Section 301 (4) of the US Sarbanes-Oxley Act(SOX) of 2002 requires publicly held US companies and their EU-based affiliates, as well as non-US companies listed on one of the US stock markets, to establish, within their audit committee, “procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters”.

The issue of the compatibility of the type of ‘whistleblower’ scheme required under the terms of the US legislation has been examined by the EU Article 29Working Party. Its Opinion 1/2006 (WP 117) sets out the potential data protection implications of such schemes and gives guidance as to how their operation can be made compatible with EU data protection law.

Can Data Protection issues by avoided?

Whistleblowing only becomes a data protection issue when personal data are involved.  Personal Dataare defined in the Acts as  “….data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller”. Data means automated data and manual data (“…information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system”).

The legislation therefore does not apply where:

  • No record is kept in electronic or manual form of the content of a whistleblowing report or of the person either making the report or the subject of the report; or
  • A whistleblowing report relates to an irregularity in an organisation but  responsibility for the irregularity is not, and  cannot readily be, attributed from the content of the report

From a data protection perspective, a best practice approach for an organisation introducing a whistleblowing scheme is to arrange, to the maximum extent possible, that the data produced from such a scheme refer to issues rather than individuals [1]. A report based on information from a whistleblower which refers to alleged irregularities in an organisation does not, in principle, give rise to data protection concerns if neither the whistleblower nor the person/s responsible for the irregularities can be identified from the report.  In contrast, a report which identifies either the whistleblower, or a specific person against whom an allegation of irregularity is made, involves personal data.

Compliance with the Sarbanes-Oxley Act requires the establishment of: “…procedures for  the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters”.  As the focus is on the reporting by employees of  questionable accounting or auditing matters,  a whistleblowing scheme designed solely for such compliance  does not appear to require  the recording of personal data [2].

Whistleblowing Compliance where Personal Data are involved

The Article 29 Opinion deals comprehensively with the data protection issues that arise when whistleblowing schemes related to the reporting of financial etc irregularities are being implemented which involve the processing of personal data.  Data controllers should follow the guidance contained in the Opinion, otherwise they risk being found in breach of the Acts. Some key points that Controllers should consider are:

  • Do I have a good reason to put such a scheme in place, taking account of the risk to the rights of individuals that may result from its establishment?
  • Have I considered the data protection and other implications?
  • Does the scheme have to involve the processing of personal data?
  • Have I provided comprehensive information to employees on the operation of the scheme?
  • Have I designed the scheme so that:
    • reporting through a ‘whistleblowing’ scheme, rather than through normal channels, is seen as exceptional
    • anonymous ‘whistleblowing’  is not encouraged
    • it is clear what type of complaint may be made, who may make a  complaint and against whom a complaint may be made
    • the identity of the whistleblower is kept confidential provided her/his report is made in good faith
    • adequate measures are in place to ensure that there can be no retaliation against the whistleblower
    • personal data contained in ‘whistleblowing’ reports are  dealt with confidentially
    • personal data processed by the scheme are deleted promptly unless required for legal proceedings or disciplinary action
    • an individual against whom an accusation is made is informed of  the accusation as soon as possible and of her/his right to access the data and seek rectification (see  separate guidance note on Access Requests and HR)
  • If the operation of the scheme is outsourced, have I satisfied myself that the operator will comply with data protection obligations?
  • If the outsource partner is located outside the EU, have I complied with the requirements for transfers of personal data abroad.


[1] ‘Whistleblowing’ schemes can give rise to serious issues under laws related to employment. This note deals only with data protection aspects. Certain types of issue that an organisation may wish to include in such a scheme – for example, bullying or harassment – may of necessity have to involve naming individuals.

[2] The Securities and Exchange Commission Final Rule  (Rel 33-8220) does not go beyond the requirement of Section 301 (4), the SEC having decided “.. to leave flexibility to the audit committee to develop appropriate procedures in light of a company’s individual circumstances, so long as the required parameters are met”.