tami cartwright aprj 699 payroll department...

PAYROLL GUIDE – RECORDS MANAGEMENT 1 | P a g e

TAMI CARTWRIGHT

APRJ 699

PAYROLL DEPARTMENT GUIDELINES FOR

ELECTRONIC RECORDS MANAGEMENT OF

NETWORK DRIVES

Word Count: 13155

SUBMITTED ON: FEBRUARY 24, 2014

SUPERVISOR: DON SMALLWOOD


Table of Contents CHAPTER I ABSTRACT ............................................................................................................................. 3

CHAPTER II INTRODUCTION ..................................................................................................................... 5

CHAPTER III RESEARCH PURPOSE AND DESIGN ........................................................................................ 8

CHAPTER IV LITERARY REVIEW ................................................................................................................ 10

Employee Influence ................................................................................................................................ 12

Records Management Systems ............................................................................................................... 13

Network Drives ....................................................................................................................................... 16

Naming Conventions ............................................................................................................................... 18

Privacy & Security ................................................................................................................................... 19

Document Retention ............................................................................................................................... 21

Change Management .............................................................................................................................. 21

CHAPTER V STATEMENT OF RESULTS .................................................................................................... 23

CHAPTER VI ANALYSIS ............................................................................................................................. 24

Assumptions ............................................................................................................................................ 24

Limitations .............................................................................................................................................. 24

Canoil Network Drive Analysis ................................................................................................................ 24

Naming Conventions ............................................................................................................................... 26

Records Management Systems ............................................................................................................... 27

Network Drives ....................................................................................................................................... 29

Privacy & Security ................................................................................................................................... 29

Document Retention ............................................................................................................................... 30

Employee Influence ................................................................................................................................ 31

Document Risk Assessment .................................................................................................................... 31

Change Management .............................................................................................................................. 32

CHAPTER VII RECOMMENDATIONS ...................................................................................................... 34

ELECTRONIC DATA MANAGEMENT GUIDELINES – Payroll Network Drives ........................................... 38

CHAPTER VIII CONCLUSION ................................................................................................................... 41

REFERENCES ................................................................................................................................................ 43

APPENDIX A – PAYROLL RECORDS RETENTION ........................................................................................... 46

APPENDIX B – DETAILED ANALYSIS ............................................................................................................. 47

APPENDIX C – PRIVACY BREACHES ............................................................................................................. 49


CHAPTER I ABSTRACT

Electronic data management is a growing problem in organizations everywhere as they

struggle to manage the volume of data created and stored in the modern office, all of

which is increasing at a staggering rate. Data is increasing so rapidly due to technology

improvements which have made it very easy to create and transmit data. Data can be

transmitted by email, pulled from ERP systems or created from scratch using Microsoft

Office or other software. This, along with ineffective archive and destruction

procedures, has resulted in mountains of electronic data being housed in the modern

office.

In the historical paper office, effective filing and naming systems ensured documents

could be found easily when needed. Offices that did not have effective filing systems

were in disarray, less effective and put the organization at risk for increased financial

consequences of lost documents.

The modern office is becoming a wasteland of data as electronic filing techniques have

not kept pace. This has resulted in a host of issues including lost productivity,

increased server and storage costs, and financial losses due to an inability to produce

documents when required to do so. Organizations need a paradigm shift to start

treating electronic filing as sacredly important as paper filing in the historical office was.

Payroll departments are busy administrative departments, with legislated obligations for

retaining and securing data. Failure to locate documents can result in a multitude of

repercussions including an inability to pay employees on time or accurately, penalties

resulting from an audit or significant productivity loss.

The purpose of this study was to identify the issues and factors to consider in the

development of electronic records management guidelines for network drives in a

payroll department. Issues and factors include file and folder naming and storage

techniques, use of records management systems, legislative obligations and employee

influence.

This research study uncovered information that is transferable to any administrative

department, but the primary focus is for a payroll department. Payroll departments have

unique administrative procedures and legislative obligations that require distinction.

The research was completed by observing the electronic data management techniques

and analyzing the electronic data stored on the network drives in a large payroll

department. In addition, academic literature and records management documentation

were combed for relevance to the topic.


One of the major findings of the research is that document management systems,

purported to be the solution to all document management issues, do not in fact solve all

or even most of the issues. As historical paper offices have evolved into modern

electronic data offices, filing techniques have not kept pace. Organizations must step

ahead of the technology and implement electronic data management guidelines, which

will increase productivity and reduce corporate risk.

Employees must change their thinking and habits to treat electronic data similar to

paper records and understand just how important it is to manage the data effectively.

This shift represents a major change in the way administrative departments operate with

data, taking some of the control away from employees and placing it in the hands of the

organization, so effective change management is key to the success.


CHAPTER II INTRODUCTION

Over the past twenty years, the amount of electronic data that is stored on office servers

has skyrocketed to staggering quantities. As the volume increases, so do the problems

inherent with storing the data. Electronic data management is becoming a huge and

growing concern as filing practices have not kept up with the changes in technology.

Payroll is a cyclical, administrative function that is deadline sensitive and has a myriad

of legislative obligations that form the daily work activities. Payroll information is often

confidential and subject to privacy law. Employers must be aware of, and follow

legislated records retention requirements. With time-sensitive and legally charged

activities, payroll staff are tasked with knowing where to find information quickly to

ensure all employees are paid on time and accurately, and employers don’t incur

financial penalties.

Prior to the onset of computers, payroll offices used to print and store stacks of paper.

An effective filing system, considered essential to the payroll operation, was in place so

all information could be located in an expedient manner. As more and more data is

stored online verses paper copy, payroll staff must treat electronic filing just as seriously

for an organization as paper filing.

Employees are responsible for creating, saving, storing and recovering all of this data

as they perform their daily work activities, and it can be rather overwhelming. When

employees are left with no direction as to how to effectively manage documents, they

are left to their own tactics. Individual document storage organizational habits can vary

widely from person to person, leaving the company at risk of lost productivity and

ineffective backup coverage, due to time spent searching for records and data loss.

Many organizations have records management systems in place, which are intended to

offer a corporate solution to document management. These systems offer solutions to

some of the problems, but they don’t solve all of them. Sometimes they create

additional challenges resulting in an incomplete solution.

Payroll departments can vary in size and structure. A small payroll department might

consist of one employee who performs all data entry, customer service, payroll

processing, government liaison and audit inquiry activities. A large department might

consist of a complete split between input activities (data entry) and output activities such

as processing, remittances, reporting and audit inquiries. Regardless of the department

structure, there is similar data flowing through the organization.

Canoil is a large, multi-national oil and gas company with over 14,000 employees

worldwide including all provinces in Canada, twenty US states and seven foreign


countries. It has a very busy payroll department with many types of electronic records

flowing through the department daily including: email, spreadsheets, word documents,

ERP system reports, employee records, procedure manuals, process flow documents,

interface files and bank transactions.

The payroll input and output functions are split at Canoil, leaving the true payroll

processing, remittance, reporting, and reconciliation functions in the payroll department.

All data input and customer service functions are in the HR department. Each

employee in the payroll department has a unique and very specific job function.

Canoil’s payroll department currently stores data in a variety of locations, such as

personal archived email folders, nine separate shared network drives, eight individual

network drives, a records management system (RIM) and hard copy storage. Each

person in the payroll department makes independent decisions about how data is

created, stored, archived, and deleted. There is no standard of practice for data

management. Canoil encourages the use of the RIM system, but there is no corporate

standard requiring it.

Searching for misplaced documents is a common occurrence in the payroll department.

This is particularly troublesome for new employees who can spend hours each week

trying to navigate the mass of folders and files. If an employee is away from the office,

the person covering often experiences difficulty in finding the documents required to

perform the job functions. Retrieving documents for audit purposes can take time, and

sometimes results in an inability to find the documents. This frustration is echoed

throughout the payroll community outside of Canoil.

Electronic data management is a problem faced by organizations worldwide. The

solution is to implement guidelines that teach staff how to effectively manage data,

following a consistent logical approach for the department that all employees

understand.

There is no “one size fits all” approach. In a payroll department, the guidelines must

consider the work being performed, payroll cycles, as well as legal, practical, personal

and technological issues. The solution must be simple and transferrable enough to be

adapted by all employees. This research study will research the issues and

recommend guidelines for effective records management in a payroll department.

Individual administrative departments generally do not have much influence over the

organization’s records management strategy. Therefore, strategic technology solutions

such as the best document management systems are not considered as a solution.

This study is intended to inform payroll departments how to develop effective records

management guidelines, utilizing existing resources. It is not intended to recommend

new technology.


Payroll departments will be the focus of this study, although much of the outcome is

transferable across other administrative or operational departments. Payroll

departments have unique and crucial data handling requirements that compel

distinction, including deadline driven activities, privacy and records retention obligations.

Therefore, this study will focus solely on payroll departments.

The author is a Payroll Manager with over twenty years’ experience. Data obtained

from the payroll department of a large company has been used in the analysis. The

pseudonym Canoil will be used to describe this organization.

The scope of the study includes analysis of the electronic data of a large organization

and developing recommended guidelines for this organization. It does not include

clean-up of existing records. Canadian legislation will be the focus of legal obligations,

although multi-national organizations must consider the legal requirements in each

country of operation since they may be different than Canada. The electronic data

studied is limited to data stored on individual and shared network drives and within a

records management system. Email and social media outlets are out of scope of the

study. Review and recommendation of new technology as a solution is out of scope of

the study.


