ICARS Whistleblowing policy

Approved by the Board of Directors on 28 January 2022

1. Introduction

This policy[1] describes the process for the disclosure of

  1. misconduct that is illegal, unethical or against the organisations ethos as detailed in ICARS’ Code of Ethics and Professional Conduct, and
  2. in the public interest.

ICARS promotes a safe and transparent organisational culture where ICARS staff and partners can safely report illegalities and unethical conduct and thereby cultivate a culture of integrity. The whistle blower mechanism will support this aim.

Importantly, the whistleblower mechanism should be seen as a

SUPPLEMENT to direct and day-to-day communication in the workplace regarding errors and unsatisfactory conditions of a significant nature.

Therefore, the first step ICARS staff should take to resolve problems is to contact senior staff, HR, trade union representative etc.

If a partner of ICARS is experiencing problems with ICARS, the partner should first try to engage with their regular contact persons in ICARS to resolve the problems or contact a member of the Executive Management.

ICARS acknowledges the key role staff members play in protecting the organisation against reputational damage and financial loss. A well-functioning whistleblowing system is an excellent early warning system to identify risk in a company. The success of the system relies on an open speak up culture where staff members (and partner employees) do not fear retaliation and know that their concerns will be taken seriously.

ICARS Whistleblowing policy and procedure is intended to be supportive and consistent with national laws and regulations, in particular the Danish Whistleblower Protection Act (Lov om beskyttelse af whistleblowere), which will come into force on December 17, 2021. The Act implements the EU Directive on the protection of persons who report breaches of Union law 2019/1937 (Whistleblowing Directive) into Danish law. Only an internal whistleblowing channel for employees is mandatory under the Act. With a current workforce of under 50 employees, ICARS is currently not subject to the Danish Whistleblower Protection Act, but voluntarily implements it regardless. According to the Danish Act, whistleblowers can report on breaches of EU law, but the Act also covers reporting on breaches of Danish national law and infringements of a serious nature (e.g., bribery, corruption, and sexual harassment). Denmark also has a number of laws regulating whistleblowing procedures in the financial sector []. Other relevant laws include EU General Data Protection Regulation 2018/1725 (GDPR) and the Danish Data Protection Act: Establishing and operating a whistleblowing policy involves the processing of personal data of highly sensitive or confidential nature, which means that there are more stringent requirements for complying with the data protection rules (see also ICARS data protection policy). In the event there is an inconsistency between the requirements and procedures prescribed in this policy and those in national law, the law shall control.

In addition to reporting to the internal ICARS whistleblowing mechanism, ICARS would like to draw attention to the fact that ICARS staff and partners can also report externally to the authorities. A number of sector-specific external reporting channels already exist in Denmark, such as the ones maintained by e.g., the Danish Financial Supervisory Authority, the Danish Working Environment Authority, the Danish Environmental Protection Agency and the Danish Business Authority. Further, the Danish Data Protection Agency will establish an external hotline for handling reports related to infringements of EU law under the Danish Whistleblower Protection Act.

To be complete, ICARS would like to draw attention to the fact that under certain circumstances public reporting is protected under the Danish Whistleblower Protection Act. This is the case if:

  • the whistleblower’s reporting though internal and external channels leads to inappropriate measures being taken within the deadlines laid down in the Whistleblower Protection Act;
  • the whistleblower reasonably believes the breach constitutes an imminent or manifest danger to the public interest; and
  • the whistleblower reasonably believes that, in case of external reporting, there is a risk of retaliation or there is a low prospect of the breach being effectively addressed.
Key elements of the ICARS whistleblowing policy

  • Creating a safe and ethical working environment is everybody’s responsible and ICARS will always welcome it if concerns about misconduct are raised so that the organsiation can do something about it, minimise damage, and reflect on preventive action for the future.
  • ICARS has zero-tolerance for any threats or attempts to retaliate against whistleblowers (and which are also prohibited by law).
  • The ICARS Board of Directors has a board member explicitly responsible for overseeing the organisation’s whistleblowing programme. This individual acts as a champion for the whistleblowing programme, provides oversight and holds those who operate the programme to account.

