
Ensuring data protection in Whistleblowing Systems: A lesson learned from Bologna Airport

Breach of data protection in whistleblower system, Bologna Airport.


Whistleblowing is a critical tool for uncovering illegal activities in organisations. However, the incident involving Bologna Airport in Italy shows the importance of implementing robust data protection measures within digital whistleblowing systems. In this blog post, we explore the violations committed by Bologna Airport and how organisations can ensure data protection in their whistleblowing solutions.

What happened at Bologna Airport? 

Bologna Airport had engaged a service provider to deploy a digital whistleblowing system, enabling users to anonymously report legal irregularities. However, the Italian Data Protection Authority identified multiple violations of the General Data Protection Regulation (GDPR) during the system’s implementation. As a result, the authority imposed a €40,000 fine on Bologna Airport for inadequate implementation of technical and organisational measures in the internal reporting solution. 
 

1. Security oversight: Encryption deficiency 

The airport failed to implement suitable encryption mechanisms for the transport and storage of the reported data. The absence of encryption not only compromised the confidentiality and integrity of the data but also exposed it to unauthorized access. The Italian data protection authority emphasized that the sensitive nature of the reported information required a high level of encryption to mitigate risks. 
 

2. Privacy breach: Unauthorized logging 

The airport's whistleblowing system logged the navigation behaviour of users, including IP addresses and usernames. This logging practice violated the principles of "data protection by design" and "data protection by default" outlined in the GDPR. Whistleblower systems must be designed in a way that ensures confidentiality and anonymity, and logging user activities puts these principles at risk.

3. Data protection oversight: Missing Data Protection Impact Assessment 

Another violation identified by the Italian data protection authority was the absence of a data protection impact assessment (DPIA). Whistleblowing systems often involve the processing of sensitive data, which can have severe consequences for both whistleblowers and the accused parties. Conducting a DPIA helps identify and mitigate potential risks to the rights and freedoms of individuals. 

Prioritizing data protection in whistleblowing systems: A lesson learned  

The case of Bologna Airport serves as a wakeup call for organisations to prioritize data protection in their internal reporting systems. Here are some key steps to consider: 

1. Implement robust encryption mechanisms: 

To safeguard the confidentiality and integrity of reported data, it is crucial to employ strong encryption for data in transit, such as HTTPS. Additionally, all stored data should be encrypted to prevent unauthorized access. At Whistlelink, we employ a strategy that combines encryption in transit, encryption at rest and effective key management practices to protect data integrity and confidentiality.

2. Adhere to "Data Protection by Design" and "Data Protection by Default":

Ensure that the whistleblowing system is designed with privacy in mind. This includes avoiding unnecessary data logging (such as IP addresses or device data) and retaining only the minimum amount of information required for investigations. Anonymity and confidentiality should be maintained throughout the reporting process. 
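The logging finding above is easy to reproduce in any web stack: frameworks attach the client IP and the logged-in username to every access-log record by default. As an added illustration (not Whistlelink's code, and not the system used at Bologna Airport), the filter below shows one way to apply data minimisation to the reporting channel only: records for the hypothetical `/report` route prefix lose the reporter's IP, username and per-report path before they are written, while records for other routes pass through unchanged.

```python
import logging
import re

# Assumption: the reporting channel lives under this route prefix (not from the page).
REPORTING_PREFIX = "/report"
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


class ReporterMinimizationFilter(logging.Filter):
    """Strip reporter-identifying attributes from records about the reporting channel.

    Web frameworks usually pass client_ip / username / path via logger(..., extra={...});
    those attributes end up on the LogRecord, where a handler filter can still rewrite them.
    """
    IDENTIFYING = ("client_ip", "username", "user_agent")

    def filter(self, record: logging.LogRecord) -> bool:
        path = getattr(record, "path", "")
        if not path.startswith(REPORTING_PREFIX):
            return True                               # ordinary route: log as configured
        for attr in self.IDENTIFYING:
            if hasattr(record, attr):
                setattr(record, attr, "-")            # never record who submitted a report
        record.path = REPORTING_PREFIX + "/*"         # drop per-report ids and query strings
        record.msg = IP_RE.sub("-", str(record.msg))  # catch an IP interpolated into the text
        return True


def log_fields(event: dict) -> dict:
    """Run one access event through the filter; return the fields a formatter would write."""
    record = logging.makeLogRecord(event)
    ReporterMinimizationFilter().filter(record)
    return {k: getattr(record, k, "-") for k in ("client_ip", "username", "path", "msg")}


# Constructed sample events (documentation IP ranges, invented usernames).
REPORT_EVENT = {"msg": "POST from 203.0.113.7", "client_ip": "203.0.113.7",
                "username": "m.rossi", "path": "/report/new?id=42"}
OTHER_EVENT = {"msg": "GET", "client_ip": "198.51.100.9",
               "username": "admin", "path": "/admin/users"}

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(client_ip)s %(username)s %(path)s %(message)s"))
    handler.addFilter(ReporterMinimizationFilter())
    access = logging.getLogger("access")
    access.addHandler(handler)
    access.setLevel(logging.INFO)
    for ev in (REPORT_EVENT, OTHER_EVENT):
        access.info(ev["msg"], extra={k: v for k, v in ev.items() if k != "msg"})
```

Attaching the filter to the handler rather than the logger matters: handler-level filters run on every record that reaches that sink, including records propagated from child loggers.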

3. Consider conducting a Data Protection Impact Assessment: 

Before implementing a whistleblowing system, consider conducting a DPIA to identify and address potential risks to individuals' rights and freedoms. This assessment should consider the sensitivity of the reported information, the potential impact on whistleblowers and accused parties, and any necessary mitigation measures.

4. Choose a trusted and experienced provider: 

When selecting a provider for a whistleblowing system, ensure that the provider is committed to data protection and GDPR compliance. Review its security measures, encryption protocols and track record to confirm that the system aligns with regulatory requirements, such as the GDPR and national whistleblower protection laws.

Whistlelink has delivered whistleblowing solutions to satisfied customers for more than 10 years. Our whistleblower service is available on your own website 24/7.

We offer 35+ languages in a customized, user-friendly digital whistleblower solution where all data is stored on servers within Europe, in accordance with GDPR. Start your free trial today! 

If you have any comments on this article or would like to learn more about the Whistlelink system, we would be glad to hear from you.
