Chartered Accountants Ireland (CAI) has raised data protection concerns relating to the new online employer registration portal for the incoming auto-enrolment pensions system.
The largest accounting body in the State warned its members in a note in recent days that the portal may potentially allow individuals who should have restricted access to sensitive staff information to view certain details.
CAI’s director of members and advocacy, Cróna Clohisey, wrote an email to the general secretary of the Department of Social Protection, John McKeon, last Thursday expressing concerns about the matter and asking if there was any planned remediation.
A spokeswoman for the department, which is ultimately responsible for auto-enrolment, said that the National Automatic Enrolment Retirement Savings Authority (Naersa) has “rigorous controls in place that limit access to data to those data controllers that are entitled to access the data concerned”. However, the spokeswoman said additional steps may be taken.
The CAI’s concern centres on the method through which firms access the employer portal, which was launched early last week and allows companies to complete their profile and choose a payment method in advance of the start of the system – known as My Future Fund – on January 1st. Auto-enrolment is aimed at some 800,000 employees who have no workplace or private pension provision.
Employers access the portal using a revenue online service (ROS) certificate, which acts as a digital signature when combined with a password.
In accountancy practices, firm principals typically hold full certificates, while staff members use sub-certificates with restricted access to specific tax numbers, the CAI highlighted in the email. There are also strict rules on which individuals can hold full ROS certificates and sub-certificates, or sub-accounts, in businesses across the economy.
“However, initial use of the live system, as reported to us by members, suggests that when logging into the portal with any ROS certificate or sub-certificate, the system provides access to all active payroll tax registrations associated with the practice. This means that sub-certificates, despite being restricted on ROS, appear to have unrestricted visibility on the auto-enrolment portal,” Ms Clohisey said in the email.
The CAI said the apparent issue creates significant risk, including certain staff being able to infer colleagues’ salaries by reviewing employer contributions to My Future Fund. Even unintended visibility of who is enrolled constitutes a potential data breach under EU general data protection regulation (GDPR) principles, it said.
A spokeswoman for the department said that employers, as data controllers, are responsible for data access. However, the spokeswoman said that Naersa is considering whether it can offer a facility similar to Revenue’s.
“While this may be enabled in the future, where any individual data controller wishes to restrict access to MyFutureFund data within its own organisation it is advised to implement appropriate controls via its own processes or systems,” the spokeswoman said.
Auto-enrolment will apply to workers aged between 23 and 60 who earn at least €20,000 per year across one or more jobs and who are not already members of an occupational pension scheme. Employers and employees will each initially contribute 1.5 per cent of gross earnings to their pension pot, with the Government adding a further 0.5 per cent. The contributions are due to increase in stages, reaching 6 per cent each for employers and employees and 2 per cent for the Government in year 10.
Minister for Social Protection Dara Calleary promised in recent weeks to bring forward last-minute legislation to prevent businesses putting employees in company schemes with low contribution rates – keeping them out of scope for auto-enrolment.
The planned new rule will require company pension schemes to have a minimum contribution rate of 3.5 per cent of employee earnings when auto-enrolment goes live in January – including both employer and employee contributions.