The Malta Independent 24 April 2024, Wednesday

Central Bank served with a reprimand by Information and Data Protection Commissioner

Friday, 21 February 2020, 11:42

The Central Bank of Malta has been served with a reprimand by the Information and Data Protection Commissioner (IDPC) Saviour Cachia, over a case involving a former employee.

On 2 October 2019, a former employee filed a complaint with the IDPC alleging that the Central Bank of Malta violated the provisions of the General Data Protection Regulation (GDPR) by unlawfully processing his personal data.

The complainant, an active member of the Union Haddiema Bank Centrali (UHBC), had been working for the Central Bank for 13 years, until July 2019, when he was dismissed as a result of disciplinary proceedings relating to inappropriate use of information concerning the Governor’s Award, the IDPC’s decision read. The complainant argued that the Central Bank had breached data protection and confidentiality obligations during the proceedings.

The first allegation was that, when the Central Bank launched the investigation, it informed a third party, namely the UHBC President, that he was being suspended pending investigations for alleged gross misconduct. The complainant argues that this information was disclosed without legitimate reason and without his consent.

The second allegation was that the complainant was not afforded any privacy when he was forced to access personal banking data in the presence of other bank officials and when his request to delete his personal and Union data from the Central Bank’s hardware was declined. He was also allegedly asked to sign a declaration granting the Central Bank consent to access any information on its property, namely his computer, network and corporate email account.

The third allegation was that during the proceedings, the complaint to the IDPC read, “it emerged that the same information which the complainant was accused of mishandling was divulged and shared by the Central Bank with other bank employees by means of an email sent to all applicants of the Governor’s Award, which resulted in the applicants getting to know each other’s identity. The complainant himself was also an applicant of the Governor’s Award and consequently his information was also disclosed in such email.”

The fourth allegation was that, in a report drafted by an investigation team appointed by the Central Bank to investigate the inappropriate use of information by the complainant, it was established that there existed a systemic failure within the Central Bank in relation to Information Security Risk Management. The report explicitly affirmed that ‘meanwhile the Bank needs to review its data access strategy as regards the deployment and use of the privileged accounts to avoid similar, information leak-related incidents in future.’ Furthermore, it is being alleged that such deficiencies had been already escalated by the Chief Officer Internal Audit Compliance and Legal Division, however, the bank kept prioritising productivity over security.”

On the first allegation, the IDPC noted that the Chief Officer Human Resources had communicated with the UHBC’s President to make him aware that an executive member of the union was being suspended pending the outcome of an internal investigation. The IDPC noted that while communicating a decision of the disciplinary board following an investigation would have been considered to be in line with the collective agreement and therefore legitimate in terms of the article in the GDPR, the disclosure of information prior to the decision was not in accordance with such article. The IDPC found that the Central Bank went beyond the collective agreement and failed to satisfy a lawful ground when disclosing information concerning the suspension of the complainant to the UHBC.

On the second allegation regarding the complainant’s privacy, the IDPC found that it is unarguable that the Central Bank had a right to conduct the necessary investigation and for such a reason extract the information contained on the workstation assigned to the complainant and any related documentation kept on the bank’s servers. The IDPC found that the Central Bank acted within the parameters of the law on this point.

On the third allegation, regarding the email sent to inform staff of who applied for the Governor’s Award, the IDPC noted that the personal assistant to the Governor erroneously copied the email addresses of the applicants to the ‘to’ field instead of the ‘bcc’ option. The IDPC found that the Central Bank failed to comply with the relevant legal article when disclosing that the complainant was one of the applicants of the Governor’s Award to all the other applicants.

On the fourth allegation, regarding the report drafted by an investigation team, the IDPC noted that there was not sufficient evidence to prove that the complainant’s data protection rights were infringed.

As a result of all the above, the Central Bank was “served with a reprimand” over violations concerning the first and third allegations, and was instructed to ensure that risk mitigating procedures are in place and followed to avoid similar violations.
