Payroll professionals need to know privacy laws because of their access to sensitive data
Payroll professionals, whether working in-house for an employer or for an outsourced payroll provider, handle sensitive information as part of their job. They often have access to information on salaries, bank account numbers, addresses and other tidbits that appear in an employee’s file.
However, not all of this information is necessary for payroll to have, so it’s important to know the limits of privacy policies and legislation to avoid getting into hot water for mishandling personal information.
Payroll professionals must determine the difference between what they have a right to know, as someone with access, and what they need to know to do their job, says Ian Turnbull, executive director of the Canadian Privacy Institute and managing director of Toronto-based consulting firm Laird & Greer.
Payroll professionals deal with information that is of interest to the government for tax purposes and to the employer for payment purposes. Sometimes, especially in smaller companies that share entire employee files, they can have access to more.
But the main things payroll needs to know about employees is whether a person is employed by the company and how she is being paid, says Turnbull. Little else is needed, unless the employee is being paid on the basis of time or type of job being performed — then time cards or records of duties are necessary. Addresses aren’t really necessary, unless something is being mailed that can’t be given to the employee at work, he says.
What privacy legislation applies?
The federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs privacy in all jurisdictions except British Columbia, Alberta and Quebec, which have separate privacy legislation. Interprovincial transactions fall under the federal scope, even if an employer is located in one of those three provinces.
There can be confusion among employers and employees about how much personal information actually is protected, what obligations employers have in handling it and what are the consequences of failing to protect it.
If an employee provides the employer with information specific to the individual, it’s generally accepted she is giving consent for the employer to use it for the reasons it’s being collected, such as payroll or other HR purposes, says Turnbull.
“Generally speaking, everyone accepts the federal definition of personal information,” he says. “The primary issue is consent.”
Consequences of a breach
Privacy laws don’t necessarily have a lot of teeth when it comes to punitive measures for failing to protect employee information, but that doesn’t mean there aren’t consequences.
“The reality is that the penalties in privacy law pertain mainly to a lack of co-operation or a coverup of a breach,” says Turnbull.
“It’s mainly a post-preventative thing to change faulty privacy policies.”
But even if the legislative consequences aren’t severe for a breach, an employer can be hurt if word gets out to the public and employees — current and future — about inadequate privacy practices, he says. And with the particularly sensitive information payroll can have access to, more severe cases, such as breaches that lead to identity theft, could lead to criminal charges for facilitation.
There is the potential for more significant consequences with certain information that could be more harmful if leaked, says Paul Jones, principal with Toronto law firm Jones and Company.
“Payroll handles so much sensitive information, there can be legal liability, even if just for increased legal costs associated with consulting with lawyers” in the event of a breach, he says.
PIPEDA doesn’t require employers to automatically notify employees of a breach of security that potentially exposes their personal information, but it’s a good policy to do so, says Jones. Providers should also notify client employers who would then make the decision to notify employees.
“Not every breach warrants full notification but making that decision is going to bring legal costs,” says Jones.
Outsourced payroll providers
“Privacy law was initially about compliance but these days the number one issue (for payroll) is security and who has access to information,” says Jones.
Privacy policies and audits
A chief privacy officer, who is required under federal law for all companies, should be responsible for ensuring the policy is followed.
To ensure proper security measures are being implemented and followed, there should be regular audits of company policy and practices and a comparison with industry standards. Encryption is an important tool to use, particularly where data is transferred between an employer and an outsourced provider, says Jones. It is also important to have a retention policy so unnecessary records aren’t kept for too long, especially if a contract has expired with a provider, he says.
There are also privacy consultants who offer advisory services and organizations for corporate privacy officers to exchange ideas, in addition to the federal and provincial privacy commissioners who provide information.
In the end, the best way to handle sensitive employee information is to respect it.
“Treat employee information as you would your own personal data,” says Turnbull. “Employers have a responsibility to be good custodians of it.”
Jeffrey R. Smith is the editor of Canadian Payroll Reporter, a sister publication to Canadian HR Reporter that focuses on information and trends for payroll practitioners. For more information, visit www.hrreporter.com/payroll.