Knowing the legal requirements for handling sensitive employee information is essential
Payroll professionals, whether working in-house for an employer or for an outsourced payroll provider, handle sensitive information on employees as part of their job. They can have access to information such as salaries, bank account numbers, addresses and anything else that could appear in an employee’s file. However, not all of this information is necessary for payroll to have, so it’s important to know the limits of privacy policies and legislation to avoid getting into hot water for mishandling someone’s personal information.
Normally, payroll professionals deal with information that is of interest to the government for tax purposes and to the employer for payment purposes. Sometimes, especially in smaller companies that share the entire employee files, they can have access to even more data. If this is the case, they must determine the difference between what they have a right to know, as someone with access, and what they need to know to do their job, says Ian Turnbull, executive director of the Canadian Privacy Institute and managing director of Toronto-based consulting firm Laird and Greer.
The main things payroll needs to know about employees, says Turnbull, are whether the person is employed by the company and how she is being paid. Little else is needed, unless the employee is being paid on the basis of time or type of job being performed — then time cards or records of duties are necessary. Addresses aren’t really necessary, unless something is being mailed that can’t be given to the employee at work, he says.
What privacy legislation applies?
The federal Personal Information Protection and Electronic Documents Act (PIPEDA) governs privacy in all jurisdictions except British Columbia, Alberta and Quebec, which have their own privacy legislation. Interprovincial transactions fall under the federal scope, even if the employer is located in one of those three provinces. There can be confusion among both employers and employees about how much personal information actually is protected, what obligations employers have in handling it and what are the consequences of failing to protect it.
It’s generally accepted that if an employee provides the employer with information specific to the individual, she is giving consent for the employer to use it for the reasons it’s collecting it, such as payroll or other HR purposes.
“Generally speaking, everyone accepts the federal definition of personal information,” says Turnbull. “And the primary issue is consent.”
Consequences of breaching privacy laws
Privacy laws don’t have a lot of teeth when it comes to punitive measures for failing to protect employee information, but that doesn’t mean there aren’t consequences.
“The reality is that the penalties in privacy law pertain mainly to a lack of co-operation or a cover-up of a breach,” says Turnbull. “It’s mainly a post-preventative thing to change faulty privacy policies.”
But even if the legislative consequences aren’t severe, Turnbull says an employer can be hurt if word gets out to the public and employees — current and future — about inadequate privacy practices. And with the particularly sensitive information payroll can have access to, more severe cases, such as breaches that lead to identity theft, could lead to criminal charges for facilitation.
Paul Jones, principal with Toronto law firm Jones and Company, says there could be serious consequences if sensitive information is leaked.
“There can be legal liability, even if just for increased legal costs associated with consulting with lawyers” in the event of a breach, says Jones.
PIPEDA doesn’t require employers to automatically notify employees of a breach of security that potentially exposes their personal information, but Jones suggests it’s a good policy to do so. Providers should notify client employers who would then make the decision to notify employees.
Not every breach warrants full notification, but an employer who takes it upon itself to make the decision rather than automatically notify employees will face increased legal costs from consultations with lawyers, Jones says.
Outsourced payroll providers
When payroll is outsourced, it’s the responsibility of the employer to comply with privacy legislation, and the outsourcing agreement should define privacy parameters and spell out the employer’s own privacy policy, which the provider must follow. However, the provider should inform the employer if too much information is being given, says Jones.
In addition to following an employer’s privacy policy, a provider’s main concern should be security, a concern that privacy trends increasingly reflect.
“Privacy law was initially about compliance but these days the number one issue is security and who has access to information,” says Jones. “Security is the number one issue for payroll.”
Privacy policies and audits
The best thing payroll departments and employers can do to avoid confusion and problems with handling sensitive employee information is to have a privacy policy consistent with both federal law and the most stringent of the provincial privacy laws, says Turnbull. A chief privacy officer, who is required under federal law for all companies, should be responsible for ensuring the policy is followed.
To ensure proper security measures are being implemented and followed, Jones recommends regular audits of company policy and practices and a comparison with industry standards. Particularly where data is transferred between an employer and an outsourced provider, encryption is an important tool, says Jones. He also stresses the importance of having a retention policy so unnecessary records aren’t kept for too long, especially for providers for whom a contract has expired.
There are also privacy consultants who offer advisory services and organizations for corporate privacy officers to exchange ideas, in addition to the federal and provincial privacy commissioners who provide information.
In the end, the best way to handle sensitive employee information is to respect it.