CHAPTER III RESEARCH PURPOSE AND DESIGN

Research problem

The purpose of this study is to develop a recommendation of guidelines for effective

electronic records management in a payroll department. The research is qualitative.

Observations of electronic data in a large payroll department informed the research.

Research method

Research consisted of content analysis; primarily collecting and analyzing electronic

records from Canoil’s payroll department. Academic and legislative sources were

analyzed for legal obligations, trends and best practice recommendations.

Observations of records management procedures in a large payroll department are

made.

The research focused on records from all payroll related network drives and the records

management system at Canoil. Each record was categorized as follows:

FILE CATEGORIES

Retention

Critical Files have legal retention requirements and are not to be destroyed before an identified date. These files are integral to business continuity and considered high risk.

Current Files that are in current or recent use. Current files can also be duplicate files. There are no legislated retention requirements.

Archival Files that are useful to be kept for a period of time, but not in current use. There are no legal retention requirements.

Destructible File is no longer of use or past archive or destruction dates.

Accessibility

Internal Files that must be accessible by all members of the payroll department team.

External Files that must be accessible by all members of the payroll team as well as selected users from other departments.

Personal Files that are used exclusively by a specific team member and not required by any other internal or external team members.

Other

Procedure Files that are procedure related including procedure or process instructions, process flow maps, cheat sheets, forms or other like documents. These files are integral to the continuity of business operations and consequently high risk.

Duplicate Files that are very similar or the same. They have likely been created as a result of inability to find the original document. Duplicate files can fall under any of the retention categories.


The specific names of folders, files, drives or staff have not been used in the study.

Records are referred to by the generic category titles or anonymized names. Graphs or

other analysis reporting methods are used to report the data.

Existing research and literature was reviewed to identify known trends and best

practices for electronic records management. This research was analyzed for

relevance and practicality in a payroll department setting. The primary sources

reviewed were research studies and industry journal articles.

Records retention and privacy laws in Canada were gleamed to identify the legislative

requirements for organizations.

Research Questions

In order to solve the research problem, the following research questions have been

asked and answered:

1. What are the employer’s legal obligations in regards to records retention and

privacy?

2. How do employee data management habits impact guidelines?

3. How does the quantity of data, structure of the department, and type of work

play into the overall decisions about document management?

4. What are the factors to consider for managing the change?

5. What are the RIM system technology limitations?

6. How can naming conventions be used to facilitate data management?


CHAPTER IV LITERARY REVIEW

We live and work in a digital age. “More than 89 billion corporate emails are sent and

received each year” (Amy B. Royal, 2013). Email is one of the primary methods for

transferring and sharing files. Electronically stored information comes in various types

and formats including, but not limited to e-files, or electronic documents stored on a

user’s hard drive, a network drive or a record management system; word processing

documents such as Word or RTF; PowerPoint presentations and Excel spreadsheets;

graphic files such as PDFs, TIF & JPEGs; web pages or web-based data; video or

sound files; server or web-based email; and Outlook exchange. “Electronically stored

information may be stored in duplicative as well; for example, an email may be stored in

Outlook and on the same user’s Blackberry or iPhone” (Amy B. Royal, 2013). This

information is then often transferred to network drives.

The World Wide Web was invented by Tim Berners-Lee in 1989 at the CERN research

facility in Geneva, Switzerland (CERN, 1989). The project was initially intended for

physicists within CERN to exchange data. History shows that in a relatively short period

of time, we have become irretrievably attached to the web as it infiltrates our working

and home lives.

Since the invention of the web, the world has seen a dramatic increase in the amount of

information created and stored, to the point where it is estimated that four exabytes (4.0

X 10 ^ 19) of unique information will be created this year alone, which is more than the

previous 5000 years (Fisch, 2014). All of the new data needs to be managed, reviewed,

saved, printed, stored, archived or deleted. Every day, employees are faced with

dealing with volumes of data, which in and of itself is a significant job. When you marry

ineffective record management practices, you’ve now significantly increased an

employee’s workload.

Searching for misplaced data takes time, resulting in lost productivity and consequently

lost profits. Employees often have trouble finding documents, email or other data files.

One survey puts the estimated productivity loss due to searching for documents at

21.3% (Iron Mountain, 2012).

Another primary issue related to electronic data is privacy and security. As companies

become more reliant on transmitting data online, securing that data against ill-intended

individuals becomes more challenging.

Hardly a week goes by where there is not another significant privacy or security breach

in the headlines. This week alone, Israel’s defence computers were hit by hackers

(BBC News, 2014), advocacy groups challenged Bell’s data collection on wireless


customers (LaSalle, 2014) and there are more privacy breaches in the Alberta health

care system (Trynacit, 2014). Privacy breaches are a big concern around the world.

As the amount of data has increased, so has the importance and interest in data

management. Corporations scramble to manage their data in order to mitigate risk.

This has resulted in a reliance on records management systems (RIM) as a technology

solution to effective data management.

Vendors began developing records management information system software in the

1980’s, originally to manage paper documents. As technology improved and electronic

data quantity increased, RIM systems evolved to manage electronic data. The earliest

systems dealt with proprietary file types and limited numbers of file types. They

advanced to image file types and became commonly known as document imaging

systems. They have continued to evolve to the point where now they manage any type

of file that can be stored on a network. The scope of service offerings encompasses

electronic documents, collaboration tools, security, workflow, and auditing capabilities

(Wikipedia, 2014).

When documents are misplaced, workers can spend valuable work time searching for

them. This unproductive time indirectly hits the bottom line in the form of lost profits. If

organizations are unable to produce the documents for evidence of legislative

compliance, they could be faced with severe financial penalties. There is a perception

that record management systems are the solution to all of a corporation’s electronic

record management problems. But research shows that they do not address all of the

issues.

Canoil has a RIM system as a corporate standard for records management. Users

often complain that it is not very intuitive, hard to navigate and slow to retrieve and save

documents. Most users don’t completely understand the functionality. Employees are

not likely to adapt effectively to a technology solution for storing documents if it is not

easy to use. This is due to the extensive volume of data they must handle daily.

Iron Mountain conducted a survey of record management practices of organizations to

which they service. The survey produced some interesting statistics:

72% of organizations say they are very committed to records management

program improvements

80% stated they have formal records and information management policies

37% consistently apply records and information management policies across the

organization

9% claim enterprise wide, consistent policy adoption

36% offer no or limited records management training

72% have no strategic, multi-year plan for dealing with records management


63% reported a trigger event that cost their company money

73% report that legal departments, compliance departments and/or formal

records management steering committees are accountable for governance of

their records management programs

(Iron Mountain, 2012)

Organizations still struggle with records management because it is a tough problem and

a desire to do better can’t overcome the complexity. Electronic records are everywhere

and in too many formats to grasp: applications, file shares, SharePoint, tape, desktops,

and even the cloud.

(Iron Mountain, 2012)

Ultimately, employees need guidelines on how to make better records management

decisions in order to minimize risk to the organization. Guidelines should cover file and

folder naming conventions, versioning, how to determine the right place to store

documents, security, privacy and records retention.

Many organizations are putting more concerted efforts into operational excellence.

Canoil is implementing an Operational Excellence Management System in 2014. This

system encompasses ten key areas of business processes to focus on and has been in

the works for the past three years. Late last year, the executive team added electronic

data management to make eleven key areas in recognition of the significant impact it

has on operational excellence. This is an indicator of just how important the issues

have become to businesses.

One challenge with electronic data management is getting over the perception that it is

completely an information technology (IT) issue. IT is one component of the issue, but

people habits is a greater part of the issue. An IT solution won’t resolve the fact that

employees have to change the way they deal with the data. The existing IT solutions

are too cumbersome for practical use for all data considering the volume. Businesses

need a solution now that will work with existing technology.

The intent of this study is to develop electronic records management guidelines that

utilize existing technology. As a guideline, user acceptance is crucial for effective

implementation and ongoing usefulness.

Employee Influence Masses of data are handled every day and it isn’t typical for organizations to have

policies and procedures in place for addressing data management. If an employer

provides direction on how to save, name, store and archive documents, it could be

viewed by some as controlling behaviour, lending itself to resistance from users.


The Strategic HRM Model offers some insight into how employee influence is central to

strategic human resources. Strategic human resource management is about aligning

the human resource goals to the corporate goals. The strategic HRM model indicates

the influence of various internal and external environmental factors on organizational

and HRM strategies; the outcomes of which affect the overall HRM and organizational

effectiveness (Athabasca University, 2011).

Looking at the strategic HRM model, one can see that Employee influence is pivotal to

work systems, human resource flow and rewards. Organizations that focus on policies,

rules and regulations tend to overlook the importance of employee self-control.

Organizational control generates compliance, but not commitment. If organizations

provide an environment where employees can identify with the organizational goals and

interests and where they are empowered to perform their work as they best see fit and

to use their creative talents, employees will be more likely to go out of their way to

contribute towards organizational success. Hence, the less expressed control the

organization exercises over its employees, the more overall “control” it may have.

(Athabasca University, 2011).

Employers should seek to find a balance between controlling behaviours to manage

organizational risk and giving employees the freedom to perform well. Implementing a

strict policy for managing electronic documents could prove difficult for employees to

follow, and may be viewed as unnecessary control. Gaining the employee’s buy-in to

the development of guidelines will help to obtain commitment. It may be possible to

agree that certain documents are better with tighter controls and others can be left up to

the best judgement of the employee.

