Amendments to The Protection of the Whistleblower Act: What Employers need to know
The Protection of the Whistleblower Act, CAP 527 of the Laws of Malta (the “Whistleblower Act”), which became part of our legislation in 2013, was recently revised with the aim of transposing the requirements of the EU Directive 2019/1937 on the protection of persons who report breaches of Union law into our law. The new amendments entered into force on the 24th of December 2021.
Prior to the recent amendments, the obligations emanating from the Whistleblower Act applied only to Government Ministries and large private organisations with a minimum of 250 employees, or with balance sheets or an annual turnover meeting very high thresholds.
In contrast to the prior law, today all entities with a minimum of 50 employees fall within the scope of the law and are required to meet the obligations established therein, primarily the obligation to incorporate internal reporting channels for the protection of whistleblowers who report improper practices at the workplace. Organisations with less than 50 workers, particularly those which operate in areas wherein environment and public health risks may ensue, would also be required to abide by the said obligations, if same is determined following an appropriate risk assessment.
Moreover, those voluntary organisations which annually raise €500,000 from public collections and other donations, are subject to the same law.
All employees who disclose improper practices by their employers or other employees in the employ of the employer are granted protection from detrimental action. These include self-employed persons, contractors or sub-contractors, outworkers, volunteers, civil servants, seconded workers and following the new amendments shareholders, directors including non-executive directors, and paid or unpaid trainees.
Protection is also extended to former employees and to job applicants. The latter may be granted whistleblower protection in so far as the information regarding the improper practice was acquired during the recruitment process.
By the new amendments, the same protection afforded to the whisleblower, may also be granted to:
The amendments have broadened the scope of what constitutes improper practices. Indeed, wrong doings that may be the subject of a disclosure include actions relating to failure to comply with any legal obligation or with any legal obligation emanating from the laws on public procurement, financial services and anti-money laundering, product safety, transport safety, nuclear safety, food safety, animal welfare, consumer protection and data protection; actions whereby health and safety is likely to be endangered or the environment is likely to be damaged, and other actions whereby a corrupt practice, a criminal offence, a miscarriage of justice, bribery has occurred or is likely to occur.
Certain restrictions on protected disclosures have been done away with. The amended law now provides that disclosures on improper practices shall be protected in so far as, the whistleblower had reasonable grounds to believe that the information on breaches disclosed was true at the time of disclosure, and it has been disclosed in terms of the disclosure channels provided by the Whistleblower Act; these being internal, external or public disclosure routes.
The Whistleblower Act continues to restrict protection to anonymously made disclosures. As a rule, these are not afforded protection, however the new amendments now provide protection to anonymous whistleblowers who following a public disclosure, are subsequently identified and suffer retaliation.
The obligations of private employers
All private employers that fall within the scope of the Whistleblower Act are obliged to establish internal procedures for receiving and dealing with information about improper practices committed within or by its organization. It is fundamental that these reporting channels provide the necessary protection with respect to the confidentiality of the whistleblower. These internal procedures should, as a minimum, include all of the following:
- The appointment of a whistleblowing reporting officer competent for receiving and following-up on reports;
- Channels for receiving reports in writing or orally, or both. Oral reporting is to be made possible by telephone systems or other voice recording software. These channels are to be designed, established an operated in a secure manner that ensures confidentiality of the identity of the whistle-blower and any third party mentioned in the disclosure is protected, and prevents access thereto by non-authorised staff members;
- The provision of a physical meeting to the whistle-blower within a reasonable time period, where this has been requested by same;
- The reporting officer is required to maintain communication with the whistleblower and, where necessary, ask him/her for further information and provide him/her with feedback, and follow-up diligently on all reports.
In addition, each employer should also provide its employees clear and easily accessible information about the existence of the internal procedures, and adequate information on the use of such procedures shall be published widely within the organisation and republished at regular intervals. Moreover information should also be provided in relation to the procedures for reporting externally to Maltese competent authorities and relevant EU institutions.
The whistleblowing reporting officer is also bound to acknowledge receipt of the internal disclosure with 7 days of receipt and provide feedback by not later than 3 months from the acknowledgement.
Furthermore, the whistleblowing reporting officer is bound to keep record of every report received in terms of the provisions of the Whistleblower Act, as well as other applicable laws.
In the event that an internal disclosure leads to the detection of a crime or contravention, the reporting officer may refer the report to the police for investigation.
The head or deputy head of an organisation may be deemed to be the whistleblowing reporting officer in certain circumstances, including where that same organisation has not established and published the aforementioned internal procedures.
It goes without saying that all processing of personal data carried out in relation to any disclosure is to be carried out in terms of the data protection laws including the GDPR.
Action for damages
Any person who believes that detrimental action (which among others, includes harassment, occupational detriment and disciplinary proceedings) has been taken or is to be taken against him in reprisal for a protected disclosure may file an application to the Civil Court for an order requiring the defendant to remedy the detrimental action or an injunction.
In conclusion, it is crucial that all employers are aware of and understand the set of obligations that they are now subject to in terms of this law, including the establishment of reporting channels, internal policies and the handling of the whistleblowers’ reports. Similarly, employees are required to understand their rights and when they are afforded protection in terms of the law.
An article published by Times of Malta and written by our Partner Celia Mifsud and Zack Esmail Legal Intern: