We define compliance as something being in line with all the relevant laws and specific guidelines of a company. Broadly speaking, compliance can be reached if employee personnel files are complete, secure and if they are properly retained. Before these three aspects of compliancy are discussed, a first interesting point needs to be taken into consideration. If guidelines of a company contradicts any law, compliancy is per definition impossible. Trying to reach any degree of compliancy with dubious rules is, in essence, pointless. But the opposite is also true. Many legal systems allow space for employees to keep additional documents in their personal files. There are many specific company regulations possible, allowing non-law controlled documents that are important to the organization to be kept. Ignoring these regulations also make compliancy impossible.
The lessons that should be taken from this are the following:
There is very little to say about completeness in a specific context. In general there are three golden rules of what should be in a personnel file. Meaning: I am not aware of any situation where these did not apply, but it doesn’t mean that this is always enough to reach completeness.
Already naming these three bring many differences between countries. For example, when is the employee incapable? What handicap makes someone incapable and until what age is a person incapable. What kind of ID is allowed? Passport and an ID card? Or also driver license? Work and residence permit are sometimes applicable. In the European Union however, everybody from EU countries can work in whatever country they want inside this zone.
It is clear, that it is nearly impossible to make an exclusive list that is valid for all countries, let alone all companies. But these documents do form, in general, the base of a personnel file. Research is key in setting a standard for what makes a dossier complete. A first good step is contacting a labor lawyer and asses inside the company which documents are relevant to store. Due to changing laws and company requirements, it is very well possible that what is compliant today, is incomplete tomorrow. Checking the standards we set, must remain a continuous process.
An often overlooked part of proper HR file management, is security. This is partially the fault of the laws around this subject, which remain in general terms. For example: “It is the responsibility of the company to keep personal information appropriately stored and secure, and will not be handed to a third party without this party to have reasonable cause to access the files or without consent from the employee” .This one long and twisting sentence, or a variation on it, is normally found it contracts and already gives a lot of room for interpretation. What exactly is personal information? The definition can differ from company to company. For example, is salary personal information? In transparent companies it is known who makes how much money, does this still makes the information personal? What exactly is appropriately stored and secure? And what is a reasonable cause to access files?
The guideline as described above leaves so much room for interpretation and negotiation, that it comes as no surprise that concessions are easily made on this subject. From a moral standpoint it is, however, the most important one. Security is an increasingly important part of the everyday live, and this development continues in the HR document management.
When thought intensively through, security is a wide subject that can be, although broadly, divided in three separate subjects: authorization, safety and accessibility.
Being possibly the most obvious one, authorization plays the biggest part in perception of security. But this specific part might be underestimated. When we speak of authorization, it is about who can access the files and how is it guaranteed that those who cannot will not access the files.
Authorization starts with how to determine who can access the files. What roles within a company may see the personnel files, are they allowed to see the entire file and allowed to add or remove documents? These basic questions are fundamental for security since it determines when a company violates the promise of storing documents appropriately and securely. As a general rule, and not only in this subject, less is more. The less people have access to the files, the more security you can offer. To reach this a separation needs to be made who wants to have access to the files, and who needs to have access to the files. Many employees claim to be the latter, but are definitely the former.
Safety in itself is a tough subject. A storage that is save protects from intruders, makes sure that the quality of files degenerate as little as possible with time and ultimately protects against the consequences of natural or man made disaster. The answer to when a storage is safe enough is not only subjective but also dependent on many factors, like the occurrence of disasters and the kind of personnel files storage that is used.
Paper administration can be locked behind a door, with a set amount of keys and give a stable, albeit somewhat old fashioned, approach to safety. At the same time, paper files are more easily subject to degeneration through time and circumstances like moist. Digital administrations, for example in the cloud, spawn completely new challenges, while solving others. Cloud-like solutions protect against more grave happenings like disasters but make protection from intruders more difficult. You can find more information on pro's and con's of digital and paper administration in this blog.
You don’t think immediately about accessibility when you talk about security. It is even debatable if this is the right place to mention it. However, there is a strong connection between the two, which is often overlooked. Accessibility might be the counterweight in security, which has to be balanced with safety and authorization. It is not difficult to think of solutions which are secure and properly arranged authorization, but remain completely inaccessible. Or solutions which are very accessible, but not safe and complicated to organize authorization for.
Especially in large corporations, accessibility is an important feature that can boost or obstructs proper working procedures. Examples of people needing access to personnel files are plenty, and include but are not limited to: managers, HR personnel, often the Payroll department and the employee of which the files is about. Especially the latter is easily forgotten, but in most countries the employee of which the file is about is allowed to have full insight in his own personnel file, without reservation. For all these people, and often more, proper ways to access these files is necessary.
The difficulty in security, is that it often may feel like a trade-off between usability and protection. How can be determined what is reasonable, enough protection and proper usability? Unfortunately, it is impossible to provide a concrete answer that will cover all possible instances. Be reasonable, but strict. Hold high standards, but not impossible ones. There is no such thing as a 100% secure or a 100% accessible.
The third and final part of compliancy is record retention for personnel files. Where completeness is the most often focused on and security the easiest to overlook, retention management might be the most difficult to organize properly. From a distance it looks like an uncomplicated process, basically throwing stuff away. But there are many buts, if’s and and’s that make it much more difficult to reach compliancy.
The first problem is, unsurprisingly, finding out what can be stored for how long. Unlike other aspects of compliancy, in almost all cases this has a set standard by law. For most document types it has been determined for long they can be kept. Even for document types that are not specifically mentioned some indication is given for time a document can be retained.
The second and biggest problem, is executing the retention process. It might be surprising to learn that smaller companies encounter the exact same problems as large ones. For a couple of documents it is not too difficult to remember when they need to be thrown away, but the number of documents rise at an alarming rate with every new employee. Every employee has, on average, at least ten pages in his or her file and more than ten employees becomes almost impossible to handle already, especially if you consider that retention times wildly vary, from two weeks to more than twenty years. Though, there is yet to be seen a company where a paper administration has a well-organized retention process. The above mentioned problem makes it nearly impossible to follow this process without investing a large amounts of FTE’s in it. Digital solutions are more likely to be successful. A largely automated procedure, removing the human factor.
The third and last problem is destruction of documents. When a document is found and it is determined that it should be destructed, the destruction itself remains crucial to succeed in compliancy. Again, a separation needs to be made between digital and paper administrations.
A digital administration is relatively easy for destruction of documents. Fully deleting a file happens continuously. Admittedly, it is different than just pushing the delete button and the file disappears, but the principle is the same. Paper administration offer a more challenging situation, because destruction can also be treated as a subjective term. A torn document can already be considered destroyed, but still readable. As a general rule the destruction of documents needs to guarantee that documents stay private until they are destroyed, leads to documents that are completely unreadable, doesn’t enable in whatever way that information is copied beforehand and is executed within the set time. There are companies who specialize in this business and fulfill all these standards.
It is understandable that with so many rules, regulations and common mistakes, compliancy is difficult to reach. But as stated before, full value is generated by full compliancy.