Lesson 1: Operator roles and governance model: internal reporting officer(s), deputy, Legal, HR and external provider roles

This section clarifies the governance model and operator roles. It defines the responsibilities of internal reporting officers, deputies, Legal, HR, and external providers, and explains escalation paths, independence safeguards, and backup arrangements.

- Mandate of the internal reporting officer
- Deputy arrangements and business continuity
- Interfaces with Legal, HR, and Compliance
- Use of external ombuds or hotline providers
- Independence, conflicts, and reporting lines

Lesson 2: Process mapping: intake, triage, preliminary assessment, formal investigation, corrective action, closure

This section explains how to map the end-to-end reporting process, from intake to closure. It defines triage, preliminary assessment, formal investigation, corrective actions, and documentation, ensuring clarity of roles, timelines, and decision points.

- Designing the intake and registration steps
- Triage rules and risk-based prioritization
- Preliminary assessment and scoping
- Formal investigation workflow and controls
- Corrective action, closure, and lessons learned

Lesson 3: Access control and role-based permissions for intake, investigation, and archive systems

This section defines access control concepts for reporting systems. It covers role-based permissions, segregation of duties, least privilege, and secure archiving, ensuring that only authorized staff can view, edit, or export sensitive case data.

- Role design for intake and investigation teams
- Least privilege and need-to-know principles
- Segregation of duties and conflict checks
- Access reviews and recertification cycles
- Secure archive access and export controls

Lesson 4: Technical and organizational measures for confidentiality: encryption, pseudonymisation, audit logs, retention schedules

This section details the technical and organizational safeguards for confidentiality, including encryption, pseudonymisation, access controls, logging, and retention. It links these measures to legal requirements, risk assessments, and internal security policies.

- End-to-end encryption for reporting channels
- Pseudonymisation and data minimization rules
- Secure storage, backups, and key management
- Audit logging and monitoring of access
- Retention schedules and secure deletion

Lesson 5: Escalation governance and board reporting: when to involve senior management, Legal, Compliance Committee

This section explains escalation rules, governance structures, and board reporting. It clarifies when to involve senior management, Legal, or Compliance bodies, and how to document decisions, protect independence, and avoid retaliation risks.

- Escalation criteria and materiality thresholds
- Roles of senior management in case handling
- Involvement of Legal and Compliance bodies
- Board and committee reporting formats
- Documenting escalation decisions

Lesson 6: Selection and specification of reporting channels (secure online intake forms, telephone hotline, postal, in-person, delegated email)

This section explains how to select and specify reporting channels, including online forms, hotlines, postal, in-person, and email. It covers security, usability, availability, and documentation to ensure trusted, compliant access for all reporters.

- Channel mix: online, phone, postal, in-person
- Security requirements for each channel type
- Designing usable and clear intake forms
- Delegated email and mailbox management
- Business continuity and fallback channels

Lesson 7: Deadlines and SLAs aligned with HinSchG: acknowledgment timeframe, investigation milestones, feedback to reporter

This section focuses on deadlines and SLAs under HinSchG. It explains acknowledgement timelines, investigation milestones, and feedback obligations, and shows how to embed them into procedures, tools, and monitoring dashboards for compliance.

- HinSchG timelines and legal benchmarks
- Acknowledgement and status update deadlines
- Investigation duration and milestone tracking
- Feedback obligations to the reporter
- Monitoring SLA breaches and remediation

Lesson 8: Multilingual and accessibility requirements (German, English, and German-Austrian language considerations; anonymous reporting options)

This section addresses multilingual and accessibility needs for reporters. It covers German and English usage, Austrian variants, plain language, anonymous options, and accommodations for disabilities, ensuring equal, safe access to all reporting channels.

- Language strategy for German and English
- Handling Austrian-German terminology
- Plain language and easy-to-read drafting
- Accessibility for disabilities and assistive tech
- Anonymous and confidential reporting options

Lesson 9: Third-party provider assessment and contract clauses (DPA, confidentiality, audit rights, SLA for response times)

This section guides the assessment of external hotline or platform providers. It covers due diligence, DPAs, confidentiality, audit rights, SLAs, and ongoing monitoring to ensure legal compliance, data security, and reliable service delivery.

- Due diligence on hotline and platform vendors
- Data Processing Agreement key clauses
- Confidentiality and conflict-of-interest terms
- Audit and inspection rights in contracts
- SLAs for uptime and response times

Lesson 10: Template documents and recordkeeping: intake forms, acknowledgement letters, investigation plans, final reports, redaction templates

This section covers mandatory templates and records across the case lifecycle. It explains how to standardize intake, acknowledgements, investigation plans, reports, and redactions to ensure consistency, auditability, and compliance with HinSchG and GDPR.

- Standardized intake and case opening forms
- Acknowledgement and follow-up letter templates
- Investigation planning and scoping templates
- Final report and management summary formats
- Redaction standards for shared documents