How do we ensure adequate personal and data security in whistleblowing? This is one of the greatest concerns companies have when setting up their whistleblowing systems. That’s why we have dedicated an entire chapter to security in whistleblowing in WhistleB’s new handbook The ABC guide for establishing a whistleblowing solution that increases customer and employee satisfaction.
This article is the fourth in a series of summer blog articles publishing excerpts from the new handbook. The handbook covers resources, how to get the cases in, legal aspects, culture and yes, data security in whistleblowing, the topic of this article.
Security in whistleblowing – must-haves when selecting your solution provider
Security in whistleblowing matters, because trustworthiness is everything when handling sensitive data. Generating trust requires that you protect the whistleblower, the people accused, and the sensitive data itself. This is best done through secure whistleblowing systems.
Security in whistleblowing protects anonymous whistleblowers
Based on many years of customer experience, we know that whistleblower anonymity is essential to getting business-critical information, and thus getting greater value from a whistleblowing solution. Quite simply, if whistleblowers are permitted to remain anonymous, there will be greater trust in the system and more insightful information is likely to be reported.
Any whistleblower wanting to remain anonymous needs to trust that the whistleblowing solution will safeguard their anonymity, all the way from reporting through dialogue, any follow-up case management, investigation and closure. Secure, technology-based solutions are the way to ensure such extensive anonymity. So, what is needed for a whistleblowing solution to guarantee that a whistleblower will remain anonymous?
- An external whistleblowing solution that is separate from an organisation’s own IT environment is an effective option, and it may also be the most efficient way to get up and running. The whistleblowing system should ensure the whistleblower cannot be identified by the organisation’s own infrastructure, for example through firewall, proxy or internal server logs that record which user or internal address connected to the reporting site. That is why you should not run a whistleblowing system within your own IT environment, but in a separate environment instead. Note that an external system does not stop your own gateway from logging that someone visited the provider’s site, so reporters should also be told that they can submit from outside the corporate network.
- Metadata related to a whistleblower should not be tracked or traceable. Avoid logging any data that could identify or track a whistleblower, such as IP addresses or browser and device identifiers, and check that this holds for web server and proxy access logs as well as for the application database.
- The whistleblowing solution should include a secure encrypted reporting channel that allows the whistleblower to remain anonymous even during the follow-up dialogue. This enables the case manager to ask for essential follow-up data.
Anonymity must be technologically ensured. Anonymity by policy is simply not sufficient.
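The following is an added example, not WhistleB’s code or anything described in the handbook. It sketches what “technologically ensured” anonymity can look like for the three points above: no request metadata is persisted, the case store refuses any field outside an allowlist (so a later “add an ip column” slip fails loudly instead of silently eroding anonymity), and the whistleblower returns for follow-up dialogue with a random case key of which the server keeps only a hash. The case-key mechanism, the field names and the sample report text are assumptions made for the example.

```python
# Added example (not WhistleB's code): a minimal anonymous reporting channel
# that enforces reporter anonymity in code rather than by policy.
# Assumptions not taken from the article: the reporter receives a random
# case key at submission and uses it for follow-up dialogue; the server
# keeps only a hash of that key; request metadata (IP address, user agent)
# is handed in by a hypothetical web layer and is never persisted.
import hashlib
import hmac
import secrets


class AnonymityViolation(Exception):
    """Raised when something tries to persist fields that could identify a reporter."""


# Allowlist of fields a stored case may contain. Anything else (an `ip` or
# `user_agent` column someone adds later) is refused, so the guarantee does
# not depend on people remembering the policy.
ALLOWED_FIELDS = frozenset({"case_id", "key_hash", "status", "messages"})


def hash_case_key(case_key: str) -> str:
    # The plaintext key never touches storage; a database dump therefore
    # cannot be used to impersonate the reporter in the follow-up dialogue.
    return hashlib.sha256(case_key.encode("utf-8")).hexdigest()


class CaseStore:
    def __init__(self):
        self.cases = {}

    def persist(self, record: dict) -> None:
        extra = set(record) - ALLOWED_FIELDS
        if extra:
            raise AnonymityViolation(f"refusing to store fields {sorted(extra)}")
        self.cases[record["case_id"]] = record

    def submit_report(self, text: str, request_meta: dict) -> tuple:
        """Create a case. `request_meta` (IP etc.) is available here but is
        deliberately not written anywhere. Returns (case_id, case_key)."""
        case_id = secrets.token_hex(8)
        case_key = secrets.token_urlsafe(32)
        # Design choice for this example: no submission timestamps either,
        # because times can be correlated with VPN, badge or proxy logs.
        self.persist({
            "case_id": case_id,
            "key_hash": hash_case_key(case_key),
            "status": "open",
            "messages": [{"from": "whistleblower", "text": text}],
        })
        return case_id, case_key

    def _authenticate(self, case_id: str, case_key: str):
        rec = self.cases.get(case_id)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["key_hash"], hash_case_key(case_key)):
            return None
        return rec

    def case_manager_ask(self, case_id: str, text: str) -> None:
        # The case manager can ask follow-up questions without ever learning
        # who is on the other side.
        self.cases[case_id]["messages"].append({"from": "case_manager", "text": text})

    def whistleblower_reply(self, case_id: str, case_key: str, text: str) -> bool:
        rec = self._authenticate(case_id, case_key)
        if rec is None:
            return False
        rec["messages"].append({"from": "whistleblower", "text": text})
        return True

    def whistleblower_read(self, case_id: str, case_key: str):
        rec = self._authenticate(case_id, case_key)
        return None if rec is None else list(rec["messages"])

    def stored_fields(self, case_id: str) -> list:
        return sorted(self.cases[case_id])


def demo() -> dict:
    """Walk through the flow once with constructed sample data, not a real case."""
    store = CaseStore()
    meta = {"ip": "203.0.113.7", "user_agent": "Mozilla/5.0 (example)"}
    case_id, case_key = store.submit_report("Invoices approved without delivery", meta)
    store.case_manager_ask(case_id, "Which cost centre and period?")
    store.whistleblower_reply(case_id, case_key, "Cost centre 4410, Q3")
    dump = repr(store.cases)
    return {
        "fields": store.stored_fields(case_id),
        "ip_in_storage": meta["ip"] in dump,
        "key_in_storage": case_key in dump,
        "messages": store.whistleblower_read(case_id, case_key),
        "wrong_key_accepted": store.whistleblower_reply(case_id, "not-the-key", "x"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The allowlist in `persist` is the part that turns a policy into a control: a developer who wires the web framework’s request object straight into the record gets an exception in testing rather than a silent anonymity leak in production. In a real deployment the same check belongs at the database schema and in the web server’s access-log configuration, which this in-memory example does not cover.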
Security in whistleblowing protects sensitive data
We cannot emphasise the importance of secure data management enough. Most of us need to rely on experts to get IT security right, so the trick is to choose an external provider with documented competence in data security. With an external provider, your own IT staff and developers do not have access to the system’s code or to the case data, which narrows the circle of people who could identify a reporter.
Some of the key security features you should look for when selecting your whistleblowing solution provider include:
- Multi-factor authentication for case managers and administrators
- Intrusion detection and prevention
- Encryption of data in transit and at rest
- Activity logs per case and per user, covering case manager actions (not whistleblower metadata, which should never be logged, as described above)
- Redundant storage and backups, so that case data is never lost
The system should be developed according to the principle of “security by design”. What does this mean? All communication and investigation documents should be maintained within a protected case management application. Case managers should be guided by the application to manage cases and data correctly. One example of this is that it should be as intuitive as possible to close a case appropriately, i.e., remove personal data before permanent archiving (a requirement for data controllers in the EU). As another example, case managers should be notified of important activities, and it should be easy for appointed case managers to communicate securely with each other inside the system rather than by e-mail.
Security in whistleblowing must be built on secure technical processes designed to make it as difficult as possible to override controls. Security only by policy is not sufficient.
Go digital to enhance security in whistleblowing
A digital whistleblowing system significantly reduces information security risks. Importantly, risks are minimised when data exists in the digital whistleblowing solution throughout the entire case management process and does not sit in any one person’s inbox or computer. Critical data that is better protected in a digital reporting and case management system can include the dialogue with the whistleblower, investigation material, assignments, audit trails, and archived and deleted data.
There is a further advantage to using a digitally-enabled reporting and case management system. The structure and automated processes it provides support secure handling and reduce the time it takes to act on a report, making the process more efficient. Thus, the simplicity of digital whistleblowing systems makes them both an efficient and a cost-effective option.
Threats to security in whistleblowing are ever-changing and need to be monitored continuously. Make sure your digital whistleblowing system undergoes regular professional penetration and vulnerability testing, and ask to see the results rather than only a statement that testing takes place. Your supplier should ensure the system is monitored at all times to mitigate data security risks so that your information and any personal data in the system is systematically protected. Data security monitoring should also apply to your supplier’s sub-suppliers, such as IT platform providers, data storage providers and so on. Look for a whistleblowing system that adheres to the relevant international information security standards, and for evidence of it, such as ISO/IEC 27001 certification or independent audit reports.
WhistleB believes that there is no excuse for not doing everything you can to select a provider with data security as the highest priority. But security does not end there. We have seen cases where confidential and sensitive data is shared with colleagues or friends. Always keep security top of mind throughout the entire process. Security in whistleblowing is everything because trustworthiness is everything.