Audit whistleblower systems and draft compliant reporting policies. Use when assessing or building whistleblower programs.
```bash
npx skill4agent add borghei/claude-skills whistleblower-compliance
```

⚠️ EXPERIMENTAL — This skill is provided for educational and informational purposes only. It does NOT constitute legal advice. All responsibility for usage rests with the user. Consult qualified legal professionals before acting on any output.
scripts/whistleblower_compliance_checker.py

```bash
python scripts/whistleblower_compliance_checker.py \
  --jurisdiction EU --headcount 300 --sector financial \
  --channels internal,external --has-designated-person \
  --has-confidentiality --has-gdpr-measures --has-dissemination

python scripts/whistleblower_compliance_checker.py \
  --jurisdiction US --headcount 5000 --sector healthcare \
  --channels internal --json

python scripts/whistleblower_compliance_checker.py \
  --jurisdiction UK --headcount 50 --sector technology \
  --channels none
```

scripts/whistleblower_policy_scaffolder.py

```bash
python scripts/whistleblower_policy_scaffolder.py \
  --jurisdiction EU --org-type private --headcount 500 \
  --org-name "Acme Corp"

python scripts/whistleblower_policy_scaffolder.py \
  --jurisdiction US --org-type public --headcount 10000 \
  --org-name "MegaCorp Inc" --json

python scripts/whistleblower_policy_scaffolder.py \
  --jurisdiction UK --org-type nonprofit --headcount 100 \
  --org-name "CharityOrg" --output policy-draft.md
```

| Reference | Purpose |
|---|---|
| | Multi-jurisdiction whistleblower regulations, comparison matrix |
| assessment_checklist.md | 8-phase, 60-checkpoint assessment with priority classifications (checkpoint counts per phase are listed below) |

Files:

- whistleblower_compliance_checker.py
- assessment_checklist.md
- whistleblower_policy_scaffolder.py

| Phase | Focus | Checkpoints |
|---|---|---|
| 1. Applicability | Regulatory scope determination | 3 |
| 2. Reception Channel | Reporting channel adequacy | 5 |
| 3. Designated Persons | Personnel and independence | 7 |
| 4. Verification/Processing | Investigation procedures | 8 |
| 5. Confidentiality | Identity and data protection | 9 |
| 6. Dissemination/Information | Awareness and accessibility | 10 |
| 7. Data Protection/GDPR | Privacy compliance | 12 |
| 8. Sector-Specific | Industry requirements | 6 |
| Total | | 60 |

| Channel | When Used | Key Requirements |
|---|---|---|
| Internal | First preference; report to organization | Acknowledge within 7 days; feedback within 3 months |
| External (Regulatory) | When internal fails or is inappropriate | Report to competent authority; same protections apply |
| Public Disclosure | Last resort; imminent danger or retaliation | Protected if internal/external channels were used without appropriate action being taken, or if an imminent danger to the public interest or a risk of retaliation justifies bypassing them |

| Protection | Description |
|---|---|
| Civil immunity | No liability for breach of confidentiality obligations |
| Criminal immunity | No criminal liability for acquiring or accessing the reported information, provided the acquisition was not itself a self-standing criminal offence |
| Prohibited retaliation | Dismissal, demotion, harassment, blacklisting, discrimination |
| Burden of proof reversal | Employer must prove action was not retaliatory |
| Interim relief | Provisional protection during investigation |
| Legal aid access | Access to legal counsel and support |

| Priority | Definition | Example |
|---|---|---|
| CRITICAL | Legal non-compliance; immediate regulatory risk | No reporting channel exists; no confidentiality measures |
| IMPORTANT | Significant gap reducing system effectiveness | Acknowledgment timeline exceeds 7 days; no designated person |
| IMPROVEMENT | Enhancement opportunity; not currently non-compliant | Training frequency below best practice; limited channel types |

