Internal Whistleblowing System (SII-UIB)

In compliance with Act 2/2023 of 20th February on the Protection of Individuals who Report Regulatory Breaches and the Fight Against Corruption, and through Agreement of the Governing Council of 26th July 2023, the UIB has established an internal whistleblowing system to report regulatory breaches and protect individuals who report them (SII-UIB).

The SII-UIB comprises:

  • An internal whistleblowing channel
  • A system coordinator
  • A management procedure for all information submitted over the channel.

 

FAQs

What can be reported through the SII-UIB?

The UIB Internal Whistleblowing System (SII-UIB) is the channel to report actions or omissions at the UIB that may constitute serious or very serious criminal or administrative offences or, where applicable, violate EU law, as per the conditions set out in Article 2 of Act 2/2023.

Nevertheless, any actions or omissions not covered by the previous paragraph, as well as those listed below, fall outside the scope of the SII-UIB:

  • Information linked to interpersonal disputes or solely affecting whistleblowers and individuals included in the report or disclosure
  • Information in reports rejected by any internal reporting channel 
  • Information already made publicly available or based on mere rumour
  • Information containing reasonable evidence it was obtained illegally.

 

Who can submit reports over the SII-UIB?

Within the framework of the provisions of Article 3 in Act 2/2023, UIB employees who have obtained information about employment or professional breaches may use the SII-UIB. In all instances, these include:

  1. Civil servants or contract employees
  2. The self-employed
  3. Shareholders, stakeholders and other individuals who are part of corporate administration, management or oversight bodies, including non-executive members
  4. Any individual working for or under the supervision and management of contractors, subcontractors and suppliers.

The system may also be used by individuals wishing to report or publicly disclose information on infringements obtained within the framework of a terminated employment or statutory relationship, volunteers, grant holders, workers on paid or unpaid traineeships, as well as anyone whose employment relationship has not yet started, provided the relevant information was obtained during the selection process or pre-contract negotiations.

What requirements must information reported over the SII-UIB meet?

Reported information must be sufficiently detailed in order to identify the facts and timeframe, the infringement committed and alleged perpetrator or, at the very least, the unit or body where the events took place. 

All available documents or evidence enabling analysis of the factual basis of events must be provided or, failing this, the location where they are kept, in order to correctly process the submitted information.

Reports may be made anonymously. Where whistleblowers wish to be identified, they may provide an e-mail address for notifications when submitting a report.

In accordance with Act 2/2023 of 20th February on the Protection of Individuals who Report Regulatory Breaches and the Fight against Corruption, it is essential for whistleblowers' protection that reasonable grounds exist regarding the veracity of the submitted information. In turn, the aforementioned act specifies that reporting or publicly disclosing information known to be false constitutes a very serious infringement (Article 63.1 (f)). False accusations or reports shall entail consequences, as laid out by the Spanish legal system.

What is the confidentiality system for reports?

Reports will be managed in strict confidentiality to ensure whistleblowers' identities remain anonymous, including any related details. The confidentiality system will also apply to any third parties mentioned and the individual being reported.

How can I make a report through the SII-UIB?

Users can report information (anonymously or otherwise) by filling in the relevant form over the UIB Integrity website on the Transparency Portal.

Can I submit a report over non-UIB channels?

Any individual may submit a report to the Independent Whistleblower Protection Authority (AAI) or relevant regional authorities or bodies with regard to any action or omission within the scope of Act 2/2023 of 20th February on the Protection of Individuals who Report Regulatory Breaches and the Fight against Corruption. This applies regardless of whether the individual submits a report to these bodies or over the relevant internal whistleblowing channel.

Who coordinates the SII-UIB?

The Whistleblowing System Supervisory Committee (CORESINFO) coordinates the SII-UIB. The committee members are listed in Resolution of the Office of the President and Vice Chancellor 15163 of 2nd November 2023.

How are reports managed?

The relevant committee or, where applicable, delegated individuals depending on the specific nature and circumstances, will take charge of processing reports and, where relevant, undertake internal investigations. After preliminary analysis or assessment looking into evidence of a crime, serious infringement or violation of EU law, the report will be admitted or rejected. Where admitted, an initial internal investigation will begin.

The detailed procedure may be viewed in Regulatory Agreement 14985 of 26th July 2023 that establishes and governs the UIB Internal Whistleblowing System to Report Regulatory Breaches and Protect Whistleblowers.

What happens if I withdraw my report?

After the report has been admitted, the process remains open regardless of whether whistleblowers wish to withdraw their statement.

Is there a monitoring system for submitted reports?

Reports may be monitored using the system code provided when a report is submitted. Whistleblowers must keep this code safe since, for security and confidentiality reasons, it cannot be retrieved, nor can a new one be provided.

How are personal data included in reports processed?

a) Purpose of the Processing

The purpose is for the UIB to manage the procedure set out in Article 9 in Act 2/2023 of 20th February on the Protection of Individuals who Report Regulatory Breaches and the Fight against Corruption.  

b) Interested Parties 

Whistleblowers, reported individuals and third parties whose personal details are deemed necessary to manage the aforementioned procedure.

c) Types of Personal Data subject to Processing

In accordance with the data minimisation principle, only the necessary details shall be processed based on the relevant procedure in each specific instance.

These details may include:

  • Personal details: name and surname(s); ID document (DNI, NIF, passport, etc.); address; phone number; signature and electronic signature 
  • Other details: those included in the report.

d) Recipients of Reported Data 

Data will only be transferred in the instances set out by legal authorities, the Prosecution Service or the relevant administrative body within the framework of criminal or disciplinary proceedings. 

e) International Transfers 

No international transfers are foreseen.

f) Data Retention Timeframe

All data collected will be retained for the necessary and legally established timeframe in compliance with the purpose for which they were collected and to determine any possible liabilities arising from said purpose and data processing. The Archiving and Documentation Regulations shall apply.

g) Technical and Organisational Security Measures

The adopted organisational, operational and protection measures align with what is set out in Appendix II (Security Measures) to Royal Decree 311/2022 on the National Security Framework for e-Government.

h) Legal Basis 

Processing personal data is required to comply with the public duties bestowed on the university, as well as the relevant legal obligations and explicit consent of the interested parties where applicable, as set out in the following regulations:

What protection measures are in place for whistleblowers and reported individuals?

Provided the conditions set out in Article 35 of Act 2/2023 are met, individuals who report or disclose information concerning regulatory breaches, within the framework of Regulatory Agreement 14985 governing the SII-UIB, are entitled to full immunity and to receiving support and protection from any possible retaliation set out in Chapter VII in Act 2/2023.

Individuals reporting or disclosing the following types of information are strictly excluded from the protection measures included in the SII-UIB:

  1. Information contained in reports rejected by any internal reporting channels or due to any of the reasons set out in Article 18.2 (a) of Act 2/2023
  2. Information linked to interpersonal disputes or solely affecting whistleblowers and individuals included in the report or disclosure
  3. Information already made publicly available or based on mere rumour
  4. Information concerning actions or omissions not covered by Article 2 in Act 2/2023.

Within the framework of the SII-UIB, and whilst the file is being processed, the parties affected by the report will have the right to the presumption of innocence, defence and access to the file in accordance with the terms of Act 2/2023. In turn, they will have the right to the same protection as whistleblowers, i.e. their identities will remain anonymous, and all facts and details included in the procedure shall remain confidential.