Payroll handles some of the most sensitive and confidential information that a business has. Employee information ranges from personal details and what staff are being paid to what deductions are being made from their pay by government departments and agencies.
Payroll is entrusted with the security of the information it collects, processes and retains and it is essential that payroll protects its data. The consequences of not doing so are that the credibility of payroll is eroded, the business is put at risk (potential court action, public outcry and being published for all to know) and, most importantly, the privacy of employees is put at risk.
There is a range of legislation that covers privacy in payroll but the core one is the Privacy Act 1993. The Privacy Act has 12 principles that set the rules for how privacy should be applied. In this post I want to cover the privacy issues that impact or are unique to payroll. We will call them payroll privacy issues.
These are the issues I want to cover in this post:
- Everything in payroll must be locked down.
- Email + payroll data = disaster.
- An open plan office does not work for payroll!
Everything in payroll must be locked down
NZPPA sees issues with this all the time because, over time, it is easy for locking down payroll to slip into the background so that it is no longer at the forefront of every payroll activity.
Locking down payroll applies to the physical systems (manual and automated) involved in paying an employee.
The physical systems will be looked at more closely in a later section of this post, but in a nutshell the physical environment is all about limiting access to payroll data. So, lock the door to the payroll office, the filing cabinet and any other physical access to payroll information.
More and more, technology is impacting on what we do: from the payroll software accessed or stored in the cloud to accessing payroll data from a smartphone. Payroll has progressed from a fully paper driven activity that involved a pen, paper, physical tax tables, some type of adding machine (if you’re lucky!) and the employee being paid in cash. Today’s payroll is heavily reliant on computerised payroll systems (overly so but that will be a topic in an upcoming article). How and where employee data is stored and accessed is an area that must be fully investigated in regard to payroll. Many employees do not realise that their payroll data is sitting in a database overseas in places such as the Philippines or India.
With new technology, access to a payroll system doesn’t just mean the traditional sitting in front of a desktop computer and logging on; it can mean remote access via a laptop, or any mobile device such as a smartphone. Any type of remote access needs to be reviewed to determine who could get access to this information other than the actual employee and what information they can see. In New Zealand there is no legal requirement to provide a payslip, but this is seen as best practice because employees can ask for a range of information on how and what they have been paid.
If there is a range of ways employees can access payroll information through technology, then make sure you apply the adage “less is more”: the more ways provided to access payroll data, the more opportunities there are for employee privacy to be breached. In addition, more work is involved in managing and monitoring the different access points and the different formats required. Access to payroll data is great, but keep it simple. Ask yourself this question: does payroll data for employees really need to be accessed in multiple ways?
For a manager, accessing payroll data is essential as there is a wealth of information that can be used. For payroll, the key to this is to talk to managers within the business and find out what they want, when they want it and how they want to access it. The privacy aspect of this is concerned with what the manager can actually see in relation to a lawful business purpose. This needs to be assessed to ensure only payroll information that the manager needs to see is made available.
Email + payroll data = disaster
Email is an essential communication tool for payroll in today’s world. I come from a time when the payroll officer would walk around the workplace handing out employees’ weekly payslips and when every change that happened in payroll for an individual employee would mean a conversation with them. Times have changed and for a geographically spread organisation, email is the most effective way in terms of time and cost to communicate with an employee. The difference between a phone call and an email is a phone call can be more personal if you want to put on a fluffy HR hat, but an email leaves a paper trail that is essential for the payroll information we are seeking from the employee.
The key to email is to ensure you are sending it to the right person. One of the worst mistakes I made was in my early years of using email, when I wrote to a colleague complaining about the boss. However, I then sent the email to the boss rather than the colleague! (My boss did not talk to me for a week afterwards, so I guess that was a good outcome overall!) My example shows how easy it is to send an email to the wrong person. Any confidential payroll information in the body of an email could end up anywhere. Once sent, payroll loses control of where the information ends up. How that information is used can also impact on payroll, as information can be copied and pasted anywhere.
Along with email, it is common to attach related documents such as payroll reports, spreadsheets and other payroll information. These of course can be password protected, but once again after they are emailed payroll loses control of where they go next. Documents have the potential of multiplying the risk of a major payroll privacy breach because a document can include a vast amount of information not just on one employee but all employees depending on the type of report. This makes emailing payroll documents a risky option. This can be easily resolved by creating a series of secure drives for retaining and storing all payroll reports with managers having access with the correct authorisation. This secures the information and removes the risk of a major privacy breach in payroll.
An open plan office does not work for payroll!
The nature of payroll’s work does not fit with an open plan office environment. It is one of the most common complaints we hear at NZPPA: the payroll practitioner having to constantly hide what they are working on as people walk by, trying to do work with a noisy bunch of salespeople sitting over the partition, or even having to sprint across the office to a shared printer that does not have a security code before anyone else sees the confidential document being printed. We hear many stories about payroll in open plan offices having to position the desk in a corner of the office to ensure no one can get behind the screen to see what the payroll practitioner is working on.
“Let’s create an open communication environment where we can share ideas and work as a team la la la…(from HR)”.
Payroll is one part of the business that does need its own office because it must secure and control access to payroll information, and it helps in separating the business from payroll when payroll is processing pay. Payroll is not asking for the penthouse or the dungeon, but something in between would be greatly appreciated! It is also a good idea for payroll to be by itself even when reporting to finance or HR as there is information that only payroll should have access to and vice versa. The ideal situation would be a lockable office and one of the best setups I have seen is a payroll office with a counter that separates the payroll team from anyone trying to just walk into the middle of payroll. Even if there is only one sole charge payroll person in the business, they should still be provided with a secure and separate office so payroll can be run effectively to ensure the privacy and security of payroll information.
Hot desking for payroll – NO WAY!
There should be legislation passed to keep HR people away from payroll. The idea of payroll hot desking was put forward by one of our members as the latest idea to come out of HR (they must not have had any real work to do that day!). Just on the privacy side alone it’s impractical given the confidential nature of the information that a payroll professional needs to access and work on every day. Say, for example, you are dealing with confidential calls from IRD, this would involve finding an available office which wastes valuable time and defeats the purpose of hot desking. I also have to state I like my own chair, my desk, my stuff, my monitor at the height I like it at, it makes me feel at home (at work) so I can focus on the hard work that is payroll.
If you want to find out more on the Privacy Act, the Privacy Commissioner has developed a series of FREE e-learning modules available from the website www.privacy.org.nz. It is worthwhile for payroll to have a look.
So, in this post I have highlighted some payroll-focused concerns and risks. In summary, lock payroll down, be smart with email, and please, please, give payroll an office.
NZPPA supporting NZ payroll since 2007!