Assistance

Yes. All the solutions offered within the WhistleblowingIT project comply with current Italian legislation both in terms of technical requirements that the IT platform must comply with as well as in terms of the standard questionnaires proposed which have been specifically designed to comply with national and European regulatory provisions and in line with international best practices.

The WhistleblowingIT project is constantly updated with respect to the relevant legislation. The platform is regularly developed to respond not only to legislative requirements but also to user needs. Updates are released constantly for the benefit of everyone. The standard questionnaires proposed as part of this project (free version for public administrations, version for public owned companies and version for private organisations) are updated directly by the project team in case of new regulatory requirements, in compliance with the deadlines indicated by law. Changes to customised versions are agreed directly with the organisation to meet specific needs. Regulatory updates for all types of platforms are released at no additional cost, as an integral part of the service offered by the WhistleblowingIT project.

No. Legislative decree 24/2023 provides that even subjects external to the organisation (workers or collaborators of supplier companies, external consultants, shareholders) and subjects who do not yet have or no longer have an active collaboration relationship can send a report. To allow this right to all subjects provided for by law, the link to the whistleblowing platform must be public and easily accessible on the organisation’s website, if it is equipped with one, as expressly provided for by law.

Oral reports are not available in the standard solutions offered by the WhistleblowingIT project. The opportunity of having an oral channel is offered only as part of the customised version, in case an organisation specifically requests this functionality. For all other versions we have chosen not to enable this function because we believe that the rationale of the law is to offer an alternative channel for oral reporting and not a different section of the same channel provided for written reporting, to meet the needs of accessibility of whistleblowers.

Once the platform has been activated, to complete the regulatory requirements it is necessary to produce the following documentation:

• Appointment as external data processing officer available here to be signed and sent back to info@whistleblowing.it;
• Whistleblowing policy in which available channels and law references are indicated (template available here);
• Privacy policy between organisation and whistleblower (template available here);
• Data Protection Impact Assessment (DPIA) which can be drawn up more easily thanks to the supporting documentation produced as part of this project and available here.

The brief practical guide on data protection available at the following link explains privacy requirements.

Yes. The free basic version is designed for all public administrations that need a secure and dedicated tool and that the law catches unprepared. It is designed to be a tool suitable for both small municipalities and more structured institutions. The customised version, which can be adopted at a later time, allows a further improvement of internal whistleblowing procedures, adapting the platform to the specific purposes of the administration.

Yes. The email associated with the platform can be changed directly by the organisation in its administration panel. Other registration data are only relevant for registration purposes and are not reported on the platform. During registration it is necessary to have access to the email indicated as the configuration procedure requires its verification and involves sending essential information to the address indicated.

The institution accepts contractual terms of service when registering the platform. A copy of the same terms of service is also available on the technical documentation page of this website at the following link. The organisation is also required to return the signed appointment as external data processor available at the following link.

The list of entities and organizations that have joined the project is updated weekly with the data of those who have had the platform published on their official website. In order to complete this verification, the entity must provide the URL of the webpage dedicated to whistleblowing, which also includes the platform’s address, using the following form. If your entity is not listed among the participants, it may be that the list has not yet been updated or that we have not received the notification of the publication.

The GlobaLeaks software has developed a voice messaging functionality which, however, will not be integrated into the free and standard versions of the platform. It will be available, where requested, on customised platforms. We do not think that voice messaging systems constitute a good practice for whistleblowing, as they do not allow receiving a qualified report, with a path that guides the whistleblower to provide targeted information. It involves a significant burden for the recipient who must draft the oral file received, verbalise it and reach, if possible, the whistleblower to validate the report and therefore complete the process. We also believe that the oral channel should be “alternative” to the written one and should not be made available through the same tool. Our recommendation is that oral reporting should be guaranteed through a mediated channel, through a personal meeting or telephone contact at the request of the whistleblower.

