Italian Data Protection Authority: opinion on two ANAC resolution proposals on whistleblowing.

The Privacy Authority has expressed an opinion on two ANAC resolution proposals relating to whistleblowing. The first concerns the approval of the Guidelines for internal reporting, the second the updating of the Guidelines for external reporting. The goal is to make the management of reports, both internal and external, more uniform and effective.

The Guidelines take into account the discussions with the Office of the Italian Data Protection Authority, with a view to ensuring, in particular, the full protection of the confidentiality of the identity of the whistleblower and the content of the report, as well as the protection of the data of the persons involved in various capacities.

There are many points of attention, including, in particular, the possible risks deriving from the use of e-mail as a reporting channel; the need for a prior data protection impact assessment to be carried out, including with the possible support of technology providers; the retention times of the report and related documentation; the possibility, in certain circumstances, to share the reporting channel, without prejudice to the need to adopt technical and organisational measures to ensure that each entity has access only to the reports under its competence.

In continuity with the Authority's guidelines on the subject, the Guidelines on internal reporting channels provide indications and principles that employers may take into account when activating their own reporting acquisition and management channels.

This is also with regard to the technical and organisational measures that, in compliance with the principle of accountability, public and private employers, and other obliged entities, may adopt to protect individuals' data during the process of acquiring and managing the report, such as, for example, measures to prevent the traceability of the reporting person who accesses the internal reporting channels from the internal data network of the employer's organisation work.