Payroll practitioners have access to vast amounts of personal, financial and health-related information of staff.

Arlene Leggat, president of the South African Payroll Association, points out that the impact of European Data Protection Regulation (GDPR) and the Protection of Personal Information Bill falls on payroll in terms of action and accountability.

“When an employee joins a firm, they provide a wide range of personal information. If they join the company’s medical and provident funds, they supply their health and financial information as well, but at no point did they consent to this information ever being shared. If an employee’s personal information is being requested, what you need to say is: Who’s asking for it? And Do I have permission to give it to them?”

Can you send personal information internally? Not necessarily

Managers and exco often request personal information from the payroll department, but they might not be entitled to this information. Leggat says many employees don’t think they are distributing personal information when it is sent internally, but they are.

“Employees didn’t sign away their rights to privacy when they joined the company. If someone is requesting that you access and share an employee’s health records, for example, you might need their consent first. Instead of retrieving and forwarding on information when asked, you need to stop and find out if you need approval to share the information first. Don’t just do something because that’s the way it have always been done,” says Leggat.

Other information that cannot be shared without permission includes location information such as phone numbers, email address and physical addresses, biometric data, and employees’ private communication.

“A rising number of businesses are using fingerprints and retinal data to give employees access, and with Bring-Your-Own-Device policies at many companies, employees are communicating in their private capacities throughout the day. All of this information is considered ‘personal’ and needs to be processed lawfully,” says Leggat.

Robust, documented procedures around payroll are needed

‘Processing’ is broadly defined as being any operation or activity, including the collection, recording, organisation, collation, storage, updating or modification, retrieval, consultation or use of information. It doesn’t matter whether this processing is automatic or not, and the dissemination of this information in any way also falls under the term.

“It’s pivotal for businesses to recognise that the definitions are very broad and that procedures need to be implemented and communicated to manage data security, which has affected every industry in every country across the globe,” says Leggat.

Leggat says that payroll professionals should be working with their business’ legal department to create a robust, documented procedure around payroll. Making sure that employees have signed everything before the information is disseminated is key to avoiding future problems.

“As the custodians of employees’ data, we are vulnerable to becoming the disseminator of personal information. Payroll and legal professionals need to make sure they are working in an environment where personal data protection is taken seriously. The necessary processes also need to be in place so that payroll professionals can respond to requests promptly,” concludes Leggat.