HSBC has been fined €5,000 by the Data Protection Commissioner for monitoring an employee’s bank account to see whether he was receiving payments other than the bank’s salary. 

The complainant, Mark Muscat, had alleged that the bank had carried out excessive monitoring of his bank account data and also that it had been monitoring his social media posts.

Mr Muscat’s employment with the bank was terminated in December 2018, shortly after he had set up the Independent Bankers’ Union.

Data Protection Commissioner Saviour Cachia heard how, in 2013, Mr Muscat had requested permission to perform part-time work. This was acceded to but in 2017, the bank suspected that this was being done in breach of conditions it had laid down.

As part of its internal investigations, the bank began what the Data Protection Commissioner described as a “fact-finding mission” to see whether he was receiving any remuneration other than the bank’s monthly salary. 

The Data Protection Commissioner said Mr Muscat was never made aware that his accounts were being investigated and that the bank had taken advantage of its position, given that, as a bank it had access to the complainant's bank transactions. The exercise was also in violation of data protection laws, the IDPC said.

The Data Protection Commissioner also investigated a complaint by Mr Muscat that the bank had processed two social media posts on a closed group at a time when he was suspended from work.

One of the posts was deemed to be defamatory and the bank started legal proceedings in court, which it later dropped following changes to defamation laws.

The IDPC ruled that Mr Muscat had been aware of a bank policy regarding social media use so it found that the bank had not breached any data protection laws.