Bank Transfer and Counseling – How is sensitive data protected in Austria?
Author: Sabrina Zehetner (TVP)
Bank Transfer is getting more and more popular among psychoanalysts and psychotherapists. Is the data protected and what are the potential risks? We checked with psychotherapists as well as banks and looked at the current legal situation in Austria.
There are two payment options offered by psychoanalysts and counselors in Austria –cash and credit card. Whilst bank transfer presents the easiest and fastest option, one not only transfers money but also data on who receives the money and to what purpose. The argument that the vitreous human is a phenomenon of the digital age is all too common and serves as a reminder of the careless attitude towards data protection.
Cash register and bank transferSince its implementation in 2016, the cash register hasn’t been very well-received by psychoanalysts and counselors. According to the ÖBVP (The Austrian Federal Association for Psychotherapy) there are no exact figures on how many psychotherapists own a register. For many psychotherapists, using a register entails high investment but low revenue. The widespread uncertainty, high effort and lack of information regarding technical requirements and legal status prevent many from obtaining a register.
ConfidentialityLegally, therapy data is defined as sensitive personal data meaning it must be protected from inappropriate and unauthorized use by third parties except for the purpose of investigation of criminal offences. Sensitive personal data consist of information relating to the data subject with regard to race, political opinion, health, religion, sexual preferences, previous convictions, etc. While non-sensitive personal data such as age and place of residence is protected, it is legal to use them for marketing purposes. By law, counselors are under the obligation to maintain confidentiality and make every effort to prevent personal data leakage. From a counselor’s perspective, sensitive data is confidential information a counselor acquired or was entrusted with. To maintain confidentiality, The Austrian Federal Association for Psychotherapy suggests stating the invoice number without the job title, thus rendering the bank transfer anonymous. However, the job titles are known to the banks for tax purposes and most counselors and psychoanalysts own a business account. Anonymization and encryption neither hides the transfer nor the name of the account owner. We asked the association for further explanation but haven’t received a reply yet.
Lending When the bank receives the transferred money – encrypted or not - the bank is obliged to protect their clients’ data. The bank secrecy law changed when the central account register was implemented in Austria in 2016. Prosecution, revenue board and tribunals can now get access in cases of suspicion of fraud. Despite that, the use of sensitive personal data is still prohibited. The “Convention on the protection of individuals with regard to automatic processing of personal data” is part of a treaty under international law that regulates the exchange and misuse of personal data. When asked on the subject, The Austrian banks BAWAG and Erste Bank gave different responses. While the BAWAG referred to the data protection law, the Erste Bank claimed not to receive any medical or therapeutic data from clients that could be used. As mentioned above, this is not correct since banks do receive data through the transfers. Using the data for marketing purposes or to determine a client’s creditworthiness or credit limit, however, is prohibited. The release of information is authorized in the case of criminal prosecution, or if the client is unable to repay a loan. Concealing a serious mental illness that could pose a risk from the bank is social fraud. If the loan is placed on nonperforming status, the bank will gather information – in this case banks usually ask for a personal meeting to discuss the loan status. Moreover, risk departments have the right to deem a specific group “high-risk”, thus unworthy of credit.
De facto, it cannot be ruled out that a bank will use the personal data provided by a client, e.g. in personal meetings, or define a high-risk group. Consequently, the question of personal data is a legal grey zone. There are, however, legal safeguards and control mechanisms at play – personal data protection, bank secrecy laws and therapy confidentiality.
I’m looking forward to the forum discussion! What do you know about data protection in other countries and what is your personal experience with data protection?