommendations on whistleblowing hotlines also recommend that personal data collected under such a scheme should be deleted within 2 months of completion of the investigation that revealed no evidence of wrongdoing[7].  Thus although no specific timeline for investigation is indicated, an organisation that failed to investigate promptly could find itself in breach of EU Data Protection laws.

Under Section 3 of the Data Protection Acts, you have a right to find out, free of charge, if a person (an individual or an organisation) holds information about you.  You also have a right to be given a description of the information and to be told the purpose(s) for holding your information.  “Personal data” shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity[8].  This concept is particularly broad in order to give individuals the right to access their own personal information.  There are limitations but these are very limited and specific, for example, a criminal suspect does not have a right to see the information held about him by An Garda Síochána, where that would impede a criminal investigation.

The EU guidelines produced under the Data Protection Working Group WP 117 recommend clear information to the users [employees] about the whistleblowing procedures, that those reported on are informed and kept up to date with investigations, that a dedicated independent internal team be established to handle whistleblowing reports, and recommendations on limiting the retention and transfer to third countries of information. Finally, the guidelines while allowing for anonymous reporting, recommend that organisations instruct and encourage reporters to submit their own details without prohibiting anonymous reporting.

The new hotline presumably complies with the above law and guidelines, and can provide the necessary security for anonymous reporting and protect the reporter’s identity.  However, these protections also ensure that it may be difficult to get sufficient information to proceed with an investigation and less so a criminal prosecution due to the lack of detailed information, information that may reveal the identity of the reporter. For example, a complaint of bullying or harassment is almost impossible to report without identifying the complainant, and an investigation will reveal the identity to the alleged perpetrator.  In addition, anonymous reports are less trusted, possibly due to the lack of substantial information and the inability of investigators to clarify details of the report with the informant(Kaplan & Schultz 2007).   Care must also be taken by the collectors of the data to avoid publically revealing any individuals or organisations reported and unconfirmed wrongdoing to avoid breach of data protection and defamation laws.  Whistleblowing is a “disclosure…to persons or organisations that may be able to effect action”, and without sufficient information “action” may simply not be possible.

Glazer, M. & Glazer, P., 1989. The Whistleblowers. In The Whistleblowers. New York: Basic Books, pp. 137–237.

Hassink, H., Vries, M. & Bollen, L., 2007. A Content Analysis of Whistleblowing Policies of Leading European Companies. Journal of Business Ethics, 75(1), pp.25–44.

Kaplan, S.E. & Schultz, J.J., 2007. Intentions to Report Questionable Acts: An Examination of the Influence of Anonymous Reporting Channel, Internal Audit Quality, and Setting. Journal of Business Ethics, 71(2), pp.109–124.

Near, J.P. & Miceli, M.P., 1985. Organizational dissidence: The case of whistle-blowing. Journal of Business Ethics, 4(1), pp.1–16.

Qusqas, F. & Kleiner, B.H., 2013. The Difficulties Of Whistleblowers Finding Employment. Management Research Newsesearch News, 24(3), pp.97–100.

[1] Merriam Webster (2016). Retrieved August 20, 2016 from  The definition given is  “(1) a direct telephone line in constant operational readiness so as to facilitate immediate communication. (2)  a usually toll-free telephone service available to the public for some specific purpose .

[2] Lewis, D., 2010. A survey of whistleblowing/ confidential reporting procedures in the UK Top 250 FTSE Firms; Moberly, Richard, and Lindsey E. Wylie (2011), “An empirical study of whistleblower policies in United States corporate codes of ethics”; and Business Ethics Surveys conducted by the Ethics Resource Centre, United States,  shows that the number of formal ethics and compliance programs is on the rise.

[3] The United States Sarbanes Oxley Act 2002. Retrieved August 20, 2016 from

[4] The Journal (2016, August 15) Mick Wallace and Clare Daly launch Nama whistleblowing website.  Retrieved August 20, 2016 from

[5] WP117, Data Protection Working Party Article 29, 1 Feb 2006

[6] Data Protection Commission (2016) Whistleblowers schemes and Compliance with US Sarbanes-Oxley Act. From accessed June 5 2010.

[7] WP117, Data Protection Working Party Article 29, 1 Feb 2006

[8] Data Protection Commissioner (2016). What is personal data?  Retrieved August 20, 2016 from