
Special Report  

 

October 2005 Update Regarding Hotlines in France

Overview

The Commission nationale de l’informatique et des libertés (CNIL) has drafted guidelines for the implementation of whistleblower hotlines. These guidelines were issued on October 13, 2005 and will be submitted to public authorities, professional organizations, trade unions and expert associations for comment prior to final approval. A timeline for input and adoption is not yet clear. This document is a summary of the CNIL’s drafted guidelines, followed by The Network’s interpretation of the guidelines.

The document states that the CNIL has no objection in principle to “whistleblower schemes”, provided the rights of accused individuals are guaranteed in compliance with personal data protection rules. The draft guidelines raise objections to the use of hotlines to ensure compliance with general legal requirements, corporate policies or internal rules of business conduct, but acknowledge their legitimacy as internal controls in specific defined areas, such as auditing and accounting fraud, or bribery of foreign officials.

Regarding Sarbanes-Oxley

The draft guidelines acknowledge the conflict this presents regarding the confidential reporting requirement of Sarbanes-Oxley. The document states “legitimacy [of a whistleblower process] may not result from the mere existence of foreign legal provision.” However, the CNIL notes “ensuring that information relating to financial embezzlement and account rigging properly reaches the Board of Directors is a critical concern for any issuer.”

Suggested Limits on Hotlines

The draft guidelines suggest the following limits on whistleblower processes:

  • The hotline must be subsidiary to other communication channels, especially to reporting misconduct through the chain of command.
  • The subject matter of hotline complaints should be specific and limited in scope, for example, to accounting irregularities.
  • The categories of people who could be named in a hotline call “should be determined accurately” so that an employee without responsibilities in the hotline’s specific subject matter could not be accused; similarly, the categories of employees able to make a hotline call should be limited to those who work in the relevant area.
  • Anonymous calls should be discouraged and, if received, investigated more carefully than others. The document suggests that “whistleblowing schemes should imply that the data necessary to identify the whistleblower is collected.”
  • Communication to employees regarding the hotline should include:
    • the identity of the entity in charge of the hotline
    • its purposes and scope
    • its optional nature
    • the fact that employees will not be sanctioned for not using it
    • the recipients of the reports
    • the existence of the chain of command for reporting issues
    • the right of incriminated individuals to access and rectify their data
    • a statement that abuse of the system will result in disciplinary action and criminal proceedings
  • Any third party provider’s contract must state that the provider "will not use the data for diverted purposes, that it will ensure the confidentiality thereof, meet limited data retention periods, and inform the individuals identified by the whistleblower system."
  • Personal data relating to an allegation that is found to be unsubstantiated should be deleted immediately; other data must be deleted two months after the investigation is completed, unless further legal action/prosecution ensues.
  • The accused must have access to their personal data in the system and the right to correct or delete it; access should not include the identity of the whistleblower.

Other Highlights of the Draft Guidelines

  • Employees cannot be compelled to use the hotline.
  • The hotline should be a dedicated communication channel, not used for other communication.
  • The number of people involved in processing hotline reports should be limited and each person should be specially trained with contractually defined duties regarding maintaining confidentiality.
  • The accused person must be notified by the person “in charge” of the process “as soon as data is recorded”, but not “before indispensable protective measures have been taken.”
  • Data should not be disseminated outside the French business entity collecting it, even to a parent company. If, under exceptional circumstances, disclosure is required to a legal entity based in a non-EU country that does not ensure an adequate level of protection, further protection provisions will apply.

The Network’s Interpretation

The draft guidelines are reassuring to companies seeking to comply with Sarbanes-Oxley in that the CNIL is clearly not banning anonymous reporting mechanisms. In fact, it acknowledges the role of confidential reporting as an internal control in preventing accounting fraud. The Network will provide comments to the CNIL based on our 23 years of operating ethics hotlines, and we encourage other key organizations to do the same.

Providing comment may help resolve certain troubling aspects of the proposed guidelines. One example is the restriction of confidential reporting to a single purpose, such as financial irregularities. This presents the risk of a corporation failing to take action regarding a seriously inappropriate situation. If an employee calls to report his or her supervisor for violent behavior in the workplace, surely the employer should not turn its back on the complaint.

Another concern is the involvement of the third party hotline provider in the process of informing an accused party of the allegation that has been made. The document states that this should happen “as soon as data is recorded”, but not “before indispensable protective measures have been taken.” There are many serious issues with this approach. The most obvious is that a third party service provider will not know how to contact the accused party and will not know when the “protective measures” have been taken. This level of involvement would transform the hotline provider from a neutral third party into an entity playing a role in the investigation of the complaint. The corporation should be the only entity that manages communications to employees that result from a hotline report.

Among the most troubling issues is the suggestion that anonymous reports should be discouraged. Written communication can obviously be anonymous. If a telephone hotline refuses to accept anonymous reports, the company will fail to reap the benefits of a live interview that adds to the level of detail received from an anonymous party. If all anonymous communication bypasses the telephone hotline, the organization will be forced to base investigations on weaker information than would likely be culled from an interactive interview.

The drafted guidelines are an encouraging step toward resolving the conflict between the CNIL and the SEC. The CNIL has acknowledged the usefulness of confidential reporting and has opened the topic for comment.

For a full copy of the translated drafted guidelines, please contact The Network at info@tnwinc.com.

ReportLine is a service of The Network | © 2008 The Network, Inc. All rights reserved.