Access by employees to customers’ data has to be subject to stringent privacy restrictions and limitations according to a decision of the Italian data protection authority.
The decision of the Italian data protection authority
An individual had complained to the Italian privacy authority about the breach of his privacy rights due to the illegal access to his bank account transactions. Indeed, a list of the claimant’s bank account transactions had been filed in a court proceeding by the defendant whose spouse used to work for the same bank where the individual held a bank account.
The bank initially denied any access to the bank account by its employee arguing that employees of each branch can access only to the bank accounts of their branch customers, while the claimant had a bank account with a different branch. However, subsequently the bank recognised such access which had occurred 5 years before.
The data protection authority held that:
- the processing of the customer’s personal data performed by the bank through its employee was unlawful since the employee had performed a number of accesses to the claimant’s bank account with no valid reason from a different branch; and
- the bank had to check the possibility to adopt further and more adequate measures aimed at implementing checks on the lawfulness of accesses to data performed by its officers and to educate them in relation to the instructions provided.
Are you adequately protecting your customers’ data from your employees?
We are running a number of GDPR audits to financial institutions and insurance companies and a very frequent scenario is that
- there are different profiles of access by employees to customers’ data as well as employees’ data, but the databases to which each employee can access are determined by the manager to whom he reports. This has the consequence that there are no objective criteria of identification of profiles and none supervising the proper allocation of the profiles;
- a large number of employees has access to a large part of customers’ data since they consider such access necessary for their working activity, even if there are databases to whom some employees never need to access which makes such assessment inevitably wrong;
- log files are recorded, but in most of the cases they relate to just the login and logout and changes to software components with the possibility for system administrators and developers in some cases to even delete log files and without recording log files relating to the activity performed once logged in the system;
- data leakage systems are implemented only by banks since in Italy there were specific tracking obligations imposed by the data protection authority in 2014, while financial institutions and insurance companies do not have such technologies in place, even though some companies have systems preventing documents containing sensitive data to be sent outside of the company (e.g. via email or uploading it to cloud platforms) or even printed.
The lack of implementation of the measures above might represent a major issue if it is not possible to otherwise prove that the security measures are adequate to prevent an unlawful usage of personal data because of the further security tools implemented.
Also, even the adoption of measures aimed at monitoring potential unlawful conducts by employees might create privacy issues. Indeed, the recent conservative position on the matter by the Article 29 Working Party as to the usage of technologies at workwould require at least a deep privacy impact assessment. It seems at least unusual that in order to comply with privacy laws, it is necessary to adopt measures that might put employees’ privacy at risk if such measures are not adequately balanced. But this is the result of the EU General Data Protection Regulation which is based on principles that are often too broad.
The puzzle of the GDPR is getting exponentially complex and May 2018 is no longer so far. Companies need to get ready and need to do it now.