Emailing Payslips, Employee Consent & GDPR Recommendations
Businesses must provide their employees with information on what happens to their data, for example sharing employee’s personal data with a third party (payroll bureau) who processes the payroll. Employee personal data can be stored and managed by a payroll bureau, bookkeeper or accountant for the sole benefit of correctly paying their wages, paying the correct tax and providing a payslip. All of this legitimately falls under the remit of the GDPR legislation.
By law, you must provide employees with payslips which include personal data such as proof of earnings, tax paid and any pension contributions. It is advisable that bureaus take steps to protect and securely send this payslip information.
Many bureaus have expressed concern and confusion about obtaining consent from their clients’ employees and about securely distributing payslips. Payroll bureaus do not need to seek consent from the individual employees whose payroll they process. However, the employer will need to inform their employees that they are sharing their personal information with a third party. It is also an employer’s responsibility to ensure that their payroll bureau or accountant is taking action to protect their employees’ payroll information under GDPR.
An employee cannot withdraw their consent for their personal data to be used as part of payroll processing, because the processing is required by law rather than based on consent. Bureaus should keep only the personal data that is strictly required for the purpose of running the payroll. This is referred to as data minimisation, or privacy by default.
There is nothing in the GDPR legislation that states it is no longer permissible to post payslips. Payroll bureaus who post payslips will need to ensure that all appropriate security measures are in place to protect the payslip. This may include using security payslip envelopes, marking the envelope as ‘Private and Confidential’ and ensuring that it is addressed to a specific person. In some cases, you may decide to use registered post.
There is nothing in the GDPR legislation that states it is no longer permissible to email payslips. However, payroll bureaus should take steps to protect each employee’s payslip in transit. When emailing payslips, bureaus should ensure that every payslip is password protected with a password that is uniquely chosen by the employee, and that the payslip is sent directly to the employee’s chosen email address.
Where a generic, identical password is used for all employees, this could be considered a breach of GDPR. In this scenario, the bureau could be seen as not taking sufficient steps to protect employees’ personal pay information, since anyone holding the shared password could open any employee’s payslip.
Furthermore, your payroll provider should encrypt all payslips and automatically delete them from their server once they have been sent. Check with your provider to be certain that they offer this level of protection; if not, you should look for another payroll provider who does. For maximum security, it is recommended (but not mandatory) to offer a secure self-service portal for sending and storing payslips and other sensitive payroll documents.
Recommended Self-Service Option
The GDPR legislation includes a best practice recommendation for businesses to provide individuals with a secure self-service platform offering remote access to information held. On a self-service system, employees would be able to remotely access payroll information including payslips, contact details, and employee documents such as employment contracts and handbooks. Employees may also be able to request leave and view their annual leave entitlements including leave taken and leave remaining, which are also considered as personal data.
According to the Information Commissioner's Office (ICO):
"The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information (Recital 63)."
The employee self-service portal should be password protected for every employee. Again, an identical or generic password must not be used for all employees. Each employee's password should be unique, chosen by the employee and kept confidential, offering maximum protection. Accessing payslips and personal contact details through a secure remote-access system gives employees the flexibility and full transparency to retrieve their information at any time.
A self-service portal offers significant benefits for payroll bureaus in complying with the GDPR legislation. Remote access provides clients and their employees with direct access to their payroll information anywhere, at any time. Clients can log in 24/7 to view their employees' payslips, HR documents, amounts due to HMRC and other payroll reports.
Payroll bureaus also benefit because they can automate the distribution of payslips and payroll reports. With some systems, payslips and payroll reports are automatically made available on the self-service portal as soon as the payroll has been finalised. This offers additional protection against cyber attacks and removes the email-based risks that arise when payslips or payroll reports are sent as attachments. Additionally, a self-service option allows payroll bureaus to keep their data up to date and accurate, as employees can edit their own contact information.
Free CPD Webinar: GDPR for Payroll Bureaus
Payroll bureaus process large amounts of personal data, not least in relation to their customers, their customers’ employees, and their own employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated. In this CPD accredited webinar, we will peel back the legislation to outline clearly:
- What is GDPR and why is it being implemented?
- Why employers need to take it seriously
- How it will impact payroll bureaus
- How to prepare for GDPR
- How we are working to help you
- GDPR will affect your payroll processing.
- GDPR Unravelled: You need to get this right.
- How BrightPay Connect can help with GDPR.