Q&A about the implementation of a system to handle Whistleblower requests

Learn about the most frequently asked questions about the Whistleblowers module

Handling of Whistleblowers’ requests in the eHelpDesk system

We make every effort to meet the expectations of our clients. That’s why, after introducing a new feature in the eHelpDesk system, a module for Whistleblowers, and after hundreds of hours of presentations and webinars, we have compiled a set of frequently asked questions.

Frequently asked questions about the Whistleblower module

Below you will find a list of the most frequently asked questions about the operation of the Whistleblower module.

1. Data transfer rules (RODO, i.e. GDPR). What about the servers? Where is the data located?

The program’s data storage and transfer rules are fully compliant with the provisions of the RODO. As a rule, the system is installed on a server provided by the client and located in the client’s network. It is possible to install on another server specified by the client or in the cloud. Note that cloud installation requires compliance with RODO requirements, which, for example, eliminates the solutions of most large US companies. In this case, it is suggested to use BTC’s cloud server, which meets all RODO requirements. Program data is stored in an encrypted database on the server.

2. Who should deal with the subject of data transfer? I do not know to whom to send the information I received from you.

According to the directive’s provisions, each unit is obliged to establish and maintain an internal breach notification channel and must do so on its own. Impartial persons should be appointed to review reports of violations, but establishing the rules and regulations and the reporting channel itself is the responsibility of the head of the unit.

3. Am I required to implement the system in my infrastructure?

According to the Directive of the European Parliament and the Council, the obligation covers all private entities with at least 50 employees and, in principle, all public entities with at least 50 employees (including municipalities and other TSUs).

The Polish legislator must clarify the conditions for inclusion in the directive’s provisions and define penalties for non-compliance. It should do so by December 17, 2021. However, a law on the subject is not expected to be adopted until early 2022.

4. Can a company employee be a system administrator? How to appoint this person?

The system administrator may be an employee of the company. It can also be another person. The head of the unit appoints this person by granting the appropriate authority and entrusting them with the tasks of handling reports of violations.

5. Can the module work independently of our other solutions?

The Whistleblower module can operate either as an add-on to the eHelpDesk system or as a stand-alone program, without the need to install other BTC solutions.

6. If I have eHelpDesk Professional, will I have to buy the Whistleblower module or will I get it for free as an upgrade?

The Whistleblower module is paid for independently of the current solutions offered by BTC. Pricing is prepared based on individual terms and conditions. For example, in the case of subscriptions, the purchase amount will be reduced accordingly so that the warranty period (SA) coincides or excludes the need to purchase additional accesses for those handling Whistleblower reports.

7. Is it possible to purchase on a 12-month subscription model or an indefinite license?

The Whistleblower module can be purchased in both the 12M Subscription and Indefinite License models. It all depends on individual arrangements.

8. How do you ensure confidentiality? How and where is data protected?

The system is designed to protect the anonymity of the Whistleblower. As a rule, the Whistleblower’s data is not stored by the system, as long as anonymous submissions are allowed. Even when information about the Whistleblower’s identity is collected, the data stored in the system is protected from unauthorized access. The system’s database is fully encrypted, and there is no way that it can be accessed by someone who does not have the proper login credentials. Access to the system administrator’s console is restricted to authorized persons only. This also applies to the use of the module as part of the eHelpDesk system. In this case, too, only authorized persons have access to Whistleblower reports.

Within the system itself, it is also possible to grant certain authorized persons access to process only part of the submissions.

The Whistleblower does not leave any contact information in the system. Communication with the authority takes place through an encrypted connection offered by the program.

9. How much time does the person handling the requests have to respond? In what time should the issue be resolved? Can the times be configured?

The response time is set by law and is 7 days from receipt of the request to the first response. However, this does not mean that the request must be finally resolved, for which the time is indefinite and subject to determination in the unit’s internal regulations. The system measures the time to first response from acceptance of the request.

10. How does the Whistleblower log into the system? What do their credentials look like?

To make a report, the Whistleblower does not need to log into the system. After opening the Whistleblower panel page, they can make a report according to the rules set by the client (it is the client who decides on the shape of the report form, the issue of anonymity, etc.). After reporting a violation, the Whistleblower receives individual login data (the report ID and report CODE). These data are unique for each report.

