Information regarding controller / processor relationship(s) for PiP
| Authority | Cabinet Office |
|---|---|
| Date received | 2025-08-13 |
| Outcome | Some information sent but part exempt |
| Outcome date | 2025-09-23 |
| Case ID | 4870145 |
Summary
The request sought the Data Protection Impact Assessment (DPIA) and documents identifying controller/processor relationships for the PiP payroll system. The authority provided a partial response containing risk assessments and mitigation strategies from the DPIA, though some information was withheld under exemptions.
Key Facts
- The PiP system stores sensitive employment data including trade union membership, bank details, and special categories like ethnicity and religion.
- Access to special category data is restricted to employees and limited OHR system administration accounts.
- Document attachment functionality was switched off pending assessment to prevent excessive data collection.
- Redirection features are currently disabled until technical and organizational controls can be implemented.
- Bespoke user access roles are attached to individuals rather than posts, creating a risk of incorrect access if not revoked upon role changes.
Data Disclosed
- 2025-08-13
- 2025-09-23
- 83
- 2
Exemptions Cited
- Part exempt
Original Request
Please could you provide a copy of the DPIA which was undertaken in order to implement PiP being implemented by OHR /Cabinet Office. Please could you provide any documents which would identify which Departments, Boards or Offices are listed as either A. Controller B. Processor or C. Joint Controller.
Data Tables (38)
| Pay data will include trade union membership | Disclosure of trade union membership | Sensitive category of data visible to payroll. | Reputational Financial Legal |
|---|---|---|---|
| Organisational structure | Employment records, including personal contact details, stored in PiP | Incorrect reporting lines may result in employee data being visible to incorrect manager. | Reputational Financial Legal |
| Internet-based threats | Employee data stored in PiP | Personal information could be at risk from Internet-based threats. | Reputational Financial Legal |
| Devices (mobiles, tablets, PCs etc.) | Employment and personal data stored in PiP | People could leave themselves logged on – ESS/MSS. | Reputational Financial Legal |
| Shared Inbox Access | MSS emails will go to gov.im emails and ESS emails will if an employee selects this as their contact email. | Officers may allow colleagues delegate access into inboxes, which if used inappropriately could allow access to personal/management information. | Reputational Financial Legal |
| Structural changes across IOMG | Personal information is available to a previous manager or an incorrect manager. | Continual changes to organisational structures and occasional time lag in OHR being informed of changes by Departments increase risk of reporting lines becoming incorrect or being amended incorrectly by Dept or OHR. | Reputational Financial Legal |
| Customer identification checks | Employee details being shared with incorrect employee or manager. | Data disclosed in error. | Reputational Financial Legal |
| Training | Teams handling the personal data in PiP and managing the system require data protection training. | Data Protection principles not applied to system design, particularly data governance rules. Failure to meet legal obligations. | Reputational Financial Legal |
| Admin roles, Finance Manager, Fast Input roles and other bespoke user access accounts. | Incorrect access. | Bespoke roles are attached to the person not the post in PiP. Failure to revoke bespoke user access could result in incorrect access to employee personal data based on the needs of a previous role. | Reputational Financial Legal |
| Redirections | Employee tasks could be redirected to incorrect manager. Redirections currently switched off until technical/organisation controls can be implemented. | Redirections restrictions limited ability to redirect tasks to managers within a Department; however the system provider now advises that redirections can go across all IOMG. Managers can be sourced via a PiP by forename, surname or user name. Managers could redirect to an incorrect manager outside of the immediate work area and there is a risk of manager inputting the incorrect details. | Reputational Financial Legal |
| Document attachments: retention | Excessive collection of personal data, including special categories Document categories switched off (excluding receipts and expenses) until fully assessed. | HR, manager and employees can attach documents to a PiP record. Unless managed and cleansed, the system could become full of old data. There is a risk of excessive collection of data. | Reputational Financial Legal |
|---|---|---|---|
| Log in rates | Data made available in the full roll out includes sensitive categories | If an employee has not logged in and checked their reporting lines and personal details, data may be disclosed in error. | Reputational Financial Legal |
| Document attachments: upload functionality | Disclosure of personal data | There are several ways to upload data on to PiP which appear to vary access rights to the data. Need to fully understand the functionality to consider acceptable use. | Reputational Financial Legal |
| Assigning accounts | Employee assigned to incorrect account. | Data may be disclosed in error. | Reputational Financial Legal |
| Technical Failure: Data Loss | Technical error resulting in data loss | Data may be lost, destroyed, deleted. | Reputational Financial Legal |
| Technical Failure: Unauthorised disclosure | Technical error resulting in unauthorised disclose/access | Data may be disclosed in error. | Reputational Financial Legal |
| Workflows | Structural issue causes a workflow email to be sent to the wrong manager | Data may be disclosed in error. | Reputational Financial Legal |
| functionality. Communications to managers to ensure they check correct employees are showing. System is auditable so inappropriate access can be identified. MSS can only be accessed via Government device. | unable to check but majority of employees will be able to check correct management details. Risk accepted. | to an acceptable level. Approach to be reviewed as each Dept ‘Go Live’ | |
|---|---|---|---|
| Bank Details | Restricted access to employee, payroll officers and system admin users only. | Mitigated | Yes, access is only available to OHR officers who require the data to complete their duties. |
| Special categories of data – Ethnic Origin Religion Disability Sexual Orientation | Restricted access, visible to employee and limited OHR system administration accounts only. System designed to prevent email being sent to OHR for disability status and tested. Only anonymised MI data will be available to OHR roles for the purpose of equal opportunities monitoring. System admin accounts would only be require access in the event of system error or by the system admin team providing assistance at the employee request. | Mitigated | Yes, OHR has a Public Sector Equality Duty. Access is restricted, the individual can amend/delete data at any point and additional information has been provided on the PiP to advise employees completion is optional. |
| Pay data will include trade union membership | Restricted access to employee, payroll officer and System Admin only. Payroll requires access to make accurate salary payments and System Admin team require access to all fields within the system to maintain and audit it. Introduction to GDPR training undertaken by payroll officers. Payslips are not accessible to managers. | Mitigated | Yes, consent sought from deductions to pay. Role based access only. |
| Organisational structure | Full organisational structure check prior to ‘Go Live’ Department will have the responsibility to maintain the structure of their organisation, with the support of the system support team. | Risk accepted – to remain under review and be subject to an Article 36 consultation | Yes, Departments maintained their organisational structure in Oracle, however there was limited access to the system to ensure changes have been actioned and were correct. This will be easier and more transparent |
