GDPR questions and answers


Category:
Incidents and Fines

What should we do when a security incident concerns a whistleblower report, and security incidents are handled by employees other than the committee that receives such reports?

ANSWER

An interesting and far from easy question. The likelihood of such a situation arising is slim (especially since the volume of whistleblower reports is unlikely to be significant), but it is theoretically possible. I see the solution in limiting, to the greatest extent possible, the number of persons handling the security incident. In addition, before granting anyone access to whistleblower data, I would propose obtaining from them a declaration confirming that they are aware of the sensitivity of the data to which they have access and of the liability they face for disclosing whistleblower data or data relating to the persons concerned by the reports.

Admittedly, obtaining a declaration does not resolve the matter by itself, but it makes those handling the security incident aware that they are not dealing with an ordinary incident, and it also gives us, as the controller, evidence that we took every available step to protect whistleblower data and data relating to the persons covered by the report. Nevertheless, the security incident must still be handled, which is also in the interest of the persons whose data was compromised as a result of it.

Handling GDPR incidents reported by whistleblowers | ODO 24 | ODO 24