Ahead of the General Data Protection Regulation (GDPR) coming in May 2018, it's time, if you haven't already, to review the way you collect, store and transmit sensitive employee data.
We're not lawyers so what we say here can't be taken as legal advice, but we're experts in transmitting payroll and HR data and want to share our knowledge and experience with you to help you make those important decisions surrounding GDPR.
I'm sure you've read the recent headlines in the payroll and HR press such as "Emailed PDFs the ticking security time bomb" and "Employers could be the first to feel the repercussions", which are designed to scare you into thinking that if you email documents containing personal information, for example payslips and reward statements, and then suffer a data breach, you'll be fined millions.
In this article we'll try to reassure you that the world will not end on 25 May 2018 if you are emailing employee documents, and we hope you'll take away a better understanding of why email is being put in the spotlight. GDPR needs to be taken seriously, but scare tactics aren't necessary, so here is some practical advice to help you make informed decisions about the way you process personal employee data.
There is nothing in GDPR that explicitly states you can't email documents to employees, but GDPR is about ensuring the privacy and appropriate collection, management and storage of personal employee information.
Article 32 of the GDPR requires data controllers and processors to "implement appropriate technical and organisational measures", taking into account "the state of the art and the costs of implementation" and "the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons".
It is your responsibility to minimise the opportunities for personal data to be seen by the wrong people or to affect someone's privacy. Therefore you need to ask yourself whether email is an appropriately secure method for delivering personal and sensitive employee documents, given the alternatives available to you.
To help you in your thinking we’ve compiled the six most important things you need to consider before deciding whether to email employee documents that contain sensitive information.
1. Email was never meant to be secure
Network email dates back to the early 1970s, and the core protocol that still carries it, SMTP (standardised in 1982), was designed as a quick way to pass messages between machines, not to keep them confidential. Encryption in transit (STARTTLS) was bolted on later and is optional and hop-by-hop: each server on the path decides whether to use it, and a message can be relayed in plaintext at any hop. Once delivered, the message and its attachments usually sit unencrypted in the sender's and recipient's mailboxes and in the servers in between. That is what "lacks protection in transit and at rest" means in practice, and it is why email is an attractive target for attackers. ICO incident statistics for April to June 2017 recorded a 46% increase in breaches related to email (ICO, 2017).
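One concrete way to see the hop-by-hop nature of email encryption is to read the Received: trace that each server prepends to a message. Per RFC 5321 the "with" clause names the protocol used for that hop: ESMTPS or ESMTPSA means the hop used STARTTLS, plain ESMTP or SMTP means it did not. The following is an added example written for this article, not code from the original page or from any payroll product; the message headers are constructed sample data and the host names are placeholders.

```python
"""
Audit the Received: trace of an email and flag hops that were not
protected by TLS. Added example; the sample message below is constructed
and the host names are placeholders, not real infrastructure.
"""
import email
import re
from typing import Dict, List, Optional

# Constructed sample message: the payroll system sends to the company's
# inbound MX over TLS, but the MX relays to the internal mail store in
# plaintext. Received headers are prepended by each receiving server, so the
# topmost header is the most recent hop.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.example.com with ESMTP id abc123
\tfor <employee@example.com>; Fri, 12 Jan 2018 09:00:00 +0000
Received: from smtp.payroll.example (smtp.payroll.example [198.51.100.7])
\tby mx.example.net with ESMTPS id def456
\t(version=TLS1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
\tFri, 12 Jan 2018 08:59:58 +0000
From: payroll@payroll.example
To: employee@example.com
Subject: Your payslip

Payslip attached.
"""

# IANA-registered "WITH" protocol types that imply the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def parse_received(header_value: str) -> Dict[str, Optional[object]]:
    """Extract the from/by hosts and the protocol token from one Received: header."""
    # Collapse header folding (newline + tab) into single spaces.
    value = " ".join(header_value.split())
    m_from = re.search(r"\bfrom\s+(\S+)", value)
    m_by = re.search(r"\bby\s+(\S+)", value)
    m_with = re.search(r"\bwith\s+(\S+)", value)
    protocol = m_with.group(1).rstrip(";").upper() if m_with else None
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "protocol": protocol,
        "tls": protocol in TLS_PROTOCOLS,
    }


def audit_hops(raw_message: str) -> List[Dict[str, Optional[object]]]:
    """Return the hops in delivery order (oldest first) with a TLS verdict for each."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received", [])
    return [parse_received(v) for v in reversed(received)]


def plaintext_hops(raw_message: str) -> List[Dict[str, Optional[object]]]:
    """Only the hops that carried the message without TLS."""
    return [hop for hop in audit_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"{hop['from']} -> {hop['by']}: {hop['protocol']} ({status})")
```

Two caveats a practitioner should keep in mind. First, each Received: line is written by the receiving server and can be forged by any earlier hop, so only the headers added by servers you operate or trust are evidence of anything. Second, even a trace that is TLS at every hop only shows that the links were encrypted; the message was still decrypted and stored in plaintext on every server along the way and in the final mailbox, which is the "at rest" gap the section above describes.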
If the emails you send employees are exposed in a breach, you as the data controller are the one held responsible. You therefore need to evaluate the risks of emailing employee documents that contain sensitive information and whether email is the most appropriate delivery method available to you. Even if an employee has agreed to receive documents by email, it remains your responsibility as the data controller to make sure they are delivered with security appropriate to the risk.
2. Employees have the right to be forgotten
GDPR enhances individual rights, one of them being the right to erasure, or the "right to be forgotten". It allows individuals, whether consumers or employees, to ask for their personal data to be deleted when there is no compelling justification for a company to keep processing it. The right is not absolute: it does not apply where you must keep the data to comply with a legal obligation, such as statutory payroll record-keeping, so you need to know which data you can erase and which you must retain. A recent CIPP survey found that 21% of respondents said they would ask current or previous employers to erase their personal data.
If an employee leaves the company and exercises their right to erasure, a centralised system such as a secure online portal makes deleting all of their personal data relatively simple and easy to evidence. With a fragmented process, for example pulling data from payroll/HR software into an email sent from Outlook, removing an employee's personal data becomes labour-intensive and error-prone: you would need to search every sender's mailbox and email archive to make sure all copies have been deleted, and copies held in recipients' mailboxes and backups are outside your reach altogether.
3. Wrong document to the wrong employee
Between April and June 2017 there was a 27% increase in incidents of data being sent by email to the wrong person (ICO, 2017). Sending an employee's document to the wrong recipient is a personal data breach under GDPR. If it happens you are unlikely to face the fines of tens of millions that have been talked about, but you may well face some financial penalty and damage to your reputation.
If you send documents to an employee's personal email address, bear in mind that some families and couples share one email account. Employee documents containing personal information, such as a payslip or pay award letter, should be opened only by the individual they are addressed to, and that individual may be uncomfortable knowing that anyone else with access to the account can read them.
4. Lose all control
Once an email has been sent it is no longer under your control. It can be intercepted in transit, and once it reaches the intended inbox it can be forwarded, copied, synced to other devices or kept indefinitely. GDPR gives specific examples of the kinds of security measures that may be "appropriate to the risk", including the "ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services". If you cannot control what happens to an email after it has been sent, you cannot demonstrate that ability.
5. Storage limitations
One of the key data protection principles is that personal data is kept for no longer than necessary. Employers need data retention and deletion policies that set out how long each category of employee personal data will be kept. Retention periods are often set by other legislation: HMRC requires PAYE and NI records to be kept for a minimum period (currently three years from the end of the tax year they relate to) and can look back further in a compliance check, which is why many employers retain payroll records for six to seven years. Check current HMRC guidance rather than assuming a single figure.
Once again, if you email employee documents containing personal data, such as P60s and payslips, removing every trace once the retention period expires is labour-intensive. If an employee has been with the company for five years and is paid monthly, that is around sixty payslip emails to find and delete from the mailbox of every person who sent them, and deleting the sent copies does nothing about the copies in the employee's inbox, on their devices or in mail server backups.
6. Secure email isn't user friendly
Email encryption adds a layer of protection, and some regard it as a secure method of delivery. However, the communication channel you choose needs to be not only secure but also accessible and user-friendly.
End-to-end encrypted email, using S/MIME or PGP, generally requires the sender and each recipient to hold a certificate or key pair and to have supporting software configured on every device they use to open the message and its attachments. This is IT-intensive and makes it hard for employees to access their pay information outside the workplace, for example on a personal phone. Engaging employees means giving them access to what you send at any time and from anywhere, so security and usability must go hand in hand.
Hopefully this article has given you some food for thought. Ahead of GDPR we recommend that you review what personal employee information you communicate, how you communicate it and how you store it. If you conclude that the way you deliver important employee documents needs to change, other solutions are available: email isn't the only option.
We've always questioned how secure email is to use as a communication channel, so if you found this article interesting read our 8 reasons against emailing payslips post.