| Department have PiP Reps in place and PiP buddies to support communications. Discussed with DPOs who can support the messages within the Department to ensure the structure is appropriately maintained | under PiP, enabling managers and OHR to identify and correct inaccurate records earlier. | ||
|---|---|---|---|
| Internet-based threats | System hosted by GTS, Cabinet Office who maintains security of Government systems. | Risk accepted | Yes - system protected by government firewalls |
| Devices (mobiles, tablets, PCs etc.) | Training materials reiterate importance of logging out of the system. Any changes made trigger an email to the employee, so unauthorised activity would be detected. PiP is following password and timeout rules of GTS whether an individual log on to the system using a Gov device or personal devices. When using a personal device, rules are set up by the individual on a personal phone/tablet/computer Government Employees who have active directory network access already will use their network user name and password. Government Employees who don’t have network access will receive a PiP log in – which will be set up with the below rules – ESS access only Password Rules: Expiry: 90 days Length: 9 Passwords must include both upper and lower case characters Passwords must include both alpha and numeric characters Users will be allowed to logon once using an expired password | Risk accepted | Yes, ESS accounts need to be accessible on personal devices. |
| Users are not able to select a password they have previously used. Users are required to logon before changing their password User lockout after 3 Failed Log on Attempts Password expiry warning: 10 days. Forgotten password recovery: Expiry Link Email. Time Outs: These are currently set to log off after 20 minutes of inactivity – with a warning 2 minutes before this time out. If window closed, system automatically log out – tested. | |||
|---|---|---|---|
| Shared Inbox Access | Officers allowing colleagues access to their inbox varies across IOMG. This is controlled by permissions and Depts will take their own steps to assure themselves delegates know what they can and can’t access within someone else’s folder. Personal information will already exist in these inboxes as there will be management emails, JobTrain and absence records which go to manager inboxes along with other confidential business data. If a data breach occurred due to the Departmental access in to a colleague’s inbox, the reporting requirements will rest with the Department. Workflow emails will contain employee reference numbers, making it harder to identify a particular individual without MSS access. | Risk accepted | Yes, to be managed in line with current Departmental controls. |
| Structural changes across IOMG | Self service enables Departments to keep organisational structure accurate. Identification of inaccuracies, either by the management chain or employee. Only employees with an MSS account would see MI information so information could not be incorrectly disclosed to any officers without experience of handling confidential management information. | Risk accepted – to remain under review and be subject to an Article 36 consultation | Yes, to remain under review. |
| PiP team to continue to work with IOMG DPOs and encourage them to communicate with their Depts on importance of maintaining the organisational structure. Key contact in each Department managing the structure. DSA to set out clear responsibilities for system maintenance. | |||
|---|---|---|---|
| Customer identification checks | 2 key identifiers now used across OHR to ensure identity is confirmed. OHR processes are undergoing review to use employee number/payroll number which ensure correct employee record is accessed. | Risk mitigated | Yes |
| Training | Director of HR Services attended GDPR certification and 4 x individual training days to provide team with access to specialist knowledge and regular PiP meetings in place to provide oversight. Support from 2 x IG officers with the same level of training. Local training being arranged for OHR. | Risk mitigated | Yes, to remain under review. |
| Admin roles, Finance Manager roles, fast input roles and other bespoke user access | Department requesting bespoke user access. Admin role form has been created to confirm requirements and ensure access to data is lawful, justified and limited to appropriate part of the organisation structure. These are approved by Departmental DPOs prior to submitting to OHR> Appropriate user training given to all individuals when roles are provided. | Risk mitigated | Yes, to remain under review with annual reviews to reconfirm Admin Access is still required. |
| Redirections | To be explored. MHR confirmed restrictions were available in September 2019. Redirections will need to be limited to area/manager hierarchy. System functionality is currently being changed to ensure these limitations are in place prior to the system going live. If this is not possible, alternative options will be | To be monitored | To be incorporated into the project plan and monitored. |
| considered including OHR managing this process. | |||
|---|---|---|---|
| Document attachments: Retention | Document upload functionality switched off for now as retention functionality being explored. Receipts will be uploaded due to requirement to process pay in PiP Full. The documents are not accessible elsewhere in pay and are only attached and visible via the employee pay record. | Risk mitigated | Yes, document attachments are not being progressed until retention functionality is explored. |
| Log in rates | PiP steering board determined log in of 90% required to roll out full Phase 1 functionality. Where an employee is long term absence i.e. MAT leave, the manager will be contacted to discuss with employee and encourage log in. Roll out across Departments will be determined based on log in rates. Where employees have not logged in, PiP team will liaise with line managers to confirm accuracy before going live. | Risk accepted – subject to ongoing review and Article 36 consultation? | Yes, will manual checks complete on ESS accounts if an employee has not logged in. |
| Document attachments: upload functionality | This functionality will not be switched on at this stage and will be moved to phase 2 to allow OHR to fully understand how it works and how access rights are managed across roles. | Risk mitigated | Yes document attachments are not being progressed until upload functionality is explored. |
| Assigning accounts | Processes for creating accounts for new starters established. | Risk mitigated | Yes |
| Technical Failure Data Loss | Data loss: System support team in place to resolve issues with GTS and/or system supplier. Service Level Agreement in place to identify approach to issue resolution across GTS, OHR and MHR – App M. | Risk mitigated | Yes |
| Technical Failure: Unauthorised disclosure | Unauthorised disclose/access: System support team in place to resolve issues with GTS and/or system supplier. OHR System Support team control role based access to the system. This is allocated to named individuals in GTS/MHR on an as needed basis for specific reasons. This access is often time bound so is only in place for the period required to carry out actions requested by OHR – e.g. environment control processes, upgrades to system, upgrades to server, investigating a specific issue Service Level Agreement in place to identify approach to issue resolution across GTS, OHR and MHR – App M. | Risk mitigated | Yes |
| Process name |
|---|
| IOMG PERS - ESS Address (Change) |
| IOMG PERS - ESS Address (New) |
| IOMG PERS - ESS Bank Details (Change) |
| IOMG PERS - ESS Contact Details (Change) |
| IOMG PERS - ESS Contact Details (New) |
| IOMG PERS - ESS Emergency Contact Details (Change) |
