Key Considerations for Building an Effective Whistleblowing Policy
Corporate whistleblowing policies are becoming the norm in Canada and globally. These policies are not simply “another avenue” anymore, particularly due to recent legislative changes and regulatory expectations.
Effective policies promote corporate accountability and encourage internal reporting of actual or suspected misconduct as the first step in any escalation, thereby mitigating against potentially damaging outreach to external stakeholders and regulatory bodies for matters than can instead be satisfactorily managed in-house with lesser to no financial or reputational harm. In this article, we discuss key considerations for building effective whistleblowing policies.
The Canadian legal regime is complex
In 2019, the European Union (the “EU”) passed a ground-breaking Whistleblower Directive requiring all EU member states to implement into their respective national laws the Directive’s rights and obligations for whistleblowers, private companies and the Member States themselves. While Canada currently has no mandatory directive on whistleblowing, corporate policies for whistleblower reporting and protections are increasingly prevalent across a variety of industries and viewed as an important component of corporate governance and customer relations.
When drafting whistleblower policies, companies should consider the patchwork of Canadian federal and provincial legislation and regulations that address the reporting of potential misconduct internally and externally, most of which are tailored for specific legal issues. Most legislation encourages the good faith reporting of potential wrongdoing and provides certain protections against reprisal to whistleblowers. Some legislation also provides financial incentives and anonymity to whistleblowers. For example:
- The Public Servants Disclosure Protection Act (the “PSDPA”), the Canada Labour Code and associated regulations encourage federal public sector employees to report wrongdoings, protect such employees, and impose obligations on employers to investigate complaints.
- Provincial public sector laws offer similar protections for public sector employees.
- The Criminal Code makes it illegal for employers to retaliate against an employee for, or deter them from, reporting information to law enforcement regarding a criminal offence the employee believes has been committed by their employer.
- The Competition Act prohibits employers from disciplining employees who disclose violations of the Competition Act to the Competition Commissioner in good faith.
- The Canada Labour Code and comparable provincial statutes concerning employment standards and occupational health and safety prohibit employers from taking disciplinary action against employees who make complaints under the legislation.
- The Personal Information Protection and Electronic Documents Act (“PIPEDA”) protects the identity of employees who, acting in good faith, notify the Privacy Commissioner of a potential privacy breach or contravention of PIPEDA and prohibits the reprisal of such employees.
- Other provincial statutes in Alberta, BC and Quebec are substantially similar to PIPEDA. Under these provincial statutes, individuals who have reasonable grounds to believe a company has contravened (or is about to contravene) the province’s privacy legislation and who notify the relevant privacy regulator in good faith are protected from reprisal and can request that their identity be kept confidential with respect to the notification.
- Provincial securities acts protect whistleblowers who report securities laws violations to regulators. Several securities acts prohibit retaliation against employees who disclose securities-related misconduct in good faith, or who cooperate with a regulator’s investigation. The Ontario Securities Commission (the “OSC”) has gone one step further, incentivizing potential whistleblowers with monetary rewards. Under the OSC’s Whistleblower Program, eligible whistleblowers may be awarded up to $5 million for reporting serious securities-related wrongdoings that lead to significant enforcement or settlement outcomes. See our previous blogs discussing the OSC’s Whistleblowing Program in more detail here and here.
- Several self-regulating professional bodies in law, medicine, accounting and engineering have imposed on their members a duty to report misconduct and often provide independent channels for complaints by the public regarding misconduct by their members. For example, lawyers have an ethical duty to advise clients if they know the client has acted dishonestly, fraudulently or criminally and to report the matter internally “up the ladder”, as appropriate. Other professionals such as engineers have a similar duty to expose dishonest or unethical conduct by any other practitioner to the appropriate regulator.
Benefits of an Effective Whistleblowing Policy
There is tension between encouraging employees to report potential misconduct internally and not unlawfully discouraging them from reporting to regulators or law enforcement, recognizing many statues require the employer to make it clear that they are not prevented from so doing.
As a general matter, employees owe their employers a duty of loyalty, fidelity and confidentiality. Failure to adhere to these duties can justify disciplinary action, including summary dismissal. That said, such duties will not override a statutory whistleblower regime. For instance, an employee who reports a potential criminal law offence to law enforcement in good faith is not necessarily breaching their duty of confidentiality to the employer. If the employee’s reporting is not undertaken in good faith or the employee has no reasonable basis to suspect wrongdoing, then the employer may consider taking disciplinary action. Any action taken would be fact-specific and the employer should seek legal advice, especially whenever an allegation of retaliation could be made by the employee or a regulator.
