Auto-enrolment pensions: Accounting body raises GDPR concerns over employer portal
The Chartered Accountants Ireland (CAI) has raised data protection concerns regarding the new online employer registration portal for the upcoming auto-enrolment pensions system. The CAI warns its members that the portal may allow individuals with restricted access to sensitive staff information to view certain details, potentially compromising data security.
CAI's director, Cróna Clohisey, expressed these concerns in an email to the Department of Social Protection's general secretary, John McKeon, seeking clarification on any planned remedies. The department, which is responsible for auto-enrolment, says that the National Automatic Enrolment Retirement Savings Authority (Naersa) has robust controls to limit data access to authorized controllers. However, it acknowledges the possibility of additional measures.
The issue stems from the portal's access method, which allows employers to complete their profiles and choose payment methods before the system's launch on January 1st. Employers use a Revenue Online Service (ROS) certificate and password for access. CAI highlights the distinction between full certificates held by firm principals and sub-certificates, issued to staff members, with access restricted to specific tax numbers.
However, initial portal usage reports indicate that any ROS certificate or sub-certificate grants access to all active payroll tax registrations associated with the practice. This means sub-certificates, despite their restricted nature, appear to have unrestricted visibility on the auto-enrolment portal. Ms. Clohisey emphasizes the significant risk, including the potential for staff to infer colleagues' salaries by reviewing employer contributions to the My Future Fund.
The CAI argues that even unintended visibility of enrolled individuals constitutes a potential data breach under EU GDPR principles. The department's spokeswoman acknowledges employers' responsibility as data controllers but notes Naersa's consideration of similar access facilities. They advise that data controllers can implement appropriate controls via their processes or systems to restrict access to MyFutureFund data within their organizations.
Auto-enrolment pensions are set to benefit workers aged 23 to 60 who earn at least €20,000 annually across multiple jobs and who are not already enrolled in an occupational pension scheme. Employers and employees will each contribute 1.5% of gross earnings initially, with the government adding 0.5%. Contributions are scheduled to increase in stages, reaching 6% and 2% respectively by year 10.
Minister for Social Protection Dara Calleary has pledged to introduce last-minute legislation to prevent businesses from enrolling employees in company schemes with low contribution rates, ensuring their inclusion in the auto-enrolment scheme.