| Problem | Cause | Solution |
|---|---|---|
| Checker reports all CRITICAL | No system parameters provided | Provide accurate `--channels` and `--has-*` flags describing the current system |
| Wrong jurisdiction requirements | Multi-jurisdiction entity using single jurisdiction | Run checker separately per jurisdiction; use strictest requirements |
| Policy scaffold missing sections | Jurisdiction flag incorrect | Verify `--jurisdiction` (EU, US or UK) and `--org-type` |
| Headcount threshold confusion | EU directive has different thresholds by entity type | Private sector: 50+ workers; public sector: all entities (member states may exempt municipalities with fewer than 10,000 inhabitants or fewer than 50 workers) |
| Sector-specific gaps not flagged | Generic sector value used | Use a specific sector such as `financial` or `healthcare` rather than a generic value |
| GDPR checks fail for US entity | US entities may still need GDPR compliance | If processing personal data of individuals in the EU, implement the required measures and pass `--has-gdpr-measures` |
| Timeline requirements unclear | Different jurisdictions have different timelines | EU: 7-day ack, 3-month feedback; SOX: 180-day filing deadline |
| Policy output too generic | Minimal parameters provided | Add `--org-name`; confirm `--org-type` and `--headcount` reflect the organization |

| Anti-Pattern | Why It Fails | Better Approach |
|---|---|---|
| Copy-pasting policy from another jurisdiction | Regulations differ materially; EU requires 7-day ack, SOX has 180-day filing | Run scaffolder with correct jurisdiction; customize per local requirements |
| Treating all gaps as equal priority | Wastes resources on improvements while CRITICAL gaps remain | Address CRITICAL first, IMPORTANT second, IMPROVEMENT last |
| Single assessment for multi-jurisdiction org | Each jurisdiction has unique requirements and thresholds | Run separate assessments per jurisdiction; merge into unified policy |
| Skipping sector-specific phase | Regulated sectors (financial, healthcare) have additional requirements | Always complete Phase 8 for regulated industries |
| No periodic reassessment | Regulations evolve; transposition deadlines pass | Schedule annual reassessment; monitor legislative changes |

scripts/whistleblower_compliance_checker.py

```text
usage: whistleblower_compliance_checker.py [-h] [--json]
                                           --jurisdiction {EU,US,UK}
                                           --headcount HEADCOUNT
                                           --sector SECTOR
                                           [--channels CHANNELS]
                                           [--has-designated-person]
                                           [--has-confidentiality]
                                           [--has-gdpr-measures]
                                           [--has-dissemination]
                                           [--has-acknowledgment-timeline]
                                           [--has-feedback-timeline]

options:
  -h, --help                     Show help message and exit
  --json                         Output in JSON format
  --jurisdiction                 Regulatory jurisdiction: EU, US, or UK
  --headcount                    Number of employees in the organization
  --sector                       Industry sector (financial, healthcare, technology, etc.)
  --channels                     Comma-separated channel types: internal, external, none
  --has-designated-person        Designated person(s) appointed for handling reports
  --has-confidentiality          Confidentiality measures in place
  --has-gdpr-measures            GDPR/data protection measures implemented
  --has-dissemination            Policy disseminated to all personnel
  --has-acknowledgment-timeline  7-day acknowledgment timeline met
  --has-feedback-timeline        3-month feedback timeline met
```

scripts/whistleblower_policy_scaffolder.py

```text
usage: whistleblower_policy_scaffolder.py [-h] [--json]
                                          --jurisdiction {EU,US,UK}
                                          --org-type {public,private,nonprofit}
                                          --headcount HEADCOUNT
                                          [--org-name ORG_NAME]
                                          [--output OUTPUT]

options:
  -h, --help      Show help message and exit
  --json          Output in JSON format
  --jurisdiction  Regulatory jurisdiction: EU, US, or UK
  --org-type      Organization type
  --headcount     Number of employees
  --org-name      Organization name (used in policy template)
  --output        Write policy to file instead of stdout
```