
FINAL INTERNAL AUDIT REPORT

HR Document Management (IA 12 108/F)


Tricia Riley, HR Director
Audit Conclusion: Audit Closed
9 March 2015
Issue categories   Agreed actions   Satisfactorily addressed   Partially addressed   No longer applicable   Not addressed
Priority 1         13               12
Priority 2
Priority 3


CONTENTS
EXECUTIVE SUMMARY
STATUS OF AGREED ACTIONS
APPENDIX 1 DISTRIBUTION LIST

Audit information
Version

Draft versions issued

Draft report issued: 4 March 2015
Audit Manager: Joe Palfreeman
Director of Internal Audit: Clive Walker


EXECUTIVE SUMMARY

Objective

The objective of this audit was to review the effectiveness of controls over HR
document management covering both paper and electronic documents.

Scope

The audit focused on the control environment in relation to the following key risk
areas associated with the management of staff records and personal data
within HR:
- Policies and procedures including communication to the business
- Roles and responsibilities
- Delivering document retention, storage and retrieval requirements
- Review and disposal of documents
- Monitoring compliance with policies and procedures and following up any
  issues

Summary of findings

Our Interim Audit Report dated 4 July 2013, entitled "HR Document
Management", identified four Priority 1 issues and one Priority 2 issue resulting
in 16 agreed management actions.

The following issues were identified as being Priority 1:
- There is no strategy within HR for delivery of its responsibilities with regard
  to the Information and Records Management (IRM) policy
- There is a lack of local procedures and guidelines to advise staff on the
  management, storage and disposal of personal employee records
- Document management practices across HR operations are inconsistent
  and ineffective
- Records held electronically are not deleted once the statutory retention
  period has been reached, as required by the DPA and TfL's Privacy and
  Data Protection Policy

We have now carried out a follow-up review and can confirm that 15 actions
have been satisfactorily addressed and one is partially addressed. We are
satisfied that activity is being taken to address the partially addressed action
and this will be followed up as part of our 2015 audit "Pan-TfL HR Documentation".
Accordingly, this audit is now closed.


STATUS OF AGREED ACTIONS


Priority 1 actions

1.
Agreed action: Agree an overall owner with the HR Leadership Team for document management.
Owner and due date: Lee Wise; Complete
Status: Satisfactorily addressed
- The Director of Pensions and Reward is the owner on behalf of the HR Leadership Team.

2.
Agreed action: Secure the HR Leadership Team's agreement to establish an HR-wide network group to deliver HR's responsibilities with regard to the IRM policy.
Owner and due date: Lee Wise; Complete
Status: Satisfactorily addressed
- The HR Leadership Team established an HR-wide network group.

3.
Agreed action: Implement the HR-wide network group with representation from HR Services, HR Delivery and the Centres of Excellence.
Owner and due date: Stephen Field / Lee Wise; 26/07/13
Status: Satisfactorily addressed
- The network group had appropriate representation from across HR as well as the wider business including Information Governance. HR document management was taken forward as a project by the network group.

4.
Agreed action: Develop a local HR Strategy that supports the overall IRM Policy taking into account the HRS document management project work carried out in 2009.
Owner and due date: Stephen Field / Lee Wise; 31/03/14
Status: Satisfactorily addressed
A strategy that supports the overall IRM Policy and takes into account the HRS 2009 project was produced. The strategy was approved by the Director of Pensions and Reward and is available on the Sharepoint HR Document Management Support page.


5.
Agreed action: Develop and implement an HR Disposal Schedule.
Owner and due date: Stephen Field / Lee Wise; 31/03/14
Status: Satisfactorily addressed
- The Employment and Pensions Disposal Schedule was updated by Information Governance with input from across HR. Each area of HR gathered data to review the relevant section of the schedule. The Schedule was approved by the Director of Pensions and Reward and is available on both the HR Sharepoint site and in the TfL Management System.
The schedule will undergo a formal review every two years with other updates made as and when required.

