Privacy fundamental to payroll’s success, reputation

Know legislative requirements for compliance

The first lesson of privacy is that confidentiality and privacy, while similar, are not the same thing. When two payroll practitioners privately compare notes about employees’ pay rates, benefits deductions or vacation accruals, they may well not be breaking their company’s confidentiality or security rules.

After all, both are authorized to access that data and confidentiality is about organizational responsibility for data. However, if that conversation is outside the context of actually processing payroll or doing a job-related task, their chat almost certainly has violated privacy.

Privacy is about respect for individuals and information about them. Understanding privacy depends on understanding how it differs from confidentiality.

Some employers may have a legal obligation to provide privacy protection for employees. If an organization is subject to the Canada Labour Code, then it is subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) in respect of employee data.

If there is a collective agreement in place, there is likely a requirement to provide employees with rights similar to those provided by legislation in a contract, supported by arbitration decisions.

If the organization is a private sector organization with employees in British Columbia, Alberta or Quebec, it is subject to provincial private sector privacy legislation that includes employee data.

It’s important to understand the terminology associated with privacy legislation. When an organization finds itself with the custody and control of personally identifiable information, however it arrived at the organization, it has collected that data.

When the organization processes (by itself or by using a third party) or retains that data, it is using it.

Finally, if an organization transfers that information to another organization, it is disclosing that data.

Organizations are responsible for ensuring adequate data safeguards are in place. Confidentiality is accomplished by focusing on those safeguards. By moving beyond simple safeguards and focusing on how and why the data is collected, used and disclosed, an organization can also protect the privacy of its employees.

In practical terms, an organization should set goals that can be achieved by its payroll staff. These will be reasonable first steps to enable privacy protection.

First, payroll departments should collect, use and disclose the minimum amount of information absolutely necessary to process payroll, including deductions and remittances, and no more.

Second, payroll departments should provide technical, physical and administrative safeguards appropriate for the sensitivity of the data in their custody and control.

Finally, organizations must be cognizant of the fact that they must dispose of the data as soon as reasonably possible after all the business uses for it have been exhausted.

Payroll practitioners should take an inventory of their operations for privacy best practices:

Collection: Review onboarding and payroll forms and systems to ensure the information collected is actually necessary for payroll processing. This is where a payroll department specifies the purposes for the collection of data.

Such purposes would include paying employees, managing tax deductions and remittances, and managing benefits deductions and remittances. Each field or screen used for data collection should be associated with one or more of these purposes.

If the purpose for collection is not payroll-related, or is not clear, the payroll practitioner should consider not collecting that information.

Other HR or management uses or interest in employee data do not necessarily justify collecting extra information in payroll forms. If uses other than payroll are envisaged for data collected on payroll forms, then consent from the employee for those uses should be sought and respected.

Separate forms and databases are a good way to maintain this distinction.

Use: Review payroll business processes to ensure payroll data is used only for payroll and related purposes such as statutory remittances and benefits deductions. Over time, other departments may have come to payroll and asked for access to data. This may include non-payroll HR personnel. Review these data flows to ensure there is employee consent for the intended use of that data. Check back from time to time to make sure other uses for it haven’t crept in.

It is critical to remember that having data does not confer a right to use it for any other purpose. If an employee has given consent for his information to be used for a non-payroll-related purpose, he should have the right to withdraw it as well.

Disclosure: Review flows of payroll data to other organizations to ensure only the data related to the processing of payroll is going to other organizations and that they, in turn, use it only for purposes your organization has specified. Payroll staff should be able to answer questions from individuals about where their data has gone and for what purposes.

They should structure third party data transfer agreements with that in mind. Transferring payroll data to an external payroll processor is a use, not a disclosure, but the same precautions apply. Transferring data to Canada Revenue Agency for taxes is a disclosure — and a disclosure authorized by legislation.

Unauthorized collections, uses or disclosures of personal information are known as privacy breaches. In many cases, and always with disclosures, these breaches are also confidentiality failures and security incidents. Most organizations already pay close attention to preventing disclosures, so privacy reviews may profit from focusing on the safeguards put in place to prevent unauthorized collections or uses.

Organizations that follow privacy guidelines will be well on their way to implementing a culture that protects the organization and its employees’ privacy.

John Wunderlich is the principal at John Wunderlich and Associates, an information privacy and security consultancy in Toronto. He can be reached at [email protected]
