Separated Employee and Electronic Resources Access

Policy Name: Separated Employee and Electronic Resources Access

• Owner: Chief Information Officer
• Author: Information Security Manager
• Contact Information: itsecurity@css.edu
• Effective Date: 01/01/2024
• Recent Review: 07/09/2024
• Next Review Date:
• Applicable Laws, Regulations, Compliance: NA

I. Purpose

This policy establishes consistent standards for the College of St. Scholastica’s employee separation process. This policy applies to all employee separations, including voluntary and involuntary, regardless of date. This policy is required to meet audit compliance.

II. Definitions

Authenticate: To authenticate means to verify the identity of a user, device, or entity by comparing provided credentials against an authoritative database or through other means of validation. This process ensures that individuals or systems are who they claim to be before granting access to sensitive information or critical resources.

Information Technologies (IT): The Information Technologies department at the College offers solutions to technology needs for the campus community through infrastructure and technological support, among others.

Former Employee (also a “separated” or “terminated” employee): A former employee is an individual previously employed by the College but is no longer part of the institution due to resignation, termination, retirement, or any other separation from employment. Former employees may have had access to electronic resources, sensitive information, or secure facilities during their tenure, necessitating revocation of such access upon departure.

Vice President (VP): The head of a department/area at the College.

III. Policy

Before an employee's separation, the employee must review the College-related electronic information in their possession:

● Forward content of ongoing operational value from individually assigned College accounts to a Shared Drive;
● Transfer files from devices and online accounts to a departmental Google Shared Drive;
● Remove or transfer personal information to non-College resources;
● Assess and handle any College information on non-College personal accounts or devices by transferring to College-approved storage or deleting it as necessary.

Employees must initiate the data transfer process no later than one week before their separation date to ensure sufficient time for IT to assist if needed. All transfers must be completed by the end of the business day of the employee's final workday.

When transferring sensitive or confidential information, employees must first encrypt content using College-provided encryption tools.

Upon an employee's departure, the Information Technologies department will suspend the employee's account. It is not possible to configure auto-replies for emails sent to a disabled account, ensuring no communication is lost or misdirected.

Upon request, IT will assist individuals with the procedures related to the policy’s compliance.

Exceptions - Procedure for Access

Accessing a Former Employee's Content for Operations – emergency access only:

It is against standard practice for IT staff to access former employees' accounts. The following exception procedure is established for incidents when emergency campus operational needs require access to a former employee's files.

If accessing a former employee's emails or files is necessary, the supervisor must notify the former employee of the business need(s) for access to information in their account and request their assistance in accessing the needed information or gather their written consent for IT staff to grant access. All access requests must be submitted by the Vice President of the respective area of the former employee and supervisor requesting access. When departmental staff have the technical capability to provide someone else access to former employees' data, the procedures referenced below or a similar process approved by the department head should be followed.

Option 1. Former Employee Gives Access Before Separation Date
The primary method for gaining access to a former employee's email or files is for the former employee to grant access, either by a) transferring My Drive file ownership to a Shared Drive or b) forwarding specific requested information.

Option 2. Access Following Employee Separation
Written approval by the former employee must be obtained before access is granted. The Supervisor must first notify the Vice President and receive their approval. Once the written consent of the former employee is obtained, an IT service request can be submitted. All access requests must be submitted by the Vice President of the respective area of the former employee.

The request must include:

• Indicate whether the former employee was contacted and whether consent for access request was granted;
• Explain what emergency necessitates access and why the Employee Separation and Electronic Resources Access Policy before separation outlined above was not sufficient in this instance;
• Describe the request in detail:
  • Account name(s);
  • Description of resource for which access is needed;
  • Who will have account access;
  • How long access is required;
  • Define the request as narrowly as possible (i.e., identify specific files or folders);
  • Justify if access is requested for more than several days.

IV. Individuals and entities affected by this policy

All faculty and staff.

V. Related documents, forms, and procedures

College FERPA Policy

Employee Separation Process for Supervisors

VI. History and Updates

The College reserves the right to modify policies at any time, ensuring the involvement of relevant committees and constituents in the decision-making process (e.g., policy committee, faculty assembly, staff council, student government association, etc.)