The ReportLine Difference Services Technology News Room About Us Contact Us Login
ReportLine  
News Room
Home » Resources » 

Special Report  

Download this Article [PDF]

Hotlines in France: CNIL Publishes Application Documents

February 2006

The Network has helped our clients stay abreast of global legislation and develop solutions that meet changing needs for nearly 25 years. Now that the Commission nationale de l’informatique et des libertés (CNIL) has issued its final decision regarding hotlines, we have prepared this document to outline the compliance issues. Compliance with the requirements regarding hotline procedures are easily accomplished using The Network's advanced technology, and do not require a completely separate hotline for French employees.

The Network has developed this update working with our legal counsel to offer suggestions based on our experience and knowledge of best practices. We encourage all organizations to work with their legal counsel on this or any other matter regarding legal compliance.

OVERVIEW

The CNIL has published Single Authorization Number AU-004 in order to simplify the hotline application process for organizations utilizing an employee hotline in France. If your organization complies with the articles of this Decision, a simple declaration form can be filed in lieu of the more extensive application process. Otherwise the organization will need to apply using the full application process. A translation of the key points of the Single Authorization Decision appears below.

The major concerns of businesses seeking to comply with both CNIL and Sarbanes-Oxley have been resolved:

  • The Decision allows for acceptance of anonymous reports, so long as the investigation of anonymous
    allegations follows specific guidelines (See Article 2)
  • Although the hotline scope should be limited to financial irregularities, reports about other matters of “critical concern” or involving workplace safety may be accepted
  • The CNIL has specifically accepted the use of third-party providers outside of France if they are Safe Harbor Certified. The Network is Safe Harbor Certified

The declaration form is available in French at http://www.cnil.fr/index.php?id=1758

Guidance on the full application process is available in French at http://www.cnil.fr/fileadmin/documents/declarer/mode_d-emploi/declarer-CNIL.pdf

COMPLIANCE ISSUES

The twelve articles of the Single Authorization Decision focus on several broad categories. At a high level, compliance involves:

  • Communication to employees
  • Investigation procedures
  • Processes for destruction of records
  • Processes for handling calls

ISSUE: EMPLOYEE COMMUNICATION. Communication to French employees must include specific information:

  • The name of the person or department responsible for the hotline, the hotline’s purpose and the scope of issues that can be reported via the hotline
  • Information about the organization that answers calls and whether calls are answered outside of the EU
  • A statement that employees are not required to use the hotline and that there will be no adverse consequence to employees who do not use the hotline
  • An explanation of the right of any person identified in a report to access and correct information
  • A statement that abuse of the hotline may expose the employee to disciplinary sanctions, but good faith use will not result in discipline

THE NETWORK CAN HELP: The Network’s communications agency can help you develop, translate and distribute communication to comply with this CNIL requirement.

ISSUE: INVESTIGATION. The CNIL requires that the accused party be notified of the allegation. The timing of notification is supposed to be rapid, but notification does not need to happen until investigators have secured evidence that might otherwise be at risk. A review of investigation processes should be undertaken to address how and when notification of the accused party would be accomplished.

ISSUE: DATA RETENTION/DESTRUCTION. Compliance requires that records of personal information, such as the names of the caller and the accused party, be destroyed two months after the conclusion of the investigation, if no disciplinary or legal action is underway. This requirement pertains to records held by The Network or by the employer in any database, case management system or any hard copy files. If the report concerns a matter outside of the scope of the hotline’s stated purpose, the record is to be destroyed immediately.

THE NETWORK’S RECOMMENDATION: Once you are satisfied that your investigation is concluded, or upon determining that a report is outside of the scope of the hotline’s purpose, simply notify The Network and we will invoke a process developed for CNIL data destruction needs.

ISSUE: HOTLINE INTERVIEW PROCESS. The CNIL requirements have implications in two areas:

  • Limiting the scope of reports accepted regarding French operations
  • Modifying interviews to enforce the scope and discourage anonymous reports

Scope of the Hotline

Although the CNIL wants the hotline to be primarily available for reporting financial irregularities, it makes an exception for other reports of vital concern to the organization or threatening the physical or emotional safety of its employees (See Article 3).

THE NETWORK’S RECOMMENDATION: The Network can limit the Incident Codes that are accepted from France based on any list of codes that you prefer. We recommend you consider incidents that would typically warrant immediate notification, which seems to be the spirit of the exception described in the Decision.

Recommended Incident Codes

  • Accounting/Audit Irregularities and other Sarbanes-Oxley codes
  • Discrimination/Harassment
  • Fraud-related codes
  • Product Quality Concern
  • Substance Abuse
  • Workplace Violence/Threats

Interview Modifications

Modifying the interview will require first identifying reports within CNIL jurisdiction and then modifying the interview process to ensure only appropriate reports are taken.

Step One: Identifying calls within CNIL jurisdiction. The Network’s telephone systems automatically recognize the country of origin of the call. Calls originating from France are sent to a dedicated team of trained Interview Specialists who handle international calls. The Interview Specialist confirms the location at the outset of the interview, based on the locations database that you have already provided.

Step Two: Modifications to the interview process. Your new employee communications campaign for France will set the expectation that callers will provide their names and will describe the scope of reports that will be taken. You can use The Network’s standard pre-recorded announcement for French speaking callers or The Network can easily develop a customized announcement to meet your needs.

Once the location is confirmed, The Network’s award-winning Link2 system will act as a real-time quality analyst, warning the Interview Specialist if the report appears to be outside of the scope of the hotline. The system will also prompt the Interview Specialist to ask for the caller’s identity again at the close of the interview if it was not provided previously, as an additional technique for “discouraging” anonymous reports.

THE NETWORK’S RECOMMENDATION: Discuss the recommended Incident Codes with your legal team, showing our recommendations as appropriate.

NEXT STEPS

If you have questions about any of the above information, or would like The Network’s help with your hotline or employee communications program, please contact The Network at 800-357-5137 or send an email to info@tnwinc.com.

Translation of CNIL Single Authorization Decision
ReportLine is a service of The Network | © 2008 The Network, Inc. All rights reserved. | Terms of Use | Privacy Policy Contact Us | Call Us: 800.253.0453