Payroll Disaster Recovery

Information Security

by Ian Congreave, published in October 2001 issue of Pay Magazine

Most of the new requirements of the Data Protection Act 1998 take effect on 24 October 2001, including the "fair and lawful" processing requirements, special rules for handling sensitive data, the inclusion of new terms in contracts with bureaux, and a number of new employee rights.

Many of the provisions also apply to manual files for the first time. The information contained in the many documents stored in employee record files now falls within the definition of "personal data" and, from 24 October, the use of that information is subject to some of the eight data protection principles. One of those principles, the seventh, states:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

All of the employee data processed in the computerised payroll is "personal data" and has been subject to all of the data protection principles since the legislation was originally introduced in 1984. The new Act reinforces the need to protect personal data from loss or damage, not only by extending the application of the principle to paper records, but also by requiring all "data controllers", the organisations that own and control the use of personal data, to commit themselves to "information security" measures when notifying the Information Commissioner that they are processing personal data.

Commitment
The notification process, as defined in the new Act, requires data controllers to supply the details that will appear in the public data protection register and, in addition, provide "a general description of measures to be taken for the purpose of complying with the seventh data protection principle".

This requirement is achieved by asking data controllers to complete a security statement as part of the notification process. The statement measures an organisation's commitment to protecting its personal data. It asks: "Have you taken any measures to guard against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage?" Although this question is aimed at an organisation in its entirety, the manager of any department with a business-critical system, such as payroll, should ask the same question.

Specific measures
The statement then enquires about seven specific measures that organisations should already have in place. It asks if the measures include:

  • adopting an information security policy? This is a company policy statement, issued to all employees from the highest level in the organisation, that provides clear management direction on responsibilities and procedures in order to protect personal data.
  • taking steps to control physical security? This can be as simple as providing a locked environment for computer equipment and measures to prevent the theft of computers or their components.
  • putting in place controls on access to information? Such controls include password protection for critical systems and files, like the payroll, that contain personal data, and encryption when data is transferred to other systems or over the Internet.
  • establishing a business continuity plan? A very basic requirement is the creation of backup files and their storage off-site, to provide recovery in the event of a disaster of some kind. The payroll system, along with every other business-critical system in an organisation, should already have undergone a risk assessment exercise and be protected by workable contingency plans.
  • training your staff on security systems and procedures? Staff using the payroll system should not simply be taught how to use it, but what controls and procedures must be followed routinely to protect it from damage or loss.
  • detecting and investigating breaches of security when they occur? Any event that has put payroll processing at risk should be reported, investigated, and the necessary measures to prevent it occurring again introduced.
  • adopting the British Standard Code of Practice for Information Security Management BS7799? There is no statutory requirement to apply this British Standard but it provides a comprehensive set of standards and controls that constitute best practice in information security management.
How can you tell whether your organisation has applied the recommendations of BS7799? As one of the very basic requirements is the issuing of an information security policy, the existence of such a policy is a good indication that at least some of its measures have been introduced.

Standards and controls
The BS7799 Code of Practice realistically recognises that the information security needs of each organisation are unique to that organisation. It recommends a broad range of standards and controls that may apply to some businesses but not others, but it includes a number of "key" controls that every business should apply. The measures listed in the Data Protection security statement above are taken from those "key" controls.

Even if your organisation has not yet undertaken a business-wide risk assessment of its systems and developed business continuity plans to implement in the event of a "disaster", it would be sensible to employ appropriate measures within the payroll office. The following check list draws ideas from the Code of Practice and includes practical suggestions contributed by a number of payroll software developers.
  • Have you undertaken a risk assessment exercise within the payroll operation, and developed flexible contingency responses to the identified risks, in conjunction with other departments on whom the payroll process depends? For example, what will you do if your system fails after office hours, your IT staff have gone home, and your BACS file must be transmitted by 9 o'clock? Is your contingency programme gathering dust or is it a live working document, being updated as your routine processes evolve?
  • When did you last check that you can recover from losing all of your payroll data? You may do regular backups, but does the restore process actually work? Some companies test their emergency plans by running a live payroll once a year under their contingency programme.
  • Are your PCs and related equipment secure from theft and from unauthorised use? If you have a standalone PC and you use the Internet, does it have a "firewall" to prevent hacking? Is your BACSAFE device locked away when not in use?
  • If you run an in-house payroll system, have you put into practice all of the information security training provided by your software supplier, and applied the measures built into the system itself, e.g. prompted backups? Some payroll developers have a clause in their contracts that limits their liabilities if the client has not followed their advice or complied with the security procedures that they have put in place. The implication of this is that, in the event of a payroll failure, the supplier may have no contractual obligation to support you.
  • Many payroll system developers offer to run your payroll on their own computers in the event of a failure of your systems. Is that built into your contingency plans?
  • If you have outsourced your payroll, in whole or in part, have you discussed your contract with your service provider in advance of the 24 October 2001 deadline imposed by the Data Protection Act 1998? From that date, you must have a written contract with your processing bureau that includes a requirement that the bureau (1) will only act on your instructions, and (2) will comply with the obligations imposed by the seventh data protection principle in their care of your payroll data. Has your service provider implemented all of the relevant provisions of the BS7799 Code of Practice, and applied for or obtained information security accreditation under the c:cure scheme?
  • Although this question is really directed at the wrong person, do you and any other staff in the payroll department have sole responsibility for the entire payroll process, from start to finish? If so, do your directors realise that this poses a serious risk of fraud?
  • Do you have a routine of making random checks at all stages of the payroll process, not just to ensure that procedures are being followed and the computerised system is correctly calculating wages, but also to deter fraud or even detect it?
  • Have you a clear policy on what to do when a member of the payroll team is dismissed or made redundant? Are they required to leave immediately so they have no access to your business-critical systems? Even more difficult: do you do the same when someone resigns?
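The checklist question "does the restore process actually work?" is the one most easily answered by a routine drill rather than by assumption. The following shell script is an added example, not part of the article or of any payroll supplier's software: it backs up a small constructed payroll data directory, records a checksum of every file, restores the archive into a separate directory, and then checks every restored file against the recorded checksums. Directory layout, file names and the sample data are assumptions made for illustration. It also shows the check failing when a restored file has been altered, which is what proves the drill is measuring something.

```shell
#!/bin/sh
# Added example: a scripted backup-and-restore drill.
# A backup job that "ran without errors" says nothing about whether the data
# can be brought back; this drill restores into a scratch directory and
# compares checksums of every file, so the answer is evidence, not hope.
# Paths, file names and sample data below are assumptions for illustration.

# Write a checksum manifest of every regular file under directory $1 to file $2.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum ) > "$2"
}

# Back up directory $1 into tar archive $2 and record manifest $3 of the live data.
take_backup() {
    tar -cf "$2" -C "$1" . || return 1
    make_manifest "$1" "$3"
}

# Check the files under directory $1 against manifest $2 (absolute path).
# Returns 0 only if every listed file is present with an identical checksum.
check_manifest() {
    ( cd "$1" && sha256sum -c --quiet "$2" ) > /dev/null 2>&1
}

# Restore archive $1 into directory $2 and verify it against manifest $3.
verify_restore() {
    mkdir -p "$2" || return 1
    tar -xf "$1" -C "$2" || return 1
    check_manifest "$2" "$3"
}

# Constructed sample payroll data so the drill runs stand-alone.
make_sample_data() {
    mkdir -p "$1/2001-10"
    printf 'emp_id,name,gross\n1001,Constructed Name,2000.00\n' > "$1/2001-10/run.csv"
    printf 'period=2001-10\nstatus=closed\n' > "$1/2001-10/run.ini"
    printf 'constructed sample BACS submission\n' > "$1/bacs.txt"
}

# Full drill: backup, restore elsewhere, verify. Returns 0 when the restore
# reproduced every file exactly, non-zero otherwise.
restore_drill() {
    root=$(mktemp -d)
    make_sample_data "$root/live"
    take_backup "$root/live" "$root/payroll.tar" "$root/live.sha256"
    verify_restore "$root/payroll.tar" "$root/restore-test" "$root/live.sha256"
    rc=$?
    rm -rf "$root"
    return $rc
}

# Negative drill: one restored file is altered before checking, so this must
# return non-zero. A verification that cannot fail is not a verification.
corrupted_drill() {
    root=$(mktemp -d)
    make_sample_data "$root/live"
    take_backup "$root/live" "$root/payroll.tar" "$root/live.sha256"
    mkdir -p "$root/restore-test"
    tar -xf "$root/payroll.tar" -C "$root/restore-test"
    printf 'altered after restore\n' > "$root/restore-test/bacs.txt"
    check_manifest "$root/restore-test" "$root/live.sha256"
    rc=$?
    rm -rf "$root"
    return $rc
}

# Run the drill when invoked directly: ./restore-drill.sh run
if [ "${1:-}" = "run" ]; then
    if restore_drill; then
        echo "restore verified: every file matched its recorded checksum"
    else
        echo "RESTORE FAILED: investigate before relying on this backup"
    fi
fi
```

In a real payroll office the manifest would be written at backup time and stored with the off-site copy, and the drill would restore onto a machine other than the live one, so that the test also exercises the hardware and software the contingency plan says will be used. The point of the negative drill is the same as running a live payroll under the contingency programme: a test that cannot fail tells you nothing.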

For information about BS7799, visit www.bsi-global.com, and about c:cure accreditation, visit www.c-cure.org.

The author would like to thank the following companies for their contributions to this article:


Copyright © 2006 PayPerShop Ltd - Payroll, Human Resources (HR) & Payroll Taxes