Professional October 2017

Technology insight

Given GDPR, is emailing payslips safe?

John Borland, managing director of Payescape, relates his experiences and provides helpful advice

When ARPANET engineer Ray Tomlinson sent the world’s first email message in 1971 he decided to make it easy by sending it to himself from a computer sitting some inches away from the recipient system. Nearly half a century later, this idea of sending messages has turned from a straightforward technical challenge into an organisational, legal, and occasionally political minefield (just ask Hillary Clinton).

Every email user in the world has at some point accidentally sent a message to the wrong person or received a misdirected one. For years this was just an annoying mishap and then data protection laws started to bite and the issue turned darker.

For me, emailing payslips has always had the potential to fall foul of data protection legislation. Changes coming in May 2018 with the General Data Protection Regulation (GDPR) have simply highlighted the issues. It is quite simple: would you be happy to leave paper payslips lying around in a staffroom? If not, why would you leave them lying about on the internet? As far as I am concerned, irresponsible emailing of payslips is the electronic equivalent of this.

While I accept that, if carefully administered, emailing can be secure and compliant, for us at Payescape maintaining email addresses wasn’t practical. Checking and maintaining email addresses for large numbers of employees with spurious email addresses was burdensome, time-consuming and open to data breach.

● Maintaining non-company email addresses – You might imagine in an ideal world that Joe’s email address will be joe@companyname.co.uk, but that has not been our experience. Joe’s email turned out to be sally5278@madasafish.com. This scenario left us uncomfortable with the possibility of payslips being sent to the wrong person. As the list of possibilities grew this became more of an issue. We have Hotmail, iCloud, madasafish, Gmail, btinternet, live.co.uk … and the list goes on. Even when we had established email addresses, these changed with alarming frequency. Apparently, Joe and Sally had fallen out and he now wanted his payslip emailed to jessica8957@live.co. The absence of the suffix ‘.uk’ took a phone call to confirm, eating into processing time, and we were still unsure of data security. Also, if we failed to act immediately on Joe’s instruction to change the email address, would we be in breach of data protection? Could Sally receive Joe’s payslip?

● Maintaining company email addresses – Let’s return to the ‘ideal’ email address joe@companyname.co.uk. It turns out Joe frequently asks colleagues to check his emails for work purposes, so he is not happy that his payslip is now exposed to those colleagues. In our experience, despite emails being sent and received securely, employees lacked the discipline to archive historic payslips and frequently relied on our payroll operators to furnish them with copies, eating into our valuable time. In addition, if Joe leaves the firm, access to his payslips is lost. Too frequently, Payescape received requests for copy payslips and P60 certificates, adding unnecessary, additional workload.

● No email address – Another scenario which cropped up regularly is employees with no email address or desire to have one. The alternatives here were to go back to paper or look for a better solution. We found an excellent alternative in a secure online portal.

Though this may read like an agony column, it is a fair account of just a few of our experiences with emailed payslips when dealing with hundreds of clients with thousands of payslips.

We all have personal bank accounts, but the banks would never dream of emailing confidential, sensitive information, such as bank statements. Likewise, HM Revenue & Customs (HMRC) would not email sensitive and confidential information. Instead, the banks and HMRC have opted for secure online portals to address this dilemma. Payescape chose to follow their lead.

A secure online portal uses the prefix ‘https’, which is the secure version of http (hypertext transfer protocol). This means that all communication between the browser and the https website is encrypted and therefore secure. The green padlock – which represents https – gives our clients and their employees surety and confidence that we at Payescape are taking our GDPR responsibilities seriously.

For us, an online solution for payslip distribution that offered employees independence from their employer was essential. This ensured that employees would always have access to historic payslips even if they changed jobs, removing the need for our staff to reprint them.

Since the introduction of our payslip portal, we have eliminated the need for email addresses, and are no longer asked for copy payslips – a significant time saving. Our staff have 100% confidence that their GDPR responsibilities are fulfilled. (Joe always gets his payslip.)

In conclusion, my advice is don’t saddle yourself with maintaining email addresses. Obligations under the GDPR about payslip distribution can be met most easily by means of a secure online portal.


| Professional in Payroll, Pensions and Reward |

Issue 34 | October 2017