11. Is there a limit to the size of attachments?

Limiting the number and size of attachments depends on the customer’s settings when installing the system.

12. Do I have the option to choose between an anonymous submission and one that contains personal information? Is it possible to block anonymous submissions?

The system allows you to select the option of anonymous submissions or submissions containing personal information. This is done by setting the required columns parameter in the submission.

13. What is the communication between the Whistleblower and the person handling the request? Is there a requirement for the requester to enter an email address for this?

Communication between the Whistleblower and the authority takes place through the system and there is no need to provide any contact data of the Whistleblower. The system does not store such data, which ensures constant communication with maximum protection of the Whistleblower’s data.

14. Does the Whistleblower have access to the submissions?

Using the ID and CODE obtained from the system, the Whistleblower has access only to the reports that they themselves have made. In addition, the Whistleblower’s access is limited to viewing data and correspondence with the authority.

15. Can the module work only on the internal network?

The system can operate on both internal and external networks. This is entirely up to the customer. Making the Whistleblower panel available on the external network widens the potential pool of Whistleblowers to include people who are “affiliated with employees” of the entity, a phenomenon desired by the directive, but not required.

Regardless of the availability of the Whistleblower panel, the client has complete freedom to determine the availability of the administrative panel, which can allow remote work without the need to connect using a VPN.

16. How do we take care of data confidentiality?

The system safeguards data by limiting data collection to what is necessary and by securing data storage and transfer.

The Whistleblower module does not take any contact information from the Whistleblower, and it also allows reports to be made anonymously, providing the Whistleblower with maximum identity protection. All connections made within the system are also encrypted and have security features in accordance with ISS security certificates.

The database is password-protected against unauthorized access.

Access to the administrator’s console is protected by a dual login credential.

17. Who has access to the database? What data does it have access to?

As a rule, access to the data is made from the administrator’s console. Data processing and viewing is limited to those with access to the program console, i.e. those whose job is to process requests. Only the system administrator has access to the database.

18. Is it possible to anonymize the IP of a request for a cloud server service?

There is such a possibility. However, this does not affect tracking, by other programs, of the activity of the computer from which you logged into the system.

19. Can the system be configured so that the requester’s data is stored on a different server than the request itself?

It is possible to configure the system so that the Whistleblower’s data, if collected, is stored in a separate database.

20. Do we have protection against bots?

The system is secured with the latest CAPTCHA solution.

21. If the parent unit purchases the system am I required to implement it individually as well?

This depends on the number of employees and the regulations of the parent entity. It can oblige the entity to implement the system or allow the use of the sent system. You can use the profiles function from the Whistleblower module in eHelpDesk to create notification channels for subordinate units.

22. Can the login screen be modified for multiple entities?

With the profiles feature, the Whistleblower module provides a number of fully customizable panels that can have different requirements for the request form and a different layout.

23. Is it possible to restrict administrator access to requests from a specific entity?

Like eHelpDesk, the system lets you modify the permissions of individual users at will. You can narrow access for users to specific types of requests or requests delivered from specific profiles. What’s more, you can freely modify the scope of permissions, just like in the eHelpDesk system. Note that only the system administrator has access to all data in the system.

24. Can the system/module be operated from the phone?

Yes. All the solutions offered by BTC are available in web technology, including the Whistleblower module.

25. Is it possible for the administrator to enter the requests themselves?

Yes. Such a possibility will be available in the system from the administration console.

26. Is it possible to add your own comments to the submissions?

Yes. Editing of submissions is available from the administrator’s console. The administrator can add notes to submissions.

27. Is it possible to revoke the rights of a person (administrator) with whom the organization has terminated cooperation?

Yes. You can revoke the administrator’s privileges after cooperation has been terminated, even without the administrator’s consent or cooperation.

28. Are the actions of administrators monitored? Are logs available on the system?

The actions of the administrator and users are monitored and the history of processing requests can be established.

29. Does the system allow automatic translation of requests into another language?

At the moment, the system does not allow automatic translation of submissions. Adding an option to translate written submissions is feasible, but the system does not provide support for transcription of oral submissions in any language at this time.

30. Is it possible to report/export the data available in the system?

The system will offer the ability to generate reports and export them from the system.

2023-12-12T11:22:56+01:00