All terms in italic are defined in section 9.

2. Purpose

The purpose of this policy is to outline the ICARS Whistleblowing procedure to demonstrate to ICARS staff and partners (1) that a whistleblowers concern raised in good faith will always be taken seriously and investigated thoroughly, (2) how confidentiality is protected in case of whistleblowing and (3) that there will be no retaliation for the whistleblower.

3. Scope

What can be reported?

In accordance with the Danish Whistleblowing Act (when it enters into force on December 17, 2021), the scope of this policy covers:

a) breaches falling within the scope of the EU Whistleblowing Directive, i.e. breaches of EU legislation concerning the areas of:

  • public procurement
  • financial services, products and markets, and prevention of money laundering and terrorist financing
  • product safety and compliance
  • transport safety
  • protection of the environment
  • radiation protection and nuclear safety
  • food and feed safety, animal health and welfare
  • public health
  • consumer protection
  • protection of privacy and personal data, and security of network and information systems

b) other “serious breachesof Danish law, such as breach of statutory confidentiality, misuse of financial means, theft, fraud, embezzlement, bribery as well as serious breaches of occupational safety; and

c) other “serious matters” such as discrimination, violence, harassment if it has a serious or recurring nature (including sexual harassment).

The whistleblower can provide information about breaches of EU and Danish law that have already taken place, breaches that have not yet happened but that are believed highly likely to take place, actions or failures that the whistleblower has reasonable concern to consider as a breach of EU or Danish law and attempts at hiding breaches of law.

Any issue must be observed in connection with ICARS-related activities and reported in good faith.

In the ICARS digital whistleblowing system, the reporter must select among the following categories when reporting:

  1. Bribery, fraud and corruption
  2. Data protection and IT security breaches
  3. Unethical research and/or research misconduct
  4. Food and feed safety, animal health and welfare
  5. (Sexual) abuse, exploitation and harassment
  6. (Public) Health, safety and environment
  7. Other

What whistleblowing is not

Reports of personal grievances by ICARS staff, such as violations of internal guidelines (e.g., sickness, use of office supplies etc.) or less serious personal conflicts, e.g., general disagreements with management, disagreements regarding terms of employment, contract and pay conditions, holiday planning, working hours, etc., are not generally covered by whistleblower protection legislation and therefore also not by this policy. Instead, ICARS staff should revert to the general employee grievance procedures for such issues. In any case, non-whistleblowing reports will also be treated respectfully and referred to as appropriate.

Knowingly false or misleading information may not be submitted through the whistle blower mechanism. Information submitted in bad faith may be reported to the police and may have negative employment consequences or result in contractual consequences for the person, who submitted the information.

 Who can submit a whistle blower report?

ICARS current and former staff, ICARS partners, and everybody else who observes in good faith an issue that might be covered under this policy and in a work-related context.

The ICARS digital whistleblowing system allows for anonymous reporting. However, ICARS encourages whistleblowers against submitting information anonymously (no provision of name, telephone number or other personally identifiable information, including in any shared files). While reports can be submitted anonymously, often whistleblowers fail to provide all the necessary information in their initial report to allow their concern to be thoroughly investigated. Whistleblowers may also have additional evidence documents to facilitate the investigation or subsequent prosecution. Further, ICARS will be unable to protect the whistleblower from potential retaliation of persons who know the whistleblowers’ identity. It is therefore desirable that ICARS is able to communicate with the whistleblower following the initial report and therefore encourages to thoroughly reflect on the need for anonymous reporting.

If information about a whistleblower’s identity has been received, even if unintentionally (e.g., in uploaded files), ICARS may be required in some cases to disclose this information to others. For example, if the report is about a specific individual and that person has a right to the information under the data protection regulations (although of course these rights may be restricted in order to ensure the protection of the rights and freedoms of the whistleblowers and/ or others affected by the reporting). In accordance with the rules of the Danish Access to Public Administrative Files Act, it is also possible to apply for access to documents in a whistle blower case.

4. Implementing procedures

Reporting

ICARS staff can – and is encouraged to – report any concern about misconduct via email or verbally to senior staff or the Safeguarding Officer directly (or the Data Protection Officer depending on the issue), or, if the issue relates to the Executive Management, directly to the Board of Directors/ the Board member in charge of overseeing the ICARS whistleblowing system.

