How to keep payslip passwords secure?

I'm unsure how to send the passwords across.

Hi Everyone,

I've now set up my new payroll business and thank you for the help with my other couple of questions in the last few weeks.

I also wanted to ask, if clients choose to have the payslips e-mailed directly to their employees as password protected pdfs, how do you usually communicate the passwords to the employees? The whole point of password protecting them is so that if anyone intercepts their e-mails then the payslip can't be accessed by anyone else. But if I send them their password also via e-mail, then surely this defeats the point, as anyone who's gotten access to their e-mails would then also have the password?

Sam

Replies (18)

By James Green
18th Jul 2018 09:39

You send the password hard copy by snail mail

Thanks (2)
By SXGuy
18th Jul 2018 09:40

Send a letter by post direct to the employee showing a password

Thanks (1)
By ohwhatnow
18th Jul 2018 10:47

I use their DOB, or postcode (in a particular format) - and communicate this in the email header to them. I also invite them to specify an alternative password if not happy with the one I use (they can choose the method used to advise me of a new password).

Thanks (2)
Replying to ohwhatnow:
By coops456
18th Jul 2018 11:18

yes ditto

Thanks (0)
Replying to ohwhatnow:
By sam1412
18th Jul 2018 11:28

That’s a great idea thank you!

Thanks (0)
Replying to ohwhatnow:
Sarah Douglas - HouseTree Business Ltd
By sarah douglas
18th Jul 2018 14:33

Sorry

But I really do not regard that as secure under GDPR rules, and it really is not that secure. A hacker would find that very easy to work out: date of birth in a certain format, plus the name of the person on the email and then the payslip. Hackers would have a field day and work that out very simply.

Can I suggest you do not communicate this to them in the email header. You should always send passwords from a different source.

Thanks (1)
Replying to sarah douglas:
By ohwhatnow
18th Jul 2018 14:47

I do not communicate the actual password in the email header FGS!
But say it is your DOB, postcode or whatever. Also, who is to say that the email address uses their name either...
Do not make criticisms based on assumptions. And for the record I take my own, and others', security seriously.

Thanks (0)
By ohwhatnow
18th Jul 2018 11:32

If you use their postcode it also prompts them if they've changed address details recently... their new postcode won't work!

Thanks (1)
Sarah Douglas - HouseTree Business Ltd
By sarah douglas
18th Jul 2018 12:07

I use My PAYE Ltd, which encrypts all the reports if I send my email and encrypts the individual emails with payslips automatically.

It is really quite simple.

Thanks (1)
By SXGuy
18th Jul 2018 12:10

I fail to see the point of using postcodes or any other form of data that can easily be worked out.

Surely the point of passwords is that they should not be something which can be determined easily. If someone has your address details what good is a password associated with their postcode?

Thanks (3)
Replying to SXGuy:
Sarah Douglas - HouseTree Business Ltd
By sarah douglas
18th Jul 2018 14:50

Totally agree. Hackers would have a field day. I cannot believe what I am reading. OP is a payroll agent as well.

If you are doing payroll then encrypt the file correctly or pay for a payroll package like MyPaye Ltd or others that do it correctly. I use My Paye so I cannot speak for others.

It is not acceptable to be so flippant with security. If I was them I would get cyber insurance fast, as hackers can break into that system pretty easily and they may have to answer to clients.

Thanks (2)
By ohwhatnow
18th Jul 2018 12:26

And what good is putting a password, or for that matter, a payslip in the post to their home address?
Perhaps we should only pass on the relatively innocuous details of a payslip by personally arranging to meet them all individually at an undefined address and all in a secret code only - synchronised watches anyone?
I think a bit of reality is needed here...

Thanks (2)
Replying to ohwhatnow:
By sam1412
18th Jul 2018 13:11

Haha that gave me a giggle

Thanks (0)
By sam1412
18th Jul 2018 16:04

I don’t think it’s necessary for people to start arguing, I simply wanted to know what other people did with regards to communicating passwords to individual employees. I am hoping that most clients will prefer to use an online portal which I am offering, rather than having the password protected payslips emailed out. But thank you everyone for your suggestions on how you do it. I am fully committed to compliance with GDPR of course.

Thanks (1)
Replying to sam1412:
ALISK
By atleastisoundknowledgable...
18th Jul 2018 17:46

We use their NINOs, text in the default email says something along the lines of “password is your NINO, unless you’ve previously informed us of another password”.

You need to draw the line somewhere in the GDPR v realistic v practical arena.

Thanks (3)
Replying to atleastisoundknowledgable...:
By yaakovgrant
30th Jul 2018 10:40

We use NINOs too.

Just out of interest, are hackers looking to intercept random payslip emails?

I thought they're mainly after the emails that ask a client to make a payment.

A couple of clients recently had emails where the hacker intercepted the email and changed the sort code and account number for the payment details.

Thanks (0)
By johnacarpenter
29th Jul 2018 14:56

I agree the password by telephone or personal contact.
You could always use fax; as that's what HMRC uses!!

Thanks (0)
By pauljohnston
30th Jul 2018 08:08

We need to put things in perspective. GDPR is not a stick to beat business with.

I would have no concerns with advising an employee that the password is "apples followed by your date of birth in the format NNNNNN, eg apples100694".

Thanks (1)
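
An added example, not part of any post in the thread: it counts how many candidate passwords a date-of-birth scheme leaves when the email itself states the scheme (fixed word and digit format included), and compares that with a randomly generated per-employee password sent by a separate channel. The birth-date range and employee ids are assumptions constructed for illustration.

```python
import math
import secrets
import string
from datetime import date

# Assumed birth-date range for a workforce (constructed for this example).
EARLIEST = date(1950, 1, 1)
LATEST = date(2002, 12, 31)

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def dob_keyspace(earliest: date, latest: date) -> int:
    """Number of distinct birth dates, hence distinct DOB-derived passwords."""
    return (latest - earliest).days + 1


def announced_scheme_bits(earliest: date, latest: date) -> float:
    """Entropy of 'fixed word + DOB' when the email states the scheme.

    The fixed word and the digit format are public, so only the date
    itself is unknown to someone who has read the email.
    """
    return math.log2(dob_keyspace(earliest, latest))


def random_password(length: int = 16) -> str:
    """Password drawn from the OS CSPRNG, for delivery out of band."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_password_bits(length: int = 16) -> float:
    """Entropy of a uniformly random password over ALPHABET."""
    return length * math.log2(len(ALPHABET))


def issue_passwords(employee_ids):
    """One independent random password per employee id."""
    return {emp: random_password() for emp in employee_ids}


if __name__ == "__main__":
    print(f"DOB scheme: {dob_keyspace(EARLIEST, LATEST)} candidates, "
          f"{announced_scheme_bits(EARLIEST, LATEST):.1f} bits")
    print(f"Random 16-char password: {random_password_bits():.1f} bits")
    # Employee ids below are constructed sample values.
    for emp, pw in issue_passwords(["EMP001", "EMP002"]).items():
        print(emp, pw)
```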