Growing Security Concerns

WhatsApp declared that it will be amending its privacy policies which would allow Facebook, its parent company, and its subsidiaries to gather users’ location, phone numbers and their contacts’ phone numbers in addition to other private information.

With a large number of privacy concerns in 2021, it is important to consider, not only, whether your privacy concerns are met but also the types of data security processes your payroll provider practices.

While Asia’s data privacy requirements vary greatly, there are key payroll security questions we’re routinely asked by clients (especially banking and FI clients) who outsource their Asia payroll.

The Complexities of Asia Data Privacy

Due to Asia’s data privacy laws remain particularly disintegrated, it is very complex for companies to ensure they host, protect and retain data in accordance with data privacy laws. For example, the personal data of Chinese citizens are required to be hosted in China while Taiwanese privacy laws can prevent companies from hosting Taiwanese citizens’ personal data in China. This may pose issues for companies with a presence in Taiwan if they are headquartered in China.

As such companies operating in Asia need to ensure they and in particular their HR and payroll providers who handle their employee’s personal information take adequate measures to comply with data privacy laws.

Why Your Payroll Provider Should Be ISO 27001 Compliant!

While this can be concerning, especially for overseas companies investing in Asia, the best payroll companies will voluntarily adopt security standards and the provider you use should be compliant with ISO 27001!

ISO 27001 is part of a family of standards that helps organisations keep their information assets secure and is published by the International Organization for Standardization. Asia payroll providers that meet the standard are certified compliant by an independent and accredited certification body on successful completion of a formal compliance audit. Leading Asia payroll outsourcing companies choose to implement the standard to benefit from the best security practices and reassure clients that its recommendations have been followed. 

Other common standards that good Asia payroll outsourcing companies will hold include SOC 1 SOC 1SSAE 16/ISAE 3402, SOC 2 (it’s worth noting that a large number of common US and UK standards will not be widely used in Asia). However, asking your provider whether they hold ISO 27001 is a good way of quickly weeding out risky vendors. 

Where Is the Payroll Data Hosted? Who Has Access to The Data?

Virtually all payroll clients with an IT or compliance function will be keen to understand the following when determining the level of risk associated with an Asia payroll outsourcing company hosting confidential HR information:

Where the payroll data is hosted – where will the payroll data be physically hosted? Is the server physically owned or leased?  How is the network structured?

Data should always be hosted in a way that complies with local data privacy laws. It is worth noting that some industries in specific countries (e.g. banking) will have statutory requirements that information be hosted and stored in-country, as opposed to in off-shore processing centres in low-cost countries (e.g. India, Philippines, Malaysia, etc.).  

IT teams (and payroll providers) will also generally prefer flexible and scalable hosting where possible (e.g. Microsoft Azure, Google, Amazon Web Services or Alicloud) as it ensures a faster user experience for employees when logging into HR Portals to access employee payslips, apply for leave, etc. A good Asia payroll provider will host the data in a way that satisfies local data laws but will also be able to provide flexible hosting options like geo-replication to enhance disaster recovery plans if required.

How the Data Is Stored and Transmitted – How Is the Payroll Data Secured When Being Stored and Transmitted?

Assuming the payroll provider is compliant with ISO 27001 best practices, most questions from clients about data storage and transmission will be in respect of whether the payroll data is encrypted at rest (e.g. data is protected while on disk/in storage, and encrypted in Transit, e.g. data is protected between the client and the payroll provider against snooping).

Good Asia payroll providers will have data encrypted at both stages and ensure client HR teams can obtain compliance sign-off easier. A lot of compliance and IT teams will not be comfortable transmitting confidential payroll data over unsecured email (even if password protected), so it is important that your Asia payroll provider can provide other options for data transmission, e.g. FTP-S.

In addition, compliance teams will also be interested in how data is retained and destroyed when no longer required. Ensuring that your Asia payroll provider has clear data retention policies is your first port of call.

Who Has Access to The Data? – What Is the Framework for Access to Data and How Is Access Monitored?

Restricting user access to client payroll data to a strict need-to-know basis should be the Asia payroll service provider’s basic starting point, and their policies in respect of data access should be standardised for user access and reflect this principle. 

However, arguably more important and what is often overlooked is the practicality of monitoring user access to payroll data at scale and detecting any potential data breaches. It is all well and good to use an Asia payroll provider with a great documented security policy. However, what systems and processes do they have to check for breaches? What proof do they have to show that they actually follow the processes? 

“Will the Payroll Provider Even Know A Breach Has Occurred?” 

Good questions to answer this include:

• Does the provider have a Data Loss Prevention system in place to prevent breaches as well as analytics and alerts to notify of a potential breach?
• Does the provider conduct vulnerability and penetration testing on a regular basis?
• Can the provider utilise Multi-Factor Authentication to prevent unauthorised access?
• Can the payroll provider discover, restrict and monitor privileged identities and their access to resources from a single system?
• Does the payroll provider maintain an access log and can the access log be edited?
•  

A concerning number of Asia HR technology is renowned for lagging behind the rest of the world. Thoroughly understanding your vendor’s ability to detect and monitor potential breaches is key to reducing your chances of being in the headlines for all the wrong reasons.

What other information security questions should we ask?

While this list is not exhaustive, other important security questions that large clients will ask include:

• What on-premise security is there? E.g. in office CCTV (with readily available access to records), monitored alarm systems, etc.
• How does the provider communicate InfoSec policies and procedures to staff? Can they provide evidence such as email communications, training records, memos, etc.?
• How does the provider reference check new staff? What is the disciplinary process in the event of a security incident with a staff member?
• How are change and access requests processed? Can proof of requests be given?
• What firewalls/antivirus protection is used? How are updates and patches distributed systematically to all users? 

Having a good understanding of your Asia payroll outsourcing provider’s information security is key to having a successful and stress-free payroll experience, and asking the right questions makes all the difference.    

Want to Know More About Payroll Security?

If you would like to know more about payroll security or looking to outsource your payroll, contact us now to see how our professional HR team can help!

Related Articles:

• Quick Guide to Calculating Hong Kong’s Average Daily Wage Examples
• Onboard- APAC 2021 Q1 Legislation Update
• The 5 Benefits of Running Cloud-Based Payroll in Asia
• How to Integrate Workday with Payroll in Asia
• 2020 Legislation Updates & Stimulus Measures Comparison Chart

Links International is an industry leader in innovative HR outsourcing with services such as payroll outsourcing, visa application, PEO/EOR Secondment, outplacement, recruitment and more! Contact us for more information on how we can help leverage your HR function.