Despite the tension noted above, there are clear benefits to employers adopting effective whistleblower policies:
- Having a clear and effective whistleblowing policy and a strong “speak-up” culture is consistent with good governance and potentially helps detect, if not prevent, misconduct before it escalates.
- In some cases, facilitating a strong culture of communication and whistleblowing may prevent or detect hard to detect misconduct within a company.
- By preventing misconduct or making misconduct harder to sustain, companies with effective whistleblowing policies can arguably earn a greater return on assets. There are studies indicating that effective whistleblowing policies can make companies more profitable.
- By preventing misconduct or making misconduct harder to sustain, companies with effective whistleblowing policies can curtail lawsuits or mitigate damages, potentially resulting in lower business costs.
- Effective internal policies allow companies to address issues before they become public.
Best Practices for Effective Policies
Below are helpful considerations for companies when building or updating a whistleblower policy.
Start with a clear policy
Ensure that the whistleblowing policy language is clear and concise. The policy should outline the process for making a report (such as by independent telephone lines, online reporting, or dedicated email) and the protections afforded to whistleblowers. Companies should ensure the policy covers all aspects of whistleblowing, including the types of incidents that can be reported, how to report them and how they will be investigated.
Offering a confidential process that allows for anonymity
Effective whistleblowing policies are designed to ensure that the identity of a whistleblower is either kept confidential (only designated individuals know the whistleblower’s identity) or completely anonymous (the whistleblower’s identity is unknown). It is important for companies to uphold privacy obligations when collecting any personal information through whistleblowing reports or related investigation documentation, including the personal information of the whistleblower, those suspected of wrongdoing and other third parties. In such cases, it is imperative that companies abide by their privacy obligations and any existing privacy policies (including with regard to retention and disposal). Unauthorized information leaks may not only deter future issues from being disclosed, but could also have adverse consequences for all individuals involved and/or lead to a reportable privacy breach. Further, a company’s whistleblowing policy should discourage the collection or storage of irrelevant or excessive personal information. Finally, the potential limits on the reach of the investigation that can result from this type of protection should be expressly stated, reminding whistleblowers that in some circumstances they may need to disclose their identities or the investigation may be unable to continue to resolution, and if they do disclose their identities that confidentiality protections will remain in place to the greatest extent possible.
Prioritize prevention, correction and accountability
The effectiveness of a whistleblowing policy is dependant on proper action following investigations, such as corrective measures, proactive steps toward preventing reoccurrences and substantive decisions to hold wrongdoers accountable. The credibility of the policy also depends on stakeholders’ perception that complaints will be dealt with appropriately.
Facilitate effective and transparent investigations
The perception of transparency and accountability are key to successful whistleblowing policies. Studies show that lack of reporting often stems from people believing there will be no response or remedy. Companies should make it clear to employees that knowledge gained from investigations will be implemented and, if appropriate, disclosed.
It is important to establish a process by which complaints, and particularly those relating to individuals in supervisory, managerial or executive positions, can be effectively received and addressed, given the practical realities and limits of corporate chains of command. Establishing an independent complaints system or retaining external, arms-length investigators to deal with issues relating to alleged misconduct are useful measures for maintaining an independent, neutral and unbiased process and for achieving appropriate outcomes.
Parties should take care to involve internal or external legal counsel at the outset of an investigation, including in relation to the retention of any investigator. By doing so, components of the work, communications and reports generated at the request of legal counsel can be pursued under the protection of legal privilege, which is invaluable for encouraging the free flowing of theories and potential resolutions, particularly while they are in draft state. Where privilege can be properly applied, the integrity of the purpose for the process can be better preserved.
Protect whistleblowers from reprisal
As detailed above, there are a variety of statutory protections for whistleblowers or individuals who participate in an investigation process, with which companies must comply. Non-compliance could compound the company’s exposure to the underlying issue, ground a retaliation claim by the individual impacted, and lead to negative reputational impact or financial consequences. It is important for HR and compliance teams to understand the difference between agitation, grievance and whistleblowing as well as statutory obligations—including the prohibition against retaliation.
