This month, we are looking at security of ePayslip data. Some of the people we speak to about ePayslips, already have an electronic payslip solution in place. Their ePayslips are protected using passwords but are sent using standard unsecure email. Let’s look at what the Data Protection Act says:
The Data Protection Act is concerned with respecting the rights of individuals when processing their personal information. This can be achieved by being open and honest with employees about the use of information about them and by following good data handling procedures. The act is mandatory and all organisations that hold or process personal data must comply.
The Data Protection Act contains 8 principles:
- personal data should be processed fairly and lawfully
- data should be obtained only for one or more specified and lawful purposes
- the data should be adequate, relevant and not excessive
- it should be accurate and where necessary kept up to date
- any data should not be kept for longer than necessary
- personal data should be processed in accordance with the individuals rights under the act
- data should be kept secure
- personal data should not be transferred outside the European Economic Areas unless the country offers adequate data protection.
All staff have a responsibilities under the Act to ensure that their activities comply with the Data Protection Principles.
Now, let’s go back to item 7 on that list above; “data should be kept secure”. It is a bit of an odd one. Password protection is secure, right?
Wrong. Time and time again, we read in the press about password protected files being accessed and leaked, misused or the information being utilised for malicious purposes. I have lost count of the number of times I have received hacked emails from a “desperate friend, abandoned, with no money, in Spain……” Only closer inspection of the content highlights grammatical errors that my “friend” would not make, ever, even under stress. How about those weird emails from your “friend” that only contain a hyperlink and nothing else? Their password has been hacked and their email intercepted. They are completely unaware of the issues until someone tells them. Have a read of this story in the Telegraph the other day – even professionals can get caught out!
What about the security of the data on the server?
Usually, employee ePayslip data is kept on a server located in the office or at a datacentre. If the server has encryption “wall”, what’s to stop someone breaking through that “wall” and accessing all the ePayslip data inside?
Stopping the hackers
- It is the employer’s responsibility to ensure employee data is protected and secure and that includes sensitive data such as ePayslips. Act now. Do not leave it until a breach occurs; regaining credibility is very painful and usually, very public.
- Your ePayslip data needs to be encrypted individually, to ensure that each file is protected whilst in transit and at rest on the server so that if the “wall” is breached; access is confined to one ePayslip file and not all files.
- Think about how you communicate with your clients and employees. Would a secure communication portal be a better option?
- Introduce a policy of regular password changes in your organisation and enforce it. Actively discourage the use of “familiar” passwords (family names, dates of birth or pet names).
- Talk to SSLPost about how to secure sensitive data in transit and at rest on the server, including epayslips, P60, P11D and employee communications.