No. The Italian National Anticorruption Authority Guidelines (adopted with Resolution no. 469 of 9 June 2021 and now replaced by the new legislation) had envisaged the role of the Custodian of the identity. This role was established thinking that hiding the identity of the whistleblower was useful for his/her protection; however, the organisations promoting this project believe that there is no real added value in having this role and that not only the protections for those who report could be weakened, but also that the responsibilities of the Anti-Corruption Manager would become less clear once another subject is introduced into the reporting process. The WhistleblowingIT project has therefore decided not to implement, in its free and standard versions, a separation between the report and the identity of the whistleblower through the role of the custodian.

Yes. The digital whistleblowing service offered as part of this project has obtained a qualification from the National Cybersecurity Agency (ACN). See the certificate here.

From a technical point of view, the platforms give the whistleblower an immediate confirmation of receipt of the report. However, we believe that the intention of the provision of art. 5.1 of Legislative Decree 24/2023 is to provide for a specific action by the receiving organisation to confirm the actual acceptance of the report. For this reason, we invite recipients to act in this direction.

The GlobaLeaks whistleblowing software on which the solutions offered by the WhistleblowingIT project are based is open source and can therefore be freely downloaded from the website www.globaleaks.org, configurated and distributed under the AGPL 3.0 licence. It can be installed independently by an IT expert following the instructions on the website. There are no forms of lock-in or other restrictions sometimes applied in the commercial sector, so that it is possible to export and migrate the settings of the platform activated through this project to an installation of the software carried out independently on an organisation’s own information systems. The software used, and further developed in the future, in the WhistleblowingIT project is public, free and reusable by public institutions, private companies and associations to develop similar projects independently.

The WhistleblowingIT platforms provide both the possibility of anonymous reporting and declared reporting. The whistleblower has the possibility to choose whether to provide his/her identification data, such as name, last name and any alternative contact method to communications via the platform. If not provided, the whistleblower may at his/her choice decide to communicate the identity at a later stage. In every situation in which the whistleblower has entered this information into the system, the recipients have the opportunity to see if it is available and access it via the “Show” button within the report. This information on the identity of the whistleblower can in fact be accessed in a specific section separated from the content of the report. For security and audit reasons, the system records the date and user who requests the first access to the identity of the whistleblower.

In compliance with the legislation, which provides that reports must be kept only for the time necessary for their processing, we have set a data retention policy of 12 months, a time which seems appropriate to us to carry out the assessment activities and at the same time not detrimental to the principle of data processing minimization.

With reference to the single report, the recipient can postpone the expiry of the reports by up to 3 months from the date of the operation and can extend the deadline of the reports for the time deemed appropriate for the processing of the data. Advances and extensions of deadlines can be made by the recipient several times.

It is possible to request technical support directly from the login page of your platform or within the user interface once accessed by clicking on the support icon available at the top right. The WhistleblowingIT team will provide you with information and resolve any issues promptly.

Assistance can be requested for technical matters regarding the access and use of the platform, and regarding the necessary documentation to maintain its use. The support team can also be contacted for more general topics related to whistleblowing. For example, regarding compliance with regulatory requirements, how to process a report at the organizational level, or for interpretative doubts concerning the law or secondary regulations

To be able to access your platform again if you lose your password, you can proceed in different ways, depending on the information known by the user:

1. If you know the account recovery key and the email connected to the platform, you can reset the password independently through the login page at the specific link of your platform.
2. If you know the email connected to the platform but not the account recovery key, a reset request must be sent by clicking on the “Forgot your password?” button in the login page and then on “Request support”, specifying that you wish to request a password reset to the email address connected to the platform.
3. If you do not know either the recovery key or the email connected to the platform or it is necessary to replace it, a request must be sent via email to info@whistleblowing.it, specifying also the email you intend to replace. In the cases of Public Administrations, the appointment of the new Anti-Corruption Manager must also be attached to the request.

The recovery key is a key that protects a copy of the platform’s encryption key. It is available within the platform in the Preferences section and is used, among other things, to reset the password independently and recover the account in the case the password is forgotten. We recommend that you access your recovery key and save it in a safe place after you log in to the platform for the first time.