Reporting violations to the Oversight board / Anti-Corruption function and 231/2001

Reservation notes

Forms of protection of the whistleblower provided by the law

The art. 1, paragraph 51 of the Law 190/2012 (so-called anti-corruption law) introduced a new article, the 54-bis, in the D.Lgs. 165/2001, entitled “protection of the public employee who reports offences”, under which was introduced in our set of rules a measure aimed at promoting the emergence of cases of wrongdoing, known in English-speaking countries as whistleblowing.

The whistleblowing is regulated by the Law 179 of November 30th,2017, that has amended the art. 54-bis of the D.Lgs. 165/2001. The legislation provides the protection for the public and private employees who report the commission of an illicit and/or an offence to the persons in charge, protecting himself against any reprisals or discriminatory measures, direct or indirect, from his colleagues or superiors.

The identity of the whistleblower cannot be disclosed without his express consent and all those who receive the reports or are involved in the management of the reports are obliged to protect the confidentiality of that information.

Discriminatory or retaliatory acts adopted by the administration or by the body are invalid.

The ANAC, with the Determination number 6 of April 28th, 2015 has issued the “Guidelines on the protection of the public servant who reports abuse (whistleblower)” with the clear indication that the reports, in order to protect the whistleblower, should be treated computationally with computerised and cryptographic systems.

Confidentiality obligations on the identity of the whistleblower

Except in cases where is attributable a responsibility by way of calumny and defamation, the identity of the whistleblower is protected in every context following the report. The identity of the whistleblower may be revealed to the disciplinary authority and to the accused only in cases where:

  • There is the expressed consent of the whistleblower;

  • The contestation of the disciplinary charge is founded, in whole or in part, on the report and the knowledge of the identity of the whistleblower is absolutely essential to the defence of the accused, provided that this circumstance is deduced and proven by the accused himself at the hearing or by submission of defences.

Distinction between anonymous reports and confidentiality of the identity of the whistleblower

The procedure for the management of the reports must ensure the confidentiality of the identity of the whistleblower since the receipt of the report and in any later stage.

The guarantee of confidentiality presume that the whistleblower makes known his identity. The purpose of the law, basically, is to ensure the protection of the employee, keeping his identity confidential.

 

Infrastructure and security

The management software of Whistleblowing, in line with the law, guarantees the highest levels of security both for the whistleblower and in relation to infrastructure.

Security of the whistleblower and of the reports

  • Asymmetric encryption on textual contents and attachments: the encryption does not require specific actions from the users. The cryptographic system ensures that both the messages and the attachments can only be read by the sender and by the recipient, through the combination of a "public and private cryptographic key".

  • Login with smart card.

  • Access regulated in accordance with the privacy legislation: the access to the reports is allowed only through the insertion of credentials (for registered users) or by entering the codes that are associated to the report (for unregistered users).

Application security

Separation of reporting the identity of the whistleblower: as provided in the ANAC Determination number 6 of April 28th, 2015, part III, Chapter 2. The secrecy of the identity of the whistleblower is guaranteed by the application, that separates the process of registration from the process of the insertion of a report, for a proper separation of data; in the report, in fact, the name of the whistleblower is not shown. The Supervisor has the possibility to activate the procedure through which the system connect the identity of the whistleblower to the report, when this is considered necessary and in cases provided by law; the Supervisor must insert a motivation for his request to reveal the identity of the whistleblower. This action is automatically notified to the whistleblower by the application and is registered in the system logs.

DigitalPA dedicated servers: maximum data protection and security levels, guaranteed both by DigitalPA and by the server farm infrastructure, both certified under ISO 27001/2014.

Integrated hardware and Software Firewalls: every platform has an integrated firewall with strict rules, which limit the accesses and the actions exclusively to the tasks that the user must perform with the software; the integration of the different firewalls enhances the security even further.

SSL certificate: the whistleblowing software is accessible exclusively via HTTPS access (Secure Sockets Layer).

Dedicated IP and SSL Certificate for each client.

User input validation: the platform is based on an approach of the validation of the input of the user. Through extremely rigid rules, the user is verified both at the client and at the server level.

CSRF Prevention: all requests managed by the platform are protected by CSRF token.