The level of control exercised over the record management process should be in direct

proportion to the organizational risk associated. Procedural documents or those with

retention requirements present the highest risk of any documents in a payroll

department and are candidates for tighter controls.

Records Management Systems As organizations focus more on improving management of electronic documents, many

have invested in a records or content management system (RIM). RIM systems have a


wide variety of service offerings including tracking and storing electronic data. The

benefits to an organization are purported to be increased productivity, legislative

compliance and risk mitigation. Some of the common features of RIM systems are:

- Retention and destruction management

- Versioning control

- Audit history of all changes, additions or deletions of any document

The service offerings of OpenText RIM system has been reviewed in detail as

representative of the offering of all RIM systems. The information obtained has been

balanced against observations made of the practices of using a RIM system in a large

payroll department.

The SWOT analysis, developed by Michael Porter, provides a good framework for

reviewing the strategy, position and direction of a company or business proposition

(swot analysis, 2014). A SWOT has been used to evaluate the strengths, weaknesses,

opportunities and threats of utilizing a record management system for all business file

storage requirements.

RIM systems have a number of features that are intended to help organizations reduce

risk by effectively managing their data including maintaining security for private data and

meeting legislated record retention obligations.

Winterberg describes some of the features of a RIM system. A RIM system categorizes

each document using profiles or templates. Profiles populate fields which identify the

document’s characteristics or content and consequently enforce good naming

conventions.

RIM systems have sophisticated search capabilities. A network drive has limited

methods for a user to search and find data. The user must know the name or parts of

the name of the file. Searches can be performed by the date the record was created or

modified; or if there is more known about the folders or drives it’s stored in, the search

can be narrowed down. These methods are fairly limited. A RIM system has very

robust search functionality.

RIM systems have permission settings that allow organizations to track and control

access to documents. All activities related to each document are recorded in logs

including who created, accessed, changed or deleted files and when. Network drives

have some capabilities to limit access to documents, but a RIM system is more robust.

(Winterberg, 2011)

OpenText is Canoil’s corporate record management system and offers a number of

products. OpenText claims it is a system that delivers the essential capabilities for

managing business-critical documents.


The service offerings of this system are:

1. Organize and share records

2. Apply custom metadata

3. Taxonomic hierarchies

4. Rate and critique documents

5. Automate change requests, review and approvals

6. Work directly from popular authoring tools

7. Email documents to and from the repository

8. Use permissions to control access to documents

9. Audit all document events

10. Comprehensive search functionality

11. Versioning control

12. Document usage reporting

13. Manage compound documents

RIM systems can manage any type of electronic document. Documents can be

organized into hierarchies of folders and compound documents within three types of

workspaces. Network drives allow documents to be organized into hierarchies of

folders.

Metadata is extra information related to the document. A RIM system can index

metadata and easily retrieve it to generate reports on documents based on custom

criteria. Each piece of metadata is an attribute; and attributes can be grouped and

associated with any document. An example of metadata in a payroll department would

be a report on Social Insurance Numbers of all employees. The report would contain all

of the social insurance numbers, but the metadata would be the attribute “Social

Insurance Numbers”. Another example would be a T4. The metadata would be the

attribute T4, not necessarily the actual details of the T4. It helps to refine search

functionalities and characteristics of files.

Taxonomy is the general principles of scientific classification (Merriam Webster, 2014).

Taxonomy is a hierarchy of user specified information relevant to their operations. The

pre-determined system is set up, then all records that are added to the system are

classified within it. A payroll department might set up a taxonomy folder structure that

includes the job descriptions and cycles of work, like biweekly, monthly, quarterly and

annual or payroll analyst, stock compensation analyst. All files stored in this system

would have to be categorized in one of these areas. A robustly defined taxonomic

system will greatly improve search functionality.

RIM systems allow a user to rate the value of a document and write a critique to be

saved with the document and viewed by others. In addition, it can track document

usage and show the most recent and frequently used documents.


RIM systems allow users control over the changing, reviewing and approving of

documents using a workflow feature. This can allow businesses to enforce record

management guidelines.

RIM systems allow users to open and save documents directly from the repository. It

also allows drag and drop functionality directly from Windows Explorer.

Unique email addresses can be assigned to a RIM repository, allowing users to email

document attachments directly to a particular folder. Each document in the repository

has an email function, enabling the document’s link or the document itself to be emailed

to any recipient. Permission settings can prevent an unauthorized viewer from seeing

the document. Up to nine levels of permissions can be defined for users. Permissions

can restrict or grant access to view, modify, or delete a document.

Users can build search queries that include using custom metadata or taxonomic

classification. Search results can provide rankings, automatic summaries, and

clustered result themes, hit-highlighting and similar finds.

Check-out and check-in functions can prevent multiple authors from overwriting each

other’s work. When a user checks out a document, it can be viewed, but not modified.

Comprehensive reporting on the use of documents within the system is available. This

can be useful for statistics reporting and determining process review.

Compound documents are documents that are multiple of the same document. Within a

compound document, sub-documents can be ordered and nested. You can create

major releases and minor revisions of compound documents as well as links that point

directly to a particular release or revision.

Network Drives Network drives are drives that are located on a corporate server. Each network drive

can be configured to give access only to users that require it. Each folder and subfolder

can be configured for secure access. At Canoil, there are nine shared network drive

and eight individual network drives that the payroll team uses.

A shared network drive, for the purpose of this study is one that is shared between

payroll team members. An individual network drive is a personal drive used by a single

user. Network drives are backed up nightly and each nightly backup is kept for one

year.

A network drive consists of primary folders, subfolders and individual files. The primary

folder is the first folder the user looks at when they open the network drive. Subfolders


are the folders stored within the primary folder. Subfolders can be layered with as many

layers as the user chooses. The purpose of layering is to better define the information

stored within the primary folder. Excessive layering can result in confusion and an

inability to find the file.

It is estimated that the world’s electronic information is doubling every two years. The

majority of the volume is unstructured information such as spreadsheets, word

documents, email and image formats like PDF and jpegs (Richardson, 2013). Network

drives are the most common method to store documents in a payroll department.

The absence of organizational guidance and controls regarding network drives results in

“digital dust” (Richardson, 2013). Hard drives become graveyards that impede risk

management efforts, corporate decision making, e-discovery and operational efficiency.

Organizations are at risk of financial loss due to penalties resulting from not being able

to produce required documents in an audit; financial loss due to significant productivity

loss; and potential inability to perform work functions if a replacement position cannot

find the procedures or documents required to perform the job when someone is away.

At Canoil, if the person covering for the payroll processing analyst was unable to

process payroll because they couldn’t find the procedure documents, this could result in

14,000 employees not being paid on time or accurately.

Security settings can be configured to grant or deny access to drives, primary folders,

sub folders or individual files to prevent employees from accessing data they shouldn’t

see or even prevent users from creating primary or secondary folders. It should be

noted that if an employee has authorization to create a folder, they have authorization to

name it whatever they choose.

Network drives have limited ability to detect duplication unless a file is being saved with

the exact same name in the same location. Ineffective file naming and storing practices

can lead to duplication.

Versioning can only be managed by naming techniques on a network drive. A common

practice for manually versioning a file is to include a date or version indicator such as

“V2” at the end of the file name. Manual versioning doesn’t delete the old file. If there

are no guidelines or practices in place to eventually delete the old file, a user can have

multiple copies of the same file, which takes up unnecessary space on a server.

Network drives do not have automated retention management capabilities. Payroll

departments have legislated obligations to retain specified records for a period of time

as defined by the legislation. ERP systems hold structured content, such as pay

statement history, T4 history (unless manual amendments have been done outside of

the system) and records of the time entry that was paid to the employee. The rest of


the data is stored on network drives or RIM systems. There is considerable variety as

to the type of information that requires retention as well as the retention periods for each

legislative source. It is important to have the information readily available and

accessible to minimize the amount of time required spent recovering them.

Naming Conventions Naming conventions are guidelines for how to name folders and files in such a way that

you can easily access a file and prevent misplacement of files. The existence of

naming conventions predates the modern computer as effective systems were used in

the paper office. Before the computer age, a busy payroll department with large

volumes of paper flowing through, had effective paper file naming conventions in place

to ensure documents could be located quickly.

The value of a name lies in its simplicity and its descriptiveness (Loshin, 2004). As the

quantity of new data increases dramatically, it has become even more important to

ensure naming is effective and consistent.

The article “Digital Dusting: Spring Cleaning for network drives” provides tips for

effective folder and file naming (Richardson, 2013).

1. There should be consensus among employees as to effective naming practices.

The employees who are creating and saving the files are the ones that will have

the impact on how successful the naming system is. When employees have buy

in to the process, they are more likely to follow it.

2. Folder names should not be cryptic, include acronyms or be only recognizable to

specific department employees. They should be recognizable by employees

outside of the department. In some cases, it may be prudent to include the

retention period of the files within the folder in the name.

3. Name files logically, in a natural alphabetical order.

4. Perform a Litmus test to ensure that any employee in the company can read the

file name and understand the content without opening it.

5. Consistent prefixes may be appropriate such as; date file created, employee last

name, or vendor company name

Richardson recommends having one or two employees responsible for creating and

naming folders on a network drive as well as archiving and destruction. Implement an

annual review process to delete files that are no longer needed and archive those that

are required, but not current. An annual cleanup is a good time to restructure and

rename folders and files if needed. (Richardson, 2013)

Files should be named intelligently, systematically and logically from the start, to

position your business for success (Duffy, 2011). Tackling the backlog of misnamed

files is onerous. Typically a business will implement a naming convention and start

fresh, going forward, but not bother to clean up existing files.


