Journey

1. Anti-fraud complaint mailboxes: basic concepts

We are facing a new legal obligation. Directive 1937/2019 of the European Parliament and of the Council, of October 23, 2019, regarding the protection of people who report violations of Union Law, establishes the need to promote internal and external reporting channels: “ Member States shall promote communication through internal complaint channels before communication through external complaint channels.” (article 7.2). The rule establishes a preference for internal reporting channels over external ones, “Member States shall promote communication through internal reporting channels (…), provided that the infraction can be dealt with effectively internally and provided that the complainant consider that there is no risk of retaliation.” (article 7.2). This need to promote the implementation of internal complaint channels is complemented by the need to articulate the appropriate complaint and follow-up procedures, after consulting the social partners and in accordance with them when established by national law.

However, the complainant may go directly to the external channel if, after the internal complaint, the appropriate measures are not taken; if it is presumed that the complaint to his superiors will not produce effects; or when there is imminent or manifest danger to the public interest.
For its part, the Draft Law transposing Directive 2019/1937 (hereinafter, APL), refers to internal information systems, opting for this less forceful terminology, almost a euphemism, and providing that these internal information systems information are the preferential channel to report on the actions or omissions provided for in article 2, in short, on infringements of Union Law provided for in the Directive (article 4 APL). The administration or government body of each entity or body will be responsible for the implementation of the internal information system, after consultation with the legal representation of the workers (art. 5 APL). The management of internal information systems may be carried out within the entity itself or by going to an external third party. (art. 6 APL). In addition, all internal information channels will be integrated into the internal information system.

The Preliminary Draft also refers to the anonymization or confidentiality of the informant (understood as “complainant”). Thus, it establishes that the internal information channels must allow the presentation and subsequent processing of anonymous communications (art. 7.3 APL). For its part, the procedure for managing internal communications (understood as “complaints”) is the one established in art. 8 APL, to which we refer. In any case, it will be necessary to follow the evolution of the text already in the phases of the Bill, reports and processing in parliament.

What does seem clear is that the vast majority of public and private entities must have them: “Member States shall ensure that legal entities in the private and public sectors establish channels and procedures for internal reporting and follow-up (…)” (art. 8.1 Directive). According to the Directive itself, the establishment of a complaints channel or mailbox is mandatory for legal entities in the private sector with more than 50 workers. Member States may require it from entities with less than 50 workers, but this decision is left to national regulatory development. At the moment, the aforementioned draft law generally regulates the obligation only for private legal entities with 50 or more workers. The same does not happen in the public sector, where reporting channels will be mandatory. In this case, the Directive once again establishes the possibility for Member States to exempt municipalities with fewer than 10,000 inhabitants or with fewer than 50 workers, as well as other legal entities in the public sector with fewer than 50 workers. But here the preliminary bill does not exempt any public sector entity from the obligation, and given that the difficulties of small municipalities can be solved with the sharing of resources and, above all, with the action of support and assistance of Provincial Councils, Cabildos and Councils, it is more than likely that the obligation will remain.

2. The complaints mailbox of the Valencian Anti-Fraud Agency: a model to reproduce

How to articulate the aforementioned obligation to create and maintain a mailbox for complaints in our public sector entities? Our particular proposal is the model of the Valencian Antifraud Agency. Our complaints mailbox, in this case internal and, as an anti-fraud office, also external in the sense explained above, has been in operation since 2018. It is based on the Globaleaks platform and was originally adapted to the current technology and legislation by Xnet, this form could be used and replicated in different institutions and organizations in Spain quickly, agilely and without cost.

The tool can be downloaded from the website of its creator https://www.globaleaks.org/ where you can access its main features and which we would like to group into four groups:

1.At the user level: simple management from a web interface, translated into more than 60 languages, fully configurable and customizable with the corporate colors and logos of the different administrations. It also allows its adaptation to the casuistry of each project, allowing anonymous reporting, creation of advanced questionnaires, private conversations and exchange of information and statistical reports.

2.On a technical level: long-term maintenance guaranteed by the developer (LTS), fully autonomous application (no need for web servers or other applications), built using light navigation technologies, integrated backup system, configuration automated access through the TOR private network and prepared to be integrated with other web pages and intranets.

3.At a legal level: it complies with the standards of ISO 37002:2021 (Management systems for reporting irregularities) as well as with Community Directive 2019/1937 on the protection of whistleblowers of corruption. It complies with the European GDPR data protection regulation allowing data retention policies to be configured, in the same way it guarantees the custody of the complainant’s identity (if provided) by protecting access to complaints as well as by the absence of registration of the IP addresses of those who make these communications.

4.At the security level: it guarantees access through HTTPS protocols and the TOR network. It is continuously exposed to different pentesting tests to guarantee and improve its security. It allows access through double authentication factor, all the content provided is encrypted and only accessible to authorized recipients. It leaves no trace in the browser cache, has anti-spam mechanisms and offers support for the exchange of messages through PGP (Encryption and Signing of messages).

Lastly, at the level of specific support and maintenance, there are several public forums for the tool where it is possible to consult and propose new doubts that are usually resolved by the developers themselves. If more personalized support and direct attention is necessary, although it is not necessary, it is possible to contract a more specific maintenance with the developer, although with the information available and the existing user community, most doubts are resolved quickly. In the same way, product updates are constant and its distribution and application are free, which guarantees the integrity of the platform and its continuous improvement and adaptation to current technology and regulations.

In summary, we are faced with the solution that, in terms of functional and economic efficiency, will offer the best response to the obligations imposed by articles 7 and 10 of Directive 2019/1937 in terms of the obligation to have internal complaint channels and external. The tool is adaptable to both needs and complies with the technical and security measures that guarantee the protection of the complainant’s identity and access to the reported information only to those users who are authorized to do so.

Victor Almonacid Lamelas. Director of Prevention, Training and Documentation of the AVAF
Javier Alama Izquierdo. Head of the AVAF Information Systems Service