Ethics and Compliance Glossary

Encryption is the method by which information is converted into secret code that hides the information’s true meaning. In order to reveal the data, the reader needs a unique encryption key.
When dealing with sensible data such as a whistleblowing report, it’s important to ensure the security of the information. Data encryption is a good way to make sure that you have full control over accessing the data, even when using a third party solution for your whistleblowing system.

ESG stands for Environmental, Social, and Governance. ESG criteria are a set of standards for a company’s behavior used by socially conscious investors to screen potential investments. ESG issues are no longer treated as an afterthought by companies, they are central to an increasing number of companies. Establishing effective reporting channels is crucial to address the three areas of ESG in an organization.

The European Whistleblower Protection Directive provides and promotes a safe and secure way for employees to speak up about misconduct in their work environment. Promulgated in 2019 and enforced since December 2021, most member states are still in the process of transposing the Directive into national law.

Forced labour, or unfree labour, is any work relation, especially in modern or early modern history, in which people are employed against their will with the threat of destitution, detention, violence including death, or other forms of extreme hardship to either themselves or members of their families. Like Modern slavery, organizations having suppliers or subsidiaries in developping countries are the most subject to this kind of behavior. It is crucial to set up ways for all employees to speak up safely about their work environment and working conditions, at all level of the supply chain.

Fraud is a deliberate act (or failure to act) with the intention of obtaining an unauthorized benefit, either for oneself or for the institution, by using deception or false suggestions or suppression of truth or other unethical means, which are believed and relied upon by others.

The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, replaced the Data Protection Directive 95/46/ec in Spring 2018 as the primary law regulating how companies protect EU citizens’ personal data.
Through this framework, data privacy is harmonazied in Europe by law, and as a result, GDPR will also impact how personal data is handled in whistleblowing systems. Compliance officers and other employees involved in the compliance management of their organization must follow very specific procedures when handling personal data, particularly when it is issued from whistleblowers and whistleblowing reports.

Governance, risk and compliance (GRC) refers to an organization’s strategy for handling the interdependencies between the following three components:

• corporate governance policies
• enterprise risk management programs
• regulatory and company compliance

Any size organization can use GRC. Developing a GRC discipline is especially important for large organizations that have extensive governance, risk management and compliance requirements and where programs to meet these requirements often overlap.

Illegal behaviour towards a person that causes mental or emotional suffering, which includes repeated unwanted contacts without a reasonable purpose, insults, threats, touching, or offensive language. By encouraging a Speak-Up culture in your organization, you can start a continuous cycle of improvement to fight harassment in the workplace and make it easier for victims and witnesses to report these kind of harmful behaviors, so they can rapidely be addressed internally.

Server hosting refers to the outsourcing of an organization’s server placement and platform to a third-party Managed Hosting Provider (MSP). This means that the data is storred by an external hosting solution. When dealing with sensitive and personnal information, it’s important to make sure that the hosting solution complies with the local requirements regarding the level of security required. Since the highest level of security remains data localisation, having the option to chose a local hosting solution will ensure that you can meet the majority of security requirements for data storage.

A direct telephone line in constant operational readiness so as to facilitate immediate communication. Hotlines are one of the way to allow whistleblowing in your organization. However, this reporting channel has a lot of roadblocks to its utilization both for employees and case managers. For instance, not everyone feels comfortable reporting sensitive issues with a phone call, there can be language barrier issues, or a difficulty to remain anonymous if the whistleblower’s voice is atypical or has a distinct accent. When choosing a whistleblowing solution, it’s important to assess which one is best suited for the specific needs of your organization.

Interactive Voice Response (IVR) is an automated phone system technology that allows incoming callers to access information via a voice response system of pre recorded messages without having to speak to an agent.
IVR solutions allow whistleblowers who prefer speaking up through a phone call to raise concerns whithout having to share sensitive information with a third party like a hotline service. This way, personal information and sensitive data remain within the organization. Since the whistleblower speaks to a machine instead of a human being, it can alleviate some fears or concerns associated with speaking up. Whistleblowers can record their report, modify their voice and listen to their report before sending it through the system. 

Internal whistleblowing refers to the reports made by employees through the internal reporting channels set up by their own organization. Under most legislation, when an employee feels unsafe using the internal reporting channels, they will turn to external third parties or directly to the press, making their report public. In these cases, organizations have little to no control over the situation and how it escalates. Having effective and attractive internal reporting channels will encourage employees to use them prior to turning to external solutions.

