What voluntary organisations can learn from the Morrisons data leak

Gary-Webb3Gary Webb looks after PR, marketing and communications for FMP Global, driving the understanding of payroll outsourcing and in-house payroll software. He has over 25 years of experience working with National Express, Halifax Bank of Scotland (HBOS) and Camelot (The National Lottery). Gary is also a Member of the Chartered Institute of Marketing.

For any voluntary sector organisation, protecting your reputation is important both internally and externally, and while you might think that there is little bad publicity that could be generated by payroll, you’d be wrong.

In December, supermarket chain Morrisons was hit with legal action from staff, along with a good deal of negative national tabloid and television comment, when sensitive personal payroll information relating to thousands of employees was stolen from the company in September. So what can voluntary organisations learn from this?

Know the risks and review your systems

The Morrisons payroll data theft should be a wake-up call for all voluntary organisations that employ and pay people and volunteers, to check systems and procedures. Furthermore it should also prompt a wider investigation to ensure that any sensitive data is handled, stored and used correctly.

Not only has Morrisons been hit with reputational damage to repair, but there is also now a trust issue between management and the staff. In a voluntary organisation where the goodwill of the team is probably just as – if not more – important, keeping employees on side is vital.

Teams need to start by identifying who touches the payroll process, and who else has access to data. Smaller, hard-pressed voluntary organisations are at risk from the ‘shared password’ approach internally, where ‘one licence’ systems may be accessed by lots of different people and the audit chain breaks down.

Larger organisations with more transient staff and higher churn need to look at a number of factors, including:

  • the surroundings where payroll is processed
  • procedures and back-up systems
  • physical security arrangements (including the disposal of IT hardware)
  • having strong encryption arrangements.

Here, organisations need to go back and ensure staff are properly checked and trained. Robust checks should start as part of the employment process.

Using a third party? Audit their security

Don’t think you’re off the hook by employing an outsourced payroll provider. One of the key things you should be asking your provider is the searching questions around who they employ, who has access and where is data housed, how is it transported, and what systems, procedures and accreditations are in place to protect your valuable data.

I always tell people to visit the offices of any outsourced payroll provider before they commit, as you’ll get a good feel as to whether they have robust data security arrangements. Check to ensure they have accreditations such as ISO 27001 – the information security management certification, BACs approved bureau status, and the CIPP Payroll Assurance Scheme certification. If they have all three you can be assured data protection is high on their list of priorities.

In a world where data theft is on the increase voluntary organisations should make a resolution in 2016 to ensure their payroll data is not at risk.

Further information

For more information, read our ‘How to’ guide to protecting your charity’s payroll data.


Data privacy and security for leaders

Find out how to manage the risks of your organisation’s data management in our Annual Conference workshop AM2 ‘Data Privacy and security for leaders’.

Find out more about NCVO Annual Conference 2016


This entry was posted in Practical support and tagged . Bookmark the permalink.

Like this? Read more

Posts written by guests who have contributed to NCVO projects and events.

Comments are closed.