Payroll & HR Risk

How Many People Have Access To Payroll Information?

Payroll data - salaries, bank account details, employment terms and personal records - is among the most sensitive information held by any business. In most organisations, access to it is far broader than anyone realises.

Section 2 - What This Looks Like In Practice

"During a routine internal audit, the auditor requests a list of everyone with read access to the payroll folder in your shared drive. Management expects four names: the payroll administrator, the CFO, the HR manager and the CEO. The list comes back with eighteen names - including six former employees, two junior staff with no legitimate need, and three 'temporary' accesses granted over a year ago and never revoked."

Section 3 - Potential Consequences

- Payroll data - including salaries and banking details - accessible to far more people than authorised
- POPIA violation: personal financial information processed without a legitimate basis
- Risk of accidental disclosure or internal misuse of salary information
- Non-compliance finding if the access list is reviewed in an audit
- Internal trust issues if staff become aware of how broadly their salary data is accessible
Section 4 - Questions Management Should Ask

- Do you know exactly which employees currently have access to payroll files and salary spreadsheets?
- Has payroll access been reviewed in the past six months?
- Are payroll documents stored separately from general business files with restricted access?
- Do staff who handle payroll information understand what appropriate handling looks like in practice?
Section 5 - The Technical Side

Payroll data constitutes personal information under POPIA and must be processed with appropriate security safeguards. Under POPIA's processing limitation condition, personal information may only be processed to the extent it is adequate, relevant and not excessive given its purpose. Providing read access to payroll records to staff who have no operational need fails both the processing limitation and security safeguards conditions. Role-based access control (RBAC) is the standard approach: each role is assigned only the minimum permissions required for its function. In cloud environments (Google Workspace, Microsoft 365, SharePoint), RBAC is configurable without specialist tools but requires periodic review because permissions accumulate as staff join, change roles and leave.

Section 6 - Practical Steps to Improve Visibility

1. Conduct an immediate access review: generate a list of every person with access to payroll files and verify each name is a current employee with a legitimate need
2. Remove access for all former employees, all staff whose roles don't require payroll access, and all 'temporary' accesses that were never revoked
3. Apply the minimum access principle going forward: grant payroll access only to specifically named individuals who require it
4. Store payroll documents in a dedicated restricted folder - not in a general shared drive accessible to all staff
5. Schedule a payroll access review every six months as a standing management item
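Steps 1 and 2 above, worked through as an added example (not ComplyBar's code): a small Python script reconciles an exported permission list for the payroll folder against the HR register and the approved access list, and reports the three finding types from the audit scenario. The export format, the account names, the review date and the one-year threshold for a stale 'temporary' grant are all assumptions, and every input is constructed.

```python
from datetime import date

# Constructed export of who holds read access to the payroll folder:
# (account, note recorded when access was granted, date granted).
PAYROLL_FOLDER_ACL = [
    ("payroll.admin", "payroll administrator", date(2021, 3, 1)),
    ("cfo", "finance", date(2021, 3, 1)),
    ("hr.manager", "hr", date(2021, 3, 1)),
    ("ceo", "executive", date(2021, 3, 1)),
    ("j.smith", "finance clerk", date(2022, 6, 1)),        # has since left
    ("intern.01", "junior admin", date(2024, 2, 10)),      # no operational need
    ("contractor.x", "temporary - year end", date(2023, 1, 15)),
    ("audit.temp", "temporary - audit", date(2024, 11, 1)),
]
# Constructed HR register (current employees) and the approved access list
# (the four named individuals management expects to see).
CURRENT_EMPLOYEES = {"payroll.admin", "cfo", "hr.manager", "ceo",
                     "intern.01", "contractor.x", "audit.temp"}
APPROVED = {"payroll.admin", "cfo", "hr.manager", "ceo"}
REVIEW_DATE = date(2025, 3, 1)  # constructed date of the review
STALE_AFTER_DAYS = 365          # assumed: a 'temporary' grant older than this was never revoked


def review_access(acl, current, approved, today=REVIEW_DATE):
    """Classify each account on the ACL and list the accounts to revoke."""
    findings = {"former_employee": [], "stale_temporary": [],
                "no_legitimate_need": [], "approved": []}
    for account, note, granted in acl:
        if account not in current:             # former employee still on the ACL
            findings["former_employee"].append(account)
        elif account in approved:              # one of the named individuals
            findings["approved"].append(account)
        elif "temporary" in note.lower() and (today - granted).days > STALE_AFTER_DAYS:
            findings["stale_temporary"].append(account)
        else:                                  # includes temporary grants still in window
            findings["no_legitimate_need"].append(account)
    # Step 2: everything that is not on the approved list is removed.
    to_revoke = [a for a, _, _ in acl if a not in findings["approved"]]
    return findings, to_revoke


if __name__ == "__main__":
    found, revoke = review_access(PAYROLL_FOLDER_ACL, CURRENT_EMPLOYEES, APPROVED)
    for category, accounts in found.items():
        print(f"{category:20s} {len(accounts):2d}  {', '.join(accounts)}")
    print("revoke:", ", ".join(revoke))
```

Run against a real export, the revoke list is the evidence for the audit file, and re-running the script every six months is the standing review item from step 5.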
Section 7 - Assessment
Find Out Where Your Business Stands

ComplyBar helps businesses identify hidden risks in how information, AI tools, email, documents and cloud systems are used.

Built for POPIA support, AI governance, data leak prevention, employee risk awareness, information governance and audit evidence.
