HSBC has been reprimanded by Guernsey's data protection watchdog for how it handled an employee during a disciplinary process.
Following an investigation, the ODPA found that HSBC had not appropriately gained consent for the use of an employee’s ‘special category data’, which is data considered to be more sensitive than general personal details.
An employee of the Guernsey branch of HSBC made a complaint to the ODPA on July 2021. It was in relation to the processing of their employment data in an employment contract.
The employee said they had been asked to provide their consent to the collection of data for a possible internal disciplinary matter. They said they were uncomfortable at being – in their estimation – forced to provide consent for this information to be gathered.
Under Guernsey's data protection law, which was introduced in 2017, data processing can only be lawful as long as a number of conditions are met, one of which is the freely given consent to the collection of personal data.
"Following an investigation, the ODPA found that HSBC had breached the law because the lawful processing condition it was relying on to use the employee's personal information – consent - did not meet the legal requirements necessary," said the ODPA.
"The Authority issued a reprimand to HSBC, which is a formal recognition of wrongdoing and one of the sanctions available under the local data protection law."
Commenting on the incident, the island's Data Protection Commissioner, Emma Martins, said: "Consent for processing is only valid where an individual is free to make a choice.
"Where there is a significant power imbalance, such as in an employer/employee relationship, consent is rarely appropriate as it cannot realistically be easily withheld.
"We welcome the changes that the Controller has now put in place to ensure individuals are treated fairly and lawfully as the Law requires."
The ODPA said the incident raises "some broad learning points for local employers to take note of":
Organisations must have a clear understanding of the specific lawful processing conditions they are relying upon to process individuals' personal data.
Consent is commonly misused, particularly in cases where a clear imbalance of power exists, making it difficult to demonstrate that consent has been freely given.
Organisations must document the specific legal basis they are using for any given use of people's personal information, and must ensure its use is appropriate.
Comments
Comments on this story express the views of the commentator only, not Bailiwick Publishing. We are unable to guarantee the accuracy of any of those comments.