Organisations are in some cases on their 3rd or 4th generation of HRIS System. These systems are not like a car, where you can sell your old one. Removing your old HRIS System needs to be a key part of any project. This is to ensure the old HRIS System is not just left like a shipwreck, bobbing around on a server somewhere!
All too often, I have found that old redundant HRIS systems are just left in situ. Little or no regard is given to the security, validity and cost of legacy systems. It is amazing that some still have the passwords set up by the supplier, many moons ago.
We are currently in an age where organisations have a vast amount of data on all parts of their business. This means that more consideration needs to be given to formalising the shutdown and also the removal of the redundant HRIS System. Data protection is coming into the limelight much more now. However, how is this being applied to an old redundant HRIS System that contains very sensitive people data?
Decommissioning your old HRIS system
This generally gets forgotten about on most projects, but it is vital that there is a plan and that it is made a part of the project closure process. There are costs, data security and legislative requirements that need to be considered and factored into your overall project plan. It should also have its own specific project milestone.
IT departments do not want a redundant HRIS System being left on the server. The departments are generally keen to uninstall them as soon as possible. The business should have a data retention policy. This will become more prevalent with the GDPR changes that are coming into force from April 2018.
The size of the organisation will largely determine some of your decisions around the options that you take. A small organisation would be fine with outputting their data to .csv files. However, the security of this method should be considered. Larger organisations would most likely need a more robust and secure solution.
What are your options?
- Purchase a read only licence from your old supplier. This will allow you to leave all your historic data in the HRIS System in case you need to access it.
- Output all data into either a spreadsheet or csv file to enable you to look up the data as required. This is the cheapest option.
- Output your data into a database that will provide it with a level of security. A cost would be incurred as it would require some technical resources to undertake the work.
- Output payslips to hard copy format and store as manual copies. The difficulty with this option will be the retrieval of the paper records. Some software solutions include functionality that saves payslips to a .pdf file which could be retrieved as required.
What drives your decisions on the above choices?
- How long should we retain the data?
This will vary from business to business and there is no hard and fast rule around certain data. However, equally, there are some legislative requirements that may drive your decisions on data retention. Currently, Payroll data has to be held for a period of 7 years in total to satisfy HMRC audit requirements.
- How often will the data need to be accessed?
If the data needs to be accessed frequently, then a means of accessing the data easily, securely and efficiently needs to be considered.
- Security of data
The security of the historic data is another key driver in your choice. You will need to assess whether password-protected files are secure if multiple people need to access the file. How do you secure part of the data if, for example, a person must not see the salaries of Directors?
- Ongoing Costs
Retaining your old data for the specified time will incur additional costs.
Payroll data needs to be kept for 6 years. When changing the HRIS system, this needs to be considered. The current year's data will be imported into your new system. This will require making provisions to store the 6 years of history. This is dependent on when the new system goes live: if it is part way through the year, it may be that 6 years+ history is required.
GDPR 6 Principles
- Fair & lawful
- For specific, explicit and legitimate purpose
- Adequate, relevant & limited
- Accurate & up to date
- Not kept longer than necessary
- Ensure appropriate security
System Decommissioning and Data retention policy
With the above GDPR principles due to take effect in May 2017, organisations should start to define their data retention policy. This will in turn help decide the route to take when decommissioning an old HRIS System.
There is a lot of hype out there now, but help is readily available. It really is not that scary.