Frequently asked questions
A report can be submitted through Trumpet by anyone who is in any way professionally active in the organisation that the report concerns. This includes board members, all employees (permanent employees, probationary staff, fixed-term employees, full-time and part-time employees), trainees and hired staff (recruited staff).
Whitepaper Advisors is the company behind the Trumpet service — a whistleblower function for all kinds of organisations (everything from associations to companies, corporations, municipalities and states). Trumpet offers a secure channel of reporting for people who have something they wish to share and who, for some reason or other, do not dare to directly contact the organisation in question.
Whitepaper Advisors is a company that believes that credibility and a high degree of integrity are prerequisites for our business to exist. We have extensive experience in examining and helping organisations in preventing improprieties.
The entire purpose of Trumpet is to offer organisations a function that complies with valid legislation, in which potential whistleblowers are able to report misconduct in a secure manner. The system is a technically secure solution, in which the whistleblower is anonymous, and in which, as administrators of the system, we cannot identify the whistleblower if the person does not actively choose to be open with their contact details.
As suppliers of this service, we must comply with valid legislation. Based on how the system and function have been designed, we may not — and we cannot — collect personal data about the whistleblower if he/she chooses to remain anonymous. Even if the whistleblower chooses to disclose his/her identity to the case worker, we act in the role of controller and may not pass on the whistleblower’s personal data. The laws that directly regulate the handling of a case are:
- The EU’s General Data Protection Regulation (GDPR) — protects your basic rights and freedoms, especially your right to have your personal data protected.
- The EU directive for the protection of people who report infringements of EU law. The directive requires third party suppliers to guarantee that the whistleblower system is independent, confidential, data protected and observes the rules of non-disclosure.
- The Swedish Whistleblowing Act, which provides special protection for people who raise the alarm about misconduct.
Our role is to create conditions for our client organisations that receive cases that whistleblowers would otherwise have refrained from reporting. A prerequisite for this is that you, as the whistleblower, know your rights and can trust the system. We have an agreement with our clients (e.g. the organisation that your report concerns) that we will only disclose the information that the whistleblower has submitted in the free text, as well as any files that the whistleblower attaches to his/her report. In those cases that the whistleblower provides his/her contact details to facilitate communication with the case worker, there is an agreement with the client, stating that the client will never have access to these contact details. The only manner in which our client is able to access your contact details is if you actively choose to share this information with the client.
The type of information that the whistleblower system receives is sensitive. Those of us who are behind the service have worked with these types of issues since the beginning of the 2000s, have a good understanding of the complexity and sensitivity of these types of cases, and have experience in how to handle them.
Read more about the technical safety in What guarantees that my identity is not divulged?
In the whistleblower system, you will always start off by being anonymous. When you are anonymous, your personal data is not saved. If you wish to disclose your identity, this is something you can choose to do at a later stage — when you create your report. Then you will receive the question of whether you wish to disclose your identity to the case worker who is handling the report. You can also choose to disclose your identity to the organisation that the report concerns.
We hope that you will choose to disclose your contact details to the case worker, as this facilitates the handling of the case. Please note that when you choose this option, you will only disclose your identity to the external case worker, and not to the organisation that your report concerns.
Yes, you will always start off as anonymous in the system. You will then later make an active choice as to whether you wish to submit your contact details.
If you do not state your name in the report, it will not be possible to see who submitted the case to the system. Trumpet has been developed based on the highest standards of confidentiality and security:
- All submitted information is encrypted according to a method that allows only the whistleblower and case worker to access your personal data or read the complete report. The encryption algorithms that we use (AES-256) are always updated, secure and evaluated methods that follow the highest security standards.
- All communication with the service, i.e. between the visitor’s computer and the service’s servers, is encrypted according to the most secure internet standard SSL OV. "SSL" means encrypting the information, which effectively protects against interception. "OV" is an extension that, in addition to encryption, also guarantees the protection of the identity of the server with which the visitor is communicating, which protects against fraudsters.
- The system has been designed to not store any information regarding either those visiting the web service, or those submitting reports. Traceable information is not stored in either visitor statistics or system logs. Only the personal data submitted by you, as a whistleblower, in your report will be stored, and you yourself can choose who is given access to that information.
Being anonymous means that neither your personal data nor information from your computer, such as the IP address, will be stored or can be traced. In the whistleblower system, you will always start off by being anonymous. If you wish to disclose your identity, this is something you can choose to do at a later stage when you create your report. There are two options. Either you can choose to only disclose your identity to the case worker handling the report. You can also choose to disclose your identity to both the case worker and the organisation that the report concerns.
