THE SYSTEM SET up by the government to streamline its HR and payroll systems has been faced with hundreds of data breaches and millions of euro in overpayments since being set up.

The National Shared Services Office covers Peoplepoint – a HR platform for civil servants – and the payroll shared service centre – which provides payroll and pension services.

Earlier this month, figures from the National Shared Services Centre appeared before the Public Accounts Committee faced with questions about these overpayments.

That figure was over €4 million at the end of 2016, and TDs probed the office on why this was the case, with the figure expected to be higher in 2017.

In many cases, how much was overpaid had not been calculated and even in cases where it had been identified, there was a delay in initiating the process to get the money back. In one case cited, it took 2 years to initiate the process to get it back.

Separately, the number of notifications of data breaches at Peoplepoint in 2017 is understood to be similar to the 150+ breaches in previous years, and has been told by the Data Protection Commissioner to address its problems here.

What is Peoplepoint?

It now covers 35,000 civil servants across the country.

Peoplepoint – officially called HR Shared Services – was launched in June 2013 by then-Minister for Public Expenditure and Reform, Brendan Howlin.

He called the opening of Peoplepoint “a significant achievement for the civil service”.

A statement said that the service would drive greater efficiency in HR service delivery through optimising and standardising civil service HR processes into one shared service centre.

In practice, this means civil servants can book holidays, claim expenses, claim sick leave, and calculate promotion and pension entitlements through an online portal.

It involved 40 departments, offices and agencies folding HR processes under the one umbrella of Peoplepoint.

By doing this, Howlin said that the annual cost of HR services for the civil service would be reduced by €12.5 million a year, and reduce the number of staff engaged in the transactional HR process across the system by 17%.

In the payroll section of the National Shared Services Office, payments totalling €3 billion were made to over 100,000 people in 2016, including 70,000 who are retired.

A spokesperson for the office told TheJournal.ie that it received and responded to 85 complaints last year, as well as dealing with thousands of queries.

Issues

Overpayments

Within the National Shared Service Office, the Comptroller and Auditor General Seamus McCarthy has pinpointed a number of instances where overpayments of staff happened within the payroll section, and told the PAC that there were overpayments totalling €4.6 million at the end of 2016.

He said that while overpayments were to be expected in any large and complex payroll system, his annual report for 2016 report point to flaws in how the office handled overpayments.

McCarthy said: “In a sample examined, this mainly occurred because the payroll shared services centre were only notified weeks, and, in some cases, months, after an employee should have been put on a zero rate or a reduced rate of pay, for example, due to extended sick leave.

There can be late notification by the relevant employer department to PeoplePoint, and-or by PeoplePoint to PSSC.

We found that, at the end of 2016, there were almost 650 identified overpayment cases where the amount of the overpayment had not yet been recorded.

Even in cases where the overpayment amount had been calculated, there was evidence of delays in commencing recovery action.

He added that recovery of overpayments is often by means of regular deduction from future pay, but the systems in place did not provide the necessary information to allow for effective management of overpayments.

Murphy said that there was a lack of clarity over who was responsible for managing overpayment cases that had been identified, and the average time taken to issue the first letter requesting repayment was 13 weeks.

At the PAC, Labour TD Alan Kelly asked Murphy-Fagan how the organisation would address overpayments this year, given the level has risen year-on-year. He also asked how could overpayments be recouped if there was a dispute with the employee involved.

“There is legislation in relation to how one can deduct somebody’s wages. One cannot actually just do it,” he said.

The response to the query was that it was ultimately a local HR decision, even though it is the responsibility of the office to recoup the money on an incremental basis.

He even cited a case where he was contacted by somebody “over no real issue” who had been notified they’d been overpaid for something two years after the fact.

“Two years later, he was contacted to pay back a small amount of money. That is not the issue,” Kelly said. “The issue was it took two years. He did not even realise he was overpaid. In fact, he was only contacted recently.”

Fianna Fáil’s Bobby Aylward said that the millions in overspending “sounds like a lot of money to the ordinary Joe soap”, albeit perhaps not a lot of money relevant to the amount of money handled by the office.

