Whistleblowers liable for similar actions

The legislation that protects an employee who reports unlawful conduct which he/she has become aware of due to his/her duties is ‘aimed at preventing unfavourable consequences for the fact in itself of having reported unlawful conduct, but certainly does not create exemptions with respect to the offences that that person had allegedly committed independently or in concert’. This was affirmed by the Court of Cassation with order No 9148 of 31 March 2023. The case originates from a disciplinary suspension imposed on a nurse working at a public sector hospital, who had worked for a private body for eight years without authorisation from her employer. In the judgment in second instance the Court of Appeal of Rome confirmed the ruling of the Court of first instance and rejected the appeal against the sanction under Article 54-bis of Italian Legislative Decree No 165/2001 – i.e. the protection envisaged in the event of reporting of offences of which the employee became aware due to the duties performed (the employee had, in fact, reported similar behaviour of other colleagues to the employer). The Court of Appeal noted the fact that the employee, having in turn conducted herself in the same way, certainly could not benefit from the protections invoked. The employee lodged an appeal against this decision before the Court of Cassation, in which the Health Authority filed a counter-appeal. In her sole ground of appeal, the appellant alleged breach and erroneous application of Italian Legislative Decree No 165 of 2001, Article 54-bis, on the basis that a whistleblower would only be liable when the report would constitute slander or defamation. The Court of Cassation – in confirming the assessment of the appeal judges – clarified that the function of the aforementioned Article 54-bis is to prevent the employee who makes a report from being sanctioned, dismissed or otherwise subjected to discriminatory measures for reasons connected, even indirectly, to the report.

The full version can be accessed at Italia Oggi.

With Decision No. 17 of 23 January 2020 and in imposing a sanction on an Italian University for not having properly protected the confidentiality of the identification data of two persons – the whistleblowers –, who had reported possible unlawful behaviours, the Italian Data Protection Authority has laid stress on the fact that an obligation weighs on the Employer, namely, the “Controller” (pursuant to Article 4 of Regulation EU 2016/679, hereinafter, the “GDPR”) to implement technical and organisational measures fit to ensure the protection of the personal data processed (cf. Newsletter of the Italian Data Protection Authority No. 462 of 18 February 2020).

 In particular, at the time of the facts and in aligning itself with the obligations to properly protect the employee that reports unlawful behaviours within the working environment (the so-called “whistleblowing” introduced in the Italian legal system with Legislative Decree No. 165 of 30 March 2001), the University had chosen to use a technological solution. In this case, in order to ensure the protection in the capture and management of all reports of offences, the University had availed itself to the use of a software platform supplied by a third party outside the University’s organisation.

In changing and concomitantly updating the software platform, there was the so-called overwriting of access credentials leading to an exposure of the personal data of the two whistleblowers on some browsers accessible and viewable by whomever searched on the Internet.

As a result of the above, the University served notice on the Italian Data Protection Authority as to the so-called data breach, with which the University reported the spread of the common personal data of the two whistleblowers on the public web, to the extent that they could potentially be consulted by anyone.  

The investigation carried out by the Italian Data Protection Authority has found that the University had not adopted proper technical and organisational measures aimed at ensuring “the security and confidentiality needs typical of data management within whistleblowing procedures”; on the other hand, the University failed to define a correct procedure for controlling accesses, which should have limited data processing to the authorised staff. 

Indeed, the University had limited itself to embrace the security measures chosen by the software supplier. Nonetheless, the above-mentioned security measures were neither suitable nor fit, since they failed to foresee measures such as coding or the adoption of a safe communication protocol for information, thus allowing the infringement of the confidentiality and of the integrity of the personal data processed, as well as the respective incorrect keeping and accessibility.

In particular, the Italian Data Protection Authority held that “As regards the application at issue, in light of the nature, the scope and the aim of the processing, as well as of the high risk for the rights and freedoms of the whistleblowers, the solution adopted by the University can in no way be deemed a technical measure fit to ensure the confidentiality and the integrity of the data processed as well as the authenticity of the website used by the users both as a whistleblowing channel (employees, students, etc.) and as a tool for managing any whistleblowing (Head of Corruption Prevention and of Transparency, i.e. RPCT and the respective collaborators, if any”.

Click here to continue reading the article.