Safeguarding personal employee data must be a priority

Safeguarding personal data about employees must be a priority for employers and their benefits providers, says Amanda Wilkinson

Data security is an issue that is never far from the headlines and has major ramifications for benefits professionals.

Employers, as custodians of employee data that includes bank details, salary and bonus information, email and home addresses, dates of birth and national insurance numbers, cannot simply hope that information security is being taken care of by their IT department or providers of benefits schemes and tax-efficient perks, such as childcare vouchers and bicycle loans.

The idea of hackers breaking into an employer’s payroll database or a flexible benefits provider’s system might sound far-fetched, but it is a realistic threat: the data such systems hold, bank details and national insurance numbers included, is exactly what an attacker wants.

And there are other ways data security breaches can occur, for example, through human error, software glitches and a general lack of knowledge. In February, it was revealed that software updates to Busy Bees Childcare Vouchers’ website had left personal information about parents and employers, including names and addresses, potentially exposed to registered users of the site. A spokeswoman for the business, which was bought by Computershare last September and is no longer part of the same company as Busy Bees Nurseries, says: “We were making a series of updates to our website to improve performance and, unfortunately, during one of the updates, a bug was introduced that led to a security hole in the site.”

The part of the site affected by the security hole has now been rebuilt and tested by Deloitte for potential security breaches.

Computershare, which runs the site independently from its other websites and data systems, plans to introduce a new site for Busy Bees Childcare Vouchers in September, which will be tested annually for data security by an external company.

Legal responsibility for data security lies with the recipient of the data and anyone to whom it is passed. In many cases, this means the employer and benefits provider must both take steps to ensure employee information is used only for the purposes it was originally given and that it is secure. Susan Hill, a partner specialising in information and communications technology issues at law firm Cobbetts, says: “If staff entrust, for example, payroll details to their employer, they have passed on confidential information relating to themselves, which is, either expressly or impliedly, subject to the obligation of the employer that it will use it only for the purposes that it has been passed on for. If the employer is passing it on to a third party, it needs to be aware that it must have the third party bound to at least as strong an obligation as it is bound to and to maintain the confidentiality of that data and the proper use of that data, because otherwise it will be sued by the employees for breach of confidence.”

Employers and providers must also consider a raft of other legislation, including the Data Protection Act (see box below). Failure to comply with the law can result in criminal prosecution and fines, as well as a public and employee relations disaster. Glenn Elliott, managing director at Asperity Employee Benefits, says: “People often think the only information you have to look after is banking details, but this is completely wrong. The law says anything that is identifiable as being about a person must be held securely.”

So employers must examine their own data security practices as well as those of their providers – but simply calling in the IT department is not enough. Information security specialist Alan Woodroffe, founder of Secure Systems Support, says: “This is not an IT problem, it is a business process problem. It does not matter how you might implement something, which may be a card index or a computer. It is the process you are running and the data you are handling that matters.

There is no point in having complex passwords on a system if someone prints something out, stores it in a filing cabinet and a thief can steal it.”

Fears of internet-based attacks on software systems often overshadow other security issues that should be considered, such as exposure of information within the organisation, whether an employer or provider, to prying eyes. Staff vetting and data encryption can help with this.

Peter Wood, chief of operations at First Base Technologies, which specialises in checking systems security, says: “Systems such as payroll have convincing-looking authentication processes upfront, but people do not consider that the data is stored in a flat file on the server. It is rarely encrypted unless we are talking about a very security-conscious organisation, it can be copied with no audit trail at all, and it can be exported out of the business relatively easily.”

When it comes to benefits providers, employers should ensure they are contractually obliged to protect employee data. Employers also need to work out what information needs to be sent where and then check the security processes for each supplier in the chain.

The first step is to submit a security questionnaire that goes beyond merely asking for a copy of the provider’s security policy and includes questions about how its software is tested and how its premises are physically secured. A questionnaire may help employers cover themselves legally if a provider has said it is taking all reasonable steps to secure the data but the data then goes missing. However, Asperity’s Elliott says: “I think everyone needs to do more to reduce the risk, rather than just have somewhere to apportion the blame.”

He suggests employers should conduct a site visit to check whether security is evident. Things to look out for include computer hard drive encryption, CCTV, building entry restrictions, burglar and smoke alarms, and locked doors and windows.

Perhaps most important for benefits professionals is the employee helpdesk, because its staff look up employee records all day. Some providers will put the helpdesk in a secure location and restrict access to relevant staff. It is also worth asking to see security training presentations or manuals for staff and talking to them about the issue.

Employers that are keen to ensure their provider’s software has been built securely should also consider hiring a specialist firm to carry out a penetration test, which involves trying to break into the systems. This can cost £5,000-£15,000, depending on the work required, and the tester will produce a report listing the issues it has found and ways to fix them.

However Pete Craghill, chief technical officer at Thomsons Online Benefits, explains: “The trouble is that, for smaller employers, penetration testing is relatively expensive, so I would instead ask for evidence that this has been done by the supplier. If it has not been done, then there is something wrong.”

Most reputable providers will employ an independent third party to carry out penetration tests every year. But employers should bear in mind that a clean report only describes the system as it stood on the day of the test: any later software update can introduce a new security hole, as the Busy Bees case shows.

A quick way of assessing whether a provider has met acceptable standards is to ask whether it has been certified as complying with ISO/IEC 27001:2005, the information security management system standard. However, certification is an expensive and laborious process, so not all providers will have been through it.

Before employers pass on any employee data to benefits providers, they should check that the appropriate employee permissions are in place. Dorian Hannington, manager, flexible benefits at Enrich, says: “Unions are particularly hot about this and any perceived breach, real or otherwise, is jumped on and can create enormous problems for the running of schemes.”

Employers should also ensure they do not send more information than is required. Most importantly of all, the data should be encrypted and sent in a secure fashion. Craghill says: “Something like secure file transfer with PGP encryption ensures that you have both encrypted the file before you have sent it and then you have transported it across the internet in a secure transport.”
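The two steps above, sending only the fields a provider needs and making sure the file arrives intact, can be enforced in the export job rather than left to whoever builds the spreadsheet. The following is an added example written for this page; it is not code from the article, from any provider named in it, or from any real payroll system. The scheme name, the field allow-list, the prohibited-field set and the sample payroll rows are all constructed for illustration. It strips each record to an agreed allow-list, refuses to run if that allow-list names a field that must never leave payroll, and produces a SHA-256 manifest the provider can check on receipt. The PGP encryption and SFTP transfer that Craghill describes happen after this step, on the file it produces.

```python
"""Minimise and fingerprint an employee extract before it goes to a benefits provider.

Added example to illustrate the article's advice; it is not code from the article,
from any provider named in it, or from any real payroll system. The scheme name,
field names, allow-list and sample records are all constructed for illustration.
"""
import csv
import hashlib
import io
import json

# Fields the (hypothetical) provider has justified needing for the scheme.
# Anything not in the tuple is dropped before the file leaves the employer.
PROVIDER_FIELDS = {
    "childcare_vouchers": (
        "employee_id", "first_name", "last_name", "email", "salary_sacrifice_gbp",
    ),
}

# Fields that must never leave payroll in a benefits extract, whatever a
# provider's template asks for. Every allow-list is checked against this set.
NEVER_EXPORT = {"bank_account", "sort_code", "ni_number", "date_of_birth", "home_address"}

# Constructed sample payroll rows: not real people or real identifiers.
SAMPLE_PAYROLL = [
    {"employee_id": "E1001", "first_name": "Ann", "last_name": "Other",
     "email": "ann.other@example.com", "ni_number": "QQ123456C",
     "bank_account": "12345678", "sort_code": "00-00-00",
     "date_of_birth": "1980-01-01", "home_address": "1 Example Street",
     "salary_gbp": "42000", "salary_sacrifice_gbp": "243"},
    {"employee_id": "E1002", "first_name": "Sam", "last_name": "Body",
     "email": "sam.body@example.com", "ni_number": "QQ654321A",
     "bank_account": "87654321", "sort_code": "00-00-01",
     "date_of_birth": "1975-06-30", "home_address": "2 Example Street",
     "salary_gbp": "38000", "salary_sacrifice_gbp": "124"},
]


def minimise(records, allowed_fields):
    """Return copies of `records` containing only `allowed_fields`.

    Refuses to run if the allow-list itself names a prohibited field, so a
    bad provider template cannot be waved through by editing one tuple.
    """
    prohibited = NEVER_EXPORT.intersection(allowed_fields)
    if prohibited:
        raise ValueError(f"allow-list includes prohibited fields: {sorted(prohibited)}")
    out = []
    for rec in records:
        try:
            out.append({field: rec[field] for field in allowed_fields})
        except KeyError as missing:
            raise ValueError(f"record {rec.get('employee_id', '?')} lacks {missing}") from None
    return out


def to_csv(rows, fields):
    """Serialise rows as UTF-8 CSV with a fixed column order and newline line ends."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue().encode("utf-8")


def build_manifest(payload, scheme, row_count):
    """Describe the extract so the provider can check what it received."""
    return {
        "scheme": scheme,
        "rows": row_count,
        "bytes": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


def verify_manifest(payload, manifest):
    """Recompute the fingerprint on receipt; any change to the file fails this."""
    return (len(payload) == manifest["bytes"]
            and hashlib.sha256(payload).hexdigest() == manifest["sha256"])


def build_extract(records, scheme):
    """Minimise, serialise and fingerprint the extract for `scheme`."""
    fields = PROVIDER_FIELDS[scheme]
    rows = minimise(records, fields)
    payload = to_csv(rows, fields)
    return payload, build_manifest(payload, scheme, len(rows))


if __name__ == "__main__":
    payload, manifest = build_extract(SAMPLE_PAYROLL, "childcare_vouchers")
    # The CSV is still plaintext here. Before upload it would be encrypted to
    # the provider's PGP key (for example `gpg --encrypt --recipient <provider
    # key id> extract.csv`) and the resulting .gpg file sent over SFTP: the
    # encrypt-first, then secure-transport arrangement the article describes.
    print(payload.decode())
    print(json.dumps(manifest, indent=2))
```

The manifest only proves integrity, not confidentiality; it lets the provider confirm that the file it decrypted is the one payroll produced, row count and all. Confidentiality comes from encrypting the file to the provider's key before it leaves the employer, so that the SFTP server, and anyone who can copy files from it, never sees plaintext.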

There are many practical steps employers can take to minimise the risk of employee data being exposed by themselves or their providers, but perhaps the most important measure is to check that security is embedded in the organisation’s culture.

How to protect employee data:

  • Encrypt employees’ personal information, whether stored or in transit, and restrict who can access it.
  • Ensure providers are bound by contract to the same obligations around data security that the employer must meet.
  • Vet providers through:
    – a security questionnaire
    – an on-site visit
    – a penetration test of their software systems, carried out by a specialist firm.
  • Check whether providers are certified to the ISO/IEC 27001 standard.
  • When transferring data to a provider, send only what information is needed and ensure that it is encrypted.

The Data Protection Act:

The Data Protection Act (DPA) requires anyone who handles personal information to comply with a number of principles. The data must be:

  • fairly and lawfully processed
  • processed for specified purposes
  • adequate, relevant and not excessive
  • accurate and, where necessary, kept up to date
  • not kept for longer than is necessary
  • processed in line with an individual’s rights
  • kept secure
  • not transferred to other countries outside the European Economic Area without adequate protection.

Broadly, data is classified as personal if it relates to a living individual who can be identified from it, or from it combined with other information the holder has. For example, this could include names, addresses and dates of birth.

The Information Commissioner’s Office (ICO) has legal powers to ensure organisations comply with the requirements of the DPA and can issue an enforcement notice to make them do so.

Failure to comply with a notice can be a criminal offence punishable by a fine.

Employers and providers that hold and process data on employees or their customers should check whether they need to notify the ICO.