Whistleblower Protection Act – Focus on anonymity

Fol­low­ing the Bundestag’s de­cision, the Bundes­rat’s ap­prov­al is still needed, which is ex­pec­ted to take place this week. After the Bundes­rat’s ap­prov­al, the HinSchG will enter into force. Trans­ition­al periods for the es­tab­lish­ment of a whis­tleblower system are not provided for. However, there are for the re­quire­ment to set up an­onym­ous re­port­ing chan­nels, which has been changed in the draft law: The trans­ition­al period for setting up an an­onym­ous re­port­ing channel is 01.01.2025. Despite the trans­ition­al period, com­pan­ies should already start think­ing about im­ple­ment­a­tion pos­sib­il­it­ies. Because after ap­prov­al by the Federal Council, only systems that can guar­an­tee an­onym­ous com­mu­nic­a­tion are future-proof.

An­onym­ity as a re­quire­ment

An­onym­ous com­mu­nic­a­tion is a much higher re­quire­ment for a system than the iden­tity pro­tec­tion de­scribed in the pre­lim­in­ary draft of the law. One option for com­pan­ies is to appoint om­bud­sper­sons to whom whis­tleblowers should turn. De­pend­ing on the con­di­tions (e.g. if there are no om­bud­sper­sons in the company yet), a tech­nic­al solu­tion may be more ef­fect­ive and less ex­pens­ive. Digital whis­tleblow­ing systems that guar­an­tee an­onym­ity lower the in­hib­i­tion threshold for whis­tleblowers. The lower the threshold, the greater the like­li­hood that the company will benefit from valu­able in­form­a­tion. Another ad­vant­age of digital whis­tleblow­ing systems is that they can be im­ple­men­ted quickly and op­er­ated at man­age­able costs (monthly SaaS fee).

Tech­nic­al solu­tion from otris

When de­vel­op­ing otris’ whis­tleblow­ing system, the an­onym­ous com­mu­nic­a­tion channel was a key re­quire­ment – even though it was not ini­tially de­man­ded in the le­gis­lat­ive process. An an­onym­ous re­port­ing channel not only provides ad­di­tion­al mo­tiv­a­tion for whis­tleblowers who wish to remain uniden­ti­fied, it also sim­pli­fies the im­ple­ment­a­tion of another legal re­quire­ment: iden­tity pro­tec­tion. Whis­tleblowers who choose to report an­onym­ously auto­mat­ic­ally enjoy iden­tity pro­tec­tion, as their iden­tity is not known. The iden­tity of whis­tleblowers who report non-an­onym­ously must of course also be pro­tec­ted. The high IT se­cur­ity stand­ards of the otris whis­tleblow­ing system provide the tech­nic­al re­quire­ments for iden­tity pro­tec­tion: the system ensures that third parties cannot access in­form­a­tion that whis­tleblowers and whis­tleblowers ex­change. To this end, the system com­plies with the fol­low­ing IT se­cur­ity stand­ards, among others:

• Hybrid en­cryp­tion in ac­cord­ance with BSI spe­cific­a­tions (applies to all in­form­a­tion-related data on the re­port­ing plat­form)
• End-to-end en­cryp­tion
• BSI-com­pli­ant trans­port en­cryp­tion of all mes­sages and at­tach­ments with TLS1.3
• On request: two-factor au­then­tic­a­tion
• Data centres cer­ti­fied ac­cord­ing to ISO 27001 and ISO 9001
• System pentests ac­cord­ing to OWASP Ap­plic­a­tion Se­cur­ity Veri­fic­a­tion Stand­ard
• Se­cur­ity audits

We would be happy to show you how to im­ple­ment an­onym­ous com­mu­nic­a­tion and other legal re­quire­ments with the otris whis­tleblow­ing system. We look forward to an ex­change with you – by e-mail, tele­phone or web form!