GDPR questions and answers

Category: DPO Challenges

How should monitoring of employee email accounts be handled if the company has an email mailbox dedicated to receiving whistleblower reports?

ANSWER

The purpose of corrective measures within an organization is to implement organizational decisions that prevent similar incidents (breaches) from occurring in the future. Therefore, reviewing employee email in this situation would not appear to qualify as either a corrective measure or a preventive measure.

According to the applicable legislation, access to the content of a whistleblower report may only be granted to authorized individuals, which generally means members of the designated whistleblowing team. In such circumstances, it would be difficult to conclude that confidentiality and the protection of the whistleblower's identity are being maintained if the mailbox dedicated to receiving reports is subject to monitoring.

As a result, a mailbox intended for whistleblower reports should be accessible only to appropriately authorized persons, and any monitoring arrangements should not undermine the confidentiality requirements imposed by whistleblower protection regulations.

Email monitoring vs whistleblower mailbox | ODO 24