The consumer-side query layer that satisfies HR ops business partners, ex-employees making GDPR DSAR requests, internal and external auditors, and HMRC inspectors — all against Sage People data after the live Salesforce org is gone.
Archival solves storage and compliance retention. Legacy data access solves the human side — how HR ops, ex-employees, auditors, and regulators actually read the data when they need to.
An archive that no one can query is a compliance liability dressed up as a solution. Sage People customers who decommission the live Salesforce org without standing up a proper legacy data access layer end up either (a) maintaining a 'read-only' Sage People licence at significant ongoing cost, or (b) discovering that the first DSAR request or HMRC inspection becomes a multi-week IT project to extract the right data from the archive.
Syntra's legacy data access layer is purpose-built for the four audiences that need historical Sage People data. HR ops business partners get a curated web UI with saved queries for the standard ex-employee lookups. Ex-employees get a public DSAR portal with magic-link auth and 30-day turnaround. Internal and external auditors get a read-only role tier with pre-built compliance extracts. HMRC inspectors get a time-boxed inspector access tier with the standard payroll, P11D, and equality-monitoring reports they always ask for.
All four audiences hit the same underlying archive, governed by the same role-based access controls, audit-logged the same way. Setup runs 3–5 weeks once the archive itself is in place.
The questions HR ops, auditors, and ex-employees actually ask — answered without anyone learning Salesforce reporting or running ad-hoc SOQL.
Worker__c profile + Employment_Record__c chain + Salary__c history + Position__c history + Manager hierarchy at each date. Single printable page per former worker.
Complete data subject extract: every record about the ex-employee across every Sage People object. PDF-formatted for human review and redaction. Structured download option.
Tax code chronology, pension scheme membership, salary sacrifice arrangements, P11D taxable benefits per year, P60 year-end summaries, P45 leaver documents.
Active worker count at any historical date, drilled by business unit / department / location / grade / job. Joiner/leaver/net-change for any period.
Diversity data per Equality Act 2010 categories, with appropriate special-category data handling per UK GDPR. Year-over-year trend analysis.
Leave_Request__c history with accrual balances at each year-end. UK statutory leave (SSP, SMP, SPP) records with HMRC-relevant evidence.
From archive completion to first audited legacy access query in production. Typical engagement: 3–5 weeks.
Define user roles: HR ops, payroll team, internal audit, external audit, HMRC inspector, DSAR portal for ex-employees. Map HR/audit roles to corporate IdP groups. Define sensitive-field unmask permission per role tier.
Build pre-canned saved queries for the standard HR ops questions and compliance/HMRC report formats. Validate output against sample live-system equivalents (where the live org is still up during parallel run).
Integrate corporate IdP (Azure AD, Okta, Google) via SAML 2.0 or OIDC. Deploy public DSAR portal with email-magic-link auth, identity verification workflow, response packaging.
Pre-materialise standard auditor and HMRC datasets (annual payroll register, P11D summary, year-end headcount). Tune partition layout for hot queries. Run load tests.
HR ops UAT with standard lookups. Sample auditor walkthrough. DSAR portal end-to-end test with synthetic ex-employee identity. Quick-start training for HR. Runbook hand-off to HR ops and IT.
Six controls that satisfy UK GDPR, ICO, HMRC, FLSA, HIPAA, and internal audit oversight.
Distinct role tiers per audience — HR ops, payroll, internal audit, external audit, HMRC inspector, DSAR ex-employee. Group-driven from corporate IdP — no manual provisioning in the access layer.
Salary, NI number, bank account, date of birth, medical flags masked by default. Unmask requires explicit role permission AND query-time business-justification capture.
Every query logged with user, timestamp, query, rows returned, sensitive fields accessed. Logs streamed to corporate SIEM (Splunk, Datadog, Sentinel) or persisted to immutable storage.
Auditor and HMRC inspector access tiers are time-boxed at engagement creation (typical 90-day window). Access auto-revokes at end of engagement; extension requires explicit re-authorisation.
Every Data Subject Access Request logged with request timestamp, response timestamp, response content hash, redaction decisions, identity verification trail. ICO inspection-ready DSAR audit.
Right-to-erasure requests during retention window logged with refusal reason and retention basis. Post-retention erasure events also logged. Defensible decision trail end-to-end.
Sage People legacy data access is the consumer-side query layer that lets HR ops, payroll, audit, ex-employees, and regulators read historical Sage People data after the live Salesforce org has been decommissioned or reduced to archive-only. Three primary user groups need it. HR ops business partners need ex-employee lookups for pension queries, reference requests, and tribunal preparation — often years after the worker has left. Ex-employees (GDPR data subjects) need access to their own data under DSAR, sometimes a decade after employment ended. Auditors and HMRC inspectors need to query payroll history, P11D inputs, equality monitoring data, headcount snapshots for compliance reviews that arrive 3–7 years after the relevant period. Syntra's legacy data access layer serves all three without anyone needing a Sage People Salesforce licence.
