The Guernsey Branch of HSBC has been reprimanded by the Data Protection Authority for collecting sensitive data from a member of staff who felt forced to share it.
An employee of the Guernsey branch of HSBC felt obliged to consent to providing sensitive information (known as ‘special category data’ ) about themselves in connection with what they believed was a possible internal disciplinary matter. The employee felt they had no choice but to provide that consent. The employee then made a formal complaint about HSBC to the Data Protection Authority about how their data was being processed.
Why was that a problem?
For the processing of personal data to be lawful, a controller must use one of several ‘lawful processing conditions’ . Consent is one such condition but must be freely given and only for specified purposes that have been clearly explained to the individual whose data is being processed. Given the imbalance of power that exists in an employer / employee relationship, it is unlikely consent could be considered as freely given.
What has happened as a result?
Following an investigation, the ODPA found that HSBC had breached the law because the lawful processing condition it was relying on to use the employee’s personal information – consent – did not meet the legal requirements necessary.
The Authority issued a reprimand to HSBC, which is a formal recognition of wrongdoing and one of the sanctions available under the local data protection law.
The Bailiwick of Guernsey’s Data Protection Commissioner, Emma Martins said: “Consent for processing is only valid where an individual is free to make a choice. Where there is a significant power imbalance, such as in an employer/employee relationship, consent is rarely appropriate as it cannot realistically be easily withheld. We welcome the changes that the Controller has now put in place to ensure individuals are treated fairly and lawfully as the Law requires.”
What can be learned from this?
The issues in this case were complex, but some broad learning points for local employers to take note of include:
- Organisations must have a clear understanding of the specific lawful processing conditions they are relying upon to process individuals’ personal data.
- Consent is commonly misused, particularly in cases where a clear imbalance of power exists, making it difficult to demonstrate that consent has been freely given.
- Organisations must document the specific legal basis they are using for any given use of people’s personal information, and must ensure its use is appropriate.
- ‘Special category data’ is any information (facts, speculation, or opinion) that relates to a person’s racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, sex life or sexual orientation, or any criminal matters. Special category data is a sub-set of ‘personal data’ which is considered more sensitive, and therefore needs greater protection.
- A ‘lawful processing condition’ is the reason (or reasons) an organisation can point to in data protection law that legally justifies why they are using someone’s personal information to do something. Examples of lawful processing conditions could include: you have a contract with the person that covers how information about them is used, you need to use data for public health reasons, you have the information about the person because they deliberately put it in the public domain. More at: Lawful processing conditions for personal data · ODPA