Privacy Statement
We Are Compliant with the GDPR
Payman has worked through the ICO's 12 steps for preparing for the GDPR, and has also taken the 6 steps noted by many other sources, as follows.
- Understand the GDPR Legal Framework.
- Placing one employee in charge of ensuring that Payman is compliant has enabled Payman to investigate the new regulations in detail, including through multiple community discussions and presentations on the subject.
- Create a Data Register
- Understanding where we store data has always been incredibly important to Payman. To ensure that everything is as expected, Payman has upgraded its technical systems and has also improved its paper-based systems. Payman has deliberately chosen not to record the storage details in writing, as a written record of where data is held would itself increase the risk of a breach.
- Classify your Data
- Payman groups data not only by how it is used but also by category: personal, sensitive, business and general information.
- Start with Top Priority
- Because of the nature of the data Payman handles, the risks are significant and the potential consequences of a data breach could be severe. Reviewing these risks informed Payman's decision to upgrade its information systems security, including passwords, anti-virus and anti-malware protection, and to move to a new payroll management system.
- Assess and document additional risks and processes
- Payman completed a data risk assessment on 24 May 2018 and will continue to monitor all data protection and privacy impact risks. Payman will repeat the data risk assessment annually.
- Revise and Repeat
- Payman has put together templates for a full data audit, a risk assessment and a policy, and will maintain records of all documented data risks and of any changes made to the data systems.
How we store what
As a payroll bureau we store many different kinds of information, and we store them in different ways. Payman decides how to store information based on the level of risk the data poses, and stores data together in groups determined by how the data is used. The 4 main categories of data that we store are personal, sensitive, business and general payroll data, each of which is handled differently. Personal data is data that can be used to distinguish one person from another, such as names and addresses. Sensitive data is data that is unique to one person and can therefore be used for identity theft or cause serious harm, such as medical history in the form of sick certificates. This also includes bank details and national insurance numbers, as they identify a single individual rather than a group of people who happen to share the same name. Because these types of data carry different risks, they must be stored differently.
Payman stores all personal data about clients' employees in digital files only, as these documents are used once and are afterwards required only at the request of the subject or of law enforcement. If the subject is no longer an employee of the client, the information stored about them is moved to a more secure location with tighter access, since it is no longer required for routine processing and will only be retrieved if specifically requested.
Business information about clients is stored in both digital and paper format. This is for ease of access and use: it means that all necessary checks are in place and that Payman personnel can use the information already at hand to verify a client's identity at any time. As client details include personal data about directors and sensitive data about the business, they are stored behind multiple locks, in both physical and digital form.
General payroll data such as input, hours and salaries is stored in paper format only for the current tax year, then scanned and saved as digital files at the start of the new tax year. This is because previously entered figures may need to be confirmed during the current tax year, and the paper format allows easy access and annotation of any changes made. The client's pension details are kept in a separate folder alongside the input, as they are normally referenced separately.
Sensitive data such as the payroll information used by the payroll manager is kept only in the systems that require it. Bank details are stored in the subject's file and protected with an additional digital lock. All paper copies containing sensitive data are scanned and then either discarded or have the sensitive information blacked out.
Processes for all data
Payman holds data about 6 categories of data subject: businesses (clients), clients' employees, subcontractors, agents acting for clients (accountants, pension providers, etc.), persons with significant control in the business (those with access to its accounts) and the main contacts for clients.
Uniquely identifying data about a client as a business is gathered for communications on behalf of that business, for example with HMRC, The Pensions Regulator and other governing bodies. Personal information about a client is therefore passed to such third parties, but only with the client's consent unless disclosure is required by law. Sensitive information stored about the business is used only for setting up direct payments with pension providers and other payroll-related payment schemes.
All personally identifiable information stored about clients' employees is used for payroll purposes only, for example to calculate pay: national insurance numbers for contributions and pension purposes, or dates of birth to determine entitlement. Payman uses personal addresses for payslips and for documents that the client asks to be sent directly to the employee. Sensitive information stored about a client's employee is used when producing payslips and payment sheets for the client; these payment sheets include BACS sheets instructing payments to be made. As with employees, all data requested from subcontractors is used for CIS (Construction Industry Scheme) verification and the production of certificates.
The accountants' details that we store are already publicly available on their own websites, as the information is simply contact information: the business name, a contact name, a contact number and the accountant's postcode. This information is generally found on the "contact us" page of their website. Its sole purpose is to ensure that we can communicate with our client in the most efficient way and that all communications are secure.
We request personal and sensitive data from persons with significant control in the business in order to comply with the Money Laundering Regulations. By checking the details of those with access to the business's money through Creditsafe, Payman ensures that it is compliant with the law. All processing at Payman is lawful and fair, and is handled in the strictest confidence. Identification is requested only in order to protect data.
Access and permissions
To gain access to identifiable personal or business information that we store, you must complete a subject access request form. Once a request is received, Payman has one month to provide the requested data free of charge, unless the request is manifestly unfounded or excessive. When requesting payroll details or details about a client, the requester must be the client, or be authorised by the client in a way that Payman can verify, before any data is released.