| IOMG PERS - ESS Emergency Contact Details (New) |
| IOMG PERS - ESS Personal Details (Change) |
| IOMG PERS - ESS Private Vehicle (Change) |
| IOMG PERS - ESS Private Vehicle (New) |
| IOMG PERS - ESS Sensitive Information (Change) |
| Notes |
|---|
| As detailed in process map below |
| As detailed in process map below |
| As detailed in process map below |
| As detailed in process map below |
| As detailed in process map below |
| As detailed in process map below |
| As detailed in process map below |
| As detailed in process map below |
| As detailed in process map below |
| As detailed in process map below |
| As detailed in process map below |
| Process name | Notes |
|---|---|
| IOMG ABS - Batch Confirm Return to Work | Where employee updates end date of an open sickness absence a notification e-mail is sent to the manager |
| IOMG ABS - Batch Open Ended Sickness 14 Days | Overnight process to identify any open absences with a duration of 14 calendar days for those within Clerk of Tynwald structure only. Triggers notifications to employee and manager |
| IOMG ABS - Batch Open Ended Sickness 28 Days | Overnight process to identify any open absences with a duration of 28 calendar days. Triggers notification to respective HR Advisory Team and manager. |
| IOMG ABS - Batch Open Ended Sickness 7 Days | Overnight process to identify any open absences with a duration of 7 calendar days. Triggers notifications to employee and manager respectively. |
| IOMG ABS - Batch Open Ended Sickness Monthly Reminder | Overnight process to identify any open absences once a month. Triggers notification to respective employee and manager |
| IOMG ABS - Batch Sick Pay Expiry | Monthly process to identify individuals moving to nil pay due to half pay sickness entitlement expiry within the next 60 and 30 days. Triggers notification to respective employee and manager |
| IOMG ABS - Batch Sick Pay Reduction | Monthly process to identify individuals moving to half pay due to full sickness entitlement expiry within the next 60 and 30 days. Triggers notification to respective employee and manager |
| IOMG ABS - Batch Unknown Sickness Reason Monthly Reminder | Overnight process to identify any absences that have a reason of "unknown". Triggers notification to respective employee and manager |
| IOMG ABS - ESS Flagged Sickness Reason (Change) | As detailed in process map below |
| IOMG ABS - ESS Flagged Sickness Reason (New) | As detailed in process map below |
| IOMG ABS - ESS Sickness Absence (Change) | As detailed in process map below |
| IOMG ABS - ESS Sickness Absence (New) | As detailed in process map below |
| IOMG ABS - HR Flagged Sickness Reason (Change) | As detailed in process map below |
| IOMG ABS - HR Flagged Sickness Reason (New) | As detailed in process map below |
| IOMG ABS - MSS Sickness Absence (Change) | As detailed in process map below |
| IOMG ABS - MSS Sickness Absence (Delete) | As detailed in process map below |
| IOMG ABS - MSS Sickness Absence (New) | As detailed in process map below |
| IOMG ABS - MSS Sickness Certifcate (New) | As detailed in process map below |
| Process name | Notes |
|---|---|
| IOMG ABS - ESS Holiday Request (Change) | As detailed in process map below |
| IOMG ABS - ESS Holiday Request (Delete) | Confirmation e-mail is triggered to the employee and manager where a holiday period is deleted by the employee. An authorisation task is also triggered to the manager. |
| IOMG ABS - ESS Holiday Request (New) | As detailed in process map below |
| IOMG ABS - MSS Holiday (Change) | As detailed in process map below |
| IOMG ABS - MSS Holiday (Delete) | Confirmation e-mail is triggered to the employee where a holiday period is deleted by the manager |
| IOMG ABS - MSS Holiday (New) | As detailed in process map below |
| IOMG ABS - MSS Holiday Entitlement Adjustment | Workflow e-mail triggered to the employee where a manager makes an adjustment to their holiday or TOIL entitlement |
| Process name | Notes |
|---|---|
| IOMG ABS - ESS Other Absence Request (Change) | As detailed in process map below |
| IOMG ABS - ESS Other Absence Request (Delete) | Confirmation e-mail is triggered to the employee and manager where an other leave period is deleted by the employee. An authorisation task is also triggered to the manager. |
| IOMG ABS - ESS Other Absence Request (New) | As detailed in process map below |
| IOMG ABS - MSS Other Absence (Change) | As detailed in process map below |
| IOMG ABS - MSS Other Absence (Delete) | Confirmation e-mail is triggered to the employee where an other leave period is deleted by the manager |
| IOMG ABS - MSS Other Absence (New) | As detailed in process map below |
| Process name | Notes |
|---|---|
| IOMG ABS - MSS Adoption (Change) | As detailed in process map below |
| IOMG ABS - MSS Adoption (New) | As detailed in process map below |
| IOMG ABS - MSS Adoption KIT Day (New) | Manager can enter a KIT day against an adoption absence which will notify payroll to pay a day's pay |
| Process name | Notes |
|---|---|
| IOMG ABS - MSS Maternity (Change) | As detailed in process map below |
| IOMG ABS - MSS Maternity (New) | As detailed in process map below |
| IOMG ABS - MSS Maternity KIT Day (New) | Manager can enter a KIT day against a maternity absence which will notify payroll to pay a day's pay |
| Process name | Notes |
|---|---|
| IOMG ABS - MSS Paternity (Change) | As detailed in process map below |
| IOMG ABS - MSS Paternity (New) | As detailed in process map below |
| Process name | Notes |
|---|---|
| IOMG EMP - Batch Expected Occupancy End | As detailed in extension of LTA process map below |
| IOMG EMP - Batch Expected Position End in 30 Days | As detailed in extension of LTA process map below |
| IOMG EMP - Batch Expected Position End in 60 Days | As detailed in extension of LTA process map below |
| IOMG EMP - MSS Contracted Hours Change | As detailed in change of hours process map below |
| IOMG EMP - MSS Expected Occupancy End Change | As detailed in extension of LTA process map below |
| IOMG EMP - MSS Pattern (New) | When manager makes a change to employee working pattern a notification is sent to the employee |
| IOMG EMP - MSS Position Element (Change) | As detailed in TLR process map below |
| IOMG EMP - MSS Position Element (New) | As detailed in TLR process map below |
| Process name | Notes |
|---|---|
| IOMG EMP - MSS Other Employment Change (People>Position) | As detailed in process maps below |
| IOMG EMP - MSS Other Employment Change (Position) | As detailed in process maps below |
| IOMG EMP - MSS Actual Position End Date Change | As detailed in process maps below |
| IOMG EMP - MSS Expected Position End Change | As detailed in process maps below |
| Process name | Notes |
|---|---|
| IOMG EMP - HR Leaver Notification | As detailed in process maps below |
| IOMG EMP - MSS Org Leaver Notification | As detailed in process maps below |
| Process name | Description | Checks List |
|---|---|---|
| IOMG PERS - Batch Check Expiry | Overnight process to identify any individuals with an expiring check (as listed) within 90 days. Triggers notification to direct reporting manager and HR. | Basic Police Check Conditional Appointment Counter Terrorism Check Enhanced DBS Medical Post 65 Medical Qualifications References Security Clearance Standard DBS |
| IOMG PERS - Batch Driving Licence Expiry | Overnight process to identify any individuals with an expiring driving licence within 60 days. Triggers notification to direct reporting manager. | |
| IOMG PERS - Batch Passport Expiry | Overnight process to identify any individuals with an expiring passport within 90 days. Triggers notification to direct reporting manager. | |
| IOMG PERS - Batch Person's Birthday | Overnight process to identify individuals with birthdays the following day. Triggers notification to respective employee and direct reporting manager | |
| IOMG PERS - Batch Probationary Review Due | Overnight process to identify any individuals with a probationary review due within 90 and 30 days. Triggers notification to direct reporting manager. | |
