Can voluntary organisations learn from the Morrisons payroll data leak?

4th January 2016


Gary Webb, from NCVO trusted supplier IRIS FMP Payroll Services, gives a wake-up call to voluntary organisations, following the recent scandal at Morrisons

So, the last thing any charity wants right now is a front page tabloid scandal over any issue.

Protecting your reputation is important both internally and externally and you’d think that there is little bad publicity that could be generated by payroll. You’d be wrong.

Supermarket chain Morrisons were hit with legal action from staff and a good deal of negative national tabloid and television comment when sensitive personal payroll information relating to thousands of employees was stolen from the company. So what can voluntary organisations learn from this?

The Morrisons payroll data theft should be a wake-up call for all voluntary organisations that employ and pay people and volunteers, to check systems and procedures. Furthermore it should also prompt a wider investigation to ensure that any sensitive data is handled, stored and used correctly.

Not only has Morrisons been hit with reputational damage to repair, but there is also now a trust issue between management and the staff. In a voluntary organisation where the goodwill of the team is probably just as, if not more, important keeping employees on side is vital.

Teams need to start by identifying who touches the payroll process, and who else has access to data. Smaller hard pressed voluntary organisations are at risk from the ‘shared password’ approach internally, where ‘one licence’ systems may be accessed by lots of different people and the audit chain breaks down. Larger organisations with more transient staff and higher churn need to look at the surroundings where payroll is processed, procedures and back-up systems, physical security arrangements (including the disposal of IT hardware) and having strong encryption arrangements. Here organisations need to go back and ensure staff are properly checked and trained.  Robust checks should start as part of the employment process.

And don’t think you’re off the hook by employing an outsourced payroll provider. One of the key things you should be asking your provider is the searching questions around who they employ, who has access and where is data housed, how is it transported, and what systems, procedures and accreditations are in place to protect your valuable data.

I always tell people to visit the offices of any outsourced payroll provider before they commit, as you’ll get a good feel as to whether they have robust data security arrangements. Check to ensure they haveaccreditations such as ISO 27001 – the information security management certification, BACs approved bureau status, and the CIPP Payroll Assurance Scheme certification. If they have all three you can be assured data protection is high on their list of priorities.

In a world where data theft is on the increase voluntary organisations should make a resolution in 2016 to ensure their payroll data is not at risk.