He also highlighted cases where the individual amounts overpaid were not small, in some cases reaching as high as €78,600.

Paula Lyons, head of employee shared services, said that while their position is to “recoup all monies where we can, there may be circumstances where we cannot do so”.

The spokesperson for the office told TheJournal.ie that the number of cases of overpayment of salary last year “is currently being finalised”.

They added that employees are obliged to pay it back, and the office is obliged to make the arrangements to take it back.

Data breaches

Concerns have also been raised about Peoplepoint over the number of data breaches it has, although in many cases human error is the cause rather than systemic issues.

In Data Protection Commissioner Helen Dixon’s 2016 annual report, she singled out Peoplepoint when talking about data protection concerns within public sector bodies.

She said: “The audit of the civil service shared-services provider Peoplepoint demonstrated a concerning level of front-line human error in the handling of personal data and sensitive personal data in many cases, and the DPC intends to follow up on its audit recommendations during 2017.”

As noted in that report, Peoplepoint was “selected for close examination on foot of the large number of data breaches being reported to the office”.

In 2016, 163 breaches were notified by the data breach unit followed by 155 in 2015.

It notes: “Overall, the team considered that there was not an acceptable level of awareness of data-protection principles in evidence generally within Peoplepoint in light of the number of breaches being reported by Peoplepoint to the DPC.

We accept, however, that the vast majority of data breaches occurred through the issuing of data in error belonging to one public-sector body to an HR official (or officials) in another public-service body, with all HR officials concerned governed by the Official Secrets Act.

It also pointed to a case study involving a husband and wife who were both public servants.

The man had applied for annual leave, and then subsequently sought to change this request to sick leave. After the Data Protection Commissioner investigated the incident, it found that a Peoplepoint official accessed the personal information of the spouse of this man without her or her employers consent.

“It became apparent that the Peoplepoint official had informed the complainant’s spouse and their colleagues about information in relation to the complainant when they had no legal basis to do so and without any authority from the data controller of their personal data, i.e. the employer,” it said.

Despite this being a case of human error, the report noted: “It is not acceptable for data processors and data controllers to rely on an excuse that an employee did not realise that what they were doing was a breach of data-protection law.

It is the responsibility of such employers to ensure that all staff are appropriately trained and supervised in relation to the processing of personal data, in order to minimise, to the greatest degree possible, the risks to the fundamental rights and freedoms of data subjects whose personal data they process.

It is understood the number of breaches notified to the body over the past year is broadly similar compared to recent years.

In response to a query from TheJournal.ie, a spokesperson for the Data Protection Commissioner said: “DPC conducted an audit of Peoplepoint and issued a final audit report to Peoplepoint in Feb 2017.

We’ve continued to receive breach notifications after that report, and we follow up with each one.

The spokesperson for the National Shared Services Office said that it has implemented all the recommendations that the Data Protection Commissioner recommended, and that it “actively takes measures to ensure that personal data is only accessed in connection with the purposes for which it has been provided”.

Political attention

Such are the problems that some civil servants are having, they have gone to their local TDs to try to get it sorted.

A number of them have subsequently submitted parliamentary questions after concerns were raised by their constituents regarding the Peoplepoint system.

Fine Gael TD for Dublin North West, Noel Rock, put in two queries about it late last year, and got the same reply to each, in a copy and paste manner.

Rock told TheJournal.ie that the matter had been raised to him by two civil servants about the system and their interactions with it around issues such as sick leave and being treated unfairly.

Fianna Fáil TD for Clare Timmy Dooley told TheJournal.ie that he received one such query to his office in recent weeks.

“Someone had a difficulty trying to sort contributions made to their pension over a switch in department,” he explained.

They’d tried a whole pile of times to get it sorted. They made contact with my constituency office then to try to get it expedited, so I put in that query to the Minister [Paschal Donohoe].

Dooley said that the person had faced “considerable difficulty” trying to get it sorted.

In his response, Donohoe said the request would be addressed in a “timely manner”.

Dooley said that the problems his constituent faced “seemed unusual”, and added: