Earlier this year, the French data protection regulatory authority (“Commission Nationale de L'informatique” or “CNIL”) significantly broadened the scope of the matters it allows whistleblowers to report through a hotline under its Unique or Single Authorisation registration process.
New Options & Scope
Previously, the Single Authorisation process limited reportable matters to financial irregularities, prevention of anti-competitive practices or violations of the Japanese Financial Instrument and Exchange Act.
This left many employers either unable to receive hotline reports on other potentially harmful or important issues—or having to follow a lengthy process seeking formal approval from the CNIL to provide a hotline with a broader range of reportable matters.
Updates to the CNIL’s Single Authorisation process now allow the following matters to be submitted through a hotline:
Fight against discrimination
Health, hygiene and security in the workplace
Protection of the environment
The CNIL updates have also re-emphasised that, although anonymity remains an option, employers may not require—and should not encourage—reporters to submit reports anonymously. Further, the new guidelines clarify that anonymity is only available where 1) the facts are sufficiently detailed, and 2) a process exists for reports to be reviewed or screened to confirm details and severity of the allegation before being distributed for investigation.
To utilize the new options, organisations can complete the Single Authorisation online through CNIL’s website. For organisations that cannot or choose not to use the Single Authorisation process—for example where they may want to allow other “out of scope” matters to be reported—the CNIL offers an alternative in the form of submitting a formal request for approval from the CNIL.
Impact & Employer Considerations
Employers based in France and multi-nationals doing business in France are now faced with deciding whether to broaden their French programme to include the newly allowed issue types. Although the new CNIL reportable matters represent a generally held best practice for hotline programmes, the inclusion of these additional issue types is optional, not mandatory.
That said, organisations doing business in France should review:
The scope of their existing hotline.
Their internal process for managing cases received through their hotline/case management system to ensure that processes and messaging are consistent with the latest CNIL guidelines.
How they have communicated to their organisation the availability of anonymity through the hotline and any web intake sites created to capture matters.
Best Practices for Incident Management
For those organisations that currently do not have an incident management system, now is a good time to reconsider putting one in place. A robust incident management platform helps consolidate hotline, open-door, mobile and web-based incident reports into a single location for secure review, investigation, resolution, reporting and analysis. (See NAVEX Global’s 2014 Hotline Benchmarking Toolkit for a look at the types of data case management systems can report on.)
For additional information on how the new CNIL Guidance impacts compliance with U.S. laws, please review “More CNIL Guidance for Multinationals Seeking to Comply with SOX & Dodd-Frank,” authored by NAVEX Global partner, Littler Mendelson.