An employer distributes payslips in the workplace by hand, and when an employee is not in the office to receive their payslip it is left on their desk. Is this a GDPR breach? Three professionals who advise on GDPR give their opinions.
In our recent blog post about the impact of increased employee awareness of the GDPR and of their rights over their data, we referenced an enquiry that PayDashboard received via our website in June 2018. An individual (not a user of our services) had read some of our blogs about GDPR and payslips, and thought we might be able to answer the following query:
“I receive printed payslips from my employer by hand, but when I am off work my payslip is left on my desk. My home address is printed on there and other employees can see it. Is this a GDPR breach?”
We asked three professionals who advise on GDPR issues to give us their thoughts on this. While each took a slightly different angle on the situation, they were unanimous on one point: this employer is in breach of the GDPR.
Richard Preece, Director at DA Resilience, provides GDPR and data protection advisory, consultancy, education and exercise services to organisations.
Richard feels that this is a GDPR breach, but probably not one that the employer would need to report to the ICO unless the employee asked them to. However, if this employer takes the correct internal actions, Richard believes there is an opportunity for them to turn this negative situation into a more positive outcome.
“Is this a GDPR breach? Yes, in simple terms.
This is a breach of confidentiality of personal data, in that people who are not expected to see this personal information are likely to have access to it. This goes against the underpinning privacy concept that individuals own their personal data and should have the ability to control, edit, manage and delete information about themselves and to decide how such information is communicated to others.
The question is, what is the impact on the data subject as a result of this? In the worst case, an individual may have their home address used for malicious purposes by someone. In the basic context described this is hopefully unlikely. A more likely situation is that the individual feels that a breach of privacy and trust has occurred and doesn’t wish it to be repeated. In this case the privacy event should certainly be recorded by the employer and appropriate action taken to ensure the situation doesn’t happen again.”
An opportunity to build trust
“The next question is, should the employer report themselves to the ICO? This is probably not required, but a good way of dealing with incidents such as this is to apologise, recognise the issue, articulate the steps that will be taken to stop a repeat of the situation, and ask the individual concerned whether they believe the company should report themselves. This is good leadership. A timely and genuine apology, with measures put in place to stop it occurring again, normally leaves the wronged party satisfied and with no desire for further action. So use it as an opportunity to build trust and engagement with members in your team, rather than it becoming a ‘them versus us’ situation.
‘Data Protection by Design by Default’ (Article 25 of the GDPR) is ultimately about adopting a win/win approach for both individuals and companies. In this case the individual’s privacy concerns are recognised and action taken; whilst the employer has an opportunity to turn a potentially negative situation with a member of their team into a more positive outcome that improves trust and engagement.”
Keith Dewey, a GDPR and Information Security advisor for Data GRC Ltd, also provides interim and part-time CISO and DPO services to a number of businesses.
Keith observes that if the company is not actually posting the payslip, the GDPR data minimisation principle suggests that the employee’s address does not need to be on the outside of the payslip. His main concern is the potential risk of fraudulent activity that comes with leaving financial information in an unsecured location.
“I’d address this as two questions.
Firstly, whether it’s reportable to the ICO. The ICO hotline may help advise on this. Fundamentally, it is reportable if the organisation believes that unauthorised access to personal data has created a risk for an individual. It is arguable whether peers having access to a home address will create risks or damages. It is also questionable whether that information needs to be on the front of the payslip in the first place (data minimisation principle), if the payslip is not being put in the post.
However, if someone opens the envelope, that will up the stakes in terms of risk. Sharing salary details between peers can have messy consequences for individuals and companies, even where there are no discriminatory pay imbalances. There is also a potential risk of fraud, if peers are that way inclined.”
Is the practice suitably secure?
“Secondly, the important question of whether this practice is acceptably secure, which is a legal requirement. Having previously headed European fraud management teams, I’ve seen far too many cases of stolen and forged documents being used to obtain credit cards and loans in other people’s names. Often, those people and their company didn’t even know their documents had been used. So, if the company wouldn’t leave a few hundred pounds lying on the desk, I’d suggest they shouldn’t leave payslips lying around either.
The company may also consider the environmental and operational cost perspective, with all those payslips being printed unnecessarily. Assuming staff have computers, mobiles or tablets, I’d suggest a secure employee application, secured online shared folders, or encrypted email would considerably reduce security risks, reduce costs and hopefully avoid the need to consider ICO breach reporting.”
Andrew Crow, Director of Chorus Business Advisors, works with clients on a range of business advisory areas and is an IBITGQ® certified GDPR Practitioner.
Andrew thinks that this employer is in breach of GDPR due to the lack of “appropriate technical and organisational measures” (Article 32) put in place. He has three suggestions for how this company could rectify this.
“All organisations are expected to use appropriate and technical measures to ensure that personal information is protected. In this case I would say the company is in breach of GDPR.
It would be more appropriate (depending on the size of the organisation) for HR or payroll to either:
a) Keep the payslip in a safe until the employee returns,
b) Send payslips by recorded or special delivery,
c) Introduce an online system with secure employee ID.”
All three GDPR professionals raised concerns that this practice of payslip delivery represents a breach of the GDPR. Their reasons included:
Breach of confidentiality of personal data (the employee’s address on the exterior of the payslip)
Risk of a data breach with regards to the employee’s financial information if the payslip is opened by someone else (details of their pay, and potentially their bank details if these are also printed on the payslip)
The lack of appropriate organisational and technical measures to protect this personal data
Their suggestions for an employer in this situation:
Review the process that is currently in place and find an appropriate new process proportionate to the risk and the concerns raised by their employee
Communicate with the employee who has raised the issue in a positive way, ensuring they understand the measures that will be put in place to protect their information
Review whether employee addresses should be removed from the front of the payslips if there is no intention to post the payslip (data minimisation)
Review their payslip delivery methods and consider whether a secure digital solution would be more appropriate
If the decision is made to continue distributing printed payslips, put a process in place whereby if the employee is not available to be handed their payslip directly then their payslip is stored securely and given to the employee at the next opportunity