“Any times of turbulence, like the COVID-19 crisis with its diverse effects on organisations, may increase the risk of irregularities arising out of internal reasons. Exceptional circumstances and the need to make decisions in a rapidly changing environment may also lead to unintentional deviations from company policies.”
Corporate responsibility as a driver
Sustainability and corporate social responsibility are becoming distinctive characteristics of successful companies. Such commitment to sustainable and responsible action is truly put to the test when a company is facing irregularities within its own organisation. Such irregularities may mean exposure of trade secrets, embezzlement or other misuse of company finances or any other unethical conduct. Any times of turbulence, like the COVID-19 crisis with its diverse effects on organisations, may increase the risk of these irregularities arising out of internal reasons. Exceptional circumstances and the need to make decisions in a rapidly changing environment may also lead to unintentional deviations from company policies. Each company with an ambitious compliance program and high ethical standards should also have sufficient means in their toolbox to investigate possible or suspected misconduct, whether malicious or merely negligent.
If a company suspects that its employee might be associated with any activity that contradicts its own internal compliance requirements, or even laws, investigating such activity is a delicate matter and the ability to conduct the investigation without the employee’s knowledge could be crucial.
Due to restrictions imposed by legislation, investigative measures available to companies in the event of irregularities or suspected misconduct are limited. An efficient investigation within the set boundaries may, however, be essential in identifying whether a threshold for a criminal investigation is reached, and the matter may be referred to the police, who have much farther reaching investigative powers.
This article examines the necessary steps for a company to establish a legally sustainable process for internal investigation and to raise its compliance actions to the next level.
Finland as an exception in the global field
Compared internationally, Finnish legislation protecting employees’ rights to privacy and confidentiality of communications is exceptionally strict. Confidentiality of communications is set in stone in the constitution, and, because of the margin of manoeuvre left for member states in the GDPR, a high level of employee privacy is retained also in the era of EU-wide harmonisation. This may result in complex questions not only in international organisations with Finnish affiliates, but also in companies operating solely in Finland.
When talking about communication, think broadly
Employees’ right to privacy of communication applies to all communication – regardless of its content. Even internet browsing is considered a form of communication. Whether the communication is private or business related, and even when stored on the company’s hardware, analysing, monitoring or intercepting the content of communications in principle impedes the employees’ right to privacy of communications. Any files attached to, e.g., an email, form a part of that email and may not be accessed. Even traffic data, i.e., the data used to transmit a message and information is considered an essential part of communication and is thus protected by the right to confidential communication. All measures which include any processing, such as opening, scanning or monitoring, of employee emails, other messages, or employees’ private files are allowed only where provided by applicable express provisions.
An individual employee may waive the confidentiality of a specific communication by making it public. This can be done, for example, by forwarding a message to a third party, knowingly providing the message for the use of others by storing it in an archiving system, or publishing the communications on a shared workspace. Storing the communications on a computer hard drive or other medium without the intent of making it available to others is not deemed making it public.
Right to access an employee’s communication may be gained with the employee’s explicit consent. An employer may not circumvent the employees’ rights to the confidentiality of communications or employee privacy through general consent or a contractual clause given, for example, as part of an employment contract. The option of obtaining an employee’s consent for the purpose of an internal investigation is often not on the table due to the possible urgency and delicacy of the matter.
Nevertheless, a company providing a communications service internally is legally obliged to ensure the information security of the network and communications services they provide. Companies are therefore allowed to implement certain measures for data security purposes, provided that such measures are carefully designed, adapted to the seriousness of the threat and do not go beyond what is necessary.
Companies therefore have the right to undertake necessary measures to detect, prevent and investigate (and commit to pre-trial investigation) any disruptions in information security of communications networks or related services, as well as to safeguard the possibilities of the sender or recipient of the message for communication.
In theory it is possible to initiate a cumbersome notification process to have a limited right to monitor the employees’ use of e-mail, i.e., to process communication traffic data. Processing of traffic data may be allowed in order to prevent misuse in cases of unauthorised use of a company’s network or disclosure of trade secrets (under the so called “Lex Nokia” provisions of the Act on Electronic Communication Services). It should be noted that adopting the Lex Nokia rights requires that the company’s data security processes are already on a high level.
IT tools are a bliss – or are they?
There are several different IT tools available in the market, often provided by international service providers operating globally. Such tools may be marketed as effective compliance tools with the availability, e.g., to automatically scan content of emails and their attachments as well as to monitor employees’ internet use. Although companies have the right to supervise their employees’ work and, e.g., automatically block certain web sites, all measures, which result in identifying an individual employee, and the websites the employee has visited or other content of communications, are specifically prohibited. Such tools cannot, in practice, be taken into use by Finnish organisations due to their built-in monitoring functionalities.
However, not all IT tools intended for data security and compliance functions are off-limits to Finnish companies. For example, the following measures are allowed in order to prevent disruptions in information security of communications networks:
- protecting IT-systems against unauthorised use or access by using access controls;
- keeping a list of which employees have access to the IT-system or certain parts of the IT-system, such as a mobile device;
- monitoring events that have an impact on data security;
- identifying the network status of a mobile device;
- technical measures to filter trash mail;
- implementing technical measures to block harmful or unwanted sites; and
- automatic removal of malicious software that poses a threat to information security from messages.
“Express instructions on allowed and appropriate use of the company’s communication networks are essential for ensuring that the employer is able to utilise all the measures legally available to it. Instructions and descriptions of used or available methods raise awareness of compliance matters within the organisation.”
Instructions play a vital role
When establishing the foundations of legally sound, yet efficient internal investigation processes, an employer’s instructions play a vital role. Express instructions on allowed and appropriate use of the company’s communication networks are essential for ensuring that the employer is able to utilise all the measures legally available to it. Instructions and descriptions of used or available methods raise awareness of compliance matters within the organisation. Whether or not the employer is allowed to utilise a certain tool or method as part of its internal investigation proceedings, the fact of whether employees are aware of such methods is often decisive.
Any prepared instructions on the use of a company’s networks, equipment and the company’s methods to secure them should be clearly communicated to employees. Employees should therefore be instructed and trained on correct security and compliance practices. Where the company is subject to an obligation of cooperation procedures, such communication should also follow the formal rules set out for cooperation procedures.
Where to draw a line?
Given the strict restrictions on actions available to employers, what then is a company allowed to do when it suspects misconduct within its own organisation?
The principle of confidential communications explained above does not extend to work-related files and documents. As part of an internal investigation, the employer therefore is allowed to access items other than an employee’s private files. Log files tracking the use of IT systems may generally also be accessed as they do not fall into the category of communications, either. Therefore, an employer is allowed to investigate log files in order to establish whether an employee has gained, or tried to gain, access to certain systems where said individual should not, as part of their regular duties, have access.
What to consider if someone blows the whistle?
A company may become aware of suspected misconduct via various routes. Over the course of years, several companies have taken whistleblowing channels into use in order to provide employees and other stakeholders an opportunity to confidentially expose information or activity that the whistleblower finds illegal, unethical, or otherwise contradictory to the organisation’s compliance rules.
Due to legislative changes in the Act on the Protection of Privacy in Working Life one year ago in spring 2019, an employer no longer has the right to collect personal data in order to assess the employee’s reliability without the employee’s explicit consent. As the most essential feature of a whistleblowing channel is the possibility to report any identified irregularities anonymously, this change has an effect on an employer’s possibility to utilise whistleblowing channels as a source of information. The significance of internal policies and instructions increases even more if an organisation has taken a whistleblowing channel into use. It should also be noted that an employee has the right to know where certain information has been obtained, i.e. whether the information has been obtained through a whistleblowing channel or as a result of an investigation, before any employment related measures are taken against the employee.
The above described dilemma will most likely be resolved once the so-called whistleblowing directive on the protection of whistleblowers passed in the EU in 2019 is implemented nationally. Said directive will make whistleblowing channels mandatory in a fairly large proportion of organisations, and therefore changes also to the Act on the Protection of Privacy in Working Life are to be expected as a result.
“In order to ensure that the company can efficiently follow relevant legislation and compliance regulations applicable to it, the best option available is to instruct and train employees on appropriate conduct and compliance requirements, and, where possible, automatically prevent the misuse of the company’s information networks.”
In order to ensure that the company can efficiently follow relevant legislation and compliance regulations applicable to it, the best option available is to instruct and train employees on appropriate conduct and compliance requirements, and, where possible, automatically prevent the misuse of the company’s information networks. It must also be noted that the employer’s preliminary actions, such as taking the necessary cooperative measures, may be required for the measures described above being available in relation to internal investigation.
Being mindful of the restrictions Finnish legislation sets out for internal investigations, as described in this article, companies will be able also to efficiently investigate any possible irregularities or misconduct they may face.