ISO/IEC 27001 is an international standard on how to manage information security.
It is worth noting the difference between being ISO 27001 compliant and ISO 27001 certified. A certification guarantees the utmost level of security, since being certified means that the certification is performed by an “accredited” certification body, or auditor. Being “accredited” means the auditors have themselves been audited against an ISO standard for how they conduct audits and certifications.
On the other hand, any organization meeting requirement points of the ISO 27001 standard can claim to be compliant, but their word for it constitue their only source of proof.

Encryption key management software role is to generate, exchange, import, store, use, destroy, and replace keys. It also allows to manage SSL/TLS certificates. This allows to choose and manage Encryption Keys to access and manage the sensitive data stored within your whistleblowing system. This way, no one can access your data, including your whistleblowing platform provider.

The definition of modern slavery is when people are exploited and not allowed to refuse or leave work due to abuse of power, threats, violence, deception, or coercion. Examples of modern slavery include child labour, human trafficking, forced labour, deceptive recruiting, debt servitude, and of course, slavery. This practice is often observed in supply chains based in developping countries. Modern Slavery Acts, such as the one passed in Australia in 2018, aim to ensure that organizations are taking the necessary steps to stamp out these practices in their supply chain. By publicly reporting how they are combating modern slavery, it shines a brighter light on the subject and encourages better behaviour through their supply chain partners.

Multi-Tenant – Multi-tenancy means that a single instance of the software and its supporting infrastructure serves multiple customers. Each customer shares the software application and also shares a single database. Each tenant’s data is isolated and remains invisible to other tenants.
Having a multi-tenant environment for your whistleblowing system means than several case managers can access and be assigned reports. This become extremely convenient when local case managers are appointed in subsidiaries or different office locations, as it it sometimes required by some legislations.

When a tragic event almost happened in organisations.
Though no immediate injury or damage occurs, near misses represent potential threats to the safety of the office and its employees and should be reported as soon as they occur. Reporting a near miss helps ensure that future incidents and injuries are avoided and can reduce medical expense costs, workers’ compensation payments, time lost due to injury, accident investigation costs and equipment replacement costs.

Personal data, also known as personal information or personally identifiable information, is any information related to an identifiable person.
Reporting irregularities in organizations opens up many questions regarding the processing of personal data of the whistleblowers, those affected by the whistleblowing, and witnesses. Data privacy rights play a key role in the design of whistleblowing procedures, and organizations need to take into account the penalties they can face in case of non-compliance with existing regulations (such as the GDPR).

The Personal Information Protection Law (PIPL) regulating use of personal data has now come into force in China.
This legislation affect every business, inside and outside of China, managing and processing personal data from employees based in China.
One of the strictest privacy laws now on the books, complying with the PIPL includes the obligation to store sensible and personal data on servers located on Chinese territory.

Privacy (and Data Protection) by design and by default is written into Article 25 of the EU GDPR. Privacy by Design states that any action a company undertakes that involves processing personal data must be done with data protection and privacy in mind at every step. “Privacy by default” in turn, means that the “privacy by design” principle should be incorporated by default into any system or business – so that personal data is automatically protected without any action from the data subject.
Under these conditions, a particular importance must be given to the way your whistleblowing system process and handles the personal data of employees and those included in reports.

Privacy Shield was an informal agreement between the U.S. and the EU intended to ensure compliance with European data protection standards for data transfers to the U.S. It was invalidated in 2020, and in March 2022, European Commission’s President Ursula von der Leyen and United States’ President Joe Biden reached common ground and announced a new agreement for transatlantic data privacy and transfer framework.

Pseudonymization (or pseudonymisation, the spelling under European guidelines) is one way to comply with the European Union’s new General Data Protection Regulation (GDPR) demands for secure data storage of personal information. Pseudonymisation of data (defined in Article 4(5) GDPR) means replacing any information which could be used to identify an individual with a pseudonym, or, in other words, a value which does not allow the individual to be directly identified.
This way, the identity of whistleblower who wishes to remain anonymous is protected, and it is their choice to reveal their identity to their organization if they wish and feel confident to do so.

When a whistleblower decide to take their report to the public domain, by contacting the press, medias, posting on their social media accounts, etc.
Whistleblowing legislations such as the EU Directive extend protection to whistleblowers who make the choise to disclose informations publicly.
Organizations can limit public disclosures by implementing efficient and attractive internal reporting channels, through which employees feel safe to make reports and are actively taking action to address the issues reported.

