We can support you in multiple ways

Assistance

In this page it is possible to access all the resources, technical documentation, training content on whistleblowing and a series of FAQs to support public and private organisations that joined the project. The support is aimed not only to make the use of the platform easier, but also to give help in the implementation of procedures and adequate policies to create an efficient whistleblowing system.


Resources

TECHNICAL DOCUMENTATION

The service contract, the privacy and security documents and the project certifications are available here.

COMMUNICATION MATERIALS

On this page, communication templates and other materials are available to disseminate the service.

LAW RESOURCES AND PUBLICATIONS

We have collected the main law references on whistleblowing and the best research and analyses on the topic.


Tutorial

Registration: how to register and set-up a WhistleblowingPA platform for free
Reports: how to access and manage whistleblowing reports on the WhistleblowingIT platforms

FAQ

Law compliance

If I adopt one of WhistleblowingIT digital solutions, is my organisation compliant with the Italian whistleblowing requirements established for the public and private sector, in particular with respect to Legislative Decree no. 24/2023?

Yes. All the solutions offered within the WhistleblowingIT project comply with current Italian legislation both in terms of technical requirements that the IT platform must comply with as well as in terms of the standard questionnaires proposed which have been specifically designed to comply with national and European regulatory provisions and in line with international best practices.

In case of regulatory changes, will updates be available?

The WhistleblowingIT project is constantly updated with respect to the relevant legislation. The platform is regularly developed to respond not only to legislative requirements but also to user needs. Updates are released constantly for the benefit of everyone. The standard questionnaires proposed as part of this project (free version for public administrations, version for public owned companies and version for private organisations) are updated directly by the project team in case of new regulatory requirements, in compliance with the deadlines indicated by law. Changes to customised versions are agreed directly with the organisation to meet specific needs. Regulatory updates for all types of platforms are released at no additional cost, as an integral part of the service offered by the WhistleblowingIT project.

Can I publish the platform link only on the organisation’s intranet?

No. Legislative decree 24/2023 provides that even subjects external to the organisation (workers or collaborators of supplier companies, external consultants, shareholders) and subjects who do not yet have or no longer have an active collaboration relationship can send a report. To allow this right to all subjects provided for by law, the link to the whistleblowing platform must be public and easily accessible on the organisation’s website, if it is equipped with one, as expressly provided for by law.

When it comes to oral reports provided for by art. 4 of Legislative Decree 24/2023, does the WhistleblowingIT project provide a solution?

Oral reports are not available in the standard solutions offered by the WhistleblowingIT project. The opportunity of having an oral channel is offered only as part of the customised version, in case an organisation specifically requests this functionality. For all other versions we have chosen not to enable this function because we believe that the rationale of the law is to offer an alternative channel for oral reporting and not a different section of the same channel provided for written reporting, to meet the needs of accessibility of whistleblowers.

What documentation is required once the platform is activated to be in line with the law?

Once the platform has been activated, to complete the regulatory requirements it is necessary to produce the following documentation:

  • Appointment as external data processing officer available here to be signed and sent back to info@whistleblowing.it;
  • Whistleblowing policy in which available channels and law references are indicated (template available here);
  • Privacy policy between organisation and whistleblower (template available here);
  • Data Protection Impact Assessment (DPIA) which can be drawn up more easily thanks to the supporting documentation produced as part of this project and available here.

The brief practical guide on data protection available at the following link explains privacy requirements.


adopting whistleblowingpa

Is it possible to start using the free version of the platform for Public Administrations and then decide to switch to the customised version?

Yes. The free basic version is designed for all public administrations that need a secure and dedicated tool and that the law catches unprepared. It is designed to be a tool suitable for both small municipalities and more structured institutions. The customised version, which can be adopted at a later time, allows a further improvement of internal whistleblowing procedures, adapting the platform to the specific purposes of the administration.

Can the data entered during registration be changed later?

Yes. The email associated with the platform can be changed directly by the organisation in its administration panel. Other registration data are only relevant for registration purposes and are not reported on the platform. During registration it is necessary to have access to the email indicated as the configuration procedure requires its verification and involves sending essential information to the address indicated.

Does the public administration have to sign a contract to activate the free platform?

The institution accepts contractual terms of service when registering the platform. A copy of the same terms of service is also available on the technical documentation page of this website at the following link. The organisation is also required to return the signed appointment as external data processor available at the following link and to communicate via the following form the webpage of its institutional website dedicated to whistleblowing where the digital platform link is published, as required in the Acceptable Use Policy.

WHY CAN’T I FIND MY ORGANIZATION IN THE LIST OF MEMBERS?

The list of organizations that have joined the project is updated weekly with the information of the members for whom the publication of the platform on the institutional website has been verified. To complete this verification it is necessary for the organization to communicate via the following form the webpage dedicated to whistleblowing where the digital platform link is published. If your organization is not present among the members, it is possible that we have not yet updated the list or that we have not received notification of the publication.


platform features

Is it possible to make an oral report through the platform?

