HSBC fined by data protection commissioner for investigating employee’s bank accounts

The notorious HSBC, involved in numerous money-laundering scandals in recent years, is now the subject of data protection issues. HSBC has been fined €5,000 by the Data Protection Commissioner over undue processing of the account data of an employee it suspected of breaching conditions by performing part-time work.

The whistleblower was in fact an ex-employee, Mark Muscat, who has stated that the bank had carried out excessive monitoring of his bank account data and also that it had been monitoring his social media posts. His employment was terminated in December 2018.

According to the investigation of the Data Protection Commissioner Saviour Cachia in 2013, Muscat had asked to perform part-time work but the bank later suspected that this was being done in breach of conditions it had laid down.

In order to verify this, the bank subjected Muscat’s bank accounts to an internal investigation. The complainant was never made aware that his accounts were being investigated. The data protection commissioner said the bank had taken advantage of its position, given that, as a bank, it had access to the complainant’s bank transactions. Any other employer would not have been able to do this. The exercise was also in violation of data protection laws.

During the investigation, the commissioner also confirmed that the bank had processed two social media posts by the complainant. These were posted online, in a closed group, at a time when the complainant was suspended from work. One of the posts, which was about the bank’s CEO, was considered to be defamatory by HSBC. The bank had instituted legal action but withdrew the case after changes to defamation laws.

The bank had also brought these posts to the attention of the complainant, informing him that such posts were in breach of the bank’s policies. The data controller deemed the processing of these posts by the bank to be in line with the law.

For the first allegation, the bank was ordered to pay an administrative fine of €5,000. For the second allegation, the IDPC said no violation had occurred, but said the bank should destroy any copies of the social media posts related to this investigation once the information becomes time-barred from any further legal action.