HSBC bank in Malta has been fined €5,000 by the Data and Information Protection Commissioner after it was found that it had searched through the personal accounts of its employee to see whether he had any other income from some other job.
Mark Muscat alleged that the bank had searched through his account and even searched through the job titles he has listed on his social media account. Muscat’s employment with the bank ended in 2018.
The Data Protection Commissioner, Saviour Cachia, found that in 2013, Muscat had asked to carry out part-time work, however the bank had suspected that this was being done in breach of the established employment conditions.
In order to verify this, the bank placed Muscat’s bank accounts under an internal investigation. On his part, Muscat complained that he was never informed that his bank accounts were being investigated.
The Commissioner said that the bank took advantage of its position because it had access to Muscat’s banking transactions and pointed out that not all employers are in a position to do this. He added that this exercise by the bank is in breach of Data Protection laws.
During the investigation, the Commissioner confirmed that the bank had analysed two posts by Muscat on his social media. These were posted in a closed group while Muscat was suspended from work. One of the posts, about the Bank’s CEO, was considered defamatory. This led the bank to take legal action against Muscat, but it withdrew the case when the defamatory law was changed.
HSBC bank had drawn Muscat’s attention to these posts and had informed him that they constituted a breach of the bank’s policies. The Data Protection Commissioner said that the analysis of these posts was made according to law.
With reference to the first allegation, the Bank was ordered to pay an administrative fine of €5,000. As for the second allegation, the Commissioner did not find any breach of the law. However the bank was told to destroy any copies of posts on social media which are related to the investigation.