Keeping private data out of the wrong hands
It is a payroll nightmare: Finishing the arduous task of issuing T4s then realizing somehow two must have gotten into the same envelope.
Unfortunately, it’s not an entirely uncommon scenario, according to Gilles Champagne, owner of Ottawa-based payroll consulting firm Mosaic Advisory Group. In an industry with privacy as one of its main tenets, this scene would spell disaster.
“If there’s going to be any breach of privacy, it will tend to happen at the end of the year,” he said. “Heaven forbid two T4s get in the same envelope for those still doing physical T4s.”
But now that T4 time is over, hopefully most departments have avoided such an issue. And there are steps that can be taken year-round to ensure private information stays private.
“The biggest thing, of course, is that payroll is the holder — or the generator — of a lot of data that must remain private,” he said. “The biggest single item is you have to make sure the data you’re creating is only available to those who should have access to it.”
In a department that handles social insurance numbers, date of birth, home addresses, salaries and benefit information, it is of utmost importance that information stays between payroll and the employee.
“Payroll by its very nature has operated under the assumption of confidentiality and non-disclosure of its employees’ personal information,” said Janet Spence, manager of compliance services and programs at the Canadian Payroll Association in Toronto. “Payroll practitioners should always be safeguarding employees private information.”
As a rule, if the information wouldn’t be on an employee’s business card, it shouldn’t leave the walls of the payroll department, she said.
“Think about it from the perspective of (the following): Would you share this information with anybody else? When in doubt, if it’s not on your business card, handle it in a way that it’s supposed to be private.”
Spence recommends having a clean desk policy. This will ensure private employee information isn’t on display if other employees come through the payroll office or if outside staff, such as maintenance and cleaning teams, are around after hours. This potentially opens the door for information to be thrown out without being shredded.
“Don’t leave payroll information and employee records out in the open for all eyes to see,” she said.
It may seem obvious, but the department should always ensure information stored in desks is in drawers that are locked at all times.
“This type of information should be locked away in a desk or secure cabinet at the end of each day.”
In companies with remote or satellite offices, where hiring managers may be collecting sensitive information from a new employee, it’s essential to stress the importance of keeping data private.
For example, hiring managers should take a look at a social insurance number (SIN) card to make sure it belongs to the employee — but should never make a photocopy of the card, said Spence.
Now that most payroll systems are automated, it makes some privacy issues less likely, said Champagne.
“A lot of companies are doing electronic transmission of pay now,” he said, adding that means there’s no chance of cheques going to the wrong employee.
But automated systems bring their own worries. Computer data security should be a concern in payroll departments, said Spence.
“Don’t send payroll information across the Internet, ensure that you have some kind of secure method for transmitting and receiving data,” she said.
Payroll databases should be password protected when an employee leaves her work station for any reason, she adds.
Practitioners should never discuss personal information with anyone outside of their payroll colleagues.
Payroll is often asked for information from places such as payday loan lenders or mortgage companies who want to know if an employee is working at a company.
“If you can’t validate who the person is, do not leave anything to chance,” she said. “Ensure there is written authorization and in some cases you have to receive consent from the employee.”
Don’t throw personal information in the recycling bin or garbage. Payroll departments should make sure they have a reputable shredding company to perform the task of destroying such information.
The main risk if information falls into the wrong hands is fraud, said Spence.
Identity theft is a growing problem in Canada. According to the RCMP, the Canadian Anti-Fraud Centre received identity fraud reports from 11,095 people in 2009. These fraud victims recorded losses of more than $10 million, which is $1 million more than what was reported in 2008.
People can use the personal information stored by payroll to get credit, said Spence.
“So that’s something that definitely needs to be protected by payroll,” she said.
For payroll, protecting privacy means always being diligent, which isn’t something payroll managers can necessarily train new employees on, said Champagne.
“If you’re in payroll, you really have to keep your eyes and your wits about you,” he said.