When you choose to disclose your identity to your case worker, direct contact can be established by phone, etc. This facilitates the processing of the case , as we are able to have a fast and open dialogue with you. It is possible to have a dialogue via the system, even if you choose to remain anonymous; however, this is not as effective, as it relies on the frequency of your logins to update you about the case’s status, and to answer any questions that may be crucial to the process.
The people who handle cases that come in via the whistleblower system work on behalf of Whitepaper Advisors. In order to work within this service, all case workers have a duty of confidentiality in accordance with an established confidentiality agreement.
Read more under Why can I trust Trumpet?
When you create your report, you will be asked whether you wish to disclose your identity. You can do this in two ways:
- Only disclose your identity to the case worker handling the report. If you choose this option, only our case worker will gain access to your personal data in order to conduct communication with you. (Therefore, White Paper Advisors are responsible for personal data. ) The case worker is always an external, independent party, and the information regarding your identity will not be disclosed to the organisation in question.
- Disclose your identity to both your case worker and the organisation to which the case pertains. In this case, we will share your personal data with the organisation’s committee that is responsible for deciding how to handle the case. (Therefore, the organisation is responsible for your personal data.)
If your report states that someone in the committee is involved, this person will be excluded from participating in the decision and further management of the case.
Start by identifying the problem, and think through what occurred. Describe all the facts you are aware of. Develop your statement carefully, as well as anything else that is relevant to the report. The information you provide must be as accurate and detailed as possible. Omit private opinions or speculations.
Use the questions below to provide as clear a picture as possible:
- What type of event the complaint concerns?
- Who is/are involved?
- When it happened?
- Where it happened?
- If it was a one-off event, or if the problem is ongoing or recurring?
Include contact information of potential witnesses, or state where to find any evidence (e.g. in paper or electronic format).
You may report what you feel is a problem, on the condition that it is subject to the requirements set out in your organisation’s whistleblower policy, e.g. that it constitutes violations of legislation in specially designated areas. A problem often consists of one or more events that are connected to a time and a person. By events, we mean observable behaviour or occurrences, i.e. some type of course of events that has occurred, is occurring, or is about to occur. It facilitates the process if you highlight who is involved, but you are not required to do so in order to submit a report.
The report is always received by an independent case worker. (The case worker is independent of the organisation that your report concerns. As a whistleblower, you always start out being anonymous to the case worker. You can, however, choose to disclose your personal data to the case worker. If you wish, you can also choose to disclose your identity to both the case worker and the organisation that your report concerns.) We will provide you with feedback about the case’s status via this channel. The case worker raises the issue to the organisation’s committee that handles whistleblower cases. It is ultimately the organisation’s committee that decides whether an investigation should take place. What happens depends on the scope and significance of your report. Read more in Who can read my report?
The system is owned and run by Whitepaper Advisors, and a case worker who works for Whitepaper Advisors will be the first to receive and handle the case with your report. All contact via the whistleblower system is conducted with the case worker.
All organisations that use our service have a committee, to which the case worker reports any incoming cases. It is ultimately the organisation’s committee that decides how each case should be handled. Before the committee gains access to the case, it is reviewed to ensure that the report does not name anyone in the committee as being is involved. If this is the case, the person(s) will be excluded from any further handling of the case. A description of how the committee works is available on your organisation’s website (where you found the login information for the whistleblower system).
The system has been technically constructed in such a way that no one without authorised access is able to retrieve your report, according to the choice you made when the report was created. Read more in What guarantees that my identity is not divulged?
The event that you report causes a case to be directly created in the whistleblower system with a unique case number. The content will be stored as long as the case remains open. (You will receive feedback about the case’s status through the whistleblower system. In connection with a case being closed, all the content that has been saved in the whistleblower system will be erased, i.e. all the information that you submitted in your report. No personal data given in your report will remain in the whistleblower system once the content of a case has been erased.)
If you have found your way here, it means that you belong to, or know of, an organisation that you wish to report in some way. It may be a company or a public organisation, such as the authorities or municipalities. A financial or non-profit association is also considered to be an organisation.
Each organisation that uses Trumpet has its own identity in our system. Each identity has an associated committee that decides how the case will be assessed, as well as potentially investigated.
When you use the address or link on your organisation’s website, the case will be created for the correct organisation whose whistleblower service we are managing. This ensures, from the very beginning, that we will refer your report to the correct committee.