| IOMG PERS - Batch Work Permit Expiry | Overnight process to identify any individuals with an expiring work permit within 60 days. Triggers notification to direct reporting manager and HR. |
| Process name | Notes | |
|---|---|---|
| IOMG T&E - ESS Expense Claim (New) | As detailed in process maps below | *Please note that managers will have the ability to redirect tasks as appropriate to another manager within their area. This is done by searching for the alternate manager's name within PiP, identify the correct person and entering a password to confirm the redirection. Redirections have been turned off temporarily and any redirected tasks will need to be requested via the support helpdesk |
| IOMG T&E - ESS Expense Claim (Saved) | *Please note that managers will have the ability to redirect tasks as appropriate to another manager within their area. This is done by searching for the alternate manager's name within PiP, identify the correct person and entering a password to confirm the redirection. Redirections have been turned off temporarily and any redirected tasks will need to be requested via the support helpdesk |
| Category | Data processing practise | Mandatory informaiton | Shared with MSS | Is this data currently collected by OHR | Is this data currently shared with stationed employer | Location of data and processing | Basis for processing | System Adminsitrator | System Host | Is the data shared with other processors or parties within PiP | Who has access to data in PiP | Data Input by | Data maintained by | Changes authroised by | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Personal Information | |||||||||||||||
| Personal Information | Full name and title | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | D ata Subject | Relevant government agency | |
| Personal Information | Previous name / Change of name | No | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | D a t a S u b j e c t | D ata Subject | Relevant government agency | |
| Personal Information | Date of birth | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | - | - | |
| Personal Information | Gender | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | D ata Subject | Relevant government agency | |
| Personal Information | National Insurance Number | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | - | - | |
| Personal Information | Marital status | No | No | Yes | Yes | Isle of Man | Consent - optional to provide this information and data can be removed at any point by data subject | CABO - OHR | CABO - GTS | Relevant Government agency | OHR - role based access Data Subject | Data Subject | Data Subject | Relevant government agency | |
| Personal Information | Address | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | D a t a S u b j e c t | D ata Subject | Relevant government agency | |
| Personal Information | Contact details (telephone number, email address) | No | Yes | Yes | Yes | Isle of Man | Consent - optional to provide this information and data can be removed at any point by data subject | CABO - OHR | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | D a t a S u b j e c t | D ata Subject | Relevant government agency | Optional field |
| Personal Information | Work contact details (email address) | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | D ata Subject | - | |
| Personal Information | Work contact details (telephone number) | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | D a t a S u b j e c t | D ata Subject | - | |
| Personal Information | Payroll Number and Personal reference | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | - | - | |
| Personal Information | Grade | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | S t a t io ned Employer | OHR | |
| Personal Information | Location | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | Data Subject / Relevant Government agency | Relevant government agency | |
| Personal Information | Job Title and Position Ref | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | Data Subject / Relevant Government agency | Relevant government agency | |
| Personal Information | Emergency contact | No | Yes | Yes | Yes | Isle of Man | Consent - optional to provide this information and data can be removed at any point by data subject | CABO - OHR | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | D a t a S u b je c t | D ata Subject | - | Optional field |
| Personal Information | Bank details | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | No | OHR - role based access Data Subject | OHR | Data Subject | - | |
| Personal Information | Private vehicle details (Where vehicle is used for work purposes) | No | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | D a t a S u b je c t | D ata Subject | Relevant government agency | Only required if claiming expenses are being claimed for work use of a private vehicle |
| Personal Information | Driving licence (where an essential requirement of the role) | No | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract Necessary for compliance with legal obligation | CABO - OHR | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | Data Subject / Relevant Government agency | Relevant government agency | |
| Personal Information | Vehicle insurance (Where vehicle is used for work purposes) | No | Yes | No | No | Isle of Man | Necessary for performance of contract | C A B O - O H R | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | D a t a S u b j e c t | D ata Subject | Relevant government agency | Employee can upload insurance certificate on to PiP or provide a hard copy to their line manager for checking and just confirm the insurance has been checked on PiP. It is a requirement to have business insurance when using a car for work purposes and the mileage allowance factors in this cost. The employer has a duty of care to ensure appropriate insurance is held. |
| Personal Infrormation | Police check (where an essential requirement for the role). Detail is limited to date check completed, expiry data and certificate number only. | No | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract Necessary for compliance with legal obligation | CABO - OHR | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | - | - | |
| Personal Information | Qualifications | No | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract Necessary for compliance with legal obligation | CABO - OHR | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | - | - | |
| Personal Information | Pre-employment medical | No | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract Necessary for compliance with legal obligation | CABO - OHR | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | - | - | |
| Employment Records: Collecting, storing, disclosing and deleting records. Workers must be aware what personal information is retained, what it is used for, is it shared and how long it will be stored. | |||||||||||||||
| Employment Record | Contractual: Maternity records | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract Necessary for compliance with legal obligation | CABO - OHR | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | Data Subject / Relevant Government agency | Data Subject / Relevant Government agency | Relevant government agency | Data from PiP is shared with PSPA if there is an impact to Pension calculations |
| Employment Record | Contractual: Adoption leave records | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | Data Subject / Relevant Government agency | Data Subject / Relevant Government agency | Relevant government agency | Data from PiP is shared with PSPA if there is an impact to Pension calculations |
| Employment Record | Contractual: Paternity leave records | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | Data Subject / Relevant Government agency | Data Subject / Relevant Government agency | Relevant government agency | Data from PiP is shared with PSPA if there is an impact to Pension calculations |
