Payslips with address visible - GDPR fail?

[The Pom]

Payroll go round each month & put your payslip on your desk. On the front is your full address for everyone to read.
As far as I can tell from what I've read, this is an unauthorised release of my personal data, to which I have not consented.

Any thoughts? (Other than that there are bigger things to worry about!)

 

[Newchodge]

No other thoughts, really, no.

If it REALLY bothers you, point out the issue to the payroll department.

 

[Mike Kilby PC.dp]

Payslips on paper? That's so last century!

Most payroll systems that deliver payslips by email now have a facility to encrypt or password protect the payslips so that personal data is not transmitted and at risk of unauthorised viewing.

With paper payslips, I expect that it's not entirely necessary for the employer (data controller) to have the full home address visible, unless they're being sent by post. That said, it is in your interest for it to be printed on them, perhaps for example when you apply for a loan or mortgage and the lender expects to see payslips.

Is it a breach of GDPR? Probably yes, because it could be mitigated and it is leaving personal data in plain view for anyone to see, use or steal.

What is the real risk here? Without knowing how big your company is, its not possible to do a "risk assessment". I also do not know how many people are likely to walk past your desk that are not employees of the company, or how trustworthy the office is or even if there is CCTV which might deter someone from stealing a payslip from your desk.

If I were the privacy officer for your company, I would likely recommend one of three possible alternative practices.

1. upgrade to new software and practices and use email like many employers do now.
2. change the envelopes so the address is not visible, even if they just stick a label over it!, or if the addresses are printed on envelopes, the printing ought to be amended to not print the address. Just your name, and maybe department would be sufficient.; or much simpler
3. you collect your payslips from the payroll/accounts department in person so they are not left lying around on desks.

 

[Mr D]

OK so work colleagues not allowed to know where you live.

Perhaps as a solution all payslips should be posted out. That way the address being on it and shown to your postie is legal.

 

[Mike Kilby PC.dp]

OK so work colleagues not allowed to know where you live.

Technically yes, why do they need to know your address?
It's not just work colleagues though. You could have customers walking through your office, external contract cleaners, an IT support supplier or other external company providing services in your office. All people who you don't know and may not like having your address handed to!

Perhaps as a solution all payslips should be posted out

Ironically, Royal Mail and Courier Firms are "exempt" from certain processing by virtue that the information has got to be provided in order for them to provide their service. So yes, sending by post would be considered lawful.

 

[Mr D]

Technically yes, why do they need to know your address?
It's not just work colleagues though. You could have customers walking through your office, external contract cleaners, an IT support supplier or other external company providing services in your office. All people who you don't know and may not like having your address handed to!


Ironically, Royal Mail and Courier Firms are "exempt" from certain processing by virtue that the information has got to be provided in order for them to provide their service. So yes, sending by post would be considered lawful.

Is there by any chance anything else on your desk that such people should not be seeing?
Anything on your screen perhaps? Any letters, paperwork, phone numbers etc?

And yes royal mail would be lawful hence me mentioning it being legal. Maybe in time both employer and royal mail will use barcodes only and not printed address.

 

[Mike Kilby PC.dp]

@Mr D, there probably is, hence why most companies implementing GDPR implement Information Security policies as well. Clear Desk, clear screen, lock your screen when you are not there. Some even go as far as to fit filters to screens so you can't see it unless you are sat directly in front of it and cannot photograph it, even blocking out the screen print function especially in call centres in India.

This is why there's no "one size fits all" solution to GDPR. Every business and working practice is unique.

FYI, Royal Mail already use "mailmark" which is one step away from exactly what you mention.

 

[Mr D]

@Mr D, there probably is, hence why most companies implementing GDPR implement Information Security policies as well. Clear Desk, clear screen, lock your screen when you are not there. Some even go as far as to fit filters to screens so you can't see it unless you are sat directly in front of it and cannot photograph it, even blocking out the screen print function especially in call centres in India.

This is why there's no "one size fits all" solution to GDPR. Every business and working practice is unique.

FYI, Royal Mail already use "mailmark" which is one step away from exactly what you mention.

LOL - yes, mailmark still in its infancy yet but another decade can see it being commonplace without need for printed other information on an envelope.

 

[Simon Plummer]

Are you happy that your name and address isn't in the public domain...'anywhere'? Can you demonstrate this practice would cause you any damage or distress? My challenge is that the process of giving out the payslips is a contractual obligation, performed in a secured environment (I assume your desk isn't in a public space?) where appropriate policies apply to staff (I Hope!) and I would guess that your name and address is already in the public domain. Obviously, if your payslip wasn't in a sealed envelope then this would be a very different story! Happy new year!

 

[Newchodge]

Are you happy that your name and address isn't in the public domain...'anywhere'? Can you demonstrate this practice would cause you any damage or distress? My challenge is that the process of giving out the payslips is a contractual obligation, performed in a secured environment (I assume your desk isn't in a public space?) where appropriate policies apply to staff (I Hope!) and I would guess that your name and address is already in the public domain. Obviously, if your payslip wasn't in a sealed envelope then this would be a very different story! Happy new year!

You seem to be arguing 'why should your colleagues not know your personal address'. That is the wrong argument. The right argument is 'why should your employer tell your colleagues about your personal address'. That gives the right starting point.

The fact that payslip distribution is a contractual obligation is irrelevant - there is no contractual obligation to display the address or to distribute the payslips so they are publicly visible.

 

[The Pom]

Thanks to everyone for their input. We have regular external visitors to the premises who could see such information if they were in an office area.
For what it's worth, I'm not particularly fussed if a colleague knows where I live. I'm more interested to know the regulatory rights & wrongs of the situation, purely out of interest.

 

[paulears]

I'd love to work with people who wanted to keep everything about them secret! People are sadly getting paranoid about some things while amazingly open about others. The house on Google street view that is blobbed out took all of ten minutes to find out what it looked like, who lived there and what they paid for the house two years ago!

Your address is hardly a secret, after all - if anybody really cared they'd just follow you home! Wanting privacy and actually getting it is becoming laughably impossible. A colleague could of course steal your payslip, open it up in the toilet and find out a lot more than your home address - now that sounds like a security issue?

 

[Alan]

Last time I had printed payslips ( over 11 years ago ) they had your name and department on the outside, and no address. Whilst I couldn't care two hoots if my address was on it, I can see no reason why it should be on the outside of the envelope if it is not going to be posted. As mentioned, raise it with your HR dept, we can't do that for you.

 

[Awinner2]

On a similar theme, my son had to go into his Nationwide branch to change his home address 9 months ago (because, quite properly he could not do it online, even through his online banking). Imagine his horror when his ex-partner called him before Xmas to say she had received a statement on his Savings account at his previous address and that she had opened the letter! I know that is illegal but even worse she saw that he had several thousands of pounds in the account. Still waiting for reply from Nationwide.