Auto-enrolment pensions are almost here, but Chartered Accountants Ireland (CAI) has raised a potential data protection issue. The new online employer registration portal, launched early last week, allows companies to complete their profiles and choose payment methods ahead of the system's start on January 1st. However, the CAI has expressed concerns that the portal may allow individuals whose access to sensitive staff information is meant to be restricted to view certain details. This could potentially lead to data breaches under the principles of the EU General Data Protection Regulation (GDPR).
The CAI's director, Cróna Clohisey, wrote to the Department of Social Protection's general secretary, John McKeon, to express these concerns and request any planned remediation. The department's spokeswoman acknowledged the issue, stating that the National Automatic Enrolment Retirement Savings Authority (Naersa) has rigorous controls in place to limit data access to authorized controllers. However, additional steps may be necessary.
The concern stems from the method of accessing the employers' portal, which requires a Revenue Online Service (ROS) certificate and password. The CAI highlighted that firm principals typically hold full certificates, while staff members use sub-certificates with access restricted to specific tax numbers. However, initial reports from use of the portal suggest that sub-certificates may have unrestricted visibility on the auto-enrolment portal, creating a significant risk.
Even unintended visibility of enrolled individuals constitutes a potential data breach under GDPR. The department's spokeswoman acknowledged the issue and stated that Naersa is considering offering a facility similar to Revenue's. They advised that data controllers should implement appropriate controls via their own processes or systems to restrict access to MyFutureFund data within their organizations.
Minister for Social Protection Dara Calleary has promised to bring forward legislation to prevent businesses from placing employees in company schemes with low contribution rates and thereby keeping them outside the scope of auto-enrolment. The new rule will require a minimum contribution rate of 3.5% of employee earnings, counting both employer and employee contributions, for company pension schemes when auto-enrolment goes live in January.