Cyber Law Compliance Center
Promoted by www.naavi.org
Contact: naavi@vsnl.com
PS:. This model policy is based on the appointment of an "Ombudsman". The users may appoint an ombudsman of their choice though in this policy, the use of certain services of Naavi has been indicated. Users may consider making necessary changes.
Model Whistle Blower Policy
[Version: 3rd August 2016]
Objective
The objective of this policy is to define the responsibilities of people to bring to the notice of appropriate authorities any information that has the potential to be considered as a security incident or could lead to discovery of a security incident.
Interdependencies
This Whistle Blower policy is part of the comprehensive HR Policy, the Information Security Incident Management Policy, Data Breach Notification Policy and the Background Verification policy of the Company.
Applicability
This policy is applicable to all employees of the Company and also to vendors and Sub Contractors.
Who is a Whistle Blower?
A “Whistle Blower” is any employee of the organization who is in possession of any information that reasonably indicates that a security breach incident has occurred or has been occurring or is likely to occur in the organization and involves any employee of of the organization or an employee of any of its customers or business associates, and intends to bring it to the knowledge of the management.
Responsibility
The essence of this policy is that every employee of the organization is responsible for the security of any information and any other asset that belongs to the company and it shall be the duty of every employee of the Company to bring to the notice of the designated representative of the Company, any information that comes to his knowledge which is likely to indicate an adverse impact on the security of any of the assets of the Company
The organization also believes that it is a duty cast upon itself to protect the “Whistle Blower” from any adverse consequences solely for the reason of having discharged his duty as a “Whistle Blower” and commits itself through this policy to provide an effective information disclosure infrastructure to ensure that the whistle blower may disclose any information without the fear that such disclosure may adversely affect him in any manner.
Vendors and Sub Contractors
This Whistle Blower Policy also extends to Vendors and Sub Contractors and urge them to bring to the notice of the Management any information that reasonably indicates that a security breach incident has occurred or has been occurring or is likely to occur in the Company and involves any employee of the organization and shall include it as an obligation in the contracts that the Company enters into with such Vendors and Sub Contractors.
Procedures for Management of the Policy
The detailed procedure for filing a complaint and the manner in which it shall be disposed is contained in the procedures separately prescribed for the purpose.
P.S: Following is the suggested Procedure for implementation of the Policy.
Reporting Mechanism
The Company designates "e-Ombudsman.in" as the designated representative of the Company to administer this policy and adopts the following procedure for implementing the Whistle Blower Policy.
e-Ombudsman.in has designated Sri Na.Vijayashankar, popularly known as "Naavi" and a well known Cyber Law and Cyber Dispute Management Consultant as the Ombudsman for the purpose of this policy until further notice. The Ombudsman shall be available at the e-mail : .........................................
Any stakeholder intending to report a complaint under this policy shall send an "E-mail of Intent " (EOI) to the Ombudsman at the designated e-mail address indicating his own e-mail, mobile number, name and designation/role in the company.
The EOI shall not disclose either the name of the person on whom a whistleblower's complaint is to be lodged or the incident itself.
The Ombudsman shall register the EOI and send an encryption key to the intending Whistle Blower who shall then formulate his complaint with all relevant details, encrypt them as advised and send it to the Ombudsman.
If the Ombudsman considers that the complaint has substance, he shall declare and enquiry and inform the Company without revealing the identity of the complainant.
The Company shall designate a "Co-ordinator for Ombudsman" as and when the Ombudsman announces an enquiry to assist the Ombudsman for smooth conduct of the enquiry.
The Ombudsman may at his discretion obtain any information on the complainant from the CEO or Head of the department of HR of the Company.
The Ombudsman shall on receipt of the complaint conduct an enquiry of his own which may include meeting of the complainant or any other person either personally or through video conference and obtain such other details as he may deem fit. Ombudsman at his discretion may exclude the complainant from participation in the enquiry to ensure confidentiality of his identity. He may document all meetings as he deems fit including a recording of such deliberations.
The Ombudsman shall have the discretion of deciding on the time and manner in which such enquiry is to be conducted and the persons who may be involved and the Company shall facilitate such enquiry to the best of its ability.
The information shared with the Ombudsman during the enquiry shall be considered as confidential and shall not be shared with any person either within the Company or otherwise unless
a) There is a compulsion of law
b) Considered necessary in the larger interest of the Company
c) Considered necessary for implementation of the decision following the enquiry.
d) Considered necessary for rewarding the Whistle Blower.
It shall be the sole discretion of the Ombudsman to decide what information has to be shared and with whom and to what extent.
The Company including its CEO and Directors expressly disclaim any overriding powers to demand such information from the Ombudsman.
Based on the enquiry conducted, the Ombudsman shall take such action as may be appropriate to protect the Company's interest and keep the complainant informed. Such decision includes a rejection of the complaint in toto.
Where found necessary the Ombudsman may recommend a suitable reward to the complainant for the management to consider.
Where found necessary, the Ombudsman may recommend the Company to pursue further legal action against any person found to have adversely affected the interests of the Company.
The Board of Directors of the Company shall however reserve its right to accept, reject or partially implement the recommendation of the Ombudsman.
A copy of the Company's Whistle Blower Policy and the Procedures have been shared with the designated Ombudsman who shall be informed of any subsequent changes that may be made in these documents.
P.S: This document is created by Naavi and all rights of usage are reserved. Any person intending to use this document shall contact Naavi and obtain necessary permission.
If you intend using any of these documents, the documents can be licensed upon request.
The license to use the documents may be provided free for non commercial use.
Requests may be sent to naavi along with particulars such as the Name and contact details of the persons making the request and the purpose of use.