January 11, 2022

An Information Management Checklist for Separating Employees

Updated 2/7/2022 to add Priscilla Emery's invaluable suggestion re: roles-based access controls. 

This is an update to a post I wrote for AIIM, originally posted on the AIIM blog as "The Break-Up List - A Checklist to Avoid Information Management Issues with Employee Separation"

Every organization has a process for onboarding new hires, contractors, consultants, etc. If you hire a new records manager, for example, it might look like this: 

  • Get the paperwork filled out for payroll
  • Issue the badge
  • Issue the keys to the office and the fob for the parking garage
  • Issue the computer or laptop
  • Assign the office or cubicle
  • Set up the email account
  • Set up appropriate access to the recordkeeping system
  • Set up all the other information management system-related access

Similarly, when an employee separates, there's usually a checklist there too: remove access to systems, get the laptop back, get the keys back, etc. But what happens to the employee's information stores? The laptop often gets wiped and reissued. Maybe the employee's inbox is assigned to the manager for review. Maybe the manager even manages to do so at some point! (Probably not, though)

When Employees Separate

Employee separations can cause significant information management issues, particularly if the separation was not on good terms. Consider this: Do you know the statutes of limitations for common workplace issues such as discrimination, harassment, or hostile work environment