Civil Service payroll system to be audited following data breach

Data Protection Commissioner to scrutinise PeoplePoint system due to data mishaps

The payroll service for about 31,000 civil servants, which has been the subject of multiple complaints and at least two inadvertent data breaches, is being audited by the Data Protection Commissioner.

PeoplePoint, part of the Government’s National Shared Services Office (NSSO), was established in 2013 and handles payroll and leave requests from civil servants.

In April, the details of 1,914 Civil Service staff, including their names, PPS numbers, grades and details of special leave they had taken, were sent on a spreadsheet to a HR manager in one Government department who had sought details about their own staff. There was also a data breach last November when the personal details of more than 300 civil servants were sent by PeoplePoint to HR departments other than their own.

Since PeoplePoint’s introduction there have also been reports of other instances of personal information being disclosed to the wrong managers or departments.


Salary recovery

In addition, there have been complaints about how the system recovers salary amounts overpaid when an individual is on sick leave over and above the allowance.

Among numerous complaints from one government department last year was one from a person who had been told they owed PeoplePoint more than €8,000 as the correct protocols didn’t exist when they suffered a serious illness. The information was contained in records released under the Freedom of Information Act.

Another person’s application for carer’s leave following their retirement was inadvertently sent to their line manager.

Other complaints concerned the “hassle” and “time-wasting” in procedures for applying for special leave, which covers a range of scenarios including training and trade union business.

More than €1.4 million was overpaid to staff in the Department of Social Protection last year. The highest amount was more than €23,000.

Department of Health staff also voiced their “concerns and unhappiness” with the PeoplePoint system over a two-year period.

The department said at the end of last year that, in the main, staff had been concerned about losing the “personal service” provided by local HR when the transition to PeoplePoint took place.

Some €41,250 was overpaid to 10 Department of Health staff last year through the PeoplePoint system.

Findings welcome

The NSSO, which comes under the remit of the Department of Public Expenditure and Reform, said it took data protection very seriously. It welcomed any findings of the scheduled data protection audit and any recommendations the Data Protection Commissioner might have.

A spokeswoman for the Data Protection Commissioner said its audit of PeoplePoint was taking place as part of the office's planned programme of audits for 2016 and was expected to be concluded at the end of July.

“We will be making best practice recommendations at that point, as appropriate.”

The spokeswoman confirmed that six formal complaints had been opened and investigated by the office – one in 2013 and five in 2015.

Seán Carabini, assistant general secretary of the Public Service Executive Union, said: “The PSEU has met with PeoplePoint to highlight the serious concerns of our members in relation to the recent data breach . . . we will continue to engage with them to ensure that the risk of a repeat is minimised.”