For effective naming, think about how your business operates. Payroll departments

have cyclical activities. The cycles in Canoil’s payroll department include biweekly

payroll processing, monthly accounting and stock compensation processing and annual

yearend processing. The work is divided largely by job responsibilities of each

individual and secondly by cycles.

As with folders, file names should be unique. Creating unique file names prevents the

likelihood of overwriting a different file with the same name. It also makes it easier to

identify the file. Names should indicate what the file contains. It should be clear

enough that the user doesn’t have to open the file to know what it contains.

Files should be named in a natural alphabetical order since sorting by last date modified

is not a certain method to putting files in chronological order on a network drive. The

modified date is not the date the file was created, but the last date someone modified at

it. Including a numerical date at the front of every file will result in your files always

being in order from created date.

Be consistent with the practices and over time, the rewards will pay off (Duffy, 2011).

Privacy & Security Privacy and security go hand in hand. Privacy concerns have risen over the past

number of years in direct proportion to the increase in electronic data. A variety of

organizations store private information electronically to facilitate such consumer

demanded activities like online purchasing, social media, email and direct input into

various websites. There is a general lack of awareness of the security concerns with

trading data electronically.

Identity theft is one of the primary privacy concerns. Once your identity is stolen, the

thief may obtain access to your assets. Thieves have been known to steal hundreds of

thousands of dollars by fraudulent use of bank accounts, selling an owner’s home,

ruining credit and engaging in criminal activities all under the guise of the former owner.

Identity theft is a real modern concern.

Organizations that collect and store private information about employees have a duty to

protect that data (Turban & Volonino, 2011). Privacy laws include provincial laws such

as Alberta’s Personal Information Protection Act (PIPA) or Canada’s federal Personal

Information Protection and Electronic Documents Act (PIPEDA). These laws are

representative of privacy legislation in Canada.

Payroll departments handle very private employee information such as name, address,

social insurance number, birthdate, bank account information and salary information.

The social insurance number is one of the most crucial personal identifiers that can


easily lead to identity theft if placed in the wrong hands. Payroll departments must use

caution when storing or transmitting any employee personal information.

Email is a common method for transmitting data. Email has never been considered a

secure method of transmission, unless it is sent within a company firewall. There is a

lack of awareness as to the dangers of transmitting private data through email. Once

unencrypted data leaves the corporate firewall, it is a prime target for hackers.

In her article titled “Are You Protecting Your Employee’s Data”, LuAnn Bean talks about

how over the past few years data privacy failures have become commonplace,

domestically and globally (Bean, 2012). These failures have harmed employees and

damaged the reputation of companies. More than 50 of the reported data breaches in

the past year have been attributed to computer hacking. Hacking accounted for the

largest number of compromised personal records in the last 12 months, involving an

estimated 43 million Americans (Privacy Matters, 2014).

Ceridian Corporation is a third party provider of payroll services and consequently

stores large amounts of personal data. In 2011, a legal case decided that Ceridian

failed to employ reasonable and appropriate security measures to protect the data,

according to federal law. Personal information was stored non-encrypted and

indefinitely on their systems without a business need, greatly increasing the risk to the

employee.

Security on Ceridian’s systems was lax and their systems were hacked in 2009, leading

to the compromise of 28,000 employees’ social security numbers and direct deposit

information. Not only did the Federal Trade Commission require Ceridian to implement

comprehensive information security programs, but they are required to obtain

independent, third-party audits every other year for the next 20 years. This is a

significant cost to the organization (Bean, 2012).

Bean performed an analysis of employee private data breaches based on statistics from

the HR National Database Case Listings at HR Privacy Solutions since 2010. Bean’s

analysis identifies some interesting trends, see Appendix C. 21.2% of cases were a

result of stolen computers or laptops. The second most common reason was hacking

into the companies systems or databases, followed by breaches resulting from

breakdowns in security of a third-party service provider (Bean, 2012).

Companies are faced with handling greater volumes of sensitive information

electronically, so regulatory agencies have increased their focus on data privacy

failures. Hackers have become more organized and have found better ways to invade

personal privacy since it seems to be surfacing through evolving malware, filing sharing,

and spyware as well as malicious hacking attacks.


Document Retention Document retention legislation for payroll is primarily governed by Canada Revenue

Agency (CRA), Service Canada, provincial and federal employment standards and

international governing bodies. Organizations are expected to keep specific records on

hand to produce when required. Failure to produce the records can lead to financial

punishments such as penalties and interest or administrative punishments such as

being forced to recreate the records or produce new ones. There is also potential for

imprisonment of executives in extreme cases.

Everyone in the department should know which documents must be retained and the

retention schedule (Maurer, 2013). See Appendix A for a Canadian payroll records

retention schedule.

Change Management Change management is “the management of change and development within a

business or similar organization” (Oxford Dictionary, 2014). It involves recognizing the

impact of the change on people and putting the processes, systems and communication

in place to minimize the impact. If the change is not adopted by the people, it has no

value.

The primary steps to approaching change management are:

(Hanson, 2010)

Assessment

•Understand employee readiness for change.

Preparation

• Set the groundwork for the change processing.

Execution

• Implement and monitor change and organizational development

Sustain

• Sustain and institutionalize


A company can have the best document storage technology or guidelines in place, but if

employees don’t know how to use the technology or aren’t prepared to adapt to the

guidelines, it can be a failure. Any change involving the way electronic data is managed

should involve consideration of the impacts on people.

In the absence of specific guidelines, employees have developed personal habits for

electronic data management including personal naming conventions, versioning, file

creation and saving, folder layering, retention and security practices. Rules for

managing electronic data are not commonly in place in an office, so there may be some

resistance and lack of understanding as to why they are being implemented now.

From a change management perspective, employees are more likely to adapt to a

change if they participate or have input into developing the solution. Implementing new

guidelines, especially one that so intensely affects the daily activities of employees,

should involve input from the employees who will be expected to follow them.


CHAPTER V STATEMENT OF RESULTS

Electronic data management is a huge and growing issue, not just for payroll

departments, but all organizational departments. Organizations are behind in keeping

up with the dramatic increase in technology. Payroll departments are busy

administrative departments that have specialized requirements due to privacy and

retention legislation.

Employees have long been in the habit of developing their own systems for naming and

storing electronic documents. Implementing new guidelines will involve a change in

habits for employees. Employees are more committed and engaged when they feel in

control of their work habits. Special consideration should be given to ensure that

employee influence is taken into consideration in the implementation of guidelines.

One of the surprising findings in the research is that document management systems

are not a comprehensive solution. They do in fact reduce risk, but are too cumbersome

to be used for all file storage. Any organization that forces employees to use these

systems for data management is taking a big hit on productivity. However, these

systems offer such detailed functionality that they are great for storage of high risk

documents. High risk documents represent about 9% of all documents in a payroll

department, so it is feasible to utilize RIM systems for these documents.

One of the primary findings is that there is no “one size fits all” approach to developing

guidelines. This has probably been one of the reasons for a delayed approach to

getting on top of this administrative issue. A corporation can’t simply implement

corporate-wide guidelines that can be used for every department. Each individual

department needs to think about the way work is performed in their department and

modify the guidelines for effective use.

A key step in determining how to structure folders in a network drive is how the

department performs work activities. All payroll departments perform work activities in

cycles, but some may find it more appropriate to segregate information based first on

the job description and second on work cycles. Defining how work activities are

performed lends to the development of effective naming conventions.

Naming conventions, file storage techniques, privacy and record retention

considerations, annual cleanup procedures and change management are all critical

components of effective records management guidelines in a payroll department.


CHAPTER VI ANALYSIS

Assumptions Canoil’s OpenText document management system has been reviewed for the purpose

of this analysis. It is assumed that this document management system is representative

of the functionality and service offerings of all document management systems.

The title of a primary folder indicates the type of records that it contains. All records in

the folder are expected to hold content as indicated by the title of the primary folder.

If the title of a primary folder is the same or similar to the title of another primary folder in

any drive, all files are deemed to be duplicate.

Limitations The author was unable to find research or articles on best practices for records

management specifically for a payroll or administrative department, so the information

found has been combed for relevance to a payroll department.

Canoil Network Drive Analysis The data analysis was performed on the network drives of Canoil’s payroll department.

The files and folders in all payroll team members’ personal drives, RIM system, and

payroll department “owned” network drives as well as any drives where payroll folders

and files are located. A summary of the analysis on these drives can be found in

Appendix B.

Due to the extensive quantity of files and folders, the analysis has been performed on

the primary folders, with assumptions about the type of content based on the title of the

folder. The exact number of files and subfolders is known as this is indicated in the

properties menu of the primary folder. Individual files and subfolders are not analyzed

in detail.

Shared network or RIM drives or folders are shared amongst payroll team members and

in some cases, other teams. Individual drives are accessible only to the owner of the

drive. The owner of each individual drive provided details as to the names of primary

folders and number of sub-folders and files.

For shared network drives that are “owned” by another team, only the folders that are

used by payroll have been examined for the purpose of this analysis. All files and

folders on drives that are “owned” by payroll have been analyzed.


All records have been categorized into the following types and subtypes:

FILE CATEGORIES

Retention

Critical 3% Files have legal retention requirements and are not to be destroyed before an identified date. These files are integral to business continuity and considered high risk.