Give a spoken or written account of something that one has observed, heard, done, or investigated.
The scope of what can be reported as a misconduct or wrongdoing in your organization should be clearly stated and defined in your internal Whistleblowing Policy. It should also be mentionned how an employee can submit a report and the steps following its submission.

The reporting channels refer to the different ways an employee can submit a report.
Internally, it can take the form of a telephone hotline, an email adress, a postal adress or a digital platform. External reporting channels can include lawyers, the media, law enforcement or watchdog agencies, or other local agencies.

In a single-tenant environment, a whistleblowing software will allow only one person to have access to its data and case management features. If another person would want to have the same access, they would have to purchase a separate license or switch to a multi-tenant environment.
Depending on the size of your organization, it’s good to assess how many people need to have a full access to your whistleblowing platform.

SSO (Single Sign On) is a system that allows users to login on a Portal within their
company and then access the Whistleblowing platform or app without having to log in again.
This feature makes the experience of the whismtleblower easier, and aleviate some of the steps to submitting a report. By allowing an SSO system for your Whistleblowing platform, communication with the whistleblower is facilitated since it’s easy for them to access their reports even after being sent.

Transparency implies openness, communication, and accountability.
Being transparent on processes in regards for whistleblowing within your organization will help you build trust with your employees. They will be more enclined to submit reports if they know what wills become of the information they are sharing and what steps they can expect from submisson to closing the case.

A virtual private cloud is an on-demand configurable pool of shared resources allocated within a public cloud environment, providing a certain level of isolation between the different organizations using the resources.
By having your own Virtual Private Cloud for your organization means that all the data you store on it cannot be accessed by third parties.

A whistleblower is a person, often an employee, who reveals information about activity within a private or public organization that is deemed illegal, immoral, illicit, unsafe or fraudulent.on a person or organization regarded as engaging in an unlawful or immoral activity.
By reporting wrongdoings, they’re expose themeselve to considerable risks of retaliation or identification.
Whistleblowers are more and more recognized as an essential actor to good and sustainable governance, and numerous new legal framework are being introduced to grant them protection.

A Whistleblower communication channel is a tool that allows you to communicate, in a confidential manner, the potentially irregular activities and behavior that could lead to a breach of the Code of Conduct and / or the possible commission of a criminal offence. Being able to have 2-ways conversations with whistleblowers allows you to conduct better investigations and solve issues at their source.

Putting in place protection measures for whistleblowers is a way to encourage employees to report wrongdoing and to protect them when they do, is essential for corruption prevention in both the public and private sectors. Employees are usually the first to recognise wrongdoing in the workplace. Empowering them to speak up without fear of reprisal can help authorities both detect and deter violations.

A lot of new legislation reinforcing whistleblowers protection are being introduced around the world, such as the EU Whistleblowing Directive, the Japanese Whistleblowers Protection Act, the Whistleblowing protection Bill in New Zealand, Australia’s whistleblowing legislation, and many more.

The act of Whistleblowing consists in reporting informations on incidents, wrongdoings, unlawful or harmful behavior, that the whistleblower was a victim or witness to. An efficient and compliant whistleblowing framework is beneficial to both the employees and organizations.

Your Whistleblowing policy, or Whistleblowing guidelines, is an internal document detailing the framework of your Whistleblowing System. It should give clear information about whistleblowing procedure, reporting matters, the role and resposibilities of persons or departements in charge of handling reports, the protection granted to whistleblowers, and governance guidelines for whistleblowing.
Your whistleblowing policy should be unique to your organization, taking into account its specific structure and processes.

A Whistleblowing System encompasses the ways available to a person to make a report to its organization. To differentiate the many Whistleblowing channels available such as a mailbox or a telephone hotline, a Whistleblowing System usually refers to a software or digital solution.
There are many advantages that come with choosing a software solution as your Whistleblowing System, including a better management of the data security, the possibility to extract data from reports to leverage it for risk management or corporate governance, a secure way to preserve the anonymity of whistleblowers, easier communications and follow-ups on reports, etc…

Misconduct in the workplace refers to any behavior that goes against your code of conduct or other policies that dictate how employees should behave at work.

This might include unethical, unprofessional, or even criminal behavior that takes place within a workplace setting.

General Misconduct is behaviour that is inconsistent with employee obligations or duties; a breach of company policy or procedure; or generally unacceptable or improper behaviour.