The Malta Independent 19 August 2019, Monday

HSBC fined by data protection commissioner for investigating employee’s bank accounts

Wednesday, 14 August 2019, 18:30 Last update: about 4 days ago

HSBC has been fined €5,000 by the Data Protection Commissioner over undue processing of the account data of an employee it suspected of breaching conditions by performing part-time work.

The complainant, Mark Muscat, had alleged that the bank had carried out excessive monitoring of his bank account data and also that it had been monitoring his social media posts.

Muscat’s employment with the bank was terminated in December 2018.

ADVERTISEMENT

Data Protection Commissioner Saviour Cachia found that, in 2013, Muscat had asked to perform part-time work but the bank later suspected that this was being done in breach of conditions it had laid down.

In order to verify this, the bank subjected Muscat’s bank accounts to an internal investigation. The complainant was never made aware that his accounts were being investigated.  The data protection commissioner said the bank had taken advantage of its position, given that, as a bank it had access to the complainant's bank transactions. Any other employer would not have been able to do this. The exercise was also in violation of data protection laws, the IDPC said.

During the investigation, the commissioner also confirmed that the bank had processed two social media posts by the complainant. These were posted online, in a closed group, at a time when the complainant was suspended from work. One of the posts, which was about the bank’s CEO, was considered to be defamatory by HSBC. The bank had instituted legal action but withdrew the case after changes to defamation laws.

The bank had also brought these posts to the attention of the complainant, informing him that such posts were in breach of the bank’s policies. The data controller deemed the processing of these posts by the bank to be in line with the law.

For the first allegation, the bank was ordered to pay an administrative fine of €5,000. For the second allegation, the IDPC said no violation had occurred, however said the bank should destroy any copies of the social media posts related to this investigation once the information becomes time-barred from any further legal action.

  • don't miss