While it is strongly preferable that employees report issues internally so that companies have an opportunity to investigate and correct issues themselves, it is important that individuals are not discouraged from reporting misconduct to regulatory bodies. Federal and provincial occupational health and safety statutes protect individuals who make complaints to provincial regulatory boards. When it comes to securities regulators, discouraging reporting may be viewed as a breach of securities law. Notably, s. 121.5 of the Ontario Securities Act voids any contractual provision prohibiting the disclosure of information to the OSC. Moreover, in the US, the SEC has found contractual limitations on an employee’s ability to report to a securities regulator to be problematic.While Canadian securities regulators have not yet made similar findings, companies operating here can nonetheless take the prudent step of ensuring that confidentiality policies make clear that employees are prohibited from disclosing confidential information, except as required or as permitted by law.
Demonstrate commitment from leadership
A strong whistleblowing policy starts at the top. It is crucial that the company’s leadership team is informed and committed to the system. Leaders should possess a sufficient familiarity with the whistleblowing process and demonstrate commitment to impartial investigations. There should also be a commitment to following appropriate procedures to promptly remedy issues.
Any whistleblowing policy must also be communicated to all members of the company through internal communications, education and periodic follow-up training to ensure everyone has an appropriate understanding of the policy and makes proper use of it.
Please contact us with your questions about whistleblower policies, on how best to make use of your existing policies or how to properly investigate a whistleblower complaint.
 SC 2005, c. 46.
 RSC 1985, c. L-2.
 Work Place Harassment and Violence Prevention Regulations, SOR/2020-130.
 For example, in BC public servants who have disclosed wrongdoings regarding citizen privacy and data management are protected under the Freedom of Information and Protection of Privacy Act, RSBC 1996, c. 165 and whistleblowers can confidentially disclose serious or systemic issues of wrongdoing that affect the public interest under the Public Interest Disclosure Act, SBC 2018, c. 22. In Ontario, the Public Service of Ontario Act, 2006, SO 2006, c. 35, Sched A, ss. 108–150 has similar protections to the PSDPA. In Alberta, the Public Interest Disclosure (Whistleblower Protection) Act, SA 2012, c. P-39.5 provides a mechanism by which public servants can disclose matters an individual believes may be unlawful, dangerous, or injurious to the public interest and protects that individual from repercussions. See also the Public Interest Disclosure (Whistleblower Protection) Act, CCSM, c. P217; E-Health (Personal Health Information Access and Protection of Privacy) Act, SBC 2008, c. 38, s. 22.
 RSC 1985, c. C-46, s. 425.1.
 RSC 1985, c. C-34. ss. 66.1, 66.2.
 SC 2000, c. 5 [PIPEDA], ss. 27 and 27.1. PIPEDA applies to Federally regulated organizations or private-sector organizations across Canada that collect, use, or disclose personal information in the course of a commercial activity.
 Personal Information Protection Act, SA 2003, c P-6.5 [“Alberta PIPA”]; Personal Information Protection Act, SBC 2003, c. 63 [“BC PIPA”]; Act Respecting the Protection of Personal Information in the Private Sector, RSQ, c. P-39.1, s. 81.2 [“Quebec Act”].
 BC PIPA, ss. 54 and 55. Alberta PIPA, s. 58; Quebec Act, s. 81.2.
 Professional Engineers Act, RRO 1990, Reg 941, s. 77(8); Association of Professional Engineers and Geoscientists of Alberta, Professional Practice Guideline, APEGA, 2020, s. 4.1.5; Engineers & Geoscientists British Columbia, Code of Ethics.
 Stubben, Stephen and Kyle Welch, “Evidence on the Use and Efficacy of Internal Whistleblowing Systems” (2020) Journal of Accounting Research, 58:2. This study analyzed over 10 years’ worth of records from NAVEX Global.
 Ethics Resource Center, “2011 NBES Supplemental Research Report: Inside the Mind of the Whistleblower” (2012) at 5, online(pdf): Corporate Compliance Insights.
 Rule 21F-17 prohibits any impediment to communicating direction with the SEC about securities law violations. See for example In re Guggenheim Securities LLC (23 June 2021), No. 92237; In re SandRidge Energy, Inc (20 December 2016), No. 79607; In re BlueLinx Holdings Inc (10 August 2016), No. 78528.