
Since the General Data Protection Regulation (GDPR) came into force, the question of how safe it is to email sensitive employee documents has never been more important. Under GDPR, organisations are legally responsible for the privacy and processing of personal employee information and the documents that contain it. Failing to handle sensitive employee documents securely can result in severe penalties and damage to a company’s reputation.

The threat of cyber-attacks is at an all-time high. According to the ONS, there were approximately 2.39 million instances of cybercrime across all UK businesses in the last 12 months. Hackers constantly target email communication systems as a potential entry point. If a role requires sensitive employee documents to be sent via email, organisations expose themselves to the risk of data breaches and subsequent legal and financial consequences.

As a result, organisations are responsible for prioritising the security and privacy of sensitive employee data by implementing security measures.

In this article, we encourage you to consider the types of sensitive documents payroll and HR teams send to employees, and why email poses a greater potential security risk for them.

Employee privacy with payroll documents

Employees expect organisations to safeguard their personal information, particularly payroll information. The global shift towards remote working further emphasises the need to safeguard sensitive employee data as organisations increasingly rely on email to access documents. Sending sensitive payroll documents via email compromises employee privacy if unauthorised individuals intercept or access emails.

However, the security risks posed by email are not the channel’s fault. Traditional email systems were not designed with robust security measures, making them more vulnerable to attacks. Organisations must adopt alternative technologies and more secure methods of transmitting sensitive employee documents to improve security and avoid potential threats.

Can you email sensitive employee documents?

The GDPR does not state that you can’t email documents to employees. The guidelines cover the privacy and appropriate collection, management and storage of personal employee information.

The GDPR says:

Data Controllers and Processors are required to “implement appropriate technical and organisational measures,” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”

The question payroll and HR teams should ask is: is email the most secure method of delivering personal and sensitive employee documents?

We are not lawyers, so what we say here isn’t legal advice, but we are experts in securely transmitting payroll and HR data. So here are our tips on ensuring your email to employees is GDPR-compliant.

1. Email was never meant to be secure

Email has been largely unchanged since its inception in 1969. Originally designed as a quick way to send messages between electronic devices, email can lack protection both in transit and at rest. Anyone who has access to an email can read and forward it. As the Data Controller, you may still be held responsible if any emails you send to employees are exposed in a hack or breach.

Therefore you need to evaluate the risks associated with emailing documents containing sensitive information to employees and consider whether it is the most appropriate delivery method available to you. Even if an employee has agreed to receive documents by email, it remains your responsibility as Data Controller to ensure they are delivered as securely as possible.

2. Securing multiple distribution lists

An employer must store certain personal information about its workforce for legitimate reasons. It should, however, only keep data for as long as necessary and follow the rules on processing and usage. HMRC policies recommend keeping employee PAYE and NI data for seven years. Employers must have data retention and removal policies covering employee data.

That said, GDPR enhances individual rights, including the Right to Erasure or the ‘right to be forgotten’. Individuals can ask for their data to be removed when there is no compelling justification for its continued processing, and all records must then be deleted. With a fragmented process, such as distribution lists held in payroll/HR software, teams face the labour-intensive task of deleting details from multiple locations. For example, if an employee has been with the company for five years and is paid monthly, the employer will need to go through the inboxes of everyone who has emailed payslips to that employee and delete every email containing a payslip.

Using a centralised system, like a secure online Epay portal, makes the process quicker, simpler and more effective.

3. Sensitive documents can be sent to the wrong people

In the last quarter of 2022, there were 5,754 reported incidents of data being emailed to the incorrect recipient. In a further 3,769 cases, data was posted or faxed to the wrong person. Since the GDPR came into force, this is considered a data breach. Although the error may seem minor, an organisation can face legal action for it.

For example, a family might share an email address. Payroll documents containing personal information, such as a payslip or pay award letter, should only be opened by the individual they are addressed to. With a shared address, the employee may feel uncomfortable knowing others can view this information.

4. Documents sent via email can be intercepted

Once an email has been sent, it is no longer under your control and can be intercepted in transit. The GDPR gives specific suggestions for the kinds of security measures that might be considered “appropriate to the risk”. These include the “ability to ensure on-going confidentiality, integrity, availability and resilience of processing systems and services”.

If your organisation can’t control what happens to an email once it has been sent, it cannot guarantee GDPR compliance.

5. Secure email isn’t user friendly

Email encryption adds a layer of protection to email, and 33% of organisations distribute payslips via email. However, encryption is not always accessible or user-friendly.

Both parties generally need a physical key, a password or additional software to send, open and read a document via secure email. Not only can this be IT-intensive, but it also restricts access for employees using different devices. Engaging with employees and ensuring they have secure access 24/7 on any device must go hand in hand.

We recommend that HR and payroll teams find an alternative to sending payslips by email. Use a secure payslip portal to distribute sensitive documents to employees and safeguard personal employee information according to the GDPR.