HSBC reprimanded for “inappropriate reliance on consent”

Tuesday 09 August 2022

HSBC has been formally reprimanded by the Office of the Data Protection Authority (ODPA) after the local branch breached data protection law.

Following an investigation, the ODPA found that HSBC had not appropriately gained consent for the use of an employee’s ‘special category data’, which is data considered to be more sensitive than general personal details.

What happened?

An employee of the Guernsey branch of HSBC made a complaint to the ODPA on July 2021. It was in relation to the processing of their employment data in an employment contract.

The employee said they had been asked to provide their consent to the collection of data for a possible internal disciplinary matter. They said they were uncomfortable at being – in their estimation – forced to provide consent for this information to be gathered.

Under The Data Protection (Bailiwick of Guernsey) Law, 2017 data processing can only be lawful as long as a number of conditions are met, one of which is the freely given consent to the collection of personal data.

“Following an investigation, the ODPA found that HSBC had breached the law because the lawful processing condition it was relying on to use the employee’s personal information – consent - did not meet the legal requirements necessary,” said the ODPA. 

“The Authority issued a reprimand to HSBC, which is a formal recognition of wrongdoing and one of the sanctions available under the local data protection law.”

Commenting on the incident, the Data Protection Commissioner, Emma Martins, said: “Consent for processing is only valid where an individual is free to make a choice. 

“Where there is a significant power imbalance, such as in an employer/employee relationship, consent is rarely appropriate as it cannot realistically be easily withheld. We welcome the changes that the Controller has now put in place to ensure individuals are treated fairly and lawfully as the Law requires.” 

The ODPA said the incident raises “some broad learning points for local employers to take note of”: 

• Organisations must have a clear understanding of the specific lawful processing conditions they are relying upon to process individuals’ personal data. 
• Consent is commonly misused, particularly in cases where a clear imbalance of power exists, making it difficult to demonstrate that consent has been freely given. 
• Organisations must document the specific legal basis they are using for any given use of people’s personal information, and must ensure its use is appropriate.