Lesson 1. Operator roles and governance model: internal reporting officer(s), deputy, Legal, HR and external provider roles

This section clarifies the governance model and operator roles. It defines responsibilities of internal reporting officers, deputies, Legal, HR, and external providers, and explains escalation paths, independence safeguards, and backup arrangements.

- Mandate of the internal reporting officer
- Deputy arrangements and business continuity
- Interfaces with Legal, HR, and Compliance
- Use of external ombuds or hotline providers
- Independence, conflicts, and reporting lines

Lesson 2. Process mapping: intake, triage, preliminary assessment, formal investigation, corrective action, closure

This section explains how to map the end-to-end reporting process, from intake to closure. It defines triage, preliminary assessment, formal investigation, corrective actions, and documentation, ensuring clarity of roles, timelines, and decision points.

- Designing the intake and registration steps
- Triage rules and risk-based prioritization
- Preliminary assessment and scoping
- Formal investigation workflow and controls
- Corrective action, closure, and lessons learned

Lesson 3. Access control and role-based permissions for intake, investigation, and archive systems

This section defines access control concepts for reporting systems. It covers role-based permissions, segregation of duties, least privilege, and secure archiving, ensuring that only authorised staff can view, edit, or export sensitive case data.

- Role design for intake and investigation teams
- Least privilege and need-to-know principles
- Segregation of duties and conflict checks
- Access reviews and recertification cycles
- Secure archive access and export controls

Lesson 4. Technical and organisational measures for confidentiality: encryption, pseudonymisation, audit logs, retention schedules

This section details technical and organisational safeguards for confidentiality, including encryption, pseudonymisation, access controls, logging, and retention. It links these measures to legal requirements, risk assessments, and internal security policies.

- End-to-end encryption for reporting channels
- Pseudonymisation and data minimisation rules
- Secure storage, backups, and key management
- Audit logging and monitoring of access
- Retention schedules and secure deletion

Lesson 5. Escalation governance and board reporting: when to involve senior management, Legal, Compliance Committee

This section explains escalation rules, governance structures, and board reporting. It clarifies when to involve senior management, Legal, or Compliance bodies, and how to document decisions, protect independence, and avoid retaliation risks.

- Escalation criteria and materiality thresholds
- Roles of senior management in case handling
- Involvement of Legal and Compliance bodies
- Board and committee reporting formats
- Documenting escalation decisions

Lesson 6. Selection and specification of reporting channels (secure online intake forms, telephone hotline, postal, in-person, delegated email)

This section explains how to select and specify reporting channels, including online forms, hotlines, postal, in-person, and email. It covers security, usability, availability, and documentation to ensure trusted, compliant access for all reporters.

- Channel mix: online, phone, postal, in-person
- Security requirements for each channel type
- Designing usable and clear intake forms
- Delegated email and mailbox management
- Business continuity and fallback channels

Lesson 7. Deadlines and SLAs aligned with HinSchG: acknowledgement timeframe, investigation milestones, feedback to reporter

This section focuses on deadlines and SLAs under HinSchG. It explains acknowledgement timelines, investigation milestones, and feedback obligations, and shows how to embed them into procedures, tools, and monitoring dashboards for compliance.

- HinSchG timelines and legal benchmarks
- Acknowledgement and status update deadlines
- Investigation duration and milestone tracking
- Feedback obligations to the reporter
- Monitoring SLA breaches and remediation

Lesson 8. Multilingual and accessibility requirements (German, English, and German-Austrian language considerations; anonymous reporting options)

This section addresses multilingual and accessibility needs for reporters. It covers German and English usage, Austrian variants, plain language, anonymous options, and accommodations for disabilities, ensuring equal, safe access to all reporting channels.

- Language strategy for German and English
- Handling Austrian-German terminology
- Plain language and easy-to-read drafting
- Accessibility for disabilities and assistive tech
- Anonymous and confidential reporting options

Lesson 9. Third-party provider assessment and contract clauses (DPA, confidentiality, audit rights, SLA for response times)

This section guides the assessment of external hotline or platform providers. It covers due diligence, DPAs, confidentiality, audit rights, SLAs, and ongoing monitoring to ensure legal compliance, data security, and reliable service delivery.

- Due diligence on hotline and platform vendors
- Data Processing Agreement key clauses
- Confidentiality and conflict-of-interest terms
- Audit and inspection rights in contracts
- SLAs for uptime and response times

Lesson 10. Template documents and recordkeeping: intake forms, acknowledgement letters, investigation plans, final reports, redaction templates

This section covers mandatory templates and records across the case lifecycle. It explains how to standardise intake, acknowledgements, investigation plans, reports, and redactions to ensure consistency, auditability, and compliance with HinSchG and GDPR.

- Standardised intake and case opening forms
- Acknowledgement and follow-up letter templates
- Investigation planning and scoping templates
- Final report and management summary formats
- Redaction standards for shared documents