Agreed actions | Satisfactorily addressed | Partially addressed | No longer applicable | Not addressed
Priority 1 | 13 | 12
Priority 2
Priority 3
CONTENTS
EXECUTIVE SUMMARY
STATUS OF AGREED ACTIONS
APPENDIX 1 DISTRIBUTION LIST
Audit information
Version
4 March 2015
Audit Manager
Joe Palfreeman
Clive Walker
EXECUTIVE SUMMARY
Objective
The objective of this audit was to review the effectiveness of controls over HR
document management covering both paper and electronic documents.
Scope
The audit focused on the control environment in relation to the following key risk
areas associated with the management of staff records and personal data
within HR:
- Policies and procedures including communication to the business
- Roles and responsibilities
- Delivering document retention, storage and retrieval requirements
- Review and disposal of documents
- Monitoring compliance with policies and procedures and following up any issues
Summary of findings
Our Interim Audit Report dated 4 July 2013, entitled HR Document
Management, identified four Priority 1 issues and one Priority 2 issue, resulting
in 16 agreed management actions.
The following issues were identified as being Priority 1:
- There is no strategy within HR for delivery of its responsibilities with regard to the Information and Records Management (IRM) policy
- There is a lack of local procedures and guidelines to advise staff on the management, storage and disposal of personal employee records
- Document management practices across HR operations are inconsistent and ineffective
- Records held electronically are not deleted once the statutory retention period has been reached, as required by the DPA and TfL's Privacy and Data Protection Policy
We have now carried out a follow-up review and can confirm that 15 actions
have been satisfactorily addressed and one is partially addressed. We are
satisfied that activity is being taken to address the partially addressed action
and this will be followed up as part of our 2015 audit Pan-TfL HR Documentation.
Accordingly this audit is now closed.
Agreed action
Owner and due date
Status
Priority 1 actions
1.
2.
3.
Satisfactorily addressed
Satisfactorily addressed
Satisfactorily addressed
Stephen Field / Lee Wise
26/07/13
4.
Stephen Field / Lee Wise
31/03/14
5.
Stephen Field / Lee Wise
Satisfactorily addressed
31/03/14
6.
Stephen Field / Lee Wise
31/03/14
Satisfactorily addressed
An HR Sharepoint Document Management Support site now
supports document management within HR.
The site is easy to use and includes sections on the HR Disposal
Schedule, HR Document Management Strategy, Line Manager
Guidance, Information Governance Courses and the Core Staff
File. There are also links to Information Governance fact sheets.
The site reinforces the need for all HR staff to follow document
management processes to comply with the Data Protection Act
and references the Employment and Pensions Disposal Schedule
as the key sign-posting document.
Details of core staff file requirements are reflected in the TfL
Management System.
7.
Stephen Field / Lee Wise
Satisfactorily addressed
31/03/14
Stephen Field / Lee Wise
31/03/14
Extended to 30/11/14
Satisfactorily addressed
A four-month amnesty was agreed by the Director of Pensions
and Reward on behalf of the HR Leadership Team to allow HR
staff to comply with the revised document management
arrangements.
From August 2014 a requirement was introduced for HR Line
Managers to undertake regular compliance checks within their
business areas. Details of the checks are included in the HR
Managers Quick Guide.
HR Leadership Team audit checks are also now conducted at
random across HR on a six-monthly basis. The
first of these audits took place in December 2014 and a report
produced with appropriate actions to address identified
weaknesses.
9.
10.
11.
Stephen Field / Lee Wise
Stephen Field / Lee Wise
Satisfactorily addressed
31/12/13
Stephen Field / Lee Wise
Satisfactorily addressed
31/03/14
Satisfactorily addressed
The feasibility of holding staff records in one place was
investigated but found to be not possible due to the different IT
systems in use throughout HR. The Employment and Pensions
Disposal Schedule will be used as the guide as to where staff
records should be retained. This approach is endorsed by the HR
Leadership Team.
31/03/14
12.
Stephen Field / Lee Wise
Partially addressed
31/03/14
13.
Stephen Field / Lee Wise
Satisfactorily addressed
See agreed action 12 regarding the change request.
31/03/14
Stephen Field / Lee Wise
Satisfactorily addressed
Priority 2 actions
14.
31/12/13
All HR staff apart from those on maternity, career breaks and
long-term sick completed the three eLearning courses:
- My role in information and records management
- My role in information security
- My role in privacy and data protection
Those on leave are required to complete the training on their
return to work.
15.
Stephen Field / Lee Wise
31/03/14
16.
Stephen Field / Lee Wise
31/03/14
Satisfactorily addressed
A process is in place to ensure all new HR staff complete the
three eLearning courses. A periodic report is sent via the SAP
reporting team to identify new entrants or existing employees who
have joined HR. These employees are contacted to complete the
training within four weeks of starting in HR. HR monitor
completion of the training and a reminder is sent if they do not
complete all three modules within this timescale.
Satisfactorily addressed
HR requires that its staff complete the eLearning courses at least
once every three years. If there are updates to any of these
courses staff are required to complete the updated course within
six months of being notified of the changes. Information
Governance recommends that refresher training for data
protection and information security eLearning courses is
completed annually and HR accepts the risk of not following this
recommendation.
Agreed action
Develop a roll out plan to ensure that staff with responsibilities for
people-related records management complete this additional training.
Status
Following completion of this standard training we noted some
weaknesses in document management responses to questions
raised with the HR Help Desk suggesting there was a further
training requirement in this area.
HR undertook specific coaching for the advisors who take 1729
HR Help Desk calls, and Information Governance also attended
advisor team meetings to reinforce document management
knowledge. New advisors will also receive this coaching and
refresher sessions will also be held on a six-monthly basis.
Document management requirements are also reinforced in role
training for all staff with responsibilities for people-related records.
Kim Travers
Rebecca Crowther
Lee Wise
Hannah Delves
Charlotte Johns
Richard Bevins
James Newman
Clare Cowling
Kathy McMahon
Caroline Kelly
Nigel Blore
Andrea Clarke
Andrew Pollins
Howard Carter
General Counsel
Robert Brent
KPMG