whistleblower-compliance
⚠️ EXPERIMENTAL — This skill is provided for educational and informational purposes only. It does NOT constitute legal advice. All responsibility for usage rests with the user. Consult qualified legal professionals before acting on any output.
Whistleblower Compliance Skill
Overview
Production-ready whistleblower compliance toolkit for auditing existing reporting systems and drafting compliant policies. Covers EU Directive 2019/1937, US SOX Section 806, US Dodd-Frank, and UK Public Interest Disclosure Act 1998. Operates in two modes: Mode A (Assessment) runs an 8-phase, 56-checkpoint audit of existing systems; Mode B (Drafting) generates jurisdiction-specific reporting policies.
Tools
1. Compliance Checker (scripts/whistleblower_compliance_checker.py)

Assess an existing whistleblower system against regulatory requirements. Takes organizational parameters and outputs a compliance score with priority-classified gaps.
```bash
python scripts/whistleblower_compliance_checker.py \
  --jurisdiction EU --headcount 300 --sector financial \
  --channels internal,external --has-designated-person \
  --has-confidentiality --has-gdpr-measures --has-dissemination

python scripts/whistleblower_compliance_checker.py \
  --jurisdiction US --headcount 5000 --sector healthcare \
  --channels internal --json

python scripts/whistleblower_compliance_checker.py \
  --jurisdiction UK --headcount 50 --sector technology \
  --channels none
```
2. Policy Scaffolder (scripts/whistleblower_policy_scaffolder.py)

Generate a whistleblower policy skeleton pre-populated with required sections per regulatory framework.
```bash
python scripts/whistleblower_policy_scaffolder.py \
  --jurisdiction EU --org-type private --headcount 500 \
  --org-name "Acme Corp"

python scripts/whistleblower_policy_scaffolder.py \
  --jurisdiction US --org-type public --headcount 10000 \
  --org-name "MegaCorp Inc" --json

python scripts/whistleblower_policy_scaffolder.py \
  --jurisdiction UK --org-type nonprofit --headcount 100 \
  --org-name "CharityOrg" --output policy-draft.md
```
Reference Guides
| Reference | Purpose |
|---|---|
| | Multi-jurisdiction whistleblower regulations, comparison matrix |
| assessment_checklist.md | 8-phase, 56-checkpoint assessment with priority classifications |
Workflows
Mode A: Assessment Workflow
- Gather Parameters -- Collect jurisdiction, headcount, sector, and system description
- Run Compliance Checker -- Execute `whistleblower_compliance_checker.py` with those parameters
- Review Gaps -- Prioritize CRITICAL gaps first, then IMPORTANT, then IMPROVEMENT
- Cross-Reference Checklist -- Walk through `assessment_checklist.md` for manual verification
- Generate Remediation Plan -- Address gaps by priority, set deadlines per regulatory timelines
Mode B: Drafting Workflow
- Determine Jurisdiction -- Identify applicable regulations based on headquarters and operations
- Generate Scaffold -- Run `whistleblower_policy_scaffolder.py` with organization details
- Customize Sections -- Replace placeholders with organization-specific information
- Legal Review -- Route draft through legal counsel for jurisdiction-specific validation
- Approval & Publication -- Obtain board/management approval and disseminate to all personnel
8-Phase Assessment Framework
| Phase | Focus | Checkpoints |
|---|---|---|
| 1. Applicability | Regulatory scope determination | 3 |
| 2. Reception Channel | Reporting channel adequacy | 5 |
| 3. Designated Persons | Personnel and independence | 7 |
| 4. Verification/Processing | Investigation procedures | 8 |
| 5. Confidentiality | Identity and data protection | 9 |
| 6. Dissemination/Information | Awareness and accessibility | 10 |
| 7. Data Protection/GDPR | Privacy compliance | 12 |
| 8. Sector-Specific | Industry requirements | 6 |
| Total | | 60 |
Three Reporting Channels
| Channel | When Used | Key Requirements |
|---|---|---|
| Internal | First preference; report to organization | Acknowledge within 7 days; feedback within 3 months |
| External (Regulatory) | When internal fails or is inappropriate | Report to competent authority; same protections apply |
| Public Disclosure | Last resort; imminent danger or retaliation | Protected only if internal/external channels exhausted |
Whistleblower Protections
| Protection | Description |
|---|---|
| Civil immunity | No liability for breach of confidentiality obligations |
| Criminal immunity | No criminal liability for acquiring reported information |
| Prohibited retaliation | Dismissal, demotion, harassment, blacklisting, discrimination |
| Burden of proof reversal | Employer must prove action was not retaliatory |
| Interim relief | Provisional protection during investigation |
| Legal aid access | Access to legal counsel and support |
Priority Classification
| Priority | Definition | Example |
|---|---|---|
| CRITICAL | Legal non-compliance; immediate regulatory risk | No reporting channel exists; no confidentiality measures |
| IMPORTANT | Significant gap reducing system effectiveness | Acknowledgment timeline exceeds 7 days; no designated person |
| IMPROVEMENT | Enhancement opportunity; not currently non-compliant | Training frequency below best practice; limited channel types |
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| Checker reports all CRITICAL | No system parameters provided | Provide accurate |
| Wrong jurisdiction requirements | Multi-jurisdiction entity using single jurisdiction | Run checker separately per jurisdiction; use strictest requirements |
| Policy scaffold missing sections | Jurisdiction flag incorrect | Verify |
| Headcount threshold confusion | EU directive has different thresholds by entity type | Private sector: 50+ employees; public sector: all municipalities |
| Sector-specific gaps not flagged | Generic sector value used | Use specific sector: |
| GDPR checks fail for US entity | US entities may still need GDPR compliance | If processing EU citizen data, add |
| Timeline requirements unclear | Different jurisdictions have different timelines | EU: 7-day ack, 3-month feedback; SOX: 180-day filing deadline |
| Policy output too generic | Minimal parameters provided | Add |
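As an added illustration (not the project's own script), the priority rules from the Priority Classification table and the per-jurisdiction handling the Troubleshooting table calls for, modelled in Python. The `System` flags mirror the checker's `--has-*` options; the score weights, the GDPR handling for US/UK entities and the `processes_eu_data` flag are assumptions.

```python
"""Illustrative gap classifier (added example, not the project's own script).
Rules follow the page's Priority Classification and Troubleshooting tables;
score weights, GDPR handling for US/UK and the flag names are assumptions."""
from dataclasses import dataclass, field

RANK = {"CRITICAL": 0, "IMPORTANT": 1, "IMPROVEMENT": 2}
PENALTY = {"CRITICAL": 30, "IMPORTANT": 10, "IMPROVEMENT": 3}  # assumed score weights


@dataclass
class System:
    jurisdiction: str                           # EU, US or UK
    channels: set = field(default_factory=set)  # subset of {"internal", "external"}; empty == none
    designated_person: bool = False
    confidentiality: bool = False
    gdpr_measures: bool = False
    dissemination: bool = False
    ack_within_7_days: bool = False
    feedback_within_3_months: bool = False
    processes_eu_data: bool = False             # assumed flag, cf. the GDPR troubleshooting row

def assess(s: System) -> dict:
    """Return gaps sorted CRITICAL > IMPORTANT > IMPROVEMENT plus a 0-100 score."""
    rules = [  # (is_gap, id, priority, reason)
        # CRITICAL: legal non-compliance, immediate regulatory risk
        (not s.channels, "channel", "CRITICAL", "no reporting channel exists"),
        (not s.confidentiality, "confidentiality", "CRITICAL", "no confidentiality measures"),
        # IMPORTANT: significant gap reducing system effectiveness
        (not s.designated_person, "designated-person", "IMPORTANT", "no designated person"),
        (not s.ack_within_7_days, "ack-timeline", "IMPORTANT", "acknowledgment exceeds 7 days"),
        (not s.feedback_within_3_months, "feedback-timeline", "IMPORTANT", "feedback exceeds 3 months"),
        (not s.dissemination, "dissemination", "IMPORTANT", "policy not disseminated to all personnel"),
        # GDPR applies to EU entities, and to US/UK entities only when EU personal data is processed
        (not s.gdpr_measures and (s.jurisdiction == "EU" or s.processes_eu_data),
         "gdpr", "IMPORTANT", "GDPR/data protection measures missing"),
        # IMPROVEMENT: enhancement opportunity, not non-compliant today
        (s.channels == {"internal"}, "channel-types", "IMPROVEMENT", "limited channel types"),
    ]
    gaps = [{"id": i, "priority": p, "reason": r} for hit, i, p, r in rules if hit]
    gaps.sort(key=lambda g: RANK[g["priority"]])  # stable sort keeps rule order within a priority
    return {"score": max(0, 100 - sum(PENALTY[g["priority"]] for g in gaps)), "gaps": gaps}

def merge_strictest(results):
    """Multi-jurisdiction org: assess per jurisdiction, then keep the strictest verdict per gap."""
    merged = {}
    for g in (g for r in results for g in r["gaps"]):
        if g["id"] not in merged or RANK[g["priority"]] < RANK[merged[g["id"]]["priority"]]:
            merged[g["id"]] = g
    return sorted(merged.values(), key=lambda g: RANK[g["priority"]])
```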
Success Criteria
- Compliance Coverage: Assessment covers 100% of applicable regulatory requirements for specified jurisdiction
- Gap Identification: All CRITICAL and IMPORTANT gaps identified with clear remediation guidance
- Policy Completeness: Generated policies include all mandatory sections per applicable regulation
- Timeline Compliance: Policies reflect correct acknowledgment (7 days) and feedback (3 months) timelines
- Audit Readiness: Assessment output sufficient for regulatory audit preparation and evidence gathering
Scope & Limitations
This skill covers:
- Compliance assessment against EU Directive 2019/1937, US SOX/Dodd-Frank, UK PIDA
- Policy scaffolding with jurisdiction-specific mandatory sections
- Gap analysis with priority classification and remediation guidance
- Multi-sector considerations (financial, healthcare, defense, nuclear, transport)
This skill does NOT cover:
- Actual whistleblower case management or investigation procedures
- Legal advice or attorney-client privileged analysis
- Real-time regulatory monitoring or automatic updates when laws change
- Whistleblower hotline software implementation or vendor selection
- Cross-border reporting coordination between multiple regulators
Anti-Patterns
| Anti-Pattern | Why It Fails | Better Approach |
|---|---|---|
| Copy-pasting policy from another jurisdiction | Regulations differ materially; EU requires 7-day ack, SOX has 180-day filing | Run scaffolder with correct jurisdiction; customize per local requirements |
| Treating all gaps as equal priority | Wastes resources on improvements while CRITICAL gaps remain | Address CRITICAL first, IMPORTANT second, IMPROVEMENT last |
| Single assessment for multi-jurisdiction org | Each jurisdiction has unique requirements and thresholds | Run separate assessments per jurisdiction; merge into unified policy |
| Skipping sector-specific phase | Regulated sectors (financial, healthcare) have additional requirements | Always complete Phase 8 for regulated industries |
| No periodic reassessment | Regulations evolve; transposition deadlines pass | Schedule annual reassessment; monitor legislative changes |
Tool Reference
scripts/whistleblower_compliance_checker.py

Assess whistleblower system compliance against regulatory requirements.
```text
usage: whistleblower_compliance_checker.py [-h] [--json]
                                           --jurisdiction {EU,US,UK}
                                           --headcount HEADCOUNT
                                           --sector SECTOR
                                           [--channels CHANNELS]
                                           [--has-designated-person]
                                           [--has-confidentiality]
                                           [--has-gdpr-measures]
                                           [--has-dissemination]
                                           [--has-acknowledgment-timeline]
                                           [--has-feedback-timeline]

options:
  -h, --help                     Show help message and exit
  --json                         Output in JSON format
  --jurisdiction                 Regulatory jurisdiction: EU, US, or UK
  --headcount                    Number of employees in the organization
  --sector                       Industry sector (financial, healthcare, technology, etc.)
  --channels                     Comma-separated channel types: internal, external, none
  --has-designated-person        Designated person(s) appointed for handling reports
  --has-confidentiality          Confidentiality measures in place
  --has-gdpr-measures            GDPR/data protection measures implemented
  --has-dissemination            Policy disseminated to all personnel
  --has-acknowledgment-timeline  7-day acknowledgment timeline met
  --has-feedback-timeline        3-month feedback timeline met
```
scripts/whistleblower_policy_scaffolder.py

Generate jurisdiction-specific whistleblower policy skeleton.
```text
usage: whistleblower_policy_scaffolder.py [-h] [--json]
                                          --jurisdiction {EU,US,UK}
                                          --org-type {public,private,nonprofit}
                                          --headcount HEADCOUNT
                                          [--org-name ORG_NAME]
                                          [--output OUTPUT]

options:
  -h, --help      Show help message and exit
  --json          Output in JSON format
  --jurisdiction  Regulatory jurisdiction: EU, US, or UK
  --org-type      Organization type
  --headcount     Number of employees
  --org-name      Organization name (used in policy template)
  --output        Write policy to file instead of stdout
```