| Employment Record | Contractual: Terms and conditions of employment, working pattern | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | - | - | Data from PiP is shared with PSPA if there is an impact to Pension calculations |
| Employment Record | Contractual: Changes to T&Cs of employment or contractual variation | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | - | - | Data from PiP is shared with PSPA if there is an impact to Pension calculations |
| Employment Record | Contractual: Parental leave records | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract Necessary for compliance with legal obligation | CABO - OHR | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | Data Subject / Relevant Government agency | Data Subject / Relevant Government agency | Relevant government agency | Data from PiP is shared with PSPA if there is an impact to Pension calculations |
| Employment Record | Employment record: Employment history | Yes | No | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | - | - | Data from PiP is shared with PSPA if there is an impact to Pension calculations |
| Employment Record | Employment record: Immigration status and passport details | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract Necessary for compliance with legal obligation | CABO - OHR | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | - | - | |
| Employment Record | Equal Opportunities: Equal opportunities information | No | No | Yes | No | Isle of Man | Consent - optional to provide this information and data can be removed at any point by data subject | CABO - OHR | CABO - GTS | - | System admin accounts only Data Subject | Data Subject | Data Subject | - | |
| Employment Record | Leave: Annual leave records | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | Data Subject / Relevant Government agency | Data Subject / Relevant Government agency | Relevant government agency | |
| Employment Record | Long Service | No | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | CABO - OHR | CABO - GTS | Relevant Government agency | Data Subject / Relevant Government agency | Data Subject / Relevant Government agency | Relevant government agency | ||
| Employment Record | Pay: Pension records | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | - | - | Data from PiP is shared with PSPA if there is an impact to Pension calculations |
| Employment Record | Pay: Retirement Benefit Schemes - records of notifiable events i.e. incapacity | Yes | Yes | Yes | Yes | Isle of Man | Necessary for compliance with legal obligaiton | CABO - OHR | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | Data Subject / Relevant Government agency | Data Subject / Relevant Government agency | Relevant government agency | Data from PiP is shared with PSPA if there is an impact to Pension calculations |
| Employment Record | Pay: Wage/salary records (including overtime, expenses and timesheets) | Yes | Yes | Yes | Yes | Isle of Man | Necessary for compliance with legal obligaiton | CABO - OHR | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | Data Subject / Relevant Government agency | Data Subject / Relevant Government agency | Relevant government agency | Data from PiP is shared with PSPA if there is an impact to Pension calculations |
| Employment Record | Probation: Probation start and end dates and outcome | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | CABO - OHR | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | Data Subject / Relevant Government agency | Data Subject / Relevant Government agency | Relevant Government agency | |
| Employment Record | Sickness absence: Sickness Absence records (reasons, date, calculations, certificates, absence stages, OHS referral and RTW information) | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | C ABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | Data Subject / Relevant Government agency | Data Subject / Relevant Government agency | Relevant government agency | Data from PiP is shared with PSPA if there is an impact to Pension calculations |
| Employment Record | Special leave records | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | Data Subject / Relevant Government agency | Data Subject / Relevant Government agency | Relevant government agency | Data from PiP is shared with PSPA if there is an impact to Pension calculations |
| Employment Record | Termination of employment: Correspondance / Confirmation of last day of service | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract | C A B O - O H R | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | Data Subject / Relevant Government agency | Data Subject / Relevant Government agency | Relevant government agency | Data from PiP is shared with PSPA if there is an impact to Pension calculations |
| Employment Record | Work Permit: Work permit including extensions | Yes | Yes | Yes | Yes | Isle of Man | Necessary for performance of contract Necessary for compliance with legal obligation | CABO - OHR | CABO - GTS | Relevant Government agency | OHR - role based access Government agency -management Data Subject | O H R | - | - | |
| Pensions | |||||||||||||||
| Pensions | Personal Detail (break down above) | Yes | No | Yes | No | Isle of Man | Necessary for performance of contract Necessary for compliance with legal obligation | CABO - OHR | CABO - GTS | No | OHR - role based access | OHR | - | - | Data from PiP is shared with PSPA if there is an impact to Pension calculations |
| Pensions | Pension records | Yes | Yes - change request submitted to prevent this data being shared. | Yes | No | Isle of Man | Necessary for performance of contract Necessary for compliance with legal obligation | CABO - OHR | CABO - GTS | No | OHR - role based access | OHR | - | - | Data from PiP is shared with PSPA if there is an impact to Pension calculations |
| Department and Division: | |
|---|---|
| This Administrative Role request is for the following position/s: | |
| Current post holder/s: | |
| The specific parts of the organisation this position/s will have access to are: |
| Information Type | Access Required | Business Need |
|---|---|---|
| Personal Details (Including name, marital status and D.O.B) | ☐ | |
| Address Details | ☐ | |
| Emergency Contact Details | ☐ | |
| Contact Details (including e-mail, telephone etc.) | ☐ | |
| Key Dates (organisational start date, D.O.B and age) | ☐ |
| Driving Licence Details | ☐ | |
|---|---|---|
| Reckonable Service Dates | ☐ |
| Leave Type | Access Required | Business Need |
|---|---|---|
| Annual Leave (including Flexi and TOIL) | ☐ | |
| Other Leave (including Special Leave and Training Days) | ☐ | |
| Holiday Entitlement | ☐ | |
| Bank Holiday Records | ☐ |
| Sickness Absence Options | Access Required | Business Need |
|---|---|---|
| Opening/Closing Sickness Records | ☐ | |
| Viewing/Uploading Doctors Certificates | ☐ |
| Employment Information Options | Access Required | Business Need |
|---|---|---|
| View Current Position Details | ☐ | |
| Change Expected Occupancy End Date (LTA) | ☐ | |
| Change Contracted Hours | ☐ | |
| Change Working Pattern | ☐ | |
| Person Transfers (i.e. acting up, secondment) | ☐ | |
| Requesting Other Employment Changes (i.e. Grade Change Requests, Ex-Gratia payments etc.) | ☐ |
| Fast Input Option | Access Required | Business Need |
|---|---|---|
| Overtime (all applicable rates) | ☐ | |
| Mileage Claims | ☐ | |
| Expense Claims | ☐ | |
| Additional Allowances (all applicable rates) | ☐ | |
| Other (please detail in the box below) | ☐ | |
| Personal Information Type | Access Granted | Decision Comments |
|---|---|---|
| Personal Details (Including name, marital status and D.O.B) | ☐ | |
| Address Details | ☐ | |
| Emergency Contact Details | ☐ | |
| Contact Details (including e-mail, telephone etc.) | ☐ | |
| Key Dates (organisational start date, D.O.B and age) | ☐ | |
| Driving Licence Details | ☐ | |
| Reckonable Service Dates | ☐ |
| Leave Type | Access Granted | Decision Comments |
|---|---|---|
| Annual Leave (including Flexi and TOIL) | ☐ | |
| Other Leave (including Special Leave and Training Days) | ☐ | |
