Any staff who either submits, or manages a shared service or payroll provider who submits, end of year data to the Scheme Administrator (MyCSP)
Summary
As the employer, you are responsible for your payroll/payroll provider passing accurate and timely information to the Scheme Administrator by means of an electronic interface.
All payroll interface data must be transferred to the Scheme Administrator by an approved secure method.
Actions
To ensure that your payroll interface data is transferred to the Scheme Administrator by a secure method.
To ensure that you are using one of the secure file and data transfer methods listed below.
Timing
Immediate
Detail
As the 2015 Remedy programme gains momentum, there is a requirement for employers to provide the data needed by the scheme to undertake the necessary corrective action for members. This will involve you utilising your existing data transfer processes.
We requested the Commercial Information Assurance Team and National Cyber Security Centre assess the risks associated with the transfer of personal data for the 2015 Remedy programme (data collection tool) and for existing Business as Usual (BAU) processes.
Based on their assessment and recommendations we are increasing the security protocols around the provision of data to the Scheme Administrator.
If you are not already providing data through a secure transfer method, you must do so by following these instructions:
Stage One: to be implemented by 31 March 2022.
As a minimum, you must:
Password protect emails using a complex password which must be at least 10 characters long, have both upper and lowercase letters, at least one numerical digit and one special character.
Establish two separate email accounts (one to send the encrypted file and the second to send the password). The Scheme Administrator will establish two separate email addresses one for file transfer and the second for receipt of the password.
Stage Two: to be implemented after the 31 March 2022.
Ensure you transfer data using a secure file transfer method.
Some of the secure transfer file methods you can use include:
Connect (this is the Scheme Administrator’s solution and approved by Cabinet Office’s Security Working Group)
Egress
PGP
Please note these are just some examples already in use and are by no means exhaustive. If you have an alternative secure file transfer solution it may be considered and would need to be discussed with the Scheme Administrator.
Where data is provided to the Scheme Administrator on portable media (for example a USB stick) this should be done in a secure environment. The data should be encrypted to AES 256 bit standard and protected by a complex password at least 10 characters long, have both upper and lowercase letters, at least one numerical digit and one special character. All portable media should be transported by a secure courier using a tracked service.
All new employers joining the scheme will be instructed to adopt recognised secure methods of data transfer. This will predominantly be New Fair Deal employers.
Data Interface team will remind employers when changing payroll providers that transfer of interface data must comply with the agreed data transfer protocols.
In parallel and throughout 2022, every quarter we will focus on 10 of the largest and most sensitive employers to drive up take of the most secure transfer protocols. This will include focus on 2015 Remedy affected employers.
It is likely that a mandate to adopt recognised secure methods of data transfer will be introduced in 2023 and form part of the Annual Assurance process thereafter.
Contacts
If you have any queries, or for help using or implementing Connect, please email connect@mycsp.co.uk
If you have a question about the distribution of EPNs, or would like to receive them in a different format, please contact EPN@MyCSP.co.uk