In your report, you can state specifically whether it concerns, for example, a certain department.
You do not need to add the person’s title. The field exists, as it facilitates the identification of the person if you state their title. In the title field, you can also briefly describe where the person works, or what he/she works with. For example, in the title field, you can write which department the person works in, or any other information that you may have about the person’s work that may help us to identify the person.
Yes, that works just as well. The purpose of the title field is to help the case worker identify the person(s) highlighted in your report, and how they are violating the areas that are reportable in the whistleblower system.
If you are unsure, you can write it in the field designated for the person’s name. In the field, describe what you know about the person, and try to describe the person as well as you can: What is the person’s role? Perhaps the person works in a specific department, or as part of a specific work team?
There is no requirement that you name a person. You are allowed to judge the need of either naming the person or not. The relevance of naming the person depends on what you wish to report.
The most clear and simple communication is via the online form. Regardless of how you wish to make a report, a case will be created for your report in the whistleblower system. We offer different channels to allow you the opportunity to choose the reporting manner in which you feel most comfortable communicating.
Regardless of which channel you choose, no data about who has submitted the report will be saved.
You have 180 minutes to create and submit your report, and then the window will close down automatically, and all your data will disappear.
There is always a risk of leaving traces on the device and networks used. If you wish to ensure that your employer does not have the opportunity to trace your activity, you should use a private computer or phone, and visit the service from a network you trust, such as your home network.
“Incognito mode” is a way to reduce the number of traces that your visit to the service leaves on the computer or phone you are using. The web browser will not save information, such as website history and the temporarily downloaded files that the computer receives every time you visit a website (web pages, images, cookies, etc.).
However, if you want to be completely sure that you are not leaving any traces in your employer’s IT environment, you should use your own private computer or phone, and visit the service from a network you trust, such as your home network.
We do not erase any metadata in the files that you attach. This is because we need to use the information as evidence.
If you submit files that you have not created yourself, there will be no information connected to your computer or to you, as a person, if you have not opened the files and then saved them.
If you want a guarantee that we will not be able to obtain any information that identifies you, we recommend that you do not attach files that you have saved.
You are responsible for the information that you submit in the body of the text, and that you attach as documentation — make sure that your identity is not written down or that someone else can reveal who you are. Enter only your contact details when they are requested in our system.
We are able to communicate with you via this tool, even if you choose to remain anonymous. When you submit your report, you will receive a report key and a password that allow you to log in to the case. Therefore, we ask that you log in regularly to monitor whether we have asked you any questions, and to check the status of the case. You are also able to ask us questions, or add information to your case.
Our operators are available 24/7. All information is processed in a confidential manner. The information you provide is written down and reported as a case in the whistleblower system. Thereafter, a case worker will handle the case.
The person who receives your phone call is an independent party, who has been trained to confidentially accept and register the information that you submit in the whistleblower system. The recipient has a duty of confidentiality and is bound by a confidentiality agreement.
The conversation will not be recorded, and your phone number will not be registered.
There will be no recording of the conversation. You will speak to a person who will take notes and register, in text, whatever you wish to report as a case in the whistleblower system. The person you speak to will ask the same questions as you would receive if you used the online form. A written record of your report will be published on your case page, so you can check that you have been correctly understood.
You can do whichever you prefer. You do not have to disclose your identity regardless of whether you place the letter in the postbox or send it via a postal representative. If you want to ensure that the letter reaches its intended destination, there are services available when you send your letter via a postal representative, which allow you to monitor the letter.
It is entirely up to you. The reason that you can choose between various channels of reporting is that we wish to provide you with an opportunity to report in the manner that you feel most comfortable. For this same reason, you are welcome to write by hand. If you do write by hand, it is important that you write clearly, in order to avoid misunderstanding when the case worker reads your report.
Your letter will be received by an independent case worker. We will not search for any fingerprints. The letter will be scanned in and saved as a case in the whistleblower system, and thereafter the original letter will be destroyed.
You can log in to your case, read messages from the case worker, and send messages to the case worker. If you wish to make changes or additions to the report that you submitted, you can do so by using the message feature. You log in to the case using the login details you were given when submitting the report. However, you cannot log in and see the entire case. This is because we wish to ensure that no unauthorised person is able to obtain the login details and access the entire case.
You can change your choice of being anonymous and choose to disclose your identity, but not vice versa. To make this change, you log in using the login details you were given when you submitted your report. When you are logged in, you are able to send us messages, in which you can choose to change your status regarding your anonymity, as well as attach your personal data.