ICARS partner can report to the designated person in the partnership agreement or the ICARS Safeguarding officer.

Further, all whistleblowers can report via the ICARS digital whistleblowing system, including with the option to report anonymously. Detailed instructions on the system can be found on the landing page.

All reports are received by the designated Safeguarding officer and his/ her representative, and subsequently generally forwarded to relevant (senior) staff members, including specific subject matter experts within ICARS (and potentially externally in case of lack of capacity), depending on the category of the report made (e.g., the ICARS Data Protection Officer is involved in case the issue raised is related to data protection), and unless of course the concern relates to their behavior.

In any case, confidentiality will be ensured. I.e., the identity of the reporting person is not disclosed and every effort will be made to protect the person’s identity, unless the person has explicitly consented, or disclosure is required by law. This duty also applies to any information from which the identity of the reporting person can be deduced.

The person against whom the allegation has been made will be protected in the same manner as the whistleblower, since there is a risk of stigmatisation and victimization within their organisation. Whistleblowing reports may also include personal information about third persons, such as witnesses or colleagues. Their personal information also needs to be protected at all stages of the procedure.

Response time

ICARS will generally acknowledge receipt of the report within three days, and absolute maximum of seven days. In the case of reporting to the ICARS digital whistleblowing system, this is done via automated message.

Triage on reports

An initial triage system helps to identify whether issues raised qualify as whistleblowing or not, e.g., as an employee grievance issue. This decision is generally undertaken by the person receiving the report, depending on the issue potentially in consultation with the Director of Operations and the Safeguarding Officer (or its representative) – while of course complying with confidentiality requirements. In any case, non-whistleblowing reports will also be treated respectfully and referred to as appropriate.

Register of safeguarding issues

The Safeguarding Officer will register the disclosure in the register of safeguarding issues, give it an identity number for tracking purposes, and promptly inform a member of the Executive Management and the Board Member in charge of Whistleblowing.

Investigation plan

All investigations must be carried out on a case-by-case basis. Every effort will be made to deal with an issue raised in a timely manner, balancing the need to resolve issues quickly with ensuring that they are dealt with appropriately.

For each whistleblowing report, an investigation plan will be developed that establishes clear roles and responsibilities and sets out an indicative timeline (general rule: 1-3 months for an investigation, absolute maximum in exceptional cases 6 months).

Key elements of the plan include to meet early on with the whistleblower (unless of course he/she reported anonymously), as this is regularly a good way to establish a constructive relationship with the individual and to gather additional material for the investigation, as well as deciding whom to involve in any further investigation, including whether to bring in special expertise, sourced either internally or externally etc.

Any person against whom a concern has been raised (the ‘person concerned’) has the right to know the nature and sufficient details of the concern in order to respond. It is important that no decision is taken until the concern has been investigated and the person concerned has had the opportunity to respond. Any evidence which is entered into the official record and/or is used to make a decision must be shared with the persons concerned.  More generally, it needs to be ensured that the persons concerned enjoys the right to an effective remedy, a fair trial, the presumption of innocence, and the rights of defence, including the right to be heard and the right to access their file. Therefore, ICARS will inform persons concerned as soon as practicable possible. If there is a substantial risk that this notification could jeopardise the ability to effectively investigate the reported allegation or collect necessary evidence, providing notice to persons concerned will be delayed as long as such risk exists.

ICARS may seek advice and involve external authorities when deemed necessary or where there is an obligation to do so.

Record keeping

All whistleblowing reports must be registered in the ICARS whistleblowing register, which includes all documents received as part of the report, and in compliance with confidentiality and other security requirements. In addition, all oral reports must be documented by recording the conversation (subject to the whistleblower’s consent) or by drawing up exact minutes of the meeting or conversation which the whistleblower may approve afterwards.

Record keeping further includes recording of the full whistleblowing investigation (in implementation of the investigation plan, which of course should be reviewed as appropriate), including preserving documents, searches and reviews; recording and/or keeping notes of all conversations with employees and third parties; and recording actions taken and steps taken to test or validate the issue raised.

