12/09/2009 06:56:03 AM EST
Hotlines and Cross Border Issues
Whether voluntary or required, whistleblower hotlines create data protection dilemmas that need to be addressed in detailed, updated compliance programs. The implementation of a pan-European hotline is riddled with complexity and numerous steps because there is no one-size-fits-all solution. In this Emerging Issues Analysis, Mark Schreiber, Socheth Sor, and Theo Godfrey discuss some of the traps faced by practitioners and compliance professionals. They write:
Compliance Points
The differences between SOX [Sarbanes-Oxley Act of 2002] requirements and local country data protection laws demand thoughtful attention, if not creative compliance solutions. Adjustments of the program in each EU country may stem from one or more of the following areas:
1. Limiting, where required, the scope of the hotline or reporting program in the country to SOX issues such as audit, accounting, fraud or financial irregularity or other anti-corruption areas, and not including general employment, harassment, or environmental issues. Some of these latter, out-of-scope categories in some countries, however, may be taken in but have to be immediately referred to the appropriate department, like human resources for resolution. (The French DPA [Data Protection Authority], the CNIL, specifically allows for this routing of complaints for areas of vital company interest or the physical or mental safety of employees.)
2. Making clear that hotline reporting is non-mandatory for EU based employees.
3. Making anonymity available but not requiring it of the reporting individual.
. . . .
Important Documents
The implementation of a whistleblowing program requires a number of important documents. The principal documents likely to be needed for a whistleblowing scheme are: the hotline procedure, which is a general operating document applicable at the corporate level and to each subsidiary; notices to employees, which describe the hotline, its scope and how and where to make a report, and; any notifications required by the relevant countries' DPAs. Addendums to or variations of these documents will be required where the program must be adjusted to comply with local country laws.
For ease of implementation, the program should be as similar as possible in every EU jurisdiction. While amendments will have to be made to program documentation in many jurisdictions to comply with local country laws, care should be taken so that only the minimum required amendments are made to program documents. This means that managing counsel must cast a critical eye over all proposed amendments and discuss those which seem likely to be surplus to requirements or which may cause implementation problems or conflicts with SOX.
If you do not have a lexis.com ID, you can purchase the Emerging Issues Analysis content through our lexisONE Research Packages