Key Takeaways
Payroll systems have quietly become some of the most data-rich platforms in modern organisations.
Beyond salary and wage information, payroll databases routinely store bank account details, tax file numbers, KiwiSaver and superannuation information, home addresses, emergency contacts, leave records and, in some cases, sensitive health information. Increasingly, this data is managed through cloud-based platforms, outsourced payroll providers and integrated HR systems that operate across multiple countries.
For employers in Australia and New Zealand, this creates a new challenge. While payroll technology has become more sophisticated and globally connected, privacy regulation is moving in the opposite direction, towards greater transparency, stronger accountability and stricter expectations around how personal information is stored, secured and shared.
Recent reforms on both sides of the Tasman have significant implications for payroll functions, particularly where employee data is transferred, processed or accessed across borders.
Few organisations today maintain payroll systems entirely in-house.
A payroll platform may be hosted in Australia, backed up in Singapore, supported by technical staff in the Philippines and integrated with HR software headquartered in the United States. Even organisations that believe their employee data remains local may discover that information is routinely transferred between jurisdictions as part of standard service delivery.
This matters because privacy regulators increasingly expect organisations to understand exactly where employee data resides, who can access it and how it is protected throughout its lifecycle.
The days of simply relying on a vendor's assurance that data is "secure" are rapidly disappearing.
Australia's Privacy and Other Legislation Amendment Act 2024 represents the most significant update to privacy law in years.
While much of the public attention focused on the introduction of a statutory tort for serious invasions of privacy and stronger enforcement powers, several reforms are particularly relevant to payroll data management. The legislation clarified that the "reasonable steps" an organisation must take to protect personal information include technical and organisational measures, which brings security controls, retention and secure destruction squarely within the compliance obligation; it also strengthened accountability for overseas data flows and reinforced the expectation that organisations protect personal information throughout its lifecycle.
For payroll teams, this has practical consequences.
Employee information should not be retained indefinitely simply because storage is inexpensive. Organisations are increasingly expected to understand what payroll information they hold, why they hold it, how long it needs to be retained, and when it should be securely destroyed.
Similarly, where payroll information is transferred to overseas providers or cloud environments, employers must be able to demonstrate appropriate due diligence and governance over those arrangements.
The regulatory direction is clear: accountability follows the data, regardless of where that data is stored.
Historically, discussions about data residency were often left to IT teams.
Today, payroll leaders need to understand the distinction between data residency and data sovereignty.
Data residency refers to the physical location where payroll records are stored. Data sovereignty concerns the legal framework that governs that information and the circumstances under which it may be accessed, including by courts, regulators and government agencies in the country where it is stored or where the provider is based. The two do not always coincide: records held on local infrastructure can still fall under a foreign provider's legal obligations.
An Australian employer may use a payroll platform hosted locally, yet still have employee records processed or accessed by personnel in another jurisdiction. Likewise, a New Zealand employer may engage a software provider whose infrastructure spans multiple countries.
Under evolving privacy expectations, organisations must understand these arrangements and be prepared to explain them to regulators, employees and stakeholders.
While Australia's reforms focus heavily on accountability and governance, New Zealand's latest changes focus on transparency.
A new Information Privacy Principle, known as IPP 3A, came into effect on 1 May 2026 through the Privacy Amendment Act 2025. The principle requires organisations that collect personal information indirectly (that is, from someone other than the individual concerned) to take reasonable steps to notify that individual about the collection.
This represents a significant development for employers and payroll providers.
Under IPP 3A, organisations that collect employee information from integrated core HR systems, recruitment platforms, applicant tracking systems, background screening providers, former employers, related entities or other third parties may now need to take reasonable steps to ensure the individual is informed about that collection.
For payroll professionals, this means employee onboarding processes and privacy notices may require review. Information that was historically exchanged between HR systems, recruitment providers, payroll platforms and workforce management systems with limited visibility to employees may now trigger notification obligations. Employers should review whether existing privacy notices adequately explain how employee data is shared between these systems.
One of the most important lessons emerging from recent reforms is that outsourcing payroll processing does not outsource accountability; whether payroll processing is managed internally or by a third-party provider, employers remain responsible for ensuring employee information is handled appropriately.
Regulators increasingly expect organisations to understand, and be able to evidence, where their payroll providers store and process employee data, who can access it and how it is protected.
This is particularly relevant given the growing volume of payroll-related cyber incidents globally and the increasing sensitivity of workforce information. Recent incidents in Australia and New Zealand have highlighted the risks associated with employee and payroll data. In Australia, the 2022 Medibank and Optus breaches continue to influence regulatory expectations because they exposed large volumes of personal information and demonstrated how personal data held at scale can be compromised through cyber attacks.
More recently, the 2024 MediSecure ransomware attack resulted in the theft of personal and health information relating to millions of Australians, reinforcing concerns about the security of sensitive data held by third-party providers. The 2023 Latitude Financial cyber incident, which affected hundreds of thousands of New Zealanders, highlighted the risks of identity information being held across multiple systems and jurisdictions. None of these incidents was a payroll breach, but they have heightened regulatory scrutiny of every organisation that holds sensitive personal information, including payroll and HR functions. They also illustrate why payroll data is an attractive target: it combines bank details and tax identifiers with personally identifiable data, a combination that supports fraud, identity theft and social engineering, including the diversion of salary payments to attacker-controlled accounts.
As privacy obligations evolve, payroll leaders should move beyond viewing data management as solely an IT or legal responsibility.
A practical starting point is a payroll data mapping exercise. Identify where employee information is collected, where it is stored (including backups), who can access it (including vendor support and administrative staff), which HR, recruitment and workforce management systems it is exchanged with, and whether any of those locations or access paths sit outside Australia or New Zealand. Privacy notices should then be reviewed against that map to ensure they accurately reflect current payroll practices and vendor arrangements. New Zealand employers, in particular, should assess whether IPP 3A obligations apply where employee information is sourced indirectly.
Finally, organisations should review retention schedules. Payroll records often need to be retained for statutory purposes, but that does not justify indefinite storage of all employee information. Retention and secure destruction policies are becoming an increasingly important component of privacy compliance.
The regulatory landscape in Australia and New Zealand is moving towards greater transparency, stronger accountability and more active oversight of personal information.
For payroll professionals, the implications extend well beyond paying employees accurately and on time. Payroll systems now sit at the intersection of privacy law, cyber security, employment regulation and organisational governance. As employee information flows across cloud platforms, service providers and national borders, understanding where payroll data travels (and ensuring employees understand how it is used) has become a core compliance responsibility.
In the years ahead, the organisations best positioned to manage privacy risk will be those that treat payroll data not merely as an operational asset, but as a strategic governance issue requiring ongoing oversight and accountability.
For ANZ enterprises that need an HR and payroll platform with genuine in-region compliance capability, Ramco Payce provides ISO 27001-certified security infrastructure, role-based access controls over employee data, and a compliance framework that is monitored and continuously updated across all supported jurisdictions.
Ramco Payce is whitelisted by the ATO and aligned with DSPANZ in Australia and New Zealand, meeting the regulatory expectations set by the 2024 and 2025 privacy reforms for third-party payroll providers.
Get in touch with the team at Ramco to book a free 1:1 consultation and start streamlining your employee data processes.