The GlobaLeaks software has developed a voice messaging functionality which, however, will not be integrated into the free and standard versions of the platform. It will be available, where requested, on customised platforms. We do not think that voice messaging systems constitute a good practice for whistleblowing, as they do not allow receiving a qualified report, with a path that guides the whistleblower to provide targeted information. It involves a significant burden for the recipient who must draft the oral file received, verbalise it and reach, if possible, the whistleblower to validate the report and therefore complete the process. We also believe that the oral channel should be “alternative” to the written one and should not be made available through the same tool. Our recommendation is that oral reporting should be guaranteed through a mediated channel, through a personal meeting or telephone contact at the request of the whistleblower.

Do the platforms of the WhistleblowingIT project separate the report from the identity of the whistleblower through the so-called custodian functionality?

No. The Italian National Anticorruption Authority Guidelines (adopted with Resolution no. 469 of 9 June 2021 and now replaced by the new legislation) had envisaged the role of the Custodian of the identity. This role was established thinking that hiding the identity of the whistleblower was useful for his/her protection; however, the organisations promoting this project believe that there is no real added value in having this role and that not only the protections for those who report could be weakened, but also that the responsibilities of the Anti-Corruption Manager would become less clear once another subject is introduced into the reporting process. The WhistleblowingIT project has therefore decided not to implement, in its free and standard versions, a separation between the report and the identity of the whistleblower through the role of the custodian.

Is WhistleblowingIT a service qualified by the National Cybersecurity Agency (ACN)?

Yes. The digital whistleblowing service offered as part of this project has obtained a qualification from the National Cybersecurity Agency (ACN). See the certificate here.

Do the platforms of the WhistleblowingIT project provide for the automatic sending of an acknowledgment of receipt of the report within 7 days of its receipt?

From a technical point of view, the platforms give the whistleblower an immediate confirmation of receipt of the report. However, we believe that the intention of the provision of art. 5.1 of Legislative Decree 24/2023 is to provide for a specific action by the receiving organisation to confirm the actual acceptance of the report. For this reason, we invite recipients to act in this direction.

Can I activate the whistleblowing software on my internal information systems instead of adopting one of the solutions provided by the WhistleblowingIT project?

The GlobaLeaks whistleblowing software on which the solutions offered by the WhistleblowingIT project are based is open source and can therefore be freely downloaded from the website www.globaleaks.org, configurated and distributed under the AGPL 3.0 licence. It can be installed independently by an IT expert following the instructions on the website. There are no forms of lock-in or other restrictions sometimes applied in the commercial sector, so that it is possible to export and migrate the settings of the platform activated through this project to an installation of the software carried out independently on an organisation’s own information systems. The software used, and further developed in the future, in the WhistleblowingIT project is public, free and reusable by public institutions, private companies and associations to develop similar projects independently.

How is the whistleblower identification data processed?

The WhistleblowingIT platforms provide both the possibility of anonymous reporting and declared reporting. The whistleblower has the possibility to choose whether to provide his/her identification data, such as name, last name and any alternative contact method to communications via the platform. If not provided, the whistleblower may at his/her choice decide to communicate the identity at a later stage. In every situation in which the whistleblower has entered this information into the system, the recipients have the opportunity to see if it is available and access it via the “Show” button within the report. This information on the identity of the whistleblower can in fact be accessed in a specific section separated from the content of the report. For security and audit reasons, the system records the date and user who requests the first access to the identity of the whistleblower.

What is the default data retention policy of reports on the platform?

In compliance with the legislation, which provides that reports must be kept only for the time necessary for their processing, we have set a data retention policy of 12 months, a time which seems appropriate to us to carry out the assessment activities and at the same time not detrimental to the principle of data processing minimization.

With reference to the single report, the recipient can postpone the expiry of the reports by up to 3 months from the date of the operation and can extend the deadline of the reports for the time deemed appropriate for the processing of the data. Advances and extensions of deadlines can be made by the recipient several times.


assistance

If I need technical assistance on the platform what should I do?

It is possible to request technical support directly from the login page of your platform or within the user interface once accessed by clicking on the support icon available at the top right. The WhistleblowingIT team will provide you with information and resolve any issues promptly.

What should I do if I forgot my password?

To be able to access your platform again if you lose your password, you can proceed in different ways, depending on the information known by the user:

  1. If you know the account recovery key and the email connected to the platform, you can reset the password independently through the login page at the specific link of your platform.
  2. If you know the email connected to the platform but not the account recovery key, a reset request must be sent by clicking on the “Forgot your password?” button in the login page and then on “Request support”, specifying that you wish to request a password reset to the email address connected to the platform.
  3. If you do not know either the recovery key or the email connected to the platform or it is necessary to replace it, a request must be sent via email to info@whistleblowing.it, specifying also the email you intend to replace. In the cases of Public Administrations, the appointment of the new Anti-Corruption Manager must also be attached to the request.
What is the account recovery key and where do I find it?

The recovery key is a key that protects a copy of the platform’s encryption key. It is available within the platform in the Preferences section and is used, among other things, to reset the password independently and recover the account in the case the password is forgotten. We recommend that you access your recovery key and save it in a safe place after you log in to the platform for the first time.