Guernsey Press

HSBC censured for data law infringement

HSBC has been formally reprimanded by the Office of the Data Protection Authority for its handling of an employee’s personal data.


The issue came to the attention of the ODPA last summer, when a complaint was made.

The complainant alleged that they were required to provide their consent to the collecting, recording and use of their personal data for what they believed was a possible internal disciplinary matter.

However, they were uncomfortable, as they felt forced to give consent.

For the processing of personal data to be lawful, a controller must rely on one of a number of lawful conditions. Consent is one such condition.

It must be freely given and for only specified purposes, of which the individual has been fully informed in a clear and unambiguous manner.

This handling did not comply with these conditions, leading to the reprimand.

‘Consent for processing is only valid where an individual is free to make a choice,’ said data protection commissioner Emma Martins.

‘Where there is a significant power imbalance, such as in an employer/employee relationship, consent is rarely appropriate as it cannot realistically be easily withheld.

‘We welcome the changes that the controller has now put in place to ensure individuals are treated fairly and lawfully as the law requires.’

An HSBC spokesman said it took note of the statement from the ODPA.

‘The ODPA’s finding relates only to the incorrect legal basis cited by the bank for the processing in this case,’ they said.

‘It does not question the lawfulness of the bank’s data processing more generally.

‘HSBC takes its data protection responsibilities seriously and welcomes feedback from the ODPA in this case.’