| Holiday Entitlement | ☐ | |
| Bank Holiday Records | ☐ |
| Sickness Absence Options | Access Granted | Decision Comments |
|---|---|---|
| Opening/Closing Sickness Records | ☐ | |
| Viewing/Uploading Doctors Certificates | ☐ |
| Employment Information Options | Access Granted | Decision Comments |
|---|---|---|
| View Current Position Details | ☐ | |
| Change Expected Occupancy End Date (LTA) | ☐ | |
| Change Contracted Hours | ☐ |
| Change Working Pattern | ☐ | |
|---|---|---|
| Person Transfers (i.e. acting up, secondment) | ☐ | |
| Requesting Other Employment Changes (i.e. Grade Change Requests, Ex-Gratia payments etc.) | ☐ |
| Fast Input Option | Access Granted | Decision Comments |
|---|---|---|
| Overtime (all applicable rates) | ☐ | |
| Mileage Claims | ☐ | |
| Expense Claims | ☐ | |
| Additional Allowances (all applicable rates) | ☐ | |
| Other (please detail in the box below) | ☐ | |
| Special category of data | Purpose of processing | Exemption |
|---|---|---|
| Racial or ethnic origin | Equal Opportunity data only | Refer to Appendix F |
| Religious or philosophical beliefs | Equal Opportunity data only | Refer to Appendix F |
| Trade union membership | Payroll officers only. Payroll deducts Union membership fees directly from salary when requested by the employee via a consent based form. | Article 9 (2) (a) – explicit consent for a specified purpose |
| Health data | Absence data for the purpose of • To maintain a record of the operation of IOMG corporate absence procedures. • To ensure that employees receive statutory and contractual sick pay element or other pay elements and benefits. • To meet health and safety obligations. • To comply with the requirement to make reasonable adjustments. • For HR and business administration purposes. • For defence against potential legal claims. | Article 9 (2) (b) – Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment law. Article 9 (2) (f) – Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. Article 9 (2) (h) – Processing is necessary for the purposes of preventative or occupational medicine, for assessment of the working capacity of the employee. |
| Sexual Orientation | Equal opportunity data only | Article 9 (2) (g) – Substantial public interest. Refer to Appendix F |
| Criminal Convictions | Criminal conviction data will not be stored within PiP, however for those posts which require regular Disclosure and Barring Service (DBS) checks, an expiration date will be stored to trigger reminders to the employee and manager that a new DBS check is required. | Article 9 (2) (b) – Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment law. |
| Department/ Office/Board | Division/Area | Variation | Rationale | Additional requirements |
|---|---|---|---|---|
| Department of Home Affairs | Fire and Rescue Service | Not utilising the annual leave and time off in lieu recording functionality. | New system implemented within the Fire and Rescue Service | None. This variation results in reduced processing of personal data. |
| Department of Home Affairs | IOM Constabulary (Police T&Cs) | Not utilising the annual leave and time off in lieu recording functionality. | Trialled the annual leave functionality for one month but the processes weren’t working for them. Duplication in work in keeping both the All Island Duty Board and PiP up to date. | None. |
| Department of Infrastructure | Transport Services (Bus Drivers and Railway Operations Teams) | Not utilising the absence (annual leave, sickness and special leave) functionality. | Existing system called Omnidas in place which works for them. | Sickness absence load required from Omnidas into PiP |
| Information Commissioner Office | Information Commissioner | Information Commissioner requires modified reporting – PiP team reviewing. Annual leave Absence records | No reporting manager. The Information Commissioner is the independent authority responsible for upholding the public's information rights and promoting and enforcing compliance with the Island's information rights legislation. The ICO will not enter AL and absence data to the system as they maintain this data themselves and liaise with payroll to ensure any reduction in pay is processed. | None, mirrors current practice. |
| General Registry | Deemsters | Infrequently use PiP so won’t be using the functionality | General Registry have two people who have approved admin roles to input the Deemsters claims into PiP on their behalf | None |
| Attorney Generals Chambers | Attorney Generals Chambers | AG requires modified reporting – PiP team reviewing. Not utilising the annual leave, flexi leave and time off in lieu recording functionality. | AGC’s will continue to use the Etarmis system for annual leave and flexi leave. Only leave that has the potential to impact pay will be entered (absence, unpaid special leave, Maternity/Paternity leave etc.) | None. This variation results in reduced processing of personal data. |
| Parliament | Clerk of Tynwald | CoT requires modified reporting – PiP team reviewing. Not utilising annual leave, flexi leave or paid leave recording functionality. Unpaid leave will be recorded for payroll purposes. | COT have their own system for recording annual leave | None. This variation results in reduced processing of personal data. |
|---|---|---|---|---|
| Manx Industrial Relations | Industrial Relations Officer | Industrial Relations Officer requires modified reporting – PiP team reviewing. | No reporting manager. The Manx Industrial Relations Service (MIRS) is an independent organisation funded by Government and provides a free and impartial industrial and employment relations service. | None, mirrors current practice. |
| Cabinet Office | Chief Secretary | No reporting manager | The Executive Assistant to the Chief Secretary has an admin role to support the Chief Secretary with requests from his direct reports as well as his own absence and mileage and expense claims | None |
| PSPA | Chief Executive | No reporting manager | The Governance and Legislation Manager has an admin role to support the CEO with requests from his direct reports as well as his own absence and mileage and expense claims | None |
| GSC | Chief Executive | No reporting manager | The Director has an admin role to support the CEO with requests from his direct reports as well as his own absence and mileage and expense claims | None |
| CC | Chief Executive | No reporting manager | The Chief Operating Officer has an admin role to support the CEO with requests from his direct reports as well as his own absence and mileage and expense claims | None |
| Security Role | Areas can Access | Read Only or Editable |
|---|---|---|
| Absence Team Leader | Data Conversion for loading online sickness forms in bulk | Editable |
| Absence Reports | Editable | |
| HR | IOMG Employees Only (not pensioners) | |
| Personal Details | Editable | |
| Key Dates (not pensionable age) | Editable | |
| Position Details including salary | Editable | |
| Absence Details | Editable | |
| Management Information Reports | Editable | |
| Organisation Structure | Read Only | |
| User Defined Forms | Read Only | |
| Payroll | IOMG Payroll | Editable |
| No personal details – other than full name | Read Only | |
| Bank Details and pay method | Editable | |
| Position Details including salary | Read Only | |
| Allowances and other pay elements | Editable | |
| No access to absence | N/A | |
| Payroll (Tax & Time Sheet Loading) | Data Conversion for loading pay information/claims in bulk | Editable |
| Payroll Cleardown | Cleardown function only | Editable |
| Payroll Manager | Element Loading | Editable |
| Person Details including contact details | Read Only | |
| Absence Details | Read Only | |
| All access as per “payroll” security role | ||
| System Administrator | Access to all areas of the system including all information entered by employee and manager | Editable |
Full Response Text
Pay data will include trade
union membership
Disclosure of trade union
membership
Sensitive category of data visible to payroll.
Reputational
Financial
Legal
Organisational structure
Employment records, including
personal contact details, stored in
PiP
Incorrect reporting lines may result in employee data being
visible to incorrect manager.
Reputational
Financial
Legal
Internet-based threats
Employee data stored in PiP
Personal information could be at risk from Internet-based
threats.
Reputational
Financial
Legal
Devices (mobiles, tablets,
PCs etc.)
Employment and personal data
stored in PiP
People could leave themselves logged on – ESS/MSS.
Reputational
Financial
Legal
Shared Inbox Access
MSS emails will go to gov.im emails
and ESS emails will if an employee
selects this as their contact email.
Officers may allow colleagues delegate access into inboxes,
which if used inappropriately could allow access to
personal/management information.
Reputational
Financial
Legal
Structural changes across
IOMG
Personal information is available to
a previous manager or an incorrect
manager.
Continual changes to organisational structures and
occasional time lag in OHR being informed of changes by
Departments increase risk of reporting lines becoming
incorrect or being amended incorrectly by Dept or OHR.
Reputational
Financial
Legal
Customer identification
checks
Employee details being shared with
incorrect employee or manager.
Data disclosed in error.
Reputational
Financial
Legal
Training
Teams handling the personal data
in PiP and managing the system
require data protection training.
Data Protection principles not applied to system design,
particularly data governance rules.
Failure to meet legal obligations.
Reputational
Financial
Legal
Admin roles, Finance
Manager, Fast Input roles
and other bespoke user
access accounts.
Incorrect access.
Bespoke roles are attached to the person not the post in
PiP. Failure to revoke bespoke user access could result in
incorrect access to employee personal data based on the
needs of a previous role.
Reputational
Financial
Legal
Redirections
Employee tasks could be redirected
to incorrect manager.
Redirections currently switched off
until technical/organisation controls
can be implemented.
Redirections restrictions limited ability to redirect tasks to
managers within a Department; however the system
provider now advises that redirections can go across all
IOMG. Managers can be sourced via a PiP by forename,
surname or user name. Managers could redirect to an
incorrect manager outside of the immediate work area and
there is a risk of manager inputting the incorrect details.
Reputational
Financial
Legal
Document attachments:
retention
Excessive collection of personal
data, including special categories
Document categories switched off
(excluding receipts and expenses)
until fully assessed.
HR, manager and employees can attach documents to a PiP
record. Unless managed and cleansed, the system could
become full of old data. There is a risk of excessive
collection of data.
Reputational
Financial
Legal
Log in rates
Data made available in the full roll
out includes sensitive categories
If an employee has not logged in and checked their
reporting lines and personal details, data may be disclosed
in error.
Reputational
Financial
Legal
Document attachments:
upload functionality
Disclosure of personal data
There are several ways to upload data on to PiP which
appear to vary access rights to the data. Need to fully
understand the functionality to consider acceptable use.
Reputational
Financial
Legal
Assigning accounts
Employee assigned to incorrect
account.
Data may be disclosed in error.
Reputational
Financial
Legal
Technical Failure: Data
Loss
Technical error resulting in data
loss
Data may be lost, destroyed, deleted.
Reputational
Financial
Legal
Technical Failure:
Unauthorised disclosure
Technical error resulting in
unauthorised disclose/access
Data may be disclosed in error.
Reputational
Financial
Legal
Workflows
Structural issue causes a workflow
email to be sent to the wrong
manager
Data may be disclosed in error.
Reputational
Financial
Legal
functionality.
Communications to managers to ensure they check correct employees are showing.
System is auditable so inappropriate access can be identified.
MSS can only be accessed via Government device. unable to check but majority of employees will be able to check correct management details.
Risk accepted.
to an acceptable level. Approach to be
reviewed as each Dept ‘Go Live’
Bank Details
Restricted access to employee, payroll officers and system
admin users only.
Mitigated
Yes, access is only available to OHR
officers who require the data to
complete their duties.
Special categories of
data –
Ethnic Origin
Religion
Disability
Sexual Orientation
Restricted access, visible to employee and limited OHR
system administration accounts only.
System designed to prevent email being sent to OHR for disability status and tested. Only anonymised MI data will be available to OHR roles for the purpose of equal opportunities monitoring.
System admin accounts would only be require access in the
event of system error or by the system admin team
providing assistance at the employee request.
Mitigated
Yes, OHR has a Public Sector Equality
Duty. Access is restricted, the individual
can amend/delete data at any point
and additional information has been
provided on the PiP to advise
employees completion is optional.
Pay data will include
trade union
membership
Restricted access to employee, payroll officer and System
Admin only. Payroll requires access to make accurate salary
payments and System Admin team require access to all
fields within the system to maintain and audit it.
Introduction to GDPR training undertaken by payroll
officers.
Payslips are not accessible to managers.
Mitigated
Yes, consent sought from deductions to
pay. Role based access only.
Organisational
structure
Full organisational structure check prior to ‘Go Live’
Department will have the responsibility to maintain the structure of their organisation, with the support of the system support team.
Risk accepted – to remain under review and be subject to an Article 36 consultation Yes, Departments maintained their organisational structure in Oracle, however there was limited access to the system to ensure changes have been actioned and were correct. This will be easier and more transparent Department have PiP Reps in place and PiP buddies to support communications.
