Skip to main content

HR and Payroll Record Anonymisation

Updated yesterday

To meet European GDPR requirements on 'the right to be forgotten' and the requirement to only retain personal data for as long as it is necessary and justifiable to do so, a routine is available which will ‘anonymise’ HR Personnel and PR Employee data when required.

To anonymise HR and Payroll data:

  1. Go to Human Resources > Administration > Anonymise or Payroll > Administration > Anonymise.

    Anonymisation Selection Screen

  2. Enter the date ranges that apply to the records you want to anonymise.

    The leaving dates and last paid dates default to a number of years before the most recent year end, based on the setting of the CO parameter ANONYRS. The routine cannot be run for records more recent than this.

  3. Tick Delete Captions if you want caption data to be deleted as well.

  4. Set the Mode field to check if you just want the routine to report on which records will be anonymised; set to Process if you want it to actually anonymise the records.

  5. Optionally, use the Employee Selection or Personnel Selection tab to further restrict the records that will be anonymised.

  6. Click Next to run the routine.

What the Routine Does

The person’s name in both the Personnel and Employee records is changed as follows:

  • First Name is set to “Anonymised”.

  • Surname is set to the Employee Number.

  • Middle Name, Suffix, Inits are blanked out.

All PR payslip documents, photos, and dependant/Spouse/Emergency contact records attached to the Employee record are deleted.

The following are either blanked out or (depending on the field) replaced with the text Data Removed because of Anonymisation:

  • All email addresses stored in both the Personnel and Employee records

  • All partner/spouse fields in the Employee record

  • All address fields stored in both the Personnel and Employee records (including Phone and Email)

  • National Insurance Number

  • Phone/Pager/Fax numbers

  • The name used in BACS payments in Employee record

  • Emergency name in Personnel record

  • Maiden name in Personnel record

  • Known as in Personnel record

  • Salutation

  • Birth Date

  • EEO-1 Code, Ethnic Origin

  • Nationality

  • Country of Birth

  • driving licence Numbers

  • Religion

Example of Anonymised Record

When the person to be anonymised has employee records in different PR companies:

  • If all are leaver employees, all employee records will be anonymised, as well as the personnel record.

  • If employee is current in a company, then only the PR employee records where the status is leaver employee will be anonymised. The personnel record will be untouched.

If the employee number format is based on the name (see parameters PR/EMPCODEF and HR/HRIDFRMT), JOHSMI for example, you can use the Payroll Administration utility Renumber Employees to change the employee number to unique digits, such as 123456, to ensure all references which could enable someone to determine who the employee is are removed.

What will not be anonymised

A record will not be anonymised if any of the following apply to it:

  • Open H&S Accident records

  • Open H&S Claim records (worker’s compensation, for example)

  • Unsatisfied payments/loans with the company

  • Unreturned assets (keys, laptop, etc.)

  • Pay History on file for the current PR Year.

  • HR Links

    • ESS Portal link

    • Contract Employee

    • Fleet Driver

    • Operatives

    • Job Managers

    • Sales Rep

    • Subcontractor

    • Supplier

    • Expenses

  • Employee timesheets on file against still open/incomplete contracts. The contract could be in litigation. (Currently, a liability period is not stored against the JC Contract to make this determination.)

The utility will not delete the HR Personnel or PR Employee record. Unless otherwise stated above, other history records will remain on file, allowing this data to be available for audits, lawsuits, worker’s compensation claims, etc.

If the person is active in any company, the HR Personnel record will remain untouched.

The utility will not delete Audit records.

Old return files will not be deleted, since they are a record of the submission. Copies of the RTI and year end returns are stored in Document Management and these XML files contain employee identity fields. A future project will be considered to create purge routines for these files.

The utility will not anonymise or delete data stored in PDF files. Clients need to ensure that these PDFs have document security applied to them to prevent unnecessary access.

Access to Anonymised Personnel/Employees

After the utility has been run, only Coins ERP+ users whose Security setting is 8 or above will be allowed to view anonymised HR/PR Personnel/Employee records.

Parameters

  • CO/ANONYRS - The number of years employee data must be retained before it can be anonymized

    Enter the number of years employee data must be retained before it can be anonymised.

    If left blank or set to 0, you are not allowed to run the HR/PR anonymise Utility.

  • HR/HRIDFRMT - Personnel Id number format

    The format to use for HR ID numbers.

    This takes the form of a template for the employee number. The template characters you can use are:

    9 - a digit. If auto-numbering the first number with obeys the uniqueness rules will be used.

    I - a digit. If auto-numbering the next available number will be used.

    Z - a digit which will be blank for a leading zero. If a string of Zs is followed by an I then it will be an I type number, otherwise it will be a 9 type number.

    X - any character. If auto-numbering this will be taken as a literal X as it is really to cater for manual input which does not fit a definable rule.

    A - any letter. If auto-numbering this will be taken as a literal A as it is really to cater for manual input which does not fit a definable rule.

    F - a character from the first name (initial characters used).

    M - a character from the middle name (initial characters used).

    L - a character from the surname (initial characters used).

    N - a character from the national insurance number (final characters used).

    D - a character from the department code (initial characters used).

    P - a character from the payroll type description (initial characters used).

    For options X, A, F, M, L, N, D or P any lower case letters will be converted to upper case. However if the lower case equivalents of these are used (x, a, f, m, l, n, d or p) then both lower and upper case letters will be allowed.

    Any other character will be a literal. To specify the literal text for one of the special characters above put a tilde (~) before it.

    Examples:

    999999 - a 6 digit number including leading zeros (for example 000150).

    ZZZZZ9 - a 6 digit number without leading zeros (for example 150).

    LLL999 - the first 3 characters of the surname followed by 3 digits to make it unique (for example SMI001).

    To demonstrate the difference between 9 and I consider the formats LLL999 and LLLIII. If you add a HR Person John Smith both of these will give the same result SMI001. But if you then add Sarah Jones LLL999 will give JON001 whilst LLLIII will give JON002.

  • PR/EMPCODEF - Employee number format

    When in use, the value in the frequency-specific parameter EMPCODEF will supersede the value in the Global PR Parameter EMPCODEF. The format to use for employee numbers.

    This takes the form of a template for the employee number. The template characters you can use are:

    9 - a digit. If auto-numbering the first number with obeys the uniqueness rules will be used.

    I - a digit. If auto-numbering the next available number will be used.

    Z - a digit which will be blank for a leading zero. If a string of Zs is followed by an I then it will be an I type number, otherwise it will be a 9 type number.

    X - any character. If auto-numbering this will be taken as a literal X as it is really to cater for manual input which does not fit a definable rule.

    A - any letter. If auto-numbering this will be taken as a literal A as it is really to cater for manual input which does not fit a definable rule.

    F - a character from the first name (initial characters used).

    M - a character from the middle name (initial characters used).

    L - a character from the surname (initial characters used).

    N - a character from the national insurance number (final characters used).

    D - a character from the department code (initial characters used).

    P - a character from the pay frequency description (initial characters used).

    For options X, A, F, M, L, N, D or P any lower case letters will be converted to upper case. However if the lower case equivalents of these are used (x, a, f, m, l, n, d or p) then both lower and upper case letters will be allowed.

    Any other character will be a literal, limited to 0 -9, A - Z, and a - z. To specify the literal text for one of the special characters above put a tilde (~) before it.

    Examples:

    999999 - a 6 digit number including leading zeros (for example 000150).

    ZZZZZ9 - a 6 digit number without leading zeros (for example 150).

    LLL999 - the first 3 characters of the surname followed by 3 digits to make it unique (for example SMI001).

    To demonstrate the difference between 9 and I consider the formats LLL999 and LLLIII. If you add an employee John Smith both of these will give the same result SMI001. But if you then add Sarah Jones LLL999 will give JON001 whilst LLLIII will give JON002.

Did this answer your question?