Current 82% Files that are in current or recent use. Current files can also be duplicate files. There are no legislated retention requirements.

Archival 8% Files that are useful to be kept for a period of time, but not in current use. There are no legal retention requirements.

Destructible 7% File is no longer of use or past archive or destruction dates.

Accessibility

Internal 69% Files that must be accessible by all members of the payroll department team.

External 13% Files that must be accessible by all members of the payroll team as well as selected users from other departments.

Personal 18% Files that are used exclusively by a specific team member and not required by any other internal or external team members.

Other

Procedure 6% Files that are procedure related including procedure or process instructions, process flow maps, cheat sheets, forms or other like documents. These files are integral to the continuity of business operations and consequently high risk.

Duplicate 56% Files that are very similar or the same. They have likely been created as a result of inability to find the original document. Duplicate files can fall under any of the retention categories.

There are more than 550,000 files that are stored in 522 primary folders and over

27,200 sub-folders. These files and folders are located in sixteen network drives and

the RIM system. The payroll department consists of eight people, which means an

average of 70,000 files per person. 70,000 files is an astronomical number of files for

one person to manage.

Over ½ million files for one department is a significant amount of data being stored on

the company servers. 98% of these files are stored on shared drives verses individual

drives. This is a good percentage allocation since individual drives can’t be accessed

by other team members, and consequently should be limited to data the rest of the team

doesn’t need. Following this logic, it is expected that leaders and/or team members on

special projects may have a higher percentage of files stored on individual drives.

The percentage of total folders verses files is used as a baseline for an appropriate

average file to folder ratio. Therefore, for every twenty files, no more than one folder

should be created. Excessive folders can lead to confusion and inability to find the file.


Only 1% of folders created are excessive on shared drives. However, 50% of folders

created on individual drives are excessive.

2% of folders are primary folders. The other 98% are subfolders. This indicates a

significant amount of folder layering, which can add to confusion when finding files. It

was observed that a user is less likely to find a file where it is layered more than three

folders deep.

Duplicate, archival and destructible files make up 71% of files. The files are adding to

the clutter in a network drive and compounding the problem of productivity loss.

Critical and procedure files represent a high risk to the business. Procedure documents

are required to help ensure business continuity when users are unsure how to perform

complex steps or if there is a requirement to cover another person’s position. If

procedure documents can’t be found, there is a greater likelihood of mistakes.

Critical files are those that have legislated retention obligations. It was observed that

most employees in the payroll department have an incomplete understanding of what

documents have retention requirements. No special care was given to critical

documents and no system exists for ensuring they are retrievable by any team member.

Naming Conventions File naming is critical to ensure a document can be found at a later date, retained for the

right amount of time, treated as private when appropriate and stored in the right

location. The value in a name lies in its consistency and simplicity (Duffy, 2011).

Naming conventions should be easily understood to be adopted. The user should be

able to view the name of the file and know what the contents are without opening it.

Names should not be cryptic, include acronyms and must be easily understood by all

users, including those outside the department. File names should be intelligent,

systematic and logical from the start (Duffy, 2011). They should be in line with how

payroll thinks about information. A few seconds spent creating the right file name will

go a long ways in the future.

Payroll departments have very cyclical work and often have team members that have

individualized roles independent of their coworkers. When the primary folder indicates

how work activities are segregated, it makes it easier for co-workers to find records.

External network drives are used by external team members to store documents that

are required by payroll team members. When external drives are used to store

information that is created or owned and used by payroll team members, it adds to

confusion over where to find the documents.


Each individual has a personal drive to store information. These drives are accessible

only by the individual and not accessible to team members. If shared information is

stored on individual drives, it increases risk to the organization in the event that the

person leaves the role. Senior team members store the greatest amount of shared

documents, including critical and procedure documents on personal drives.

If a work activity is a shared activity, such as the biweekly payroll processing activity, it

is easier to find documents when they are stored under an appropriately labelled shared

folder name, rather than specific job titles.

Records Management Systems Records management systems (RIM) work similar to a network drive, but with more

robust functionality. Paperless offices can be at significant risk if there is a catastrophic

server crash or hard drive failure, which can lead to the loss of hundreds of thousands

of documents in payroll alone. Organizations have a responsibility to shareholders to

mitigate this risk.

This chart is a comparison of the functionality of a network drive compared to RIM

system.

Functionality Network Drive RIM

Organizing and Sharing documents Yes Yes

Metadata No Yes

Taxonomy No Yes

Rate and critique documents No Yes

Automate change requests, review and approval

Partial Yes

Email documents to and from No Yes

Permissions Yes Yes

Audit document events Partial Yes

Simple or advanced search Partial Yes

Control and manage versions No Yes

Document usage reports No Yes

Compound documents No Yes

Performance Yes No

Practical use of RIM system functionality in a payroll office was observed. One critical

observation is that it takes significantly longer to open, modify, save and retrieve

documents using RIM systems compared to a network drive. This is a significant

deterrent to using a RIM system compared to the very quick and efficient network drive.

While RIM systems offer considerable functionality, it was observed that none of the

users in the payroll department know how to use more than the basic functionality.


Better training is required to ensure users of RIM systems know how to use the

functionality adequately for the documents that are stored.

All documents that are stored on a RIM system have the potential for reducing risk by

controlling and tracking use. A SWOT analysis, developed by Michael Porter, is used to

determine the strengths, weaknesses, opportunities and threats of utilizing RIM for all

electronic records.

If a RIM is not used effectively, data can be difficult to find. RIM has better search

capabilities than a network drive, but unstructured storage can lead to time waste.

The RIM can be an effective risk management tool, by isolating the use to critical

documents. These documents can be any document with a retention requirement as

well as procedure documents. Limiting the use will encourage more likely adoption by

users, provide better visibility to management, and reduce corporate risk. Structured

storage procedures will further improve the opportunity.

The explosive quantity of data which is being generated from an ever increasing

number of sources, such as, blogs, tweets, instant messages, and social media,

presents a significant threat to the success of a RIM.

The greatest advantage of using a RIM system for document storage is to reduce risk to

the organization. Therefore, those documents that present the greatest risk will benefit

most from being stored on a RIM system.

THREATS

Explosive data quantity Lack of capacity for all data

OPPORTUNITIES

Critical document/Risk based use Training to users

WEAKNESSES

Slow, cumbersome Ineffective use/lack of knowledge

STRENGTHS

Reduce Risk Clear Audit Trail


Network Drives Network drives do not have as robust functionality as RIM systems, but they are easy to

use and offer a high degree of individual control over use, making them an important

business tool.

The high degree of individual control, without guidance and support can lead to

confusion and inefficient use of the technology. When individuals are left without

guidance to use their own methods of managing data, the result is multiple systems for

records management that are inconsistent with fellow users of the same data.

There is no visibility among team members as to which users have access to network

drives. Having no visibility can increase reluctance to store confidential documents on

shared drives and consequently increase the use of individual drives for documents that

should be shared.

Privacy & Security Payroll departments handle private data including social insurance numbers, addresses,

banking information and salary details. Organizations have an obligation to protect

employee’s private information.

Corporations generally have a strong firewall in place to protect the company servers

from unauthorized web access. It isn’t guaranteed that unauthorized users will not get

in, but it significantly reduces the chances. Emails that are sent to and from a company

email address stay within the firewall and are more protected than those that are sent to

a non-company email address.

Email sent outside of the corporate firewall are sent over the open web, with no

protection and are more susceptible to unauthorized viewing. Cyber thieves use

malicious software to easily find information that is sent over the open web. Companies

that don’t protect employee’s private information and send it over the internet, outside of

the protection of the firewall, are putting their employees at greater risk of identity theft

or other malicious attacks. It is extremely important for payroll departments to be very

conscious of what constitutes private information and what safe transmission methods

are.

Hardly a week goes by where there isn’t word of a major privacy breach. An analysis of

the reasons for privacy data breaches resulted in a number of trends:

1. Failure to implement corporate information security programs, including physical

security measures.

2. Failure to train employees regarding the proper procedures when handling or

disposing of sensitive data


3. Failure to ensure that third-party service providers use comprehensive

information security compliance procedures and programs

Payroll department employees have a good understanding of what information is

considered private, but there is not enough emphasis and direction from the company

as to how that information should or should not be transmitted, particularly when it

comes to email transmission. It has been observed that the average email user in a

payroll department has little idea of the risks of sending private information by email.

This results in private data being sent unsecured over email outside of the corporate

firewall, greatly increasing the risk to the employee.

Files that contain private information should be easy to identify so any user will

immediately know that special handling requirements apply.

Internal team members often interact with third party providers as part of their job.

These team members require training and understanding to ensure acceptable

transmission standards are followed. If team members enforce the acceptable

standards, third party providers must comply and will follow the lead.

Document Retention Employers have an obligation to retain certain documents for specified periods of time.

This responsibility stems from legislation from several government bodies. Canadian

employers are responsible to adhere primarily to provincial employment standards,

Canada Revenue Agency and Service Canada.

Not having easy access to documents that are required in the face of an audit can lead

to severe financial consequences. Employees who are responsible for creating,

modifying and deleting files that have retention requirements must know which records

have these legal obligations.

It is observed that users don’t clearly understand which documents have retention

requirements and which don’t. If users don’t understand the retention requirements, it is

unlikely they are going to save them to the appropriate spots where they can be

protected and produced in an audit. It also increases the likelihood they will be

accidentally destroyed prematurely.

