Due to Sarbanes-Oxley and privacy legislation, information management is more complex than ever
With new challenges and standards for accountability, technology, privacy and security, HR professionals need to be more sophisticated than ever about how they keep, use, destroy and preserve employee information.
For HR professionals, information and records are absolutely vital to making well-informed decisions about employees, ensuring the employment relationship is well-documented and managing change and growth in staffing requirements.
If all, or even some, employee records were lost or destroyed, the impact on the organization would be dramatic.
How do HR professionals ensure the information is accurate, secure and retrievable? How long should that information be kept and what’s the best way to preserve or destroy it?
These aren’t new issues for HR but now, due to some key pressure points, the urgency to resolve these questions has increased.
First, there are the ever-present legal risks. In a grievance or court action, employee records are key evidence. If an organization cannot produce records it’s expected to have kept, courts can assume the missing records would have supported the worker.
In the wake of major fraud and securities scandals in the United States, such as Enron and WorldCom, the Sarbanes-Oxley Act (SOX) raised the standards for documenting and reporting the financial standing of a publicly traded company. Any records relating to revenues, expenditures and liabilities must meet these standards. Employee compensation and benefits transactions are a significant financial component in any organization, so payroll and benefits financial documentation is key.
SOX requires companies to conduct internal and external audits on a regular basis and the stakes for non-compliance are high. Destroying records improperly can land an official in jail and fines can run into the millions.
In Canada, this standard of financial accounting for public companies will be set by what’s commonly known as Canadian SOX or CSOX, in effect in Ontario since 2004. While the level of controls is not as onerous as in SOX, the key requirements for employee information accountability are just as clear.
Complicating this are the often overlooked, but perhaps more relevant, compliance requirements of Canadian privacy legislation for personal employee information, now governing both the public and private sectors in some jurisdictions. At the core of privacy legislation is the need to develop controls and accountability for personal information, including:
• identifying the types of information and the reasons for collecting, using and disclosing it for proper notification and consent;
• implementing security and authenticity controls to ensure the personal information is protected and that it is accurate;
• a policy for retaining personal information for a set and limited amount of time; and
• processes for allowing individuals access to their own personal information.
These requirements mean HR professionals need to have documentation, policies and controls in place for retaining, retrieving, destroying and securing personal employee information, including information held by any outsourced services such as payroll processors.
The privacy rules cover personal information in any form and in any location currently in an employer’s custody. An HR manager may have forgotten about the e-mail exchange she has in her inbox from six months ago with a supervisor. But when an employee formally requests all relevant information the organization holds about her, the HR manager is obligated to check for all those messages and include them in the package as well.
If the company finds itself party to an inquiry by an information and privacy commissioner, the burden of proof, as in a court action, is on the company to substantiate what records at issue may have been destroyed and when and how this occurred.
Lastly, information technology solutions for managing personnel that have proven effective for recording, disseminating and analysing employee information don’t always work well with systems for classifying, tracking and scheduling records for destruction. For instance, how does an HR department deploy a standardized system (remember the central file room?) when staff are making storage, retention and disposal decisions about electronic records all the time at their workstations?
There was a time when digital information was touted as the ultimate solution for the problem of retaining records. Since so much data can now be stored in such a small space, why not simply retain everything? There are many problems with this premise, not least of which is that digital information, the media that holds it and the software and machines needed to read them don’t always preserve well. A software upgrade can make retrieving data from years past difficult or impossible.
At a basic level, HR professionals should look at the following kinds of actions to manage employee information:
Functional classification: Build a business classification scheme based on the business functions rather than on format, subject or organization structure. The HR function could include such common activities as recruiting, compensation, supervision, development and termination.
Since most policy and process decisions about information relate directly to the function that created it, it makes sense to link information to the functional scheme of the organization. Since it is not limited to a business unit, such as the HR department, this kind of scheme is effective for HR information kept by supervisors as well as HR professionals.
Retention policy: Use verifiable rationale for retention periods for the records generated by each function and activity. All jurisdictions have laws that stipulate a minimum retention period for employee information, but there are other important factors to consider including ongoing liabilities and operational obligations.
But don’t fall into the trap of keeping too much employee information for too long. There is a commonly held belief that laws require employers to keep personnel records indefinitely. But in Alberta, the Employment Standards Code stipulates a minimum retention period of three years from the time the record is created. The important thing is to be consistent, reasonable and accountable.
Destruction and transfer tracking: Track and document clearly what, when and how information is transferred or destroyed. A signed records destruction order covering the records in question is effective evidence when the organization’s motives and methods are questioned.
Transitory records: Come up with policies and tools to let staff immediately destroy transitory records such as duplicates, background data or frivolous documents at their desks before they enter the classification system. The extent of this kind of information in most organizations, especially in an electronic form, is astounding. Keep in mind as well that although a document may be a copy, all the responsibilities and risks associated with improper destruction or access still apply to the copy as well. That’s all the more incentive to get rid of this information as quickly as possible.
Electronic records: Use the same classification and policies for administering electronic records. For records that need to be kept longer, develop a plan for migrating or reformatting data. Choose an electronic document management system that fits the records management classification and policy standards, not the other way around.
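The five actions above fit together as one small records-management engine, shown here as an added Python example (not code from the article, the author or Cenera). Records are classified by HR business function, a retention schedule keyed by function gives each record its earliest destruction date, a legal hold for ongoing liabilities blocks destruction, transitory copies may go at once, and every destruction is captured in an order that states what, when, how and who authorised it. The function names, the sample records, the signing key and every retention period except the three-year Alberta minimum cited in the text are constructed assumptions; the HMAC stands in for the signature on a destruction order so that later tampering with the order is detectable.

```python
"""Retention scheduling and destruction tracking for HR records (added example).

Constructed for illustration: function names, sample records, the signing key,
and all retention periods other than the 3-year Alberta minimum named in the text.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
import hashlib
import hmac
import json

# Retention schedule in years from record creation, keyed by business function
# (not by format, subject or department). The 3-year entries follow the Alberta
# Employment Standards Code minimum cited in the text; 7-year entries are
# placeholders standing in for longer financial/liability obligations.
RETENTION_SCHEDULE: Dict[str, int] = {
    "recruiting": 3,
    "compensation": 7,   # placeholder: payroll/benefits records carry SOX-type duties
    "supervision": 3,
    "development": 3,
    "termination": 7,    # placeholder
}

# Assumed key held by the records officer; in practice it lives in a secrets store.
ORDER_SIGNING_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class HRRecord:
    record_id: str
    function: str              # functional classification from RETENTION_SCHEDULE
    created: date
    legal_hold: bool = False   # grievance, court action or inquiry in progress
    transitory: bool = False   # duplicate or background copy; no retention value


def destruction_eligible_on(rec: HRRecord) -> Optional[date]:
    """Earliest date the record may be destroyed, or None while on legal hold."""
    if rec.legal_hold:
        return None
    if rec.transitory:
        return rec.created  # transitory copies may be destroyed immediately
    years = RETENTION_SCHEDULE[rec.function]  # unclassified records raise KeyError
    try:
        return rec.created.replace(year=rec.created.year + years)
    except ValueError:  # 29 February created, non-leap target year
        return rec.created.replace(year=rec.created.year + years, day=28)


def due_for_destruction(records: List[HRRecord], today: date) -> List[HRRecord]:
    """Records whose retention period has expired and that are not on hold."""
    due = []
    for rec in records:
        eligible = destruction_eligible_on(rec)
        if eligible is not None and eligible <= today:
            due.append(rec)
    return due


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def destruction_order(records: List[HRRecord], today: date,
                      method: str, authorised_by: str) -> dict:
    """Build a signed destruction order recording what, when, how and who."""
    body = {
        "issued_on": today.isoformat(),
        "method": method,
        "authorised_by": authorised_by,
        "records": [
            {"record_id": r.record_id, "function": r.function,
             "created": r.created.isoformat(),
             "retain_until": destruction_eligible_on(r).isoformat()}
            for r in records
        ],
    }
    body["signature"] = hmac.new(ORDER_SIGNING_KEY, _canonical(body),
                                 hashlib.sha256).hexdigest()
    return body


def verify_order(order: dict) -> bool:
    """True if the order is intact; any later edit to its contents fails."""
    claimed = order.get("signature", "")
    body = {k: v for k, v in order.items() if k != "signature"}
    expected = hmac.new(ORDER_SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(claimed, expected)


# Constructed sample records and review date.
SAMPLE_RECORDS = [
    HRRecord("REC-001", "recruiting", date(2004, 1, 15)),
    HRRecord("REC-002", "compensation", date(2004, 1, 15)),
    HRRecord("REC-003", "supervision", date(2005, 6, 1), legal_hold=True),
    HRRecord("REC-004", "recruiting", date(2008, 3, 1), transitory=True),
]
REVIEW_DATE = date(2009, 6, 30)


def run_review(records: List[HRRecord], today: date) -> dict:
    """One scheduled review: select expired records and issue the order."""
    due = due_for_destruction(records, today)
    return destruction_order(due, today, "cross-cut shred / secure wipe", "records officer")


if __name__ == "__main__":
    print(json.dumps(run_review(SAMPLE_RECORDS, REVIEW_DATE), indent=2))
```

Running the review against the sample data destroys REC-001 (three years elapsed) and REC-004 (transitory), keeps REC-002 until 2011 and leaves REC-003 untouched while its legal hold stands. Because the order is keyed to the records officer's signing key rather than a bare hash, a changed record list or method will no longer verify, which is the property you want when the organisation's motives and methods are later questioned.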
Rick Klumpenhouwer is a manager specializing in privacy and information management at Cenera, a Calgary-based HR consulting firm. He may be reached at (403) 290-0466.