Successfully managing your payroll records can help give insight to your professional approach and enable you to manage your liabilities effectively. With risks of fines, censure, and a wealth of other issues – it is vital to make sure that you remain compliant as we move into a new decade.

So, what payroll records need to be kept by your business and what can you do to improve your approach?

Which payroll records must be kept?

The law dictates that you are required to keep information about your employees’ tax and National Insurance (NI) contributions for three years from the end of the tax year they are attached to.

This is to allow HMRC to fully check and validate your internal records, ensuring that you are acting correctly and that there are no irregularities with your approach.

These are to be provided in a way that allows them to be quickly and efficiently checked for accuracy in order to enable HMRC to validate that you are paying the correct amount of tax. If not provided in a timely or appropriate manner, this can cause issues for the department and your business – with HMRC having a number of protocols in place to help them get hold of the information that they need.

With a significant number of powers at their disposal, HMRC can heavily impact your business – resulting in a number of complications that can range from the commitment of additional resources, preventing your ability to trade, to formal prosecution.

This makes it essential to get it right first time and to ensure that you are operating and reporting correctly is treated as a priority for every business.

How they should be stored?

When it comes to capturing information about your staff, there are a number of standard or hybridised options available to you that allow you to remain fully compliant. These include

Physical Records: Also know as ‘paper’ records, these involve holding the information you require on onsite storage, most commonly in a secured room in a filing cabinet or other secure storage solution. While fully compliant with the law, this can quickly become a highly inefficient process – with changes to records requiring regular updates and risking the potential of human error. This also raises questions of tracking who has access to the storage area, potentially leaving you open to action for data breaches.

Offline Digital Storage: The next step up for efficiency – but not security – this involves storing data on a series of spreadsheets on a system. This can be distributed by tools such as Google Docs or Microsoft cloud storage, but for day-to-day use, it becomes essential to ensure that data protection protocols are enforced and applied. Choosing a cloud solution can help ensure document unity and allow flexibility when it comes to editing content when needed.

Dedicated HR Systems: Selecting a bespoke on-site system can be perfect for businesses dealing with high-turnover or long-term problems when it comes to your document management. Ensuring compliance, these can require significant effort to validate and install, but carry the bonus of making your work more efficient and correct through automation, reminders, and the deployment of dashboards and key metrics. These are commonly stored on internal servers or require on-site hardware and – if appropriate for your use case – can provide significant long-term benefits.

Cloud HR Systems: The next step up from a dedicated HR infrastructure, cloud based solutions are designed to be fully GDPR compliant and make document management straightforward. These are commonly accessed through dedicated apps or online portals and cut back on the physical needs for your business to manage your reporting – with the ability to auto gen reports, cut back on maintenance, and ensure full compliance with HMRC protocol.

No matter your choice, it is essential to review your existing practice, your HMRC requirements and find the most efficient way to manage your workload. This can involve reviewing with your internal IT and HR teams but should ideally involve guidance from experts or other providers to ensure that the right decision is made to cut back on additional time or resource expenditure.

How to know which payroll records to keep?

Thankfully, HMRC provide extensive information about the material you and your teams are required to provide and retain when it comes to regular reporting.

When it comes to the details you are required to keep, these include any information on-

1. Payments: Your information should contain details about what your employees are paid and the deductions that you make internally,

2. HMRC Content: Your data should also include copies of any and all reports made to HMRC along with any payments that you tendered.

3. Employee Data: This should also include information about employee absences across the period, including sick leave and other exceptional circumstances.

4. Tax Code Information: Any information tendered about changes to your tax code should be added to the system, in the form of a P6 document.

5. Expenses Details: All taxable expenses should be added to the list along with any benefits.

6. Payroll Scheme Details: The material should also include information about your Payroll Giving Scheme documentation, such as contracts, authorisation forms, or other material relevant to your business.

Along with keeping this information secure, accurate, and up to date, employees should be able to make a request to view the information that you store about them at any time.

This includes complying with requests to-

– View the information that you are storing and correct it if it is wrong.

– Request the deletion of data.

– Request that their information is not to be used for certain purposes.

They are then able to check in and, if these changes have not been made or adhered to, your business can potentially be left open to legal action.

What are the penalties for not keeping them?

One of the major reasons for ensuring compliance is the significant formal and informal costs that accompany a breach.

HMRC has extensive abilities to investigate and aggressively prosecute all those that are unintentionally or deliberately breaking the rules. The body enjoys significant civil and criminal powers to identify and conduct a criminal investigation. HMRC aims to provide a ‘strong deterrent message’ by prosecuting infractions to the fullest of their ability in order to set an example to other businesses. While HMRC will not make a decision about a criminal prosecution, they will gather information to provide the strongest possible criminal case before passing the information to the relevant prosecution service for the chosen jurisdiction.

While payroll will rarely lead to significant action, HMRC’s aggressive approach extends to their checks. If full and complete records are not provided, they have the ability to force you to pay a fine of up to £3000 and make an estimation based on the information they have available to them, which will likely to prove less than conservative. If your payroll records are not available – due to damage, theft, or loss – you must inform them immediately and detail values that are estimated or provisional.

If HMRC identifies what they believe to be a criminal obfuscation or data breach, they will likely take action to carry out a full investigation and use their influence to investigate you to their satisfaction.

In addition, the negative press that surrounds a lawsuit can cause other damage to your business. A loss of payroll data can be due to or result of a data breach, leaving your employees open to pursuing legal action against you for breach of their personal data. This can also be followed up with prosecution or fines levied through GDPR and potential partners taking action in the wake of an investigation that they can become implicated with.

Add in the soft power loss and negative publicity that follows reporting on fines and censure, you can quickly realise that taking the utmost care in your dealings with HMRC is essential.

How they should be disposed?

When records are required to be removed, they must be disposed of routinely and in line with relevant legislation. This requires the records to be deleted or shredded in a manner that is fully compliant with GDPR protocol.

These should be added as a regular part of daily responsibilities and should be easy to validate by any investigatory or regulatory body. This makes it vital to spend time creating and implementing a  plan that covers the disposal of physical and digital documentation in a fully compliant manner.

This involves considering:

Handling Physical destruction: Any business will provide physical documentation or come into materials that will need to be destroyed. It is essential that your teams understand the approach to take when it comes to disposing of documentation safely and securely and that you are fully aligned with GDPR best practice.

Physical Infrastructure: It is often easy to forget that much of the hardware deployed in your office can be used to retrieve data and infrastructure. Old laptops can contain sensitive documents that can be retrieved from a restore point, sensitive communications, or allow access to accounts through stored passwords. Make sure to have your IT teams fully wipe devices and take appropriate steps to put old units safely beyond use before recycling or repurposing them.  

Enforcing Best Practice: There is little point having protocols and steps in place without educating your staff about how to follow them. Instructions should be delivered to individuals throughout your teams and supported by hands-on training about best practice. This can range from poor document handling or simply copying sensitive files from a shared server to a pen drive that goes missing. Avoiding issues before they come to light can help head issues off at the pass and save significant time, stress, and resource expenditure,.

What should I ask my provider?

When it comes to making changes to your approach or optimising your existing infrastructure, it is vital to take the time to review your configuration with your in-house or external providers and find a solution that is right for you. This includes asking-

What elements are coming in the future? While GDPR has influenced, it is likely that the next ten years will see numerous changes as the world’s approach to data handling and understanding of the risks involved grows. Settling on an approach that is adaptable can help ensure that you are ready to meet this head on and respond to threats and opportunities with surety and speed.

What can help? A critical part of records management is understanding where you are currently falling down when it comes to storage and management and what you can do to improve your process. This can involve confirming key roles for members of staff, updating your infrastructure, or working to familiarise yourself with GDPR or HMRC requirements.

Going Digital? For many companies, implementing or improving digital infrastructure is a highly efficient way to improve your document storage protocol and ‘bake in’ compliance at all levels of your business. While finding the right system or additional tools can be difficult, consulting  a professional team can help reduce the effort involved and ensure that your business is ready to adapt to future change and capture payroll information that can be used to drive future decision making.

What next?

If you want to learn more about optimising your payroll practice, our team at Practical Software is here to help. With many years’ experience, we work with you to provide the level of care you need to remain compliant and make the payroll process as easy to complete as possible.