It is the old fashioned 'who guards the guards'. Eventually, someone does have access to all sorts of 'not good' things. Here, it is only surprising that it was HR.
Once we had a system that allowed notifications on employee changes, and an admin who ticked a fun box that resulted in everybody with an email on their employee profile getting notified in plaintext on SSN changes with before and after values.
Many processes on the payroll vendor's side and our company were changed after that day.