Discussed with DPOs who can support the messages within
the Department to ensure the structure is appropriately
maintained
under PiP, enabling managers and OHR
to identify and correct inaccurate
records earlier.
Internet-based
threats
System hosted by GTS, Cabinet Office who maintains
security of Government systems.
Risk accepted
Yes - system protected by government
firewalls
Devices (mobiles,
tablets, PCs etc.)
Training materials reiterate importance of logging out of the
system.
Any changes made trigger an email to the employee, so unauthorised activity would be detected.
PiP is following password and timeout rules of GTS whether an individual log on to the system using a Gov device or personal devices. When using a personal device, rules are set up by the individual on a personal phone/tablet/computer
Government Employees who have active directory network access already will use their network user name and password.
Government Employees who don’t have network access will receive a PiP log in – which will be set up with the below rules – ESS access only
Password Rules:
Expiry: 90 days
Length: 9
Passwords must include both upper and lower case
characters
Passwords must include both alpha and numeric characters
Users will be allowed to logon once using an expired
password
Risk accepted
Yes, ESS accounts need to be
accessible on personal devices.
Users are not able to select a password they have
previously used. Users are required to logon before
changing their password
User lockout after 3 Failed Log on Attempts
Password expiry warning: 10 days.
Forgotten password recovery: Expiry Link Email.
Time Outs: These are currently set to log off after 20 minutes of inactivity – with a warning 2 minutes before this time out.
If window closed, system automatically log out – tested.
Shared Inbox Access
Officers allowing colleagues access to their inbox varies
across IOMG. This is controlled by permissions and Depts
will take their own steps to assure themselves delegates
know what they can and can’t access within someone else’s
folder. Personal information will already exist in these
inboxes as there will be management emails, JobTrain and
absence records which go to manager inboxes along with
other confidential business data. If a data breach occurred
due to the Departmental access in to a colleague’s inbox,
the reporting requirements will rest with the Department.
Workflow emails will contain employee reference numbers,
making it harder to identify a particular individual without
MSS access.
Risk accepted
Yes, to be managed in line with current
Departmental controls.
Structural changes
across IOMG
Self service enables Departments to keep organisational
structure accurate.
Identification of inaccuracies, either by the management chain or employee.
Only employees with an MSS account would see MI information so information could not be incorrectly disclosed to any officers without experience of handling confidential management information.
Risk accepted – to
remain under review
and be subject to an
Article 36 consultation
Yes, to remain under review.
PiP team to continue to work with IOMG DPOs and
encourage them to communicate with their Depts on
importance of maintaining the organisational structure.
Key contact in each Department managing the structure.
DSA to set out clear responsibilities for system
maintenance.
Customer
identification checks
2 key identifiers now used across OHR to ensure identity is
confirmed.
OHR processes are undergoing review to use employee
number/payroll number which ensure correct employee
record is accessed.
Risk mitigated
Yes
Training
Director of HR Services attended GDPR certification and 4 x
individual training days to provide team with access to
specialist knowledge and regular PiP meetings in place to
provide oversight.
Support from 2 x IG officers with the same level of training.
Local training being arranged for OHR.
Risk mitigated
Yes, to remain under review.
Admin roles, Finance
Manager roles, fast
input roles and other
bespoke user access
Department requesting bespoke user access.
Admin role form has been created to confirm requirements
and ensure access to data is lawful, justified and limited to
appropriate part of the organisation structure. These are
approved by Departmental DPOs prior to submitting to
OHR>
Appropriate user training given to all individuals when roles
are provided.
Risk mitigated
Yes, to remain under review with
annual reviews to reconfirm Admin
Access is still required.
Redirections
To be explored. MHR confirmed restrictions were available
in September 2019.
Redirections will need to be limited to area/manager
hierarchy. System functionality is currently being changed
to ensure these limitations are in place prior to the system
going live. If this is not possible, alternative options will be
To be monitored
To be incorporated into the project plan
and monitored.
considered including OHR managing this process.
Document
attachments:
Retention
Document upload functionality switched off for now as
retention functionality being explored. Receipts will be
uploaded due to requirement to process pay in PiP Full. The
documents are not accessible elsewhere in pay and are only
attached and visible via the employee pay record.
Risk mitigated
Yes, document attachments are not
being progressed until retention
functionality is explored.
Log in rates
PiP steering board determined log in of 90% required to roll
out full Phase 1 functionality.
Where an employee is long term absence i.e. MAT leave,
the manager will be contacted to discuss with employee and
encourage log in.
Roll out across Departments will be determined based on
log in rates.
Where employees have not logged in, PiP team will liaise
with line managers to confirm accuracy before going live.
Risk accepted –
subject to ongoing
review and Article 36
consultation?
Yes, will manual checks complete on
ESS accounts if an employee has not
logged in.
Document
attachments: upload
functionality
This functionality will not be switched on at this stage and
will be moved to phase 2 to allow OHR to fully understand
how it works and how access rights are managed across
roles.
Risk mitigated
Yes document attachments are not
being progressed until upload
functionality is explored.
Assigning accounts
Processes for creating accounts for new starters
established.
Risk mitigated
Yes
Technical Failure
Data Loss
Data loss: System support team in place to resolve issues
with GTS and/or system supplier.
Service Level Agreement in place to identify approach to
issue resolution across GTS, OHR and MHR – App M.
Risk mitigated
Yes
Technical Failure:
Unauthorised
disclosure
Unauthorised disclose/access: System support team in place
to resolve issues with GTS and/or system supplier.
OHR System Support team control role based access to the
system. This is allocated to named individuals in GTS/MHR
on an as needed basis for specific reasons. This access is
often time bound so is only in place for the period required
to carry out actions requested by OHR – e.g. environment
control processes, upgrades to system, upgrades to server,
investigating a specific issue
Service Level Agreement in place to identify approach to
issue resolution across GTS, OHR and MHR – App M.
Risk mitigated
Yes
PiP functionality
MSS workflow emails and personal accounts
As IOMG need to ensure that PiP is accessible to all public servants, PiP will need to allow non- government email addresses to be used. Due to the diverse nature of our workforce, not all employees have routine access to an IOMG device and a significant number of employees do not hold a Government email address. Employees will need access to key employment data such as payslips, submitting expenses claims and to receive workflow emails which act as an additional security measure to identify any changes to an ESS a
[Response truncated — full text is 122,488 characters]