Now the General Data Protection Regulation (GDPR) – introduced May 2018 – is in force, it’s even more important (if you haven’t done so already) to review the way you collect, store and transmit sensitive employee data.
We are not lawyers, so what we say here isn’t legal advice, but we are experts in transmitting payroll and HR data securely and want to share our knowledge and experience with you, to help you make important decisions to support your GDPR compliance.
If you’re short on time today, this quick video below (by our Head of Products – Karensa Maton) will give you a sense of the limitations of email. If you’re ready for more detail, please read on for the full article.
In this article, we’ll encourage you to consider what you send to employees and how you send it and we hope you’ll take away a better understanding of why email was, and continues to be, in the data security spotlight. Here’s some helpful advice you can use now and in the years ahead to make informed decisions about the way you process personal employee data.
There is nothing in the GDPR that explicitly states you can’t email documents to employees, but GDPR is about ensuring the privacy and appropriate collection, management and storage of personal employee information.
Data Controllers and Processors are required to “implement appropriate technical and organisational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
It is your responsibility to minimise opportunities for personal data to be seen by the wrong people or have an impact on someone’s privacy. Therefore you need to ask yourself is email the most secure method to deliver personal and sensitive employee documents?
To help you but this in context, we’ve compiled the six most important things you need to consider before deciding whether to email employee documents that contain sensitive information.
1. Email was never meant to be secure
Email was first launched in 1969 and not much has changed since. It was originally designed as a quick way to send messages between people using electronic devices, it was never designed to be secure. Email lacks protection in transit and at rest, so when it is being sent from one inbox to another and when it is sat in an inbox, it is more susceptible to being intercepted by data hackers. Between April and June 2017, there was a 46% increase in breaches related to email (ICO, 2017).
If the emails you send employees become vulnerable to a data hack or breach, as the Data Controller, you will be held responsible. Therefore you need to evaluate the risks associated with emailing employee documents that contain sensitive information and consider whether it is the most appropriate method of delivery you could use. Even if an employee has agreed to receive documents by email it is still your responsibility as a Data Controller to make sure it is delivered in the most secure way.
2. Employees have the right to be forgotten
The GDPR enhances individual rights, one being the Right to Erasure or the ‘right to be forgotten’. This allows individuals, whether a consumer or an employee, to ask for their personal data to be removed when there is no compelling justification for its continued processing by a company. A CIPP survey in 2017 found 21% of consumers said they will request for personal data to be removed from current or previous employers.
If an employee was to leave your company and request their right to be forgotten then using a centralised system, like a secure online Epay portal, the deletion and removal of all their personal data would be relatively simple and easily traceable. However if you were to use a fragmented process, for example using data from payroll/HR software to populate an email which is sent from Outlook, then the process of removing an employee’s personal data becomes very labour-intensive and tedious. You will need to go through email archives to make sure all email contact has been deleted.
3. Wrong document to the wrong employee
Between April and June 2017 there was a 27% increase in data sent by email to the wrong person (ICO, 2017). Since the GDPR came into force, this is considered a data breach. It is unlikely you’ll be fined the tens of millions threatened by the ICO for this type of breach, but you may have to face some sort of financial repercussion and damage to your brand reputation.
If sending documents to an employee’s personal email address you need to consider that some families and couples may share one email account. Employee documents that contain personal information, such as a payslip or pay award letter, should only be opened by the individual it is addressed to and they may feel uncomfortable knowing other people, who have access to that email, can view this information.
4. Lose all control
Once an email has been sent it’s no longer under your control. The email could be intercepted during transit and once received by the intended inbox. The GDPR provides specific suggestions for the kinds of security actions that might be considered “appropriate to the risk”, including the “ability to ensure on-going confidentiality, integrity, availability and resilience of processing systems and services”. If you can’t control what happens to an email once it has been sent, then you can’t demonstrate your ability to the above.
5. Storage limitations
One of the key data protection principles is that data is kept for no longer than necessary. Employers need to have data retention and removal policies in place to determine how long an employee’s personal data is kept. In relation to Employee PAYE and NI data this should be kept for seven years, as HMRC have the ability to review this information going back seven years.
Once again, if emailing employee documents that contain personal data (such as P60s and payslips) the process of removing all email traces, for the employee whose data needs removing, becomes labour-intensive. For example, if an employee has been with the company for five years and is paid monthly, the employer will need to go through the inboxes of those who have sent payslips via email to that employee and delete every email sent to that employee containing a payslip.
6. Secure email isn’t user friendly
Email encryption is an added layer of protection to email and some believe this to be a secure method of delivery. However, not only does the communication channel you choose need to be secure, it also needs to be accessible and user-friendly.
In order to use secure email, the sender and receiver will generally need a physical key or specific software installed on every device to be able to open and read the email and its attachments. This can be IT intensive and restricts access for employees who want to access their pay information outside of the workplace. Engaging with employees and making sure they have access to the information you send at any time, from anywhere is important, therefore security and usability must go hand in hand.
Hopefully this article has given you some food for thought, and if anything we recommend that you review what personal employee information you communicate, how you communicate that information and how you store it. If you feel a change to the way you communicate important employee documents is needed then there are other solutions available: email isn’t the only option.