Through a curated web UI plus a SQL endpoint. The UI ships with pre-built saved queries for the standard HR ops questions: 'show me John Smith's full employment history', 'what was Jane Doe's final salary on leaving date?', 'list all employees in the engineering team as of 2023-06-30', 'find leave records for Mark Brown during his employment'. Each query produces a clean, printable response — no SOQL knowledge required. For ad-hoc queries beyond the saved set, a guided query builder lets HR users construct queries against Worker__c, Employment_Record__c, Salary__c, Leave_Request__c with autocomplete on field names. Power users can drop to direct SQL access against the underlying Parquet archive.
The Syntra legacy data access layer exposes a public DSAR portal at a documented URL (typically dsar.yourcompany.com). Ex-employees authenticate via email-verified magic link sent to the email address held in their Worker__c record, with optional step-up identity verification for high-risk requests. Once authenticated, the system runs a pre-built data subject query that collects every record about the requester from Worker__c, Employment_Record__c, Salary__c, Leave_Request__c, Performance_Review__c, and related objects. Output is packaged as a PDF (human-readable, redaction-review-friendly) plus optional structured download. Request and response are both logged for ICO inspection evidence. Standard 30-day GDPR response window is the target, with workflow to escalate genuinely complex cases.
Yes, through a dedicated audit role tier. External auditors (Big 4, mid-tier, regulatory inspectors) get a read-only login with access to standard auditor extracts: annual payroll register per pay group, P11D summary per tax year, year-end headcount snapshots, salary band distribution, leave utilization by year, equality monitoring rollups. Auditors can run ad-hoc SQL queries against the archive for deeper analysis. Every audit query is logged with the auditor's identity, timestamp, query text, and rows returned — creating an audit-of-the-audit trail. Sensitive-field unmask requires explicit role permission and business-justification capture. The audit role is time-boxed (typical 90-day engagement window) and revoked automatically at end-of-engagement.
UK GDPR right-to-erasure (Article 17) is subject to several exemptions, including legal-obligation retention (HMRC, pension regulation) and legitimate-interest retention (tribunal claim window). Most HR data sits under these exemptions for the statutory retention period. During the retention window, erasure requests can be lawfully refused, but the data subject must be informed of the reason and the retention basis. Syntra's legacy data access layer captures every erasure request, the legal basis for refusal or acceptance, and the eventual erasure event (after retention) — creating a defensible decision trail. After retention period expires, targeted erasure is supported: a specific worker and all related records can be erased on signed authorisation. The erasure event is itself logged (an audit trail of the erasure) per ICO guidance.
The data archive is the underlying storage layer — Parquet files in cloud object storage, partitioned by year/month/business-unit, hash-signed, schema-preserved. It's efficient and compliant but not user-friendly. Legacy data access is the consumer-facing layer on top: web UI for HR ops, saved query library, DSAR portal for ex-employees, audit role tier, HMRC inspector access, SSO integration with corporate IdP, role-based access tiers, sensitive-field masking, audit logging. The archive without legacy data access is data warehouse infrastructure; with legacy data access, it's a complete replacement for keeping the live Sage People org running.
Multiple integration points. SSO: SAML 2.0 or OIDC with Azure AD, Okta, Google Workspace, Ping Identity for HR/audit users. SQL endpoint (JDBC/ODBC): connect Tableau, Power BI, Looker, Qlik for analytics; ACL, IDEA, Alteryx for audit. REST API: programmatic access for HR ops tools, ITSM integration for ticket-driven lookups, and DSAR workflow automation. Direct Parquet access: query from Athena, BigQuery, Snowflake, Databricks for warehouse-native analytics. Pre-built consumer integrations available for Microsoft Teams (ex-employee lookup bot for HR ops), ServiceNow HR (legacy data lookup in case workflow), and DSAR workflow tools (OneTrust, TrustArc).
3–5 weeks once the underlying Sage People data archive is in place. Week 1: scope user roles, map to corporate IdP groups, define sensitive-field masking rules per role. Week 2: build saved query library for the standard HR ops questions, design the DSAR portal flow, prepare auditor and HMRC extract templates. Weeks 2-3: SSO integration with corporate IdP, DSAR portal deployment with email-magic-link auth, sensitive-field masking implementation. Weeks 3-4: pre-materialise the standard auditor and HMRC datasets for hot-query performance, tune partition layout. Weeks 4-5: user acceptance testing with HR ops, sample auditor walkthrough, DSAR portal end-to-end test, training, runbook hand-off.
30-minute call. We'll walk through your HR ops use cases, expected DSAR volume, audit/HMRC requirements, and IdP setup — and confirm a 3-5 week on-ramp.