Importantly, this also includes taking notes about how the scope of the investigation is decided and who is involved in this process. All engagements with the whistleblower also need to be recorded, as well as with those being investigated, the pastoral care given, and the outcome of the investigation.

In general, a clear audit trail of documentation will be created to ensure that a robust investigation of issues raised is conducted.

Maintaining an “in the know” list of those directly involved in the whistleblowing investigation is also part of record keeping.

The ICARS Safeguarding Officer is in charge of keeping the ICARS digital whistleblowing register updated and managing restricted access.

All information relating to the concerns must be treated in the strictest confidence by all parties, limited to those who have a need to know and only to the extent necessary. This includes having robust Information and Communication Technology (ICT) systems in place. Personal information must also be stored securely.

In accordance with personal data protection legislation and the ICARS data protection policy, reports shall be stored for no longer than necessary and proportionate to comply with the requirements imposed by the Whistleblower Directive.

Responses

Responses and sanctions will depend on the gravity of any determined misconduct and its implications for project implementation, the partnership, ICARS’ reputation, or the reputation of ICARS’ funders.

The response will generally be determined jointly by the Safeguarding Officer and, depending on the gravity of the matter and its impact, the Executive Management and/or the Board of Directors.

If the safeguarding issue is likely to have a significant impact on a partnership, or the reputation of ICARS or ICARS’s funders, the Board of Directors needs to be involved.

If the disclosure involves misconduct by members of the Executive Management, the Board of Directors will be involved, and if it involves misconduct by the Executive Director, the Board of Directors will also decide on the appropriate course of action in accordance with the Rules of Procedures of the Board of Directors. Otherwise, the Executive Director will decide on response measures.

If the investigation leads to the identification of impermissible circumstances, illegalities or serious ethical or other irregularities, a number of responses are possible. For example, ICARS may:

  • Express its view on the case to the relevant unit, employee(s), or partner, including criticism, recommendations and/or orders
  • Implement changes to internal guidelines or procedures
  • Initiate a personnel case (e.g. disciplinary or dismissal case) against the relevant involved employees
  • Handover the case to the police or other relevant public authority for investigation of possible criminal offences
  • Activate contractual consequences in cases where the matter involves serious errors or neglect committed by a partner

The response will always be guided by the needs and wishes of the whistleblower and survivors, who are treated with dignity and respect. This includes due consideration of the rights of survivors to privacy and safety. ICARS will also take account of local context to identify suitable response measures, where for example reporting to authorities would potentially cause further harm to the survivor. Consideration will also be given to the support needed by staff and partners aiding the survivor(s).

Follow-up

Once a whistleblowing investigation is concluded, results will need to be shared with the relevant stakeholders, including the whistleblower, employees who were directly impacted by the investigation, senior management, the board, and potentially regulators.

Communicating outcomes of whistleblowing investigations requires the same level of care and attention to detail as the investigation process.

The outcome of investigations may not be fully communicated to the original whistleblower as the confidentiality and protection of staff is a priority. However, also in situations where there are legal constraints that prevent disclosing the exact outcome of an investigation, it’s crucial to provide at least a minimum of feedback to the whistleblower. Therefore, ICARS will consider publishing anonymised reports to inform staff and the general public about any whistleblowing incidents in the organisation and their outcomes.

5. No retaliation

ICARS has zero-tolerance for any threats or attempts to retaliate against whistleblowers, and which are also prohibited by law.

Anyone who raises in good faith a concern about a possible compliance violation will be supported and protected by ICARS management and will not be subject to retaliation. Any act or threat of retaliation will be considered a serious violation of the Code.

Any person can contact the ICARS Safeguarding Officer of the Board member in charge of overseeing the whistleblowing programme if they have suffered negative consequences because they submitted information to the whistle blower mechanism.

ICARS would also like to draw attention to the fact that under the Danish Whistleblowing Act (when it enters into force), whistleblowers are entitled to compensation if they are retaliated against or in case of attempts to prevent their reporting.