Documents with retention requirements are critical to the organization and represent a

greater risk. Any employee in the payroll department should know where to find these

documents. The documents require protection to ensure they aren’t accidentally

deleted or moved to an inaccessible or unknown location.

Electronic records require period cleanup just the same as paper records. If they aren’t

cleaned up, over time this results in clutter and disorganization. The rate of increase in


the number of documents compounds the problem to staggering proportions. Effective,

regular cleanup efforts will result in fewer documents to be managed by each individual,

making it easier to find those documents.

Employee Influence Records management is both a technological issue and people issue. Individual

employees are primarily responsible for records management. Research shows that

employees perform better and are happier when they have more control over their work

activities. This need for independent control must be balanced with the organizations

need to manage risk.

Gaining an employee’s buy-in to the process will increase their desire and commitment

to adapt to a new process. Employee’s buy-in is gained by giving them input into the

decisions about the process.

The level of control offered to employees over the records management process should

be in direct proportion to the risk the specific record has to the organization. Records

that are deemed high risk (critical and procedure) should be more tightly controlled.

Other records should be more discretionary.

High risk documents in a payroll department include critical and procedural documents

and make up an estimated 9% of all records. Critical documents are high risk because

they are documents that have legal retention requirements.

Procedural documents are high risk because they are the records that explain how to

perform work activities and are key to ensuring continuity during staff transition, illness

or absences. Department managers need high visibility to where the records are

located.

Document Risk Assessment A risk impact assessment is performed on each document type to determine tightly

controlled the management of the document should be.

Impact

LOW: No risk to the company

MED: Some risk to the company

HIGH: Increased risk to the company

Likelihood:

LOW: Little chance files will be misplaced or deleted

MED: Potential for misplacement or deletion of files

HIGH: Likely that files could be misplaced or deleted


RISK ASSESSMENT

HIGH IM

PA

CT

Procedure 6%

Critical 3%

MED Current 82%

Archival 8%

LOW Duplicate 56% Destructible 7%

LIKELIHOOD

LOW MED HIGH

Critical and procedure files are the highest risk to the organization. These files make up

9% of the total files. These files should be more tightly controlled to mitigate the risk to

the organization.

Change Management Implementing new records management guidelines will be just as much a people

change as a technology change. Employees are in the habit of creating and using their

own methods for records management. Records management is not an area where

that has been any effort to control, so this will be a new area. It is important for

organizations to recognize this change to employees.

Change management is about ensuring that people adopt the change. If the change is

not adopted, it has no value. Employees are more likely to adopt a change if they

understand the reasons for the change and participate or have input into the solution.

The primary steps to approaching change management are:

1. Assessment: Assessing the readiness for change involves education about the

problem. Explain and ensure understanding of the scope of the issue. Allow

employees to participate in the development of the solution.

2. Preparation: Prepare employees for the change by planning for the

implementation. Communicate, train, ensure they are understand what is going

to happen and when.

3. Execution: Implement the change, monitor the adoption, train users

4. Sustainment: Implement regular governance processes to ensure the change

has worked and it has been adopted.

(Hanson, 2010)


The guidelines for records management must be easy to understand and employees

must have enough training to ensure adoption. Employees should be allowed an

opportunity to input wherever possible to gain as much buy-in to the change as

possible.

High risk documents require tighter controls to mitigate potential risks for the

organization. Control in data management is exerted by restricting the freedom for

naming files, restricting access to files, and restricting ability to create files.

While it is recommended that one person is responsible for the creation of all folders on

a network drive, the research shows that this may be too restrictive for employees and

exercise unnecessary control. It is more important that risky documents are controlled

and employees are left to use good judgement on documents that represent less risk to

the organization.


CHAPTER VII RECOMMENDATIONS

Electronic records management guidelines should be developed for the payroll

department to ensure all users understand the expectations for managing corporate

data and apply consistent and standardized principals that are understood by team

members.

Records management should be addressed in smaller segments, breaking off and

creating separate guidelines for general categories of records management such as:

network drives, social media, and email.

Guidelines should address the following aspects of electronic records management in a

payroll department:

1. Records to be stored on RIM verses a network drive

2. Folder and file naming and storage techniques

3. Privacy and security

4. Cleanup procedures

5. Change management and sustainment

Implementing effective electronic records management guidelines is highly dependent

on having a good understanding of the work activities in the department. Before

engaging in a project to define guidelines, there should be a clear definition of roles and

responsibilities.

High risk documents include procedure documents and those with legislated retention

requirements. These documents should be stored on a records management system,

rather than network drives to minimize the risk to the organization.

Assign the responsibility for stewarding effective records management to a single

person. This person is the “go to” person for other team members. They ensure all

users are trained on the guidelines, oversee cleanup procedures and control the

management of high risk documents.

A sustainment process, which includes annual cleanup of records should be

implemented to ensure data management stays under control. Cleanup is not a one-

time activity, it must be an ongoing part of business operations. New employee

orientation to the guidelines is part of the ongoing sustainment.

Individuals are free to store documents as they wish on their personal network drives

since these have no impact on other users. However, they must follow the guidelines

for all documents that are shared or accessible by other team members. These

documents are corporate documents, not personal documents.


Senior team members require special instruction about the propensity for storing shared

information on personal drives and the risk this brings to the organization.

Files that contain personal information must be appropriately named to distinguish them

from non-personal documents. This is to increase the visibility and increase the

chances that they will be transmitted securely.

Departmental employees should be given the opportunity to participate in the

development of an effective naming convention and primary folder structure. Giving the

opportunity for input to these critical naming techniques not only increases the buy-in

from employees, but also results in a more effective product since users are likely to

offer important input into the process.

All users are to have a copy of the records retention schedule and be trained to

recognize the specific documents related to their jobs that require retention.

Implement an exit process for leaving employees requiring them to transfer all

information from their personal drives to a network drive folder.

File names should be naturally alphabetical. They should contain a maximum number

of separate fields that identify crucial aspects of the file. Team members should provide

input into what the fields are and what specific order they go into. Some common field

types might be:

1. Pay period number

2. Payroll area

3. File name

4. File creation date

5. Privacy indicator

6. Version

Eg: PP3_S2_WAGETYPE AUDIT_20140218_PRIVATE_V01

It isn’t important that all files contain all fields, only that they contain them in the same

order. There should be a standard method to separate fields such as an underscore.

To make it easier to optically find files, all users should follow the same capitalization

techniques. Include an indicator if the document is private to trigger the user to use

special handling techniques when transmitting or storing the data.

Start fresh with new naming conventions, don’t attempt to go back and fix all historical

file names.

Primary folders should be named according to how the work activities are divided. At

Canoil, they are divided by job responsibilities and cycles. Therefore, there should be a


primary folder for each job description as well as each of the cycles for shared work

activities.

In addition, there should be two primary folders set up to hold archival documents and

destructible documents. These folders are temporary holding folders pending annual or

periodic cleanup.

Canadian Payroll Analyst

US Payroll Analyst

International Payroll Analyst

Stock Compensation Analyst

Payroll Accountant

Payroll Specialist

Payroll Manager

US Payroll Advisor

Biweekly

Yearend

Monthly

Quarterly

Archive

Destruction

Guidelines for sub-folders and layering should include suggestions to avoid confusion.

No more than one folder is to be created for less than twenty files. No more than three

layers of folders should be created.

Only the following records should be stored on external network drives:

1. Records created by other departments and used by payroll

2. Records created by payroll, but not used by payroll team members

If a record is created by payroll and used by payroll team members and external team

members, a separate folder should be set up on the payroll drive to store the records

and access should be provided to the external team member who require it.

Data stored on individual drives should never contain shared information. If the

information is shared, but confidential to a few sources, restrictions should be placed on

the appropriate shared folder rather than creating shared information on personal

drives.

Create a retention schedule that clearly identifies the types of documents handled by

the department and the corresponding retention requirements – see Appendix A.

Ensure all employees have easy access to the document. Provide training to each


employee upon hire and at annual intervals to ensure they know what the retention

requirements are.

All documents with retention requirements present a risk to the organization and

consequently must be stored on the RIM system.

Files containing private information must be appropriately identified by an agreed upon

indicator included in the file name. Private documents are to be sent encrypted to

external email addresses. It is also recommended to send encrypted documents

internally to reduce the risk of sending to the wrong user.

Ensure private information is not stored on drives where unauthorized users might have

access to it. Annually, verify the access to all payroll owned network drives is still

accurate.

Privacy methods of third-party providers should be scrutinized to ensure they follow

acceptable practices and all department team members should have some guidelines

for what is expected.

Cleanup efforts should focus on ensuring that the guidelines set in place are being

followed and that files and folders are being named appropriately. Verify there is no

excessive folder layering and duplicate records aren’t being produced. Verify that high

risk documents are being stored in the appropriate locations and archiving and retention

schedules are being met.

Move archival files to archive folders and destroy outdated files or files that are no

longer useful. Effective cleanup procedures will result in fewer documents for

employees to manage.

Ensure the correct users have access to payroll data.

Educate employees as to the problem and recommendations for improvement. Gather

input into their views on the scope of the issue. Solicit input into the primary and sub

folder content as well as the fields and logic to developing effective names. Develop

new guidelines and vet it with the affected employees, gathering their input to ensure it

is comprehensive. Train employees on the new guidelines, giving opportunity to answer

any questions.

Have a file cleanup day and celebration, gathering their help in cleaning up the existing

records. Ensure this is at a non-critical time where all employees can participate and

there is no chance of making a mistake.


