GDPR & Whistleblowing
People who submit a report through a whistleblowing system may include personal data in their message. Organisations that want to set up a whistleblowing system for their employees, suppliers or other parties therefore have to consider the privacy aspects that come into play. For example: how do you deal with data retention periods in a whistleblowing system in line with the GDPR?
Data must be stored for the shortest time possible, or, as set out in article 5 (1) (d) of Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR): ‘personal data shall be kept (..) no longer than is necessary for the purpose for which the personal data are processed’.
So, you need to think about how long you can keep personal data and for what purpose you are keeping it.
The Article 29 Data Protection Working Party gives further guidance in its Opinion 1/2006: “Personal data processed by a whistle-blowing scheme should be deleted, promptly, and usually within two months of completion of the investigation of the facts alleged in the report”.
But in the context of whistleblowing, you need to take a few steps back before you can say ‘we delete and/or anonymise everything after two months’.
How to have GDPR compliant data retention rules in whistleblowing?
You first need to decide when an investigation can be closed, because that is the moment the retention period starts running. This will differ per case. ‘Non-cases’ can be closed immediately, while serious misconduct investigations can take years. Some investigations will end in legal proceedings. Sometimes there will be exceptions, such as HR-related obligations, that require you to keep certain data longer (e.g. for disciplinary records).
It is important to consider this when you are establishing your case-handling and case-closing policies. It is not merely a black-and-white question: when a case comes in, the appropriate follow-up will be different per case, and that affects both the length of the data retention period and when it starts running.
The main purpose of all these data retention rules is to keep organisations thinking critically about how they store data and to ensure that people are informed properly. In your policies you can be transparent towards data subjects and give unified instructions to case handlers.
And of course, don’t forget to monitor whether people are operating according to your case-closure policy.