Malta Publishes Bill on Whistleblower Protection

The Parliament of Malta has recently published Bill No. 249 to amend the Protection of the Whistleblower Act ('the Act').

The purpose of this Bill is to transpose Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law, also referred to as the Whistleblower Protection Directive. The Directive is to be transposed into national law of all Member States by 17th December 2021.

The Bill fully reflects the requirements and obligations emanating from the Whistleblower Protection Directive, which public and private entities are to implement within their internal and external reporting mechanisms.

Once enacted, the Bill will bring into force the following changes to the existing Maltese legislative framework, in an effort to enhance the protection afforded to individuals who report improper practices in a work-related context.

Changes made to the definition of the ‘Subject Person’ (i.e. the employer)

The Bill, once enacted, will drastically alter the Persons subject to the Act, as the definition will bring into scope all organizations within the private sector employing fifty (50) or more workers. Organizations with fewer than fifty (50) workers may also be subject to the requirements emanating from the Act, where a risk assessment establishes that the level of risk ensuing from the nature of operational activities requires the implementation of an internal disclosure channel (e.g. heightened risk posed to the environment or public health).

Changes made to the definition of ‘employee’

The definition of employee will now bring into scope shareholders and persons belonging to the administrative, management or supervisory body of an organization, including non-executive members and paid or unpaid trainees. The definition also brings into scope any candidate for employment, where information concerning improper practices is acquired during the recruitment process.

Establishment of new definitions within the law, including, ‘improper practice’ ‘occupational detriment’ and ‘work-related context’

The definition of ‘work-related context’ comprises current and past work activities carried out within the public or private sector, throughout which persons may acquire or have access to information on improper practices and within which those persons may suffer retaliation if they reported such information.

The definition of ‘improper practice’ will now bring into scope a series of actions that are, or will most likely result in, the failure, non-compliance or breach of an existing law or regulation. This includes, the endangerment of the environment or health and safety, a miscarriage of justice, bribery, corrupt practices, breaches on the protection of privacy, consumer protection and prevention of money laundering and financing of terrorism regulations.

The definition of ‘occupational detriment’ comprises any direct or indirect act or omission tantamount to an unjustified detriment, which occurs in a work-related context, that is prompted by internal, external or public disclosures. This therefore includes, lay-offs, dismissals, demotions, early terminations or transfers, coercion, intimidation and harassment, negative performance assessments or the failure to renew a temporary employment contract.

Extent of protection afforded to whistleblowers

Whistleblowers shall have access to free, comprehensive and independent information and advice, particularly on the procedures and remedies available to reporting persons, including the protection afforded to whistleblowers against retaliation by virtue of the Bill, once enacted. In addition, whistleblowers shall have access to legal aid in criminal and cross-border civil proceedings and effective assistance from competent authorities.

Reference to the GDPR

The Act shall make reference to the processing of personal data throughout the internal, external and public reporting process. All processing of personal data is to be carried out in accordance with the General Data Protection Regulation. As a result, the receipt of personal data that is not relevant to the handling or follow up of a report is not to be collected, or, if obtained, deleted without undue delay.

Exclusion of anonymous disclosures

The Act will not allow or enforce the protection of anonymous disclosures made by reporting persons. The latter was left at the discretion of Member States by the EU Commission. Nevertheless, the Act permits the receipt and processing of anonymous disclosures in determining whether improper practice has occurred. Furthermore, should a whistleblower be identified following an anonymous disclosure, and consequently suffers retaliation, that disclosure would still be a protected disclosure, provided it meets the conditions set out within the Act concerning protected disclosures (i.e. made in good faith, not for personal gain and based on reasonable grounds).

Internal Reporting Procedures to be implemented by all private organization that employ fifty (50) or more workers (including stipulated timeframes for follow up)

Every employer falling within the above definition of a ‘Subject Person’ shall implement internal reporting procedures for the receival and handling of information concerning improper practice committed within or by that organization, and as a minimum, shall comprise the following:

  • channels for receiving reports in writing, orally or both;
  • secure and confidential channels deploying access rights and identity protection measures;
  • designation of a whistleblowing reporting officer competent for following up on reports;
  • diligent follow up by the designated person or department;
  • clear and easily accessible information on the existence of the internal procedures and external reporting.

External reporting procedures to be implemented by Designated Authorities

Designated authorities (specified in the First Schedule of the Act) shall also respectively set up an independent and autonomous whistleblowing unit. In terms of external reporting, provision of feedback may be extended to six (6) months in justified cases. Similarly, channels for receiving reports are to be made available in writing and orally, within secure means and safeguarding the identity of the reporting person, ensuring such remains confidential throughout reporting process and subsequent to the final outcome. Whistleblowers are to first report the breach internally (to the extent possible), prior to making an external disclosure.

Public Disclosures

By virtue of the amended Act, a public disclosure will only be protected if an internal disclosure and an external disclosure have been made, but no appropriate action was taken. Nevertheless, a public disclosure shall be protected upon reasonable or justifiable grounds to bypass the internal and/or external reporting channels, such as manifest danger to public interest.

Retention of Records

Whistleblowing reporting units/officers shall keep records of every report received, and such shall be stored as required in order to comply with the requirements imposed by the applicable regulation.

Oral disclosures, including face-to-face meetings, must be recorded. The whistleblower shall be afforded the opportunity to check, rectify and confirm the record of the disclosure.

Our Whistleblower Protection Services for You

BDO Malta can assist organizations with the:

  • development of internal reporting whistleblowing channels;
  • development of a tailored risk management framework;
  • outsourcing of the whistleblower protection investigating unit; and
  • provision of whistleblower protection training.

In the course of developing a tailored organizational framework, BDO will hold discussions with the organization to ensure the internal mechanisms in place reflect the internal processes, values and set up.

Learn more about the Whistleblower Protection services offered by BDO and Download our Brochure now.

Get in touch: