Outsourcing whistleblowing solutions transfers the operational handling of sensitive employee concerns to a third party. That transfer creates a due diligence obligation that many organisations underestimate.
The data processed through a whistleblowing channel – identities, allegations, investigation notes, personal details of those implicated – is among the most sensitive an organisation holds. The security and governance standards of the provider to whom that data is entrusted matter as much as the standards the organisation applies internally.
For compliance officers tasked with selecting or reviewing an outsourced whistleblowing solution, understanding which security standards are relevant, what they require and how to verify compliance is a practical necessity. This is not a matter of contractual box-ticking. It is a substantive risk management question.
Why Security Standards Matter More for Whistleblowing Than for Many Other Services
Whistleblowing data is sensitive in a specific and legally significant way. It typically contains the identities or partial identities of reporters who have been promised anonymity, the identities of individuals against whom allegations have been made, details of alleged misconduct that may be legally privileged or subject to regulatory disclosure obligations, and communications that form part of a formal case record.
A data breach involving whistleblowing case data does not just create regulatory exposure under UK GDPR – it can expose reporters to the very retaliation they sought to avoid, compromise ongoing investigations and create significant legal liability. The IBM Cost of a Data Breach Report 2024 put the average cost of a breach in the US at $9.36 million; that is a US average across all sectors and data types, not a UK or whistleblowing-specific figure. For whistleblowing data the direct costs are only part of the picture: a breach that identifies a reporter cannot be remediated after the fact, and for organisations in regulated sectors the enforcement and reputational consequences of such a breach are likely to be severe regardless of where the industry average sits.
This context sets the floor for what security standards an outsourced provider must meet.
ISO 27001: The Baseline for Information Security
ISO/IEC 27001:2022 is the international standard for information security management systems. It requires organisations to implement a systematic, risk-based approach to securing the confidentiality, integrity and availability of information – covering people, processes and technology.
For an outsourced whistleblowing provider, ISO 27001 certification is the baseline assurance that the organisation has:
- Identified and assessed the information security risks relevant to its operations
- Implemented controls proportionate to those risks
- Established ongoing monitoring, review and improvement processes
- Submitted its security management system to independent third-party audit
Certification is not self-declared. It requires an external certification body – ideally one accredited by a national accreditation body such as UKAS in the UK – to audit the organisation’s information security management system against the standard, on a three-year certification cycle with annual surveillance audits in between. Two caveats apply when reading a certificate. First, ISO 27001 certifies the management system, not the security of any particular product: it shows that risks are being identified and managed, not that a specific control is in place. Second, every certificate carries a scope statement, and that scope must actually cover the whistleblowing service, the systems it runs on and the locations where it is hosted and supported; a certificate scoped to a head office or an unrelated business unit provides no assurance about the service being procured. For procurement purposes, ISO 27001 certification should be treated as a minimum requirement rather than a differentiator – a provider that cannot demonstrate it presents an unacceptable baseline risk.
GDPR and UK Data Protection Compliance
Any whistleblowing service operating in the UK or processing data relating to UK subjects must comply with the UK GDPR and the Data Protection Act 2018. For an outsourced provider, compliance involves several specific obligations.
As a data processor acting on behalf of the organisation (the controller), the provider is bound by the processor obligations in Article 28 UK GDPR. It must process personal data only on the controller's documented instructions, implement appropriate technical and organisational security measures, ensure its staff are bound by confidentiality, engage sub-processors only with the controller's authorisation and under equivalent contractual terms, support the controller in meeting its data subject rights and breach obligations, delete or return the data at the end of the service, and notify the controller without undue delay of any personal data breach.
The data processing agreement between the organisation and the provider is the contractual mechanism through which these obligations are formalised. It should specify what data is processed, for what purpose, under what security controls and for how long. Data retention periods for whistleblowing case data are a particularly important clause – data held beyond the period necessary for the purpose creates unnecessary risk and may itself constitute a compliance failure. Retention should be defined per category of data (reporter identity, case notes, evidence, audit logs), since each may justify a different period, and the deletion procedure should state how deletion is applied to backups and to any sub-processors; otherwise a case file that has been "deleted" from the live system can persist indefinitely in backup media.
UK Data Residency
UK data residency is a distinct consideration from GDPR compliance. A provider can be fully GDPR-compliant while storing and processing data in data centres outside the UK, provided an appropriate transfer mechanism is in place – UK adequacy regulations, the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU standard contractual clauses. For some organisations, particularly those in regulated sectors or subject to specific data sovereignty requirements, UK-only data residency is a requirement rather than a preference.
This should be confirmed explicitly in the due diligence process and documented in the data processing agreement. Residency should be read to cover production storage, backups and disaster recovery sites, and remote access by the provider's support and engineering staff: under ICO guidance, remote access to live data from another jurisdiction is itself a restricted transfer even when the servers are in the UK. A provider that cannot confirm UK data residency on these terms, or that routes data through international infrastructure without adequate safeguards, may not be suitable for organisations with this requirement.
ISO 37002: The Whistleblowing-Specific Standard
ISO 37002:2021 is the international standard for whistleblowing management systems. It is published as guidelines rather than as a requirements standard, so it does not support accredited certification in the way ISO 27001 does. Where ISO 27001 addresses information security broadly, ISO 37002 addresses the governance, confidentiality and impartiality considerations specific to whistleblowing programmes.
The standard establishes principles of trust, impartiality and protection as the foundation of a credible whistleblowing system, and sets out guidance on how concerns are received, assessed, addressed and closed. For an outsourced provider, alignment with ISO 37002 provides assurance that its operating model has been designed around the specific demands of whistleblowing case management – not simply adapted from a generic case handling framework.
Because ISO 37002 is a guidance standard, a provider's claim to be "ISO 37002 certified" should be treated with care: some assessment bodies offer independent review or attestation against it, but there is no accredited certification scheme equivalent to the one for ISO 27001. Alignment with its principles is nonetheless a meaningful indicator of programme maturity. Procurement teams should ask providers how their service maps to ISO 37002, and for the evidence behind any claim of independent assessment.
NIS2 and Emerging Cyber Security Requirements
The NIS2 Directive (EU) 2022/2555 replaced the original NIS Directive, with a transposition deadline of 17 October 2024 (several Member States transposed later), and extends mandatory cyber security requirements to a broader range of organisations and sectors than its predecessor. It does not apply in the UK, where the NIS Regulations 2018 remain the domestic framework and the government has announced successor legislation to update them. The expectations NIS2 establishes – incident reporting, supply chain security as an explicit risk management measure, access control – nonetheless represent a direction of travel relevant to any organisation reviewing its third-party security obligations, and UK organisations that belong to EU groups or supply EU essential or important entities may see NIS2 requirements flowed down to them contractually.
Organisations in sectors covered by NIS2 or its UK equivalents should ensure that outsourced whistleblowing providers are included in their third-party security assessments, and that provider security practices are reviewed on a periodic basis rather than only at the point of initial procurement.
What to Verify Before Committing to a Provider
A structured security due diligence process for an outsourced whistleblowing solution should cover:
- Current ISO 27001 certification – certificate number, issuing body and its accreditation, expiry date, and a scope statement that covers the whistleblowing service and its hosting and support locations
- GDPR compliance documentation, including a draft data processing agreement containing the Article 28 processor terms
- Confirmation of UK data residency in writing, covering production storage, backups, disaster recovery and remote support access
- Data retention policy and deletion procedures, including how deletion is applied to backups and sub-processors
- Incident response and breach notification procedures, including the timescale within which the organisation will be notified
- Sub-processor disclosure – a list of any third parties to whom the provider itself passes data, with the location and role of each
- Technical security evidence – encryption of data in transit and at rest, access controls for provider staff, and summaries of recent independent penetration tests
- Business continuity and disaster recovery arrangements
Safecall is ISO 27001 certified, fully GDPR compliant and stores all case data in the UK. Security documentation is available on request as part of the procurement process.
Related Resources
Whistleblowing Security & Anonymity – safecall.co.uk/resources/whistleblowing-security-anonymity/
How Does Whistleblower Case Tracking Software Ensure Confidentiality? – safecall.co.uk/resources/how-does-whistleblower-case-tracking-software-ensure-confidentiality/
Whistleblowing Data Privacy & GDPR – safecall.co.uk/resources/whistleblowing-data-privacy-gdpr/
Whistleblowing Service Selection – safecall.co.uk/resources/whistleblowing-service-selection/
Speak to Safecall
Safecall is ISO 27001 certified, GDPR compliant and stores all case data in the UK. If you are reviewing the security credentials of your current or prospective whistleblowing provider, we are happy to provide documentation and answer due diligence questions as part of your procurement process.
Contact us: safecall.co.uk/en/contact-us/ | +44 (0) 191 516 7720
Sources and Further Reading
ISO/IEC 27001:2022 Information Security Management Systems – iso.org
ISO 37002:2021 Whistleblowing Management Systems – iso.org
UK GDPR and Data Protection Act 2018 – ico.org.uk
IBM Cost of a Data Breach Report 2024 – ibm.com/security
NIS2 Directive (EU) 2022/2555 – eur-lex.europa.eu