Information Governance Office HR Records Alan Carter Information Governance Office

HR Records University holds data about: Current employees Past employees Job applicants Consultants Contractors Interns Academic visitors Compliance & Risk

HR Records 2 Contact details, date of birth, gender, marital status, next of kin, NI no, financial details, salary details, annual leave, pension and benefits information, passport, visa and right to work information, recruitment information, disciplinary and grievance information, CCTV and swipe card information, use of IT systems, photographs, use of facilities, register of interests, correspondence Compliance & Risk

Sensitive data Racial or ethnic origin Political opinions Religious beliefs Trade Union membership Health Sexual orientation Genetic and biometric data Criminal convictions and offences Compliance & Risk

Use of data in HR records Personal data in HR records is processed by the University for contractual purposes, legal obligations and legitimate interests. Also vital interests and public interests. List of activities in the privacy notice Sensitive data used by consent, or for legal obligations, vital interests, legal claims, equal opportunities monitoring, sickness absence monitoring, fitness to work, workplace health and safety, Trade Union subscriptions Compliance & Risk

Use of data in HR systems (2) Criminal records and offences data needs to be used only in accordance with the law and in very limited circumstances

Where should HR data be held? HR data is held centrally by HR Services unless noted below HR Services need to receive the data for which they are responsible It may be that some HR records are held both locally and centrally for short periods of time HR data which is held centrally should not be held locally for longer than necessary In any case it should never be held locally for longer than the retention schedule allows

Locally held HR data Staff development data – courses, conferences, induction, training Performance assessment – probation, academic reviews, performance improvement plans, exceptional performance and thank you scheme. P&DRs (but only if not on system) References- received and sent Self certification forms, return to work meetings, occupational health and DASS reports Annual leave records, special leave etc

Locally held HR Records (2) Recruitment data of successful and unsuccessful candidates: Interview notes Score cards Unsuccessful CVs Speculative CVs

Locally held HR Records (3) Grievances and disciplinaries- but passed to HR when process complete Distinction between formal and informal proceedings Possibility of multiple copies: HR partner, manager, TU Rep Compliance & Risk

Other data not held by HR Services Health data and referrals kept by DASS, Occupational Health, Counselling Accident investigations and reports kept by Safety Services Job evaluation data kept by HERA Team SLDU keep some training records Correspondence! Attachments Compliance & Risk

Unstructured data Local areas keep data relating to HR matters : Correspondence Emails Informal meeting minutes Notes of conversations Working copies Compliance and Risk

Managing local HR records If you keep local records you are responsible for managing them Local responsibility for HR records should be clear Local areas should have clear directions on the accuracy, security and accessibility of HR data

Managing local HR records Preferably saved electronically, not as paper Certainly not both! Copies kept to a minimum Not overshared, and if possible not by email

File structures Local HR records should be kept in their own distinct filing system, not mixed up with other material Emails containing personal data in relation to staff should be removed from Outlook and filed in the same system Structure of the filing system should be fixed and not changeable

Filing of HR data Naming conventions- everybody calls documents the same thing Sensible filing- chronological so that retention periods can be respected Surnames first! Staff numbers Fixed numbering and dating conventions Compliance & Risk

Virtual personnel files Tempting to file all material for an individual under that individual’s name But may have different policies and retention periods To aid management filing should reflect retention classifications So maybe electronic personnel files are virtual? Can file everything with the same retention period together Compliance & Risk

Records and documents When does a piece of data become a record? It provides evidence of a business transaction or activity It needs to be retained for legal purposes It needs to be retained for financial purposes It provides evidence of a decision It authorises an action It approves a policy It provides useful data for a future decision It sets an important precedent It provides details of liabilities or responsibilities It provides information to protect rights or assets It contains information of historical value

Records and documents Records need to be treated in accordance with the retention schedule Documents which are not records do not Documents which are not records but which contain personal data should be destroyed as soon as possible

Masters and copies Only the master counts as a record Masters should have clear ownership HR Services owns HR records which it keeps Other HR records are kept by owners of processes or functions Owners are responsible for correct filing Masters should be kept for the length of time dictated by the retention schedule Copies for a SHORTER period of time

Permissions Permissions models for HR records on shared drives may be different to the model for the rest of the area drive Particularly for sensitive data, access should be on a need to know basis Compliance & Risk

Responsibilities If you keep local HR records you must: Be familiar with the retention schedule as it applies to HR data Be familiar with the privacy notice for staff, and the purposes and processes for which we can use HR data Be familiar with the appropriate security and storage standards which apply to personal and highly restricted data

Responsibilities (2) If you keep local HR records you should: Be aware that data subjects have the right to know where their data is held Be aware that local records should be available for inclusion in SARs when appropriate Be aware that local records should be available for legal purposes where necessary Be aware that local records, particularly copies, are subject to other data subject rights

Personal data held on email Email at the root of over 50% of data protection incidents Email is releasable Email forms part of the audit trail for some processes Emails about processes should be filed with that process Attachments are not a suitable storage mechanism for HR documents Emails are subject to the retention schedule