6. Whistleblowing and GDPR

Establishing and operating a whistleblowing policy will involve the processing of a number of personal data of highly sensitive or confidential nature.

ICARS is committed to ensuring that all processing of personal data under this policy follows data protection legislation. Recognizing that the whistleblower and the person(s) concerned can exercise their individual rights under data protection legislations, ICARS in particular commits to developing respective privacy notices and making them available in line with transparency requirements under the GDPR[3]. See the ICARS data protection policy for more information.

Key points in implementation of essential data protection principles[4]:

  • Data minimisation: Personal data which is manifestly not relevant for the handling of a specific report should not be collected. If such data was collected accidentally, they should be deleted without undue delay. This is particularly important for sensitive personal data.
  • Retention Period: Personal data processed in the context of a whistleblower report should be deleted promptly and usually within two months of completion of the investigation of the reported allegations. Different conservation periods will apply depending on the information reported and how the case is dealt with, e.g. the periods may be extended if legal proceedings or disciplinary measures are initiated. Different conservation periods also apply for record keeping on the response measure.
  • Transfer to data: With regards to allegations that concern activities or people outside the EU, reports should as a general guidance be dealt with locally as far as possible. If personal data associated with a report needs to be shared with recipients outside of the EU, ICARS will need to ensure that the data transfer restrictions in Chapter V of the GDPR are taken into account.
  • Anonymisation: Any whistleblowing-related personal information retained for statistical purposes should be made anonymous. ICARS will be particularly cautious with any information that may result in indirect identification.
  • Privacy notice: All individuals affected by a whistleblowing procedure should be directly provided with a specific data protection notice as soon as practically possible.

7. Communication and training

The Policy will be regularly communicated to all ICARS staff and all new ICARS staff will be provided with a copy of this Policy when joining the organization. It will also be made available via the ICARS website.

In addition, ICARS will raise awareness of the policy among partners, in particular by prominently featuring the ICARS whistleblowing landing page on its website.

ICARS will regularly train relevant staff on their whistleblowing responsibilities and communication channels established.

8. Policy review

The Board of Directors shall authorise and oversee a periodic review of the administration of this whistleblowing policy at least every two years. The review may be written or oral. The review shall consider the level of compliance with the policy, information on how outcomes have supported the overall compliance and ethics and integrity programmes, the continuing suitability of the policy, and whether the policy should be modified and improved.

Regarding the level of compliance with the policy, this includes (1) awareness and trust among employees, (2) detailed information about any cases of retaliation that were raised, confidentiality broken, or data privacy breached, and (3) any adverse incidents that should potentially have been flagged by employees but were not.

Any changes to the policy shall be communicated immediately to ICARS staff and published on the ICARS website.

9. Key definitions

Personal data: Any information which are related to an identified or identifiable natural person.

Retaliation: Any direct or indirect action or omission that (1) occurs in a work-related context, (2) is the result of internal or external reporting or of public reporting, and (3) causes – or may cause – the whistleblower unjustified harm.

Survivor: A person negatively affected by a reported illegality/ misconduct.

Whistleblower: A natural person who reports or publishes information on a person or organisation regarded as engaging in an unlawful or immoral activity.

Additional references

The following ICARS policies reference protection for whistleblowers:

The ICARS Code of Ethics & Professional Conduct includes several references to the whistleblowing procedure.

The ICARS data protection policy.

[1] Inspired amongst others by Traffic’s Whistleblowing Policy 2016 and the Whistleblowing process of the Ministry of Foreign Affairs of Denmark.

[2] These laws include the Danish Anti-Money Laundering Act, the Danish Financial Business Act, the Danish Property Credit Companies Act, the Danish Consumer Credit Agreements Act, the Danish Insurance Mediation Act, the Danish UCITS Act, the Danish Capital Market Act, the Danish AIFM Act and the Danish Payments Act. The laws specific for the financial sector only apply if whistleblowers report illegal conduct relevant under the specific legislation.

[3] A flow chart on ensuring individual’s rights is included in the EDPS Guidelines on processing personal information within a whistleblowing procedure. December 2019, Annex 12.2.

[4] Based on EDPS Guidelines on processing personal information within a whistleblowing procedure. December 2019.