Public Statement:

Reprimand issued to HSBC Bank PLC (Guernsey Branch) for inappropriate reliance on consent

Published: 8 August 2022

NOTE: This public statement was the first to include a Plain English element

The Data Protection (Bailiwick of Guernsey) Law, 2017 ("the Law")
Public Statement
Issued: 10:00 Monday 8th August 2022
Controller: HSBC Bank PLC (relating to the Guernsey Branch, referred to below as "HSBC") 

What happened? 
An employee of HSBC felt obliged to consent to providing sensitive information (known as ‘special category data’*) about themselves in connection with what they believed was a possible internal disciplinary matter. The employee felt they had no choice but to provide that consent. The employee then made a formal complaint about HSBC to the Data Protection Authority about how their data was being processed.

Why was that a problem? 
For the processing of personal data to be lawful, a controller must use one of several ‘lawful processing conditions’**. Consent is one such condition but must be freely given and only for specified purposes that have been clearly explained to the individual whose data is being processed. Given the imbalance of power that exists in an employer / employee relationship, it is unlikely consent could be considered as freely given.

What has happened as a result? 
Following an investigation, the ODPA found that HSBC had breached the law because the lawful processing condition it was relying on to use the employee’s personal information – consent - did not meet the legal requirements necessary. 

The Authority issued a reprimand to HSBC, which is a formal recognition of wrongdoing and one of the sanctions available under the local data protection law.

Comment of the Bailiwick of Guernsey’s Data Protection Commissioner, Emma Martins: 

“Consent for processing is only valid where an individual is free to make a choice. Where there is a significant power imbalance, such as in an employer/employee relationship, consent is rarely appropriate as it cannot realistically be easily withheld. We welcome the changes that the Controller has now put in place to ensure individuals are treated fairly and lawfully as the Law requires.”

What can be learned from this? 
The issues in this case were complex, but some broad learning points for local employers to take note of include: 
• Organisations must have a clear understanding of the specific lawful processing conditions they are relying upon to process individuals’ personal data.
• Consent is commonly misused, particularly in cases where a clear imbalance of power exists, making it difficult to demonstrate that consent has been freely given.
• Organisations must document the specific legal basis they are using for any given use of people’s personal information, and must ensure its use is appropriate.

More information on data protection in an employer/employee relationship here

* “Special category data” is any information (facts, speculation, or opinion) that relates to a person’s racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, sex life or sexual orientation, or any criminal matters. Special category data is a sub-set of 'personal data' which is considered more sensitive, and therefore needs greater protection.
** A “lawful processing condition” is the reason (or reasons) an organisation can point to in data protection law that legally justifies why they are using someone’s personal information to do something. Examples of lawful processing conditions could include: you have a contract with the person that covers how information about them is used, you need to use data for public health reasons, you have the information about the person because they deliberately put it in the public domain. More at: Lawful processing conditions for personal data 

Technical statement 
1. In July 2021, a complaint was made to the Authority under section 67 of the Law relating to the processing of personal data in an employment context. It was alleged that the Complainant had been required to provide their consent to the collecting, recording and use of their personal data for what the Complainant believed was a possible internal disciplinary matter. The Complainant had expressed their discomfort at what they saw as being forced to provide their consent.

2. For the processing of personal data to be lawful, a controller must rely on one of a number of lawful processing conditions. Consent is one such condition. Section 10 of the Law outlines that when relying on consent, that consent must be freely given and for only specified purposes of which the individual has been fully informed in a clear and unambiguous manner.  

3. As a result of the investigation, the Authority has determined that the Controller breached the Law in relation to its failure to ensure that the consent upon which it was relying met all the requirements of section 10.

4. The Controller recognised that the reliance on consent was misconceived. They further acknowledged that an increased focus on the complainant’s wellbeing would have been beneficial.  

5. The Controller emphasised that it does not consider the processing to have been contrary to any legal obligations, claiming to have understood that it had the Complainant’s consent. However, they confirmed that as soon as the Complainant informed them that was not the case, they ceased further processing.

6. The Controller acknowledged it had been an unpleasant experience for the Complainant and confirmed that it had since updated its policy to provide additional clarity. 

7. The Authority’s opinion is that reliance on “consent” where a clear imbalance of power exists is inappropriate, as it is difficult for employers to demonstrate that consent was freely given. Whilst in this case, the Controller ceased processing as soon as concerns were raised, they nonetheless continued to use consent as justification for the processing to the Authority.

8. In accordance with the powers contained in Section 73 of the Law, the Authority has issued a Reprimand to the Controller, reflecting its incorrect use of consent in a circumstance that meant it could not meet the requirements of the Law.

Legal Framework
1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law). 
2. The Law seeks to ‘…protect the rights of individuals in relation to their personal data and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.  
3. The Authority may conduct an investigation (under section 68 of the Law) following a complaint, into whether a controller or processor has breached or is likely to breach an operative provision of the Law.
4. In this case, the Controller is HSBC Bank PLC. 
5. Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law following a complaint made by a data subject. 
6. Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made. 
7. Having considered the details of this case, the Authority has imposed a Reprimand under section 73 of the Law. 
8. Section 84 of the Law provides for an appeal by the Controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days. The controller has not made an appeal in this case. 
9. Consent is one of a number of lawful processing conditions, more information on which can be found on our website. In a situation where there is an imbalance of power, such as an employer/employee relationship, consent is unlikely to be the most appropriate lawful processing condition. Other conditions available to a controller that would likely be more appropriate include reliance on the performance of a contract with the individual or where there is a legal obligation to process.