Data Protection in payroll (part 1)

Information Security

by Ian Congreave, published in the 15 September 2000 issue of Payroll Briefing.

The latest Payroll Handbook Special Report gives an overview of the Data Protection Act 2000 and its application in the payroll environment. In the first of a series of articles, Ian Congreave looks at some of the specific issues facing payroll departments in complying with the requirements of this critical legislation.

All "data controllers", the term used for organisations and individuals that own and control the use of personal data, have to ensure that details of their processing appear in the public data protection register, unless the processing is exempt. Any individual may contact the office of the Data Protection Commissioner to obtain a copy of a particular register entry. Alternatively, the register database can be interrogated on the Internet (www.dpr.gov.uk).

The process of adding an entry to the register is known as "notification". Few payroll managers or staff will be involved directly in this process. It is more likely to be handled by a data protection officer who, in addition to a regular job, is required by the business to maintain the register entry. Notification is an annual process and costs £35 per year. It involves completing a draft notification form that is either obtained by telephone or completed on the Internet.

Because the Data Protection Act 1998 is all about the handling of personal data, and all of the data processed by computerised payroll systems is personal data, payroll departments must be as familiar with their statutory obligations under this Act as they are with the income tax and national insurance regulations. This article will concentrate on the notification of payroll processing and on compliance with the register entry.

The fact that a data controller is processing payroll data should appear in the register entry unless the provisions of an exemption apply. The exemption will be discussed later. Payroll processing does not appear separately in the register entry; rather it appears as part of a broader description of processing called "staff administration". Within that description are listed:

a) the "data subjects" e.g. staff including volunteers, agents, temporary and casual workers
b) the "data classes", e.g. employment details; trade union membership
c) the "recipients" to whom data is disclosed, e.g. the data subjects themselves; current, past or prospective employers of the data subject
d) overseas transfer, e.g. world-wide, or specific countries.

The "staff administration" heading will normally incorporate the computerised data held for both payroll and general personnel use. As a result, the data classes and recipients listed in the register entry will usually be much broader than those that apply strictly for payroll purposes. Nevertheless, the entry must include all of those categories of data classes and recipients that are relevant to payroll.

Once notification is complete, it is essential that the payroll department retain, as a working document, a copy of the "staff administration" section of the register entry. This is critically important to ensure that no disclosure of personal data is made to any individual or organisation that does not appear in the list of recipients, unless the employee concerned has given specific approval, as is often the case with status enquiries from banks and building societies. Everyone working in the payroll office should know precisely to whom personal information may be given, how to handle telephone enquiries and demands from assertive managers, and be capable of saying "no", especially when the register does not permit the disclosure.

Exemption from notification

There are three situations where a data controller either does not have to notify processing at all, or does not have to include a certain type of processing in the register entry. The exempted "core business" purposes are:

- staff administration
- advertising, marketing and public relations
- accounts and records.

If these are the only purposes for which personal data is processed, the organisation is exempt from notification altogether, as long as the conditions for the exemption continue to be met. For example, many small businesses have computer systems just to handle the accounts and pay the employees and do not, therefore, have to notify at all. However, just because an organisation does not have to notify, it does not prevent it from notifying voluntarily.

Larger businesses, however, process personal data for many purposes and must comply with the notification requirement. If the conditions for one of the exemptions can be satisfied, that particular purpose does not need to be included in the notification. Instead, the register entry must include the statement "This data controller also processes personal data which is exempt from notification".

The staff administration exemption covers the following activities: "appointments or removals, pay, discipline, superannuation, work management or other personnel matters in relation to the staff of the data controller". Although the Data Protection Commissioner's guidance notes on notification are not clear on the point, this exemption only appears to cover general personnel administration and payroll, but not more strategic uses of personnel data, such as performance appraisal, training and career planning.

The conditions placed upon the exemption indicate the limits to which it may be used. The four restrictions are:

a) the data subjects may be only those whose personal data is necessary for staff administration
b) the data classes are limited to personal data necessary for staff administration
c) disclosures are only made where necessary for staff administration, or where required by law, or otherwise with the data subject's authorisation
d) the personal data is only kept after the data subject's contract ends for as long as is necessary for staff administration.

If the exemption is made use of, there will either be no register entry at all, or the register entry will make no reference to staff administration. There will, therefore, be no details for the payroll department to use as a guide to handling their data. In this situation, the payroll department should prepare its own guidelines, including a list of recipients to whom payroll data may be disclosed, within the limitations given above.

Compliance

The exemptions are designed to reduce the time and work involved in notification and are limited to processing that is not considered to be detrimental in any way to the employees concerned. Exemption does not mean that the processing does not have to comply with the eight data protection principles or any of the other requirements. Exemption from notification does not, therefore, mean that payroll staff do not need to be as familiar with this legislation as they are with tax and NICs regulations. Failure to handle personal data legally can lead to prosecution and fines, in just the same way as failure to deduct and pay over tax and NICs. Data protection training is as important as payroll training.