ELECTRONIC DATA MANAGEMENT GUIDELINES – Payroll Network Drives

Purpose

The purpose of these guidelines is to provide direction to payroll department employees on how to

effectively manage Canoil’s electronic documents that are stored on network drives and OpenText. All

documents that should be shared among team members fall under these guidelines.

Documents that are personal and not relevant to any other team member or external party should be saved

on personal drives and do not fall under these guidelines.

Definitions

Archival: documents that must be retained for a period of time.

Destructible: documents that can be destroyed

Critical: documents with a legislated destruction requirement

Procedural: process or procedure documents, process flow maps, cheat sheets.

Folder Structure

The primary folders are labeled according to how the work is divided in the department. Primary folders are

labeled using the following four criteria:

1. Job title: Each person in the payroll department holds a unique job, so most of the work and

documents can be segregated by job title. Eg: Canadian payroll analyst, stock compensation

analyst.

2. Cyclical, shared job function: The activities in the payroll department that are shared among team

members are cyclical. Eg: Yearend, Biweekly, Monthly

3. Archival

4. Destructible

Documents that are shared work activities should be saved on the cyclical drives. Documents that are only

related to one person’s role and don’t combine to form part of a whole procedure, should be saved under

the job title of the person.

Secondary folders are named descriptively. Make sure the title is in natural alphabetical order. Choose the

most relevant folder title according to the content, so the user can easily understand the content in the

folder. Folder and file naming is the most important aspect to ensuring a user can quickly find a document.

Excessive folder layering causes confusion to users and should be limited. Where ever possible, a user

should have to go through no more than three layers to find the file. New folders should not be created for

less than twenty files.

File Naming

Files are to be named as descriptive and simple as possible. There are up to six fields required for a file.

Not all fields are required for each file, but they must always follow the same sequence. All fields must be


separated with an underscore. All names should be in all capital letters for consistency. The fields and

sequence are:

1. Pay Period #

2. Payroll Area

3. File Name (be descriptive, but keep to no more than three words)

4. File creation date: always use YYYYMMDD, all numerical

5. Privacy Indicator: this field indicates the content includes private information and should only be

transmitted using a secure method such as encryption

6. Version: Use the format V01

Eg: PP3_S2_WAGETYPE AUDIT_20140218_PRIVATE_V01

It isn’t necessary to use all of the above fields, but use any that are relevant and always follow the same

order and naming logic. This naming logic will always keep the files in natural alphabetical order according

to the most important alphabetical indicator.

Archive & Destruction

The primary archival and destructible folders are special folders that are “holding” spots. At least once per

year, documents that are archival or destructible should be moved into these folders. The subfolders

immediately under the primary folder should always be labelled by the destruction year. Eg:

ARCHIVE 20151231

ARCHIVE 20201231

Always use December 31 of the year of destruction. Once an archive folder has reached the destruction

date, move it into a destruction folder. Do not destroy any documents without corporate permission as

there are sometimes “do not destroy” orders in effect.

Move any garbage or unnecessary documents into a destruction folder on an as needed basis. This is a

holding spot before destruction in case there was a mistake and you need them.

Critical and Procedure Documents

All critical and procedure documents are to be stored on OpenText document management system. The

folder names are defined and controlled by one or two internal persons to ensure consistency in naming

conventions and document storage of this high risk document set.

No critical or procedure documents are to be stored on personal or shared network drives.

Network Drives

Documents that are “owned” by the payroll department are to be stored on the Common payroll drive.

Documents that are “owned” or created by another department, but used by payroll are to be stored on the

other departments network drive with permission to the payroll team.

Only documents that are not required by any other team member, including the person who covers your

position are to be stored on personal network drives.


Retention

Documents that have a legislated retention requirement are indicated on the attached retention schedule.

The retention requirements are also indicated. These documents are critical documents and must be

stored on OpenText. They can be created on a network drive, but must be moved at minimum on a

monthly basis to OpenText.

Privacy

All documents that contain private information, including employee names, social insurance numbers, pay

details, etc., must be clearly labeled by including the word “PRIVATE” in the file name. Private documents

must be encrypted or securely transmitted if they are sent to any other party.

If private documents are transmitted to other users through email or other source, they must be encrypted

or sent through a secure transmission means. Encryption is available in word document, excel documents

and adobe files. If the document is being sent to an internal email address, encryption isn’t necessary, but

is recommended as a safer way to transmit the document in case the file is sent to the wrong user. Always

send the encryption password in a separate email.

Annual Cleanup

Each year, departmental employees will be asked to cleanup all documents according to the cleanup

procedure document. Cleanup will encompass:

1. Moving all archival documents to the archive folder in the correct year

2. Moving all destructible documents to the destruction folder

3. Ensuring all critical and procedure documents have been moved to OpenText

4. Cleanup folder layering and naming to ensure they follow guidelines

Electronic Data Management Stewardship

One person is assigned as the steward for electronic data management in the department. If there are any

questions about how to effectively manage documents, these should be directed to the identified steward.


CHAPTER VIII CONCLUSION

Electronic data management is a very important business issue. The lost productivity

attributed to searching for misplaced documents at 20%, is a crucial indicator that this

area requires attention. Combine that with the fact that the problem is growing

exponentially year by year and it’s easy to see that businesses can’t afford to ignore it

any longer.

Payroll departments are particularly vulnerable to the impacts of lost documents due to

the implications on timely and accurate payment to employees and inability to produce

documents when legislative authorities require them.

This research resulted in the following management recommendations:

1. Implement guidelines for electronic records management including collaboration

with the team on developing an appropriate, consistent file naming convention to

be used for the naming of all files.

2. Elect one person as a steward for overseeing the records management process

to ensure guidelines are met, archive and destruction procedures are followed

and employees have a resource to turn to for questions.

3. Implement a sustainment procedure that includes an annual cleanup of network

drives to ensure the situation doesn’t get out of control again in the future

4. Add a review of the electronic data management guidelines to the orientation of

any new or temporary employee.

5. Ensure that all high risk documents including critical and procedure documents

are managed effectively and stored in the document management system, with

the ability to delete documents or create new folder structures available only to

one or two trained and competent people

The biggest current issue is that employees are given no direction, leaving them to their

own individual practices. With no consistent method shared amongst team members,

and each person using their own techniques, the logic and methods used are not

shared and understood by all.

Electronic records management seems like an unmanageable issue due to the volumes

and the lack of control that an employer really has over the practices of each employee.

Employers don’t want to burden employees by ineffective regulations, but they also are

in a position of risk by not doing anything. This problem is managed well by

implementing guidelines, which don’t force control, but do offer effective techniques and

most importantly give an understanding to the employee of what the employer wants.

Above all, this research shows that the problem can be greatly mitigated quite easily by

implementing effective electronic records management guidelines. Employees are


looking for direction, not dictation, but direction. With direction, cooperation and

information, electronic records management guidelines can mitigate the risk of

productivity and financial loss significantly to the employer.


REFERENCES

Amy B. Royal, E. (2013). Data, Data Everywhere. Business West, 43-57.

Athabasca University. (2011, January). HRMT-502 Study Guide. Alberta, Canada: Athabasca University.

Athabasca University. (2012, October). INTS-602 Study Guide. Alberta, Canada: Athabasca.

BBC News. (2014, January 27). Israel defence computers hit by hack attack. Retrieved from BBC News:

http://www.bbc.co.uk/news/technology-25575790

Bean, L. (2012). Are you protecting your employees data? Journal of Corporate Accounting and Finance.

Canada Revenue Agency. (2014, February 1). Books and Records Retention/Destruction. Retrieved from

Canada Revenue Agency: http://www.cra-arc.gc.ca/E/pub/tp/ic78-10r5/ic78-10r5-10e.pdf

CERN. (1989). The birth of the web. Retrieved from CERN: http://home.web.cern.ch/topics/birth-web

Duffy, J. (2011, December 29). Get Organized: Great tips for Better File Names. Retrieved from

PCMag.com: http://www.pcmag.com/article2/0,2817,2385613,00.asp

Edge Systems LLC. (n.d.). Document Management Return on Investment. Edge Systems LLC.

Fisch, K. (2014, January 19). Did You Know? 3.0 (2012). Youtube. Canada:

http://www.youtube.com/watch?v=YmwwrGV_aiE .

