COVER - Payroll beyond national borders

The debate about whether to keep payroll operations in-house or to outsource continues to rage, but what happens when the debate shifts from in-house to offshore?

The headline in the 2 November 2017 edition of the Canberra Times said it all: ‘Data breach sees records of 50,000 Australian workers exposed’.

The report revealed that nearly 50,000 Australians and 5,000 federal public servants had sensitive personal information exposed online as part of one of the nation’s biggest-ever data breaches.

Employees of the Department of Finance, the Australian Electoral Commission and the National Disability Insurance Agency were caught up in the massive leak caused by a private contractor, who was not named, along with more than 40,000 private sector workers from insurer AMP, utility UGL and Dutch multinational Rabobank.

This case was just one of countless breaches that have raised concerns about data security in Australia. Indeed, it’s a global problem. It’s estimated that more than five million personal records are stolen globally every day.

A new era

Data breach activity continues to escalate in Australia, with Equifax, Uber and the public service facing some of the biggest breaches of 2017 and many smaller breaches going unreported. While not all of these breaches relate to payroll, employers do have certain obligations under the new Mandatory Data Breach Notification Law.

Mandatory Data Breach Notification Law

Effective from 22 February 2018, organisations subject to the Privacy Act 1988 (Cth) (e.g. many Australian Government agencies and private sector organisations with an annual turnover of more than $3m) have an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. This notification must include recommendations about the steps individuals should take in response to the breach and the Australian Information Commissioner must also be notified of eligible data breaches.

What kind of information could cause serious harm? PwC suggests examples of the kinds of information that may increase the risk of serious harm if there is a data breach include:

  • sensitive information, such as information about an individual’s health
  • documents commonly used for identity fraud including Medicare card, drivers licence, and passport details
  • financial information
  • a combination of types of personal information (rather than a single piece of personal information) that allows more to be known about the individuals.

If a data breach fits the eligible criteria, within 30 days of becoming aware of the breach the organisation must:

  1. alert the Australian Information Commissioner of the incident
  2. notify the affected person(s) of the data breach

If these steps are not followed, incidents can attract a maximum penalty of $360,000 for individuals and $1.8m for organisations.

Offshore vs onshore

Every organisation has its own unique set of needs when it comes to payroll. From budget to workforce complexity to tax considerations, there’s guaranteed to be a software or outsourcing service to suit your business. 

However, there are endless offerings to investigate, and these are magnified when there is an option to offshore payroll operations to another country. 

Eugene LaFontaine, national payroll services manager at Frontier Software, says there are a number of key reasons why an organisation might opt to offshore payroll. These might include:

  • costs associated with managing the payroll function in-house
  • payroll being considered a non-core business activity
  • payroll being a transaction-based function that delivers a low value proposition
  • to direct staff to more tactical and strategic functions
  • to minimise business risk
  • to utilise world-class technology and expertise
  • to have the ability to swiftly scale up and thus support business growth
  • to allow the organisation to focus on its core business activity
  • to consolidate disparate multi-country operations into a single global shared services arrangement

However, with data security top of mind in 2018 – especially given the previously mentioned Mandatory Data Breach Notification Law – it’s natural to assume that once data is moved overseas it is more susceptible to data breaches. Is that true?

LaFontaine responds: “Where data is moved overseas as part of the offshore outsourcing arrangement, it becomes difficult for an organisation to conduct security audits to ensure compliance with the organisation’s Information Security Management Systems [ISMS]. The reliance will be on the offshore outsourcing provider to demonstrate they are complaint with the customer’s ISMS framework.”

In addition, LaFontaine says data that is managed by offshore outsourcing providers will be subject to jurisdiction of more than one country, which may cause an issue in data sovereignty. This can raise concerns around:

  1. data protection and security
  2. compliance with privacy obligations
  3. notification of data breaches

“Customers should ensure these important factors are adequately covered in their contract with their service provider,” LaFontaine says. 

However, he adds that it’s easy to make assumptions, including the key misnomer that data saved on Australian shores is somehow ‘safer’ than data saved overseas.

Indeed, the Gemalto Breach Level Index recorded 22 incidents in Australia in the first half of 2016, far more than the 13 recorded in India and seven in Japan and New Zealand.

Act now

When it comes to assessing the security of an organisation’s payroll data, KPMG has urged employers to consider these questions:

  • Is the payroll information entrusted to my entity really secure?
  • What safeguards and measures does my entity really have in place to secure the integrity of payroll information?
  • Does my entity have the right governance and risk appetite for cyber security and data protection?

“Do not wait until you have to report an eligible data breach. Financial and reputational damages can be devastating. Get your safeguards tight or even tighter. Now is the time to act,” the professional service firm urged.

“The APAC region accounted for 8% of incidents worldwide, compared with 79% that targeted North America. The probable flaw with these statistics is that they are of recorded incidents and provide no view as to the number of unreported incidents,” LaFontaine says.

“As the volume of data increases with varying levels of sensitivity, it is clear that data breaches will occur, therefore organisations must shift their focus from breach prevention to strategies that will help them secure the breach.”

Employers are urged to ensure their payroll service provider has taken steps to maintain the highest standards of data security. For example, the Frontier Software IT Security Team has developed its ISMS framework, which outlines the Security Protocols in the management and storage of client and company data. This now incorporates the new Australian NDB and United Kingdom GDPRS requirements.

In addition, Frontier Software educates its staff on compliance of the ISMS framework and in particular how classification of data is to be treated and protected as part of its new employee-onboarding process. This is no more pertinent than in relation to the data breach provision recently added to the Privacy Act.

Frontier Software also conducts an annual Information Management Security test with its employees to ensure compliance and understanding of the ISMS framework. The company is ISO 27001 accredited and conducts an Annual ASEA 3402 Audit to ensure security compliance.

Other key challenges of offshoring

Of course, data security is just one challenge for business leaders to consider in their decision to offshore or onshore their payroll systems.

There are cultural differences in communication styles, attitude towards conflict resolution, and simply different ways of getting work done.

“Organisations need to ensure the staff who have direct contact with the offshore outsource providers have been educated in these areas to ensure the cultural gap has been addressed to allow seamless service delivery of the contracted services,” LaFontaine suggests.

“In addition to the cultural differences, there is the difference in time zones which would make it difficult for organisations to communicate effectively with the offshore outsource provider.” And of course, pay obligations for Australian employers are constantly changing and it’s up to payroll professionals to stay on top of these changes.

LaFontaine says payroll professionals must be trained on all Australian and state employment legislative frameworks to ensure compliance of payroll processing has been adhered to. Payroll professionals must be proficient in providing guidance and support on up-to-date employment legislative information at frequent intervals both for operational processing and software compliance.

Organisations are also dealing with fundamental changes to how, when and where people are working. The concept of nine-to-five, Monday to Friday jobs is being challenged amid the rise of gig-economy workers. It stands to reason that all processes that support the workforce, including payroll, must be constantly revised.

“As Stephen Hawking rightly said, ‘Intelligence is the ability to adapt to change’, so as service providers we not only plan but we focus on the execution of the change,” says LaFontaine. “Progress and long-term sustainability is not possible without change, simply because ‘change is inevitable and growth is optional’ [John C Mowell]. Our concentration is on the rules and regulations that apply in the changing landscape and enhancing our software and services to cater for such change.”

Indeed, while many might assume that offshoring is a cheaper option, there are other factors to consider. And while most would agree there are savings to be made, the damage caused by a data breach would quickly negate any cost benefits.

This article was published in HRD Human Resources Director Magazine on 2 May 2018