This month, we are looking at the security of ePayslip data. Some of the people we speak to about ePayslips already have an electronic payslip solution in place. Their ePayslips are protected using passwords but are sent using standard unsecured email. Let’s look at what the Data Protection Act says:
The Data Protection Act is concerned with respecting the rights of individuals when processing their personal information. This can be achieved by being open and honest with employees about the use of information about them and by following good data handling procedures. The Act is mandatory and all organisations that hold or process personal data must comply.
All staff have responsibilities under the Act to ensure that their activities comply with the Data Protection Principles.
Now, let’s go back to item 7 on that list above; “data should be kept secure”. It is a bit of an odd one. Password protection is secure, right?
Wrong. Time and time again, we read in the press about password-protected files being accessed and leaked, misused or the information being utilised for malicious purposes. I have lost count of the number of times I have received hacked emails from a “desperate friend, abandoned, with no money, in Spain…” Only closer inspection of the content highlights grammatical errors that my “friend” would not make, ever, even under stress. How about those weird emails from your “friend” that only contain a hyperlink and nothing else? Their password has been hacked and their email intercepted. They are completely unaware of the issues until someone tells them. Have a read of this story in the Telegraph the other day – even professionals can get caught out!
What about the security of the data on the server?
Usually, employee ePayslip data is kept on a server located in the office or at a datacentre. If the server has an encryption “wall”, what’s to stop someone breaking through that “wall” and accessing all the ePayslip data inside?