The Information and Data Protection Commissioner (IDPC) Saviour Cachia has served the Central Bank of Malta with a reprimand over a case involving a former employee.
The former bank employee filed a complaint with the IDPC alleging that the Central Bank of Malta had violated provisions of the General Data Protection Regulation (GDPR) by unlawfully processing his personal data. The complaint was filed on 2 October 2019.
The former employee, who was an active member of the Union Haddiema Bank Centrali (UHBC), had been working for the bank for 13 years. He was then dismissed as a result of disciplinary proceedings which related to the inappropriate use of information concerning the Governor’s Award, the IDPC’s decision read. The man argued that during the proceedings, the Bank was in breach of data protection and confidentiality obligations.
The IDPC found the bank had been in breach on two of the four allegations leveled against it. The bank was served with a reprimand over the violations.
The former employee alleged that the Central Bank had informed a third party, the UHBC President, when the investigation was launched and that the employee had been suspended pending the outcome. The complainant argued that this information was disclosed without legitimate reason and without his consent.
The IDPC found that the Chief Officer Human Resources had made the Union’s president aware that a member of the executive of the union was suspended pending the outcome of an internal investigation. The IDPC found that the communication happened prior to the decision and this was not in line with the collective agreement. Further, the IDPC found that the Central Bank went beyond the collective agreement and failed to satisfy a lawful ground when disclosing the information.
The complainant also alleged that he was not afforded any privacy. He was forced to access personal banking data in the presence of other bank officials. The Central Bank declined to uphold his request to delete his personal and Union data from the bank’s hardware. Further, he claimed he was asked to sign a declaration that granted the Central Bank consent to access any information on its property.
On this point, the Commissioner found that the Bank had a right to conduct the necessary investigation and, for that reason, to extract the information contained on the workstation and any related documentation kept on the bank’s servers. The Commissioner found that the bank had acted within the parameters of the law.
The third allegation made by the complainant concerned the divulging of the information which the complainant was accused of mishandling and which was subsequently shared with other bank employees. All those who applied for the Governor’s Award received an email from the Bank and this resulted in the applicants getting to know each other’s identity. The man was also an applicant himself, and therefore, his information was disclosed in the email sent out by the Bank.
The IDPC found that the Governor’s personal assistant had erroneously copied the email addresses of the applicants to the ‘to’ field instead of using the ‘bcc’ option. The Central Bank was found to be at fault under the relevant legal article when it disclosed to all the other applicants that the complainant was one of the applicants to the Governor’s Award.
The fourth allegation concerned a report which was drafted by an investigation team that was appointed by the bank to investigate the alleged inappropriate use of information by the former employee. Systemic failure was established within the bank’s Information Security Risk Management. Further, it was alleged that the bank had prioritized productivity over security.
The IDPC found that there was insufficient evidence to establish that the complainant’s privacy had been breached.
The Commissioner served the Central Bank with a reprimand. He also instructed the Bank to take the necessary measures to ensure that mitigating procedures were in place to prevent a repeat of the incident or similar incidents.