Whistleblowing-Reporting Information on Illegal Conduct

Internal Reporting to the Anti-Corruption and Transparency Officer

What can be reported

Reports must be about breaches of Italian or EU legal provisions, of which the reporting person (or whistleblower) became aware while working for or at the University.

These include, for example, criminal, civil, administrative or accounting offences that may harm the public interest or the integrity of the University.

Who can make a report

The following individuals can submit a report:

  • professors and research fellows, university managers and members of the technical-administrative and library staff;
  • self-employed persons and those who have an ongoing collaboration with the University, including PhD students and post-doctoral fellows (so-called "assegnisti");
  • any person employed by or collaborating with enterprises that provide goods, services or work to the University;
  • freelance professionals and consultants;
  • volunteers and paid or unpaid trainees/interns;
  • persons who hold administrative, managerial, control, supervisory or representative roles.

Reports may also be submitted by persons whose legal relationship with the University is yet to begin, if the information on breaches was acquired at a pre-contractual stage, or by persons whose legal relationship with the University has ended, if the information was acquired during said relationship.

Protections for reporting persons

The University ensures full and effective compliance with the system of legal protections for reporting persons. More specifically, the University protect the confidentiality of the identity of the reporting person, excludes whistleblowing reports from the scope of document access requests, and enforces compliance with the provisions on the prohibition of retaliations against reporting persons and the categories referred to in art. 3, para. 5 of Legislative Decree no. 24/2023.

The categories listed under art. 3, para. 5 of Legislative Decree no. 24/2023 are:

  • internal facilitators, i.e. individuals who work within the University and assist the reporting person during the reporting process;
  • third persons who have a legal relationship with the University and are either the reporting person’s partner or his/her relatives within the fourth degree of kinship;
  • colleagues of the reporting person;
  • legal entities that the reporting person owns or works for, or legal entities that operate in the same work-related context.

How to contact the RPCT

Individuals can report to the Anti-Corruption and Transparency Officer ("Responsabile della Prevenzione della Corruzione e della Trasparenza", RPCT), if, in the course of their work for or at the University of Milan, they become aware of illegal conduct that may harm the public interest or the integrity of the University. Reports can be submitted as follows:

  1. in writing, via an ad-hoc online platform that uses a cryptographic protocol to separate the identity of the reporting person from the contents of the report;
  2. in writing, by letter to the RPCT (delivered by hand, regular mail or using the internal mail service); 
  3. orally, by sending a recorded voice message via the platform mentioned in point 1
  4. orally, during a confidential one-to-one meeting with the RPCT.
     
How to access the Whistleblowing Platform

N.B.:

The whistleblowing platform should be preferred over the other reporting channels, as it ensures that the identity of the reporting person remains confidential. In fact, the system separates the identity of the reporting person from the report itself, so that neither the RPCT nor the working group can access this information, even if it was actually entered onto the platform. Moreover, the system does not disclose the email address of the reporting person. If the report is submitted using the TOR network, not even the IP address of the computer can be identified.

The whistleblowing platform is available at: https://whistleblowing.unimi.it/.

The platform encrypts all personal data entered by the reporting person, ensuring confidentiality and anonymity while complying with accessibility and integrity requirements. The email address of the reporting person is encrypted using a web secure protocol (https), so that not even system administrators can see it. Moreover, the access logs of the system hosting the platform store no sensitive data.

Personal data entered by the reporting person are separated from the report. This process ensures maximum confidentiality, as neither system administrators nor the working group have access to the identity of the reporting person. The only way for them to obtain information on the identity of the reporting person is to submit a motivated request to the appointed “identity guardian”, as provided for by Italian regulations.

Alternatively, the whistleblowing platform is also accessible via TOR at http://orvmsgkxjgibh7eybau7v63sohd4ca2ity4rodk4f7jswxo2aupd75id.onion (but only outside the University’s own internet network and the Eduroam network). Access via TOR ensures even greater protection for reporting persons in terms of anonymity and untraceability.

In order to access the TOR network, you have to download the TOR browser from https://www.torproject.org/projects/torbrowser.html.en

The TOR network not only hides your online activity, but also ensures that any information exchanged between you and the websites you are visiting remains anonymous. This means that the recipient of the report and all intermediaries have no access to your IP address (see https://www.torproject.org/ for further details).

We remind you that for security reasons, the TOR network cannot be accessed from the UniMi internet network, nor from Eduroam. If you click on any link, you will receive a message stating that the website has been blocked or that no safe connection could be established. Therefore, we suggest you use an external network.

Please note that the whistleblowing platform has been updated to version 4.14.4.

Attention!

After entering a report on the platform, you will receive a unique identifier called key code, which you will have to use to communicate anonymously with the University and to receive feedback and updates on the processing of your report.

We advise you to store your key code carefully, because we won’t be able to retrieve it or duplicate it if you lose it.

For information on the whistleblowing platform, please contact [email protected].

RPCT Working Group

The RPCT is supported by a working group made up of university managers and members of the technical and administrative staff holding managerial positions (except for the Head of the Disciplinary Proceedings Office, who cannot be a member of the group). The working group is appointed a by Rector's decree and assists the RPCT in following up on the reports, bringing to bear a wide range of skills in different fields.

External Reporting to A.N.AC. and Public Disclosure

The reporting person can report directly to the Italian National Anti-Corruption Authority (A.N.AC.) in the following cases:

  • he/she has submitted a report to the RPCT, but the University has not followed up on the report within the expected timeframe;
  • he/she has reasonable grounds to believe an internal report would not be effectively addressed or may lead to retaliation;
  • the breach may constitute an imminent or manifest danger to the public interest.

Lastly, the reporting person can publicly disclose the breach in question, but only if:

  • he/she has already reported the breach to the University’s RPCT and to A.N.AC., or directly to A.N.AC. (if the conditions for external reporting were met), but they did not follow up on the report within the expected timeframe;
  • he/she has reasonable grounds to believe that the breach may constitute an imminent or manifest danger to the public interest;
  • he/she has reasonable grounds to believe that reporting to A.N.AC. would lead to retaliation or would result in the breach not being effectively addressed, due to the particular circumstances of the case (e.g. evidence may be concealed or destroyed, or there is a well-founded suspicion that the person receiving the report is in collusion with the perpetrator or directly involved in the breach).
Ultima modifica
Giovedì, 29 Febbraio, 2024 - 10:56