6.
Agreed action: Develop processes and supporting documentation for employees and Line Managers that is easy to use and takes into account the Employment and Pensions disposal schedule and makes use of a draft Records Management Fact Sheet. The processes will be included in the TfL Management System.
Owner and due date: Stephen Field / Lee Wise; 31/03/14
Status: Satisfactorily addressed
An HR Sharepoint Document Management Support site now supports document management within HR.
The site is easy to use and includes sections on the HR Disposal Schedule, HR Document Management Strategy, Line Manager Guidance, Information Governance Courses and the Core Staff File. There are also links to Information Governance fact sheets.
The site reinforces the need for all HR staff to follow document management processes to comply with the Data Protection Act and references the Employment and Pensions Disposal Schedule as the key sign-posting document.
Details of core staff file requirements are reflected in the TfL Management System.


7.
Agreed action: Develop and deliver communications and training to HR staff and Line Managers in support of the processes.
Owner and due date: Stephen Field / Lee Wise; 31/03/14
Status: Satisfactorily addressed
- Document management champions are embedded into each HR business area and provide support and training to HR staff as required.
- Regular communication on document management activities was provided throughout the project by the HR Director including an article in HR News.
- Information and records management, and privacy and Data Protection have been added to the HR Leadership Team agenda for discussion on a half yearly basis to review and monitor compliance with document management.

8.
Agreed action: Create a mechanism to be able to carry out regular on-going compliance checks to ensure HR staff and Line Managers are following the processes. Agree with the HR Leadership Team what these checks are and how regular they should be.
Owner and due date: Stephen Field / Lee Wise; 31/03/14, extended to 30/11/14
Status: Satisfactorily addressed
A four month amnesty was agreed by the Director of Pensions and Reward on behalf of the HR Leadership Team to allow HR staff to comply with the revised document management arrangements.
From August 2014 a requirement was introduced for HR Line Managers to undertake regular compliance checks within their business areas. Details of the checks are included in the HR Managers Quick Guide.
HR Leadership Team audit checks are also now conducted on a six monthly basis to be carried out at random across HR. The first of these audits took place in December 2014 and a report was produced with appropriate actions to address identified weaknesses.

9.
Agreed action: The HR Network Group will investigate the feasibility of holding staff records in one place and make a recommendation to the HR Leadership Team.
Owner and due date: Stephen Field / Lee Wise; 31/03/14
Status: Satisfactorily addressed
The feasibility of holding staff records in one place was investigated but found to be not possible due to the different IT systems in use throughout HR. The Employment and Pensions Disposal Schedule will be used as the guide as to where staff records should be retained. This approach is endorsed by the HR Leadership Team.

10.
Agreed action: HR will implement an interim process which will signpost where all staff file documentation is held pending the outcome of the feasibility review. This will be communicated to line managers and captured in the TfL Management System.
Owner and due date: Stephen Field / Lee Wise; 31/12/13
Status: Satisfactorily addressed
- The Employment and Pensions Disposal Schedule is the key point of reference for signposting where all staff file documentation is held.
- This has been communicated to HR using the HR Sharepoint Document Management Support site and through HR News. The Disposal Schedule is available on the TfL Management System.

11.
Agreed action: Signposting will be used on an ongoing basis where different technologies mean it may not be possible to hold data in one place.
Owner and due date: Stephen Field / Lee Wise; 31/03/14
Status: Satisfactorily addressed
- See agreed action 10.


