Going Paperless in HR: The Legal Guidelines
Tim Myatt | 05 Jun 2019


If your business has embarked, or will be embarking, on a full-scale digitisation project for the HR department, you may be looking to fully understand the legalities of GDPR surrounding employee documents, especially where retention of data in both paper and digital form is concerned and how document scanning falls under these legal guidelines.

The Role of HR under GDPR

Retention of employee records is an extremely complex and ever-evolving subject, one that all HR employees need to keep up to date with. Since the implementation of GDPR, organisations should follow best practice and ensure that they have a document retention policy and monitoring programme in place that’s communicated to all team members.

They should also follow both physical and electronic data security methods. The policy should ensure that records are kept as long as they are required and no longer, and that records which have surpassed the retention date are destroyed securely. Such programmes may involve training employees, not only about the legal issues involved but also about why having organised records benefits the business.

“For GDPR compliance, the first step is knowing what data you actually hold on people. If you don't have a good system with disciplined document practices, then you won’t know if you are compliant” - Jacqui Taylor, Group Chief HR Officer, EDM Group

What constitutes an ‘HR Record’?

HR records can be in any number of formats, including written, charts, pictorial etc., and provide important information about an organisation and how that organisation carries out certain functions. As such, these are business-critical documents containing vital data that is often sensitive to the organisation and the individuals within it.

More organisations are looking to move to digital ways of working, and one of the first departments to undergo digital transformation is the HR department, one of the most beneficial areas in an organisation to go paperless. This is especially true with regard to the storing and retention of these records, not only to remain compliant with GDPR legal guidelines but also to provide easier access to important information.

Pros & cons of going paperless

As with any move to a new type of system, some may have their reservations about going paperless. We take a look at some of the pros and cons of a paperless system.

Pros:

  • Electronic records reduce the need for physical storage space and sometimes the cost of that space
  • Documents can be retrieved instantly rather than requiring manual sifting through physical files
  • Multiple people can view the same document from different locations and devices at the same time allowing for collaborative working
  • Allows retention rules to be applied at document level and in an automated way

Cons:

  • With electronic records come new security threats from both inside and outside the office
  • Portable and ‘bring your own device’ (BYOD) devices generally come with very little security and could pose risks
  • Costs of maintaining and storing electronic records (although storing and maintaining paper records onsite comes at a cost)

Generally, so long as your organisation ensures security for electronic records and systems, the pros of going paperless far outweigh the cons.

Pros & cons of keeping paper records

Employees may be against the idea of a digital transformation within their department and essentially changing the very way they work going forward. Therefore they might be less inclined to adopt it. Nevertheless, there are both pros and cons to keeping hold of paper records.

Pros:

  • Paper records tend to be stored on site and some view this as being an easier way of accessing them
  • Less training required for employees to deal with how to store and maintain paper records without the need for uploading and scanning in-house or even requesting files from an outsourced vendor

Cons:

  • Paper records can be easily lost or misfiled due to human error
  • Documents can be easily accessed, copied and left lying around - risking a breach of data
  • Paper records are at risk of being physically damaged
  • Filing paper records in cabinets and/or unlocked rooms can put them at risk of theft
  • Records could be kept well past their retention date
  • No audit trail of documents being handled/processed



The legal guidelines that must be followed when a company goes paperless

The actual retention periods aren’t wholly defined by the GDPR, but it does state guidelines for organisations to understand and decide what their retention should be (within reason):

  • Article 5.1(e), in summary, states: Personal data should not be kept for longer than is necessary for the purposes for which it is being processed.
  • Recital 39 summarises that: The period for which the personal data is stored should be limited to a strict minimum and that time limits should be established by the data controller for deletion of the records (otherwise referred to as “erasure”) or for a periodic review.

Using these guidelines, organisations need to consider:

  • How long they are required to keep employee records on file for both:
    • Statutory retention periods; and
    • Recommended (non-statutory) retention periods
  • What to store and what to shred/erase?
  • Document destruction - what your record disposal responsibilities are

Important factors to consider when converting to an electronic format

These are the vital factors that organisations must consider when converting HR records such as personnel files from hard copy format to an electronic format:

  • The costs and security of your cloud storage and computing systems
  • Choosing an electronic record storage vendor that will meet your compliance and business requirements
  • Preservation of document metadata – Recording the identity of the author and when the file was created, as well as information in calendar-keeping software, all of which could be crucial for litigation purposes
  • Security, both internal and external – Systems need to be secure from outside intruders through the use of passwords, firewalls, and encryption. Systems need to be secure from insiders who shouldn’t have access to certain documents
    • Just as with paper personnel files, electronic personnel files must have separate folders with access granted on a “need to know” basis
  • Readability and accessibility of data over time
  • Saving data permanently
  • Maintenance of databases – How secure is the database long term? – What if it crashes? – Is there a backup? – Does the company know how to retrieve data from backup?
    • Additionally, maintaining databases also means having a strategy in place to prevent possible data breaches

Key takeaways for retaining and storing employee records and next steps

It’s entirely possible for organisations to begin their digital transformation by starting with the HR department and gaining a deeper understanding of compliance requirements of retaining and storing records. Using the GDPR legal guidelines you could update your HR processes by keeping the following in mind:

  • You typically don’t need duplicate paper and digital records unless absolutely required to do so
  • Electronic records tend to be more secure from tampering, fire and floods as they are kept off-site in a cloud-native network with the latest security updates as well as sophisticated user permissions
  • You still have the option to print out digital records, if necessary
  • Government agencies consider electronic records legal and fully compliant

With all this in mind, it’s also worth considering looking at using an outsourced document scanning vendor to help you realise your paperless dream. An outsourced vendor can help you determine your whole paperless strategy from beginning to end - and even help you set up retention rules for your electronic records based on how your organisation needs to deal with them.

The next step? Find out how to fully replace HR paper records and go paperless. Learn more by following the steps in our useful eBook ‘Buyers Guide to going paperless: 10 crucial questions you should ask your Document Scanning Vendor’.
