Managing employee data – what to do with the data when an employee leaves

Protection October 12, 2022

A generation ago, it wasn’t unusual for workers to stay with an organization from the time they first started working through to retirement.

Today, employment longevity is no longer the norm, particularly for younger workers. According to the U.S. Bureau of Labor Statistics, median tenure is 4.6 years for wage and salary workers aged 16 and up.

Between the increasingly transient nature of employees, the amount of technology use, and the volume of data that has to be archived for compliance reasons, information technology staff have to work hard to keep up with managing employee data.

While it’s not as simple as putting the responsibility entirely on IT, that’s the perspective we’re focusing on in this post. But keep in mind that there are likely accounts and systems that employees have access to that are outside of IT’s control.

The proliferation of web-based SaaS products being used by corporations means that IT isn’t always in charge of provisioning or decommissioning access to all accounts anymore – even if they’re involved with vetting the tools for security purposes.

However, for most knowledge workers, regardless of industry, the majority of employee data is still going to be tied to their network accounts. So, after you lock down access (the easy part), how do you manage that data and their accounts when they leave?

It’s far too expensive to retain all employee data by default unless it’s a requirement for compliance. So, how do you easily retain the data that you need to keep and discard the rest?

Identify the types and sensitivity of data the employee handled

Regardless of the reason for termination, and before taking any action with the data, work with the employee’s manager and other colleagues to determine the kinds of data they were working with.

Would they have customer information, legal documents, or anything else that should be archived or otherwise marked for retention? Gaining an understanding of the information they were using and had access to is key.

Determine how to handle the data

Once you know the kinds of data you’re dealing with, then you can decide how to manage it. The data helps inform where it should be stored (primary, secondary, or archive repositories), who should have access to the data, and how long they’ll need access.

In an ideal world, you could work with the employee who’s leaving to decide. But since that isn’t always possible, IT’s role in the offboarding process is to ensure data is secure but available and accessible when needed.

Data management provides more control and flexibility

Sure, IT can use the built-in retention or legal hold features in various storage repositories, such as Office 365, Box, Azure files, on-premises file servers, and more to preserve former employee data. But retention is only one aspect of compliance.

Regulations like GDPR have increased the e-discovery demands organizations have to adhere to – and organizations are learning that most requests are coming from former employees. The number of legal discovery cases is ballooning as IT is under increasing pressure to answer legal actions within the required timeframe.

Cloud backup scenario: Data retention that covers your bases

You’ve figured out what data the employee was using and producing. Now that you know, let’s say your legal department tells you they want a 180 days or 7 years retention on the data from the time of the employee’s departure.

In most sources that have retention capabilities, the retention clock runs off the creation date of the files/messages rather than the final date of employment. This creates a problem when it comes to ensuring data is purged according to the timelines legal set out. The ideal solution is to pull the data into a secondary storage repository where the retention clock can be set according to legal’s specifications.

A side benefit of using secondary storage to back up of former employee data is that you’ll keep your production/collaboration space cleared of inactive legacy data.

By instituting a segregated backup of your Office 365Box, and on-premises data paired with a data management platform, you can extend the built-in data protections these tools provide, and take the stress out of meeting compliance requirements.

Want to learn more? Contact us today to speak with one of our team about your organization’s needs are around backup and recovery.

Dan Gagliardi
Dir, Product Management