12.
Agreed action: Work with IM to agree the rules around archiving and deletion on SAP R3, EiC, Taleo and Intrinsic. Rules will be documented and communicated to all staff with responsibility for maintaining personal records on these systems.
Owner and due date: Stephen Field / Lee Wise; 31/03/14
Status: Partially addressed
- HR undertook work to agree the rules around archiving and deletion in line with the Employment and Pensions Disposal Schedule requirements and this was agreed by the HR Leadership Team. A change request was submitted to IM to look into the feasibility of implementing archiving and deletion rules into HR systems.
This work was incorporated into the wider pan-TfL IM Enterprise Content Management (ECM) programme and the HR Pensions Manager assigned to the ECM steering group to ensure HR's requirements were met.
However, ECM is now focusing on overall strategy and the technical roadmap, rather than implementing the specific needs of any particular business area. As a result a group has been established to take forward the archiving and deletion of HR data. Group membership is from HR, IM and Information Governance and the first stage of their activity will be to conduct a proof of concept. IA will follow up this work as part of the 2015 audit "Pan-TfL HR Documentation".

13.
Agreed action: A business case will be developed for automated archiving and deletion of personal records for consideration by the HR Director and Chief Information Officer.
Owner and due date: Stephen Field / Lee Wise; 31/03/14
Status: Satisfactorily addressed
See agreed action 12 regarding the change request.


Priority 2 actions

14.
Agreed action: Existing HR staff with responsibility for managing records and who have not completed the eLearning records management course will do so.
Owner and due date: Stephen Field / Lee Wise; 31/12/13
Status: Satisfactorily addressed
All HR staff apart from those on maternity, career breaks and long term sick completed the three eLearning courses:
- My role in information and records management
- My role in information security
- My role in privacy and data protection
Those on leave are required to complete the training on their return to work.

15.
Agreed action: All new HR staff will be required to complete the eLearning records management course on joining the function.
Owner and due date: Stephen Field / Lee Wise; 31/03/14
Status: Satisfactorily addressed
A process is in place to ensure all new HR staff complete the three eLearning courses. A periodic report is sent via the SAP reporting team to identify new entrants or existing employees who have joined HR. These employees are contacted to complete the training within four weeks of starting in HR. HR monitor completion of the training and a reminder is sent if they do not complete all three modules within this timescale.

16.
Agreed action:
- Develop any additional training required to ensure that staff are equipped to manage HR information and records relating to staff and personal data effectively.
- Develop a roll out plan to ensure that staff with responsibilities for people-related records management complete this additional training.
Owner and due date: Stephen Field / Lee Wise; 31/03/14
Status: Satisfactorily addressed
HR requires that its staff complete the eLearning courses at least once every three years. If there are updates to any of these courses staff are required to complete the updated course within six months of being notified of the changes. Information Governance recommends that refresher training for data protection and information security eLearning courses is completed annually and HR accepts the risk of not following this recommendation.
Following completion of this standard training we noted some weaknesses in document management responses to questions raised with the HR Help Desk suggesting there was a further training requirement in this area.
HR undertook specific coaching for the advisors that take 1729 HR Help Desk calls and Information Governance also attended advisor team meetings to reinforce document management knowledge. New advisors will also receive this coaching and refresher sessions will also be held on a six monthly basis.
Document management requirements are also reinforced in role training for all staff with responsibilities for people-related records.


APPENDIX 1 Distribution list


This report was sent to Tricia Riley, Director of Human Resources, by Clive
Walker, Director of Internal Audit, and copied to:
Stephen Field      Director of Pensions and Reward
Kim Travers        Head of HR Service Delivery
Rebecca Crowther   HR Services Delivery Manager
Lee Wise           Staff Travel Manager
Hannah Delves      Head of HR Planning & Governance
Charlotte Johns    Recruitment Delivery Manager
Richard Bevins     Head of Information Governance
James Newman       Privacy and Data Protection Manager
Clare Cowling      Information & Records Manager
Kathy McMahon      IM SAP Functional Operations Manager
Caroline Kelly     as Key Risk Representative
Nigel Blore        Head of Group Insurance
Andrea Clarke      Director of TfL Legal
Andrew Pollins     Interim Chief Finance Officer
Howard Carter      General Counsel
Robert Brent       KPMG
