HSBC fined €5,000 for illegal monitoring of trade unionist’s bank accounts

HSBC Bank Malta fined €5,000 for investigating the transactions of an employee to see whether his account was being credited by other sources aside from the bank’s salary

HSBC Bank Malta has been fined €5,000 by the Information and Data Protection Commissioner (IDPC) for clandestinely investigating the transactions of an employee – an active trade union member – in order to monitor his part-time work.

Former bank employee Mark Muscat had filed a complaint with the Information and Data Protection Commissioner, alleging that HSBC had been carrying out potentially excessive monitoring of his personal data without his knowledge, and sharing it with third parties. These included Facebook posts on his social media accounts.

Muscat had worked with HSBC until 22 June 2018 when his employment was effectively terminated. As the law had subsequently changed, the IDPC ruled that the law in force at the time of the alleged breaches would be used.

Muscat had obtained permission from his employer to perform part-time work in 2013, but in 2017 it was brought to the attention of the bank that he was undertaking part-time work in breach of the conditions the bank had specified.

In order to verify whether this was the case and confirm whether Muscat had been receiving remuneration for other work which was not in line with the specified conditions, the bank conducted a “fact-finding exercise”, subjecting Muscat’s bank account to internal investigations and confirming that his account was being credited by other sources aside from the bank’s salary.

But Muscat was unaware of this and had not been informed that his account was being accessed or investigated for such reasons.

The Information and Data Protection Commissioner said that from the investigation, it became evident that the access to the man’s account details “exceeded what would generally be expected in the conduct of a relationship between a bank and an account holder.”

It was held that in this specific case, the bank had taken advantage of its position and used the visibility which it had over the transactions conducted by the complainant to its advantage.

The bank’s processing of the transactions did not fulfil any of the lawful grounds established by the Act and did not comply with the principles of proportionality and purpose limitation, said the Commissioner, ruling that the data was accessed for a purpose which violated the Data Protection Act.

For this breach the bank was fined €5,000.

It also emerged that the bank had in its possession copies of social media posts made by the complainant in a Facebook group which he administered, posted by Muscat himself using his own facilities, at a time when he was suspended from work. Thus, the Commissioner had immediately ruled out the monitoring of facilities used at the workplace.

The Commissioner noted that once Facebook posts were made available to the group, Muscat lost control of the content, which could have been reproduced or further disseminated by other users.

The posts themselves – one containing statements in relation to the bank’s CEO which were considered defamatory and the other, wherein Muscat shared an internal circular on staff accounts – ended up in the HSBC HR department, where they were deemed unacceptable and in breach of bank policy.

The bank had filed criminal defamation proceedings against Muscat on account of the statements, which were later withdrawn after a change in criminal defamation laws.

In this case, the Commissioner said that in view of the fact that the processing of this data took place amidst a series of employment disputes between Muscat and HSBC, the bank did have a legitimate interest to process this personal data for the purposes of legal or disciplinary action. Muscat had also specifically been made aware of it being in the bank’s possession within the parameters of the law.