Government of Alberta. (2014, February 1). Employment Standards Code AB. Retrieved from

Government of Alberta:

http://www.qp.alberta.ca/1266.cfm?page=E09.cfm&leg_type=Acts&isbncln=9780779725663

Government of BC. (2014, February 1). Employment Standards . Retrieved from Government of BC:

http://www.labour.gov.bc.ca/esb/igm/esa-part-3/igm-esa-s-28.htm

Government of Manitoba. (2014, February 1). The Employment Standards Code Manitoba. Retrieved

from Government of Manitoba: http://web2.gov.mb.ca/laws/statutes/ccsm/e110e.php

Government of New Brunswick. (2014, February 1). Employment Standards Act. Retrieved from

Government of New Brunswick: http://laws.gnb.ca/en/showdoc/cs/E-7.2/ga:l_iv#anchorga:l_iv

Government of Newfoundland and Labrador. (2014, February 1). Labour Relations Agency. Retrieved

from Government of Newfoundland and Labrador:

http://www.gov.nl.ca/lra/faq/ls_payrolladmin.html

Government of Nova Scotia. (2014, February 1). Labour Standards Code Nova Scotia. Retrieved from

Government of Nova Scotia:

http://nslegislature.ca/legc/statutes/labour%20standards%20code.pdf

Government of Ontario. (2014, February 1). Employment Standards Act Ontario. Retrieved from

Government of Ontario: http://web2.gov.mb.ca/laws/statutes/ccsm/e110e.php

PAYROLL GUIDE – RECORDS MANAGEMENT 44 | P a g e Government of Prince Edward Island. (2014, February 1). Employment Standards Act. Retrieved from

Government of Prince Edward Island: http://www.gov.pe.ca/law/statutes/pdf/e-06_2.pdf

Government of Saskatchewan. (2014, February 1). Labour Standards Act Saskatchewan. Retrieved from

Government of Saskatchewan:

http://www.qp.gov.sk.ca/documents/English/Statutes/Statutes/L1.pdf

Hanson, S. (2010). Change Management and Organizational Effectiveness for the HR Personnel. Cornell

HR Review. Retrieved from http://0-

ehis.ebscohost.com.aupac.lib.athabascau.ca/eds/pdfviewer/pdfviewer?sid=6f17bf7a-9942-

4c24-a4a8-d43192da329b%40sessionmgr112&vid=3&hid=109

Iron Mountain. (2012). A View Into Unified Records Management. Retrieved from Iron Mountain:

http://www.ironmountain.ca/en/~/media/948B12B7067D4A84895CF9C7BACBFDF4.pdf

LaSalle, L. (2014, January 27). Advocacy groups challenge Bell's data collection on wireless customers.

Retrieved from The Canadian Press:

http://www.calgaryherald.com/technology/Advocacy+groups+challenge+Bells+data+collection+

wireless+customers/9435541/story.html

Loshin, D. (2004). Naming Conventions and Semantic Consistency. DM Review, 30-31.

Maurer, B. (2013). Mapping the way towards records compliance. Information Management.

McCafferty, D. (2013). How Document Management Drives Workers Crazy. CIO Insight.

Merriam Webster. (2014, February 1). Taxonomy. Retrieved from Merriam-Webster:

http://www.merriam-webster.com/dictionary/taxonomy

Ngoepe, M., & Van Der Walt, T. (2010). A Framework for Records Management Programme: Lessons

from the Department of Cooperative Governance and Traditional Affairs in South Africa. Unisa

Press, 82-106.

Office of the Privacy Commissioner of Canada. (n.d.). PIPEDA Compliance Framework. Retrieved from

Office of the Privacy Commissioner of Canada: http://www.priv.gc.ca/leg_c/framework_e.asp

OpenText. (2014, January 12). Open Text Document Management. Retrieved from Open Text:

http://www.opentext.com/What-We-Do/Products/Enterprise-Content-Management/Content-

Management/OpenText-Document-Management

Oxford Dictionary. (2014, January 7). Change Management. Retrieved from Oxford Dictionary:

http://www.oxforddictionaries.com/definition/english/change-management

Privacy Matters. (2014, February 8). Computer Hacking and Identity Theft. Retrieved from Privacy

Matters: http://www.privacymatters.com/identity-theft-information/identity-theft-computer-

hacking.aspx

Richardson, B. E. (2013). Digital Dusting: Spring Cleaning for Network Drives. RIM Fundamentals.

Royal, A. B. (2013). Data, Data Everywhere. Business West, 43-57.

PAYROLL GUIDE – RECORDS MANAGEMENT 45 | P a g e Services, U. D. (2014, January 4). Department of Technology. Retrieved from State of Utah:

http://www.geomapp.net/docs/ut_ERMBusinessCase.pdf

swot analysis. (2014, February 8). Retrieved from Business Balls:

http://www.businessballs.com/swotanalysisfreetemplate.htm

Trynacit, K. (2014, January 24). Privacy breaches in Alberta health care system not new. Retrieved from

CBC News: http://www.cbc.ca/news/canada/edmonton/privacy-breaches-in-alberta-health-

care-system-not-new-1.2508476

Turban, E., & Volonino, L. (2011). Information Technology for Management, Improving Strategic and

Operational Performance. New Jersey: John Wiley & Sons, Inc.

Webster, M. (2012, September). Bridging the Information Worker Productivity Gap: New Challenges and

Opportunities for IT. Retrieved from Compucompproducts.com:

http://www.compucomproducts.com/Documents/bridging-the-information-worker-

productivity-gap.pdf

Wikipedia. (2014, January 27). Document Management Systems. Retrieved from Wikipedia:

http://en.wikipedia.org/wiki/Document_management_system

Winterberg, B. (2011). Five Misconceptions about Document Management. Journal of Financial

Planning, 38-40.


APPENDIX A – PAYROLL RECORDS RETENTION

Record BC AB SK MB ON QC NS NF PE NB CRA

Retention # Years 2 3 5 3 3 N/A 3 4 3 3 6+

Name, SIN, Date of Birth, Address X X X X

Sex X

Job Description, Position Title X X X X

Hire Date, Termination Date X X X X X X X X X

Wage Rate, Change Dates X X X X X X X

OT Rate X X X X X

Hours of Work X X X X X X X

Daily Hours X X X X X X X X

Payroll Start, End and Pay dates X X

Date of Layoff X X X

All Earnings, deductions and reason X X X X X X X

Pay Statements X X

Work Schedules, Daily start & end times X X

Vacation entitlement & dates taken X X X X X X X X X

Stat holiday entitlements & dates taken X X X X

Banked overtime and dates taken X X X X

Leave of Absence Dates & Pay X X X X

Termination Pay X X X X X X

Backup for Yearend Adjustments X

Tax slips X

(Canada Revenue Agency, 2014)

(Government of Alberta, 2014)

(Government of BC, 2014)

(Government of Manitoba, 2014)

(Government of New Brunswick, 2014)

(Government of Newfoundland and Labrador, 2014)

(Government of Nova Scotia, 2014)

(Government of Ontario, 2014)

(Government of Prince Edward Island, 2014)

(Government of Saskatchewan, 2014)


APPENDIX B – DETAILED ANALYSIS

SHARED TOT SHARED A SHARED B SHARED C

Total Files 107533 134551 3527 16288

Total Folders 5549.5 5% 9001 7% 326 9% 1799 11%

Total Primary 100 96 19 11

Total Procedure Files 2121 2% 513 0% 331 9% 0 0%

Total Duplicate Folders 4167 75% 1100 12% 232 71% 1155 64%

Total Destructible files 32279 30% 10 0% 77 2% 0 0%

Total Archival Files 0 0% 6784 5% 967 27% 8482 52%

Total Current Files 70232 65% 123176 92% 2472 70% 6423 39%

Total Critical 5022 5% 4581 3% 11 0% 1383 8%

Total Internal 104144 97% 41254 31% 3517 100% 13333 82%

Total External 3038 3% 153 0% 0 0% 2955 18%

Total Personal 351 0% 93144 69% 0 0% 0 0%

Total Excessive 18 0% 79 1% 17 5% 10 1%

SHARED E SHARED F SHARED G SHARED H

Total Files 1390 54104 3554 86971

Total Folders 131 9% 1768 3% 128 4% 1005 1%







Total Critical 409 29% 0 0% 935 26% 1489 2%

Total Internal 1390 #### 0 0% 3499 98% 77108 89%

Total External 0 0% 54104 100% 55 2% 9863 11%

Total Personal 0 0% 0 0% 0 0% 0 0%

Total Excessive 10 8% 5 0% 4 3% 12 1%

INDIVIDUAL A INDIVIDUAL B INDIVIDUAL

C INDIVIDUAL

D

Total Files 1512 206 4395 314

Total Folders 138 9% 27 13% 748 17% 7 2%








Total Critical 64 4% 0 0% 335 8% 0 0%

Total Internal 463 31% 67 33% 340 8% 0 0%

Total External 0 0% 0 0% 0 0% 0 0%

Total Personal 1049 69% 139 67% 4055 92% 314 100%

Total Excessive 33 24% 23 85% 91 12% 0 0%

INDIVIDUAL E INDIVDIUAL F INDIVIDUAL

G INDIVIDUAL

H

Total Files 1771 570 884 512

Total Folders 53 3% 46 8% 90 10% 17 3%







Total Critical 24 1% 0 0% 0 0% 0 0%

Total Internal 43 2% 0 0% 0 0% 0 0%

Total External 0 0% 0 0% 0 0% 0 0%

Total Personal 1728 98% 570 100% 884 100% 512 100%

Total Excessive 3 6% 1 2% 9 10% 2 12%


APPENDIX C – PRIVACY BREACHES

Reported Employee Data Breaches (January 2010 to February 2012)

Reason Number Percentage of Total

Stolen computer or laptop 38 21.2%

System hacked 24 13.4%

Third-party loss of data 18 10.0%

Stolen-Other storage devices for data 17 9.5%

Public posting on Web due to lack of training/security to prevent this 17 9.5%

Data emailed to an unauthorized individual or group 14 7.8%

Breakdown in access or absence of physical security 11 6.2%

Virus, malware, spyware, or file sharing 11 6.2%

Inappropriate disposal of data through waste collection 7 3.9%

Data in paper form stolen 7 3.9%

Data exposed and viewable in a mailing 6 3.4%

Data lost, tampered, or stolen during mail transport 4 2.2%

Access device fraud by temporary employees 3 1.7%

Sold computer equipment without removing sensitive data 2 1.1%

TOTAL 179 100%