Data Privacy (HR)

S AP E n h a n c e m e n t P a c k a g e 0 4
f o r S AP E R P 6 . 0
Copyright
© Copyright 2011 SAP AG. All rights reserved.

SAP Library document classification: PUBLIC

No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP AG. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software
components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft
Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x,
System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM,
z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM,
Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower,
PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect,
RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere,
Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered
trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are
trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide
Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for
technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,
StreamWork, and other SAP products and services mentioned herein as well as their respective
logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal
Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services
mentioned herein as well as their respective logos are trademarks or registered trademarks of
Business Objects Software Ltd. Business Objects is an SAP company.

(C) SAP AG Data Privacy (HR) 2

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase
products and services mentioned herein as well as their respective logos are trademarks or
registered trademarks of Sybase, Inc. Sybase is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only. National product
specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG
and its affiliated companies ("SAP Group") for informational purposes only, without representation
or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to
the materials. The only warranties for SAP Group products and services are those that are set
forth in the express warranty statements accompanying such products and services, if any.
Nothing herein should be construed as constituting an additional warranty.

(C) SAP AG Data Privacy (HR) 3

Icons in Body Text

Icon Meaning
Caution
Example
Note
Recommendation
Syntax

Additional icons are used in SAP Library documentation to help you identify different types of
information at a glance. For more information, see Help on Help General Information Classes
and Information Classes for Business Information Warehouse on the first page of any version of
SAP Library.

Typographic Conventions

Type Style Description

Example text Words or characters quoted from the screen. These include field
names, screen titles, pushbuttons labels, menu names, menu paths,
and menu options.
Cross-references to other documentation.
Example text Emphasized words or phrases in body text, graphic titles, and table
titles.
EXAMPLE TEXT Technical names of system objects. These include report names,
program names, transaction codes, table names, and key concepts of a
programming language when they are surrounded by body text, for
example, SELECT and INCLUDE.
Example text Output on the screen. This includes file and directory names and their
paths, messages, names of variables and parameters, source text, and
names of installation, upgrade and database tools.
Example text Exact user entry. These are words or characters that you enter in the
system exactly as they appear in the documentation.
<Example text> Variable user entry. Angle brackets indicate that you replace these
words and characters with appropriate entries to make entries in the
system.
EXAMPLE TEXT Keys on the keyboard, for example, F2 or ENTER.

(C) SAP AG Data Privacy (HR) 4

Table of Contents
Data Privacy (HR) ....................................................................................................................... 6
Data Privacy Management ....................................................................................................... 7
Destruction of Data .................................................................................................................. 9
Legal Holds (Infotype 3246) ................................................................................................ 11
Destruction Log .................................................................................................................. 12
Block for Creating Data ...................................................................................................... 13

(C) SAP AG Data Privacy (HR) 5

 Data Privacy (HR)
The electronic collection and transfer of personal data and technological developments in the
area of communication and information technology that involve intensive saving and processing
of personal data require standardized data privacy legal regulations.

Considering the increase in data abuse and the accompanying need for legal regulations, data
privacy and data security have also gained importance in enterprises. Data privacy does not
mean protecting the data, rather protecting the individual from his or her personal data being
abused. Data security however, means protecting the data from being accessed by unauthorized
persons. For enterprises, this means that adhering to data privacy guidelines requires suitable
data privacy and data security measures.

More Information
Data Privacy Management [Page 7]

(C) SAP AG Data Privacy (HR) 6

 Data Privacy Management
Each enterprise must ensure that they adhere to the data privacy [Page 1] guidelines for their
country and that the legal entitlement of individuals to protection of their personal data is fulfilled.
Note that the legal situation is different in each country and that the data privacy management of
an enterprise operating globally must provide for this.

Efficient data privacy management comprises organizational and technical measures for handling
personal data so as to adhere to data privacy principles. It must be ensured that the data can be
used optimally, and without interruption, in operative business processes for as long as this is
required.

Earmarking
Necessity
For what purpose is
Which personal
personal data entered and
data is entered?
used?

Data privacy
in the enterprise

Data economy/
Data destruction
data reduction while
Only personal data that is considering
absolutely necessary for the
retention periods
application

Data Privacy Principles

The following data privacy principles provide you with the necessary reference for ensuring data
privacy in your enterprise and your employees' right to determine what happens to their data:

Earmarking

Personal data may only be processed for the purpose for which it was collected and is to
be protected from abuse.

Necessity of data collection

(C) SAP AG Data Privacy (HR) 7

 For data privacy reasons and to reduce costs, only the data that is absolutely necessary
should be collected. This is also in conjunction with the basic principle of data economy
and data reduction.

Data economy and data reduction

In data privacy, this principle can be viewed as a preventative measure and can also
reduce costs if it results in the effective organization of data processing. This also
includes the efficient management of the volume of data in a database to limit the
operating costs for a system. For information about data management, see SAP Service
Marketplace at http://www.service.sap.com/ilm .

In the Human Resources applications, a multitude of data is to be considered personal data with
regard to data privacy and is thus subject to data privacy legal regulations. The data privacy
principles of data economy and necessity mean that personal data is to be deleted as soon as it
is no longer required. SAP supports your data privacy management by providing suitable SAP
NetWeaver Information Lifecycle Management (ILM) functions in the Human Resources
applications.

Data Archiving
Efficient data management involves archiving data from completed business transactions. This
data that is no longer required in the system, but is to be retained as evidence, for example, is
written to an archive file. To reduce the load on the database, the archive file is stored in a file
system or content repository and the data is deleted from the database. For more information,
see SAP Library for SAP NetWeaver on SAP Help Portal and choose Data Archiving (CA-
ARC) Archiving Using the Archive Development Kit (ADK) .

Retention Periods
ILM's Retention Management provides tools and methods for storing data and enables you to
fulfill the legal requirements for retaining data:

Creating and managing data retention policies and rules

Integrating storage systems in ILM

Function for destroying data at the end of its lifecycle

Legal Case Management functions such as destruction locks for data that is to be
retained for longer than the retention period with regard to legal cases

For more information, see SAP Library for SAP NetWeaver on SAP Help Portal and choose
Information Lifecycle Management (ILM) in the SAP System Control Information Lifecycle
with Retention Management .

Destruction of Data
In the Human Resources applications, you have the ILM function for the destruction of personal
data available. You can use this function to delete personal data as soon as the end of the legal
and operational retention periods specified for the data has been reached, and thus fulfill data
privacy requirements. For more information about the data destruction process, see Destruction
of Data [Page 9].

(C) SAP AG Data Privacy (HR) 8

 Destruction of Data
The data privacy principles of data economy and necessity mean that data is to be deleted as
soon as it is no longer required. For data privacy reasons therefore, all data that was collected in
the Human Resources system for persons must be able to be deleted. This must be done while
considering country-specific regulations.

In all Human Resources (HR) applications, you have archiving objects available, which support
the Information Lifecycle Management (ILM) function for the destruction of data. Some archiving
objects support archiving in addition to data destruction.

An archiving object contains data from the database that is related in a business context. An
archiving object has at least one write program and one delete program. The write program reads
the data from the database and the associated delete program deletes the data from the
database. An archive file must always be written for the destruction of data; this is also deleted
after the data has been destroyed. The system writes the data that, according to the relevant
checks, can be destroyed in accordance with the specified retention rules, to this archive file.

In the Information Retention Manager (IRM), you can define and edit policies and rules for the
retention of data. These retention rules are evaluated when the write program is run for the
archiving object.

Retention periods for data can have different reasons. For example, tax-based data needs to be
retained for revision purposes and tax audits. For data privacy reasons, personal data needs to
be retained and destroyed when it is no longer needed. These reasons are represented by audit
areas in the system. For more information, see SAP Library for SAP NetWeaver and choose
Information Lifecycle Management (ILM) in the SAP System Control Information Lifecycle
with Retention Management Edit Policies for Retaining Business Information General
Principles and Recommendations for Policies and Rules .

Process
To destroy data for personal data in HR, proceed as follows:

1. To be able to use retention rules for an archiving object, you need to assign this archiving
object to an object category. You assign archiving objects in the Information Retention
Manager (transaction IRM_CAT).

For more information about this Customizing setting, see SAP Library for SAP
NetWeaver and choose Information Lifecycle Management (ILM) Retention
Management Edit Policies for Retaining Business Information Information Retention
Manager Object-Category-Specific Customizing .

2. To differentiate between retention policies and residence time policies, the term policy
category will be used. Not all policy categories known to the Information Retention
Manager (IRM) are available automatically for an object type, you need to have specified
this explicitly in Customizing for the object type. Create the permitted policy category
(transaction IRM_CUST).

For more information about this Customizing setting, see SAP Library for SAP
NetWeaver and choose Information Lifecycle Management (ILM) Retention
Management Edit Policies for Retaining Business Information Information Retention
Manager Object-Category-Specific Customizing .

(C) SAP AG Data Privacy (HR) 9

 3. Before you define policies and rules to be able to destroy your data according to the
retention periods, you first need to create the audit area. Create an audit area for the
destruction of data (transaction IRMARA).

For more information, see SAP Library for SAP NetWeaver and choose Information
Lifecycle Management (ILM) Retention Management Information Retention Manager
Maintenance of Policies and Rules .

4. Edit your ILM policies for the policy category in Editing of Policies (transaction IRMPOL).

For more information about this Customizing setting, see SAP Library for SAP
NetWeaver and choose Information Lifecycle Management (ILM) Retention
Management Edit Policies for Retaining Business Information Information Retention
Manager Object-Category-Specific Customizing .

5. Create minimum retention periods for each archiving object. To be able to destroy data,
you need to have first written it to an archive file temporarily. However, the storage of
data for an archiving object registered in the Information Retention Manager is only
possible if each audit area that is assigned to this object type contains at least one audit
area and at least one rule that can be applied. In this rule you need to have defined a
start time and a minimum retention period. Therefore, to archive data that must be kept,
enter the retention period and a start time in rule maintenance.

For appraisal documents from the Performance Management processes, the HR

Administrator has entered the minimum retention period as 3 years and the start
time as the end of the fiscal year. Data that meets these conditions is approved
for archiving or destruction in the archiving-object-specific checks and is written
to archive files and deleted. The prerequisite for data destruction is that the
determined end date for retention is in the past. If the end date is today's date,
this data is not considered.

6. Use the relevant archiving objects in archive administration [External] (transaction SARA)
to destroy personal data.

For more information about the individual archiving objects, see SAP Library for SAP
ERP and choose SAP ERP Central Component Human Resources HR Archiving
.

(C) SAP AG Data Privacy (HR) 10

 Legal Holds (Infotype 3246)
An infotype for blocking an employee's data for data destruction [Page 9].

In the Legal Holds (3246) infotype, you can state which employee data is blocked for destruction,
meaning for deletion from the database.

As a result of legal activities not completed, it is possible that data has to be retained for longer
periods of time, even if their retention period has already expired and the data is to be destroyed
for data privacy reasons. You can use this infotype to ensure that data relevant for a legal case
cannot be destroyed. When the legal case is decided, the data can be further processed.

When performing archiving sessions for the destruction of data with archiving object programs,
you must therefore ensure that information on emloyees and activities relevant for legal cases
cannot be deleted from the database. This infotype enables you to specify legal holds for such
data relevant for legal cases.

For example, in the following situations you must ensure that the relevant data is not
deleted:

Lawsuit regarding the evaluation of overtime (at employee or organizational unit

level)

Lawsuit regarding the decision to hire or transfer

When the legal case is decided, this data can be further processed.

Structure
An entry in the Legal Holds infotype contains the following information for each employee:

Validity period with start and end date (system end date) for the legal hold

Subtype that refers to the archiving object and for which the legal hold is to be applied

Short description for the legal hold

The infotype text can be used to enter a detailed description for the legal hold.

(C) SAP AG Data Privacy (HR) 11

 Destruction Log
During the destruction of personal data from Human Resources infotypes, the system creates a
destruction log in the infotype Archived Objects [External] (0283) for each personnel number for
which data was destroyed.

Prerequisites
For each archiving object for which destruction logs are to be created, a subtype must be created
in the infotype Archived Objects. You can check this Customizing setting in the view Subtypes for
Infotype 0283 and Infotype 3246 (V_T77PAARC_SUBTY).

Groupings of subtypes can also be defined for each subtype of infotype 0283.

In Time Management, the archiving object HR: Absences (HRTIM_ABS) can be used to
destroy data from infotypes for groupings of multiple subtypes, for example, all absence
types for URLAUB (leave) or all absence types for KRANKHEIT (illness). This grouping of
absence types is saved as information in the document data record of infotype 0283. A
separate data record is created in infotype 0283 for each grouping of absence types.

Features
If the preprocessing program of the archiving object has been run and a corresponding session
has been created, a data record is created in infotype 0283. The status Flagged for Data
Destruction is set for this data record. After the delete program of the archiving object has been
run, this status is set to Destroyed.

If a personnel number is selected for data destruction as a result of the defined retention rule, but
there are no valid data records that can be destroyed, during the preprocessing phase the status
Destroyed is set immediately for this data record in the infotype 0283.

If there is a data record to be destroyed for the personnel number for which the valid-to date is
after the maximum destruction date, the status Destroyed is also set in the preprocessing phase.
For the data record of infotype 0283, the maximum destruction date is set as the valid-to date.

The data records of infotype 0283 are also used to create data blocks. This prevents data from
being created again for the period for which it was destroyed.

(C) SAP AG Data Privacy (HR) 12

 Block for Creating Data
For data privacy reasons you have destroyed [Page 9] personal data on employees in the
system. Data privacy also requires that such data can never be created again. This function
ensures that the data for the period for which it was destroyed cannot be created again.

All absence data for an employee that is older than 3 years (for example, up to December
31, 2007) is destroyed for data privacy reasons. For the period up until December 31,
2007, no more absence data can be created retroactively for this employee.

Prerequisites
An archiving session for the destruction of data for an employee in a defined period was
started for an archiving object.

The archiving-object-specific checks during the preprocessing or write phase of the

program showed that the end of the retention period for the data on this employee has
been reached and the data was destroyed in the delete phase.

Process
1. For this employee, the system writes a data record with the related delete period to the
infotype Archived Objects (0283).

2. If relevant data is created for the employee in the delete period, for example, using
transaction PA30, the system reads infotype 0283.

3. Creating data for the employee is blocked for this period.

Data In infotype 0283

Data from DB table a data record
destruction IRM PAXXXX is deleted is written for
session is retention when the end of the the data
started rules retention period destruction status
has been reached.

Infotype A rc hiv ed O bjec ts (0283) is

read before data is c reated

C reation of data us ing HR trans ac tions (e.g . P A30)

Process for Blocking the Creation of Data

(C) SAP AG Data Privacy (HR) 13

Example
For maternity protection or parental leave, a retention rule was defined that states that the
retention period for data of this absence type is 5 years. This means that all data on maternity
protection or parental leave that is older than 5 years must be destroyed.

Destroy until
12/31/2005

01/01/2002 A 12/31/2004

01/01/2003 B 12/31/2008

01/01/2002 C

2002 2003 2004 2006 2007 2008

Block for Creating Data on Maternity Protection/Parental Leave

There are three data records for three employees for maternity protection/parental leave. The end
date of two data records (A and C) is before the destruction date (Destroy Until) December 31,
2005, which means that these data records are completed. The end date of data record B is after
the Destroy Until date, which means that this record is not completed. Data destruction is
performed for data records A and C. For data record B, no data destruction is performed since
the check showed that the data record does not meet the retention rule since it is not older than 5
years. After the data destruction session has been completed, the following actions are no longer
possible due to the block on creating data:

For the period before December 31, 2005, no data on maternity protection/parental leave
can be created for these employees.

The data record that was not destroyed may not be changed.

If the infotype data records are not from Time Management, they can be delimited on
January 1, 2006.

Creating data is blocked, irrespective of which transaction you use to create data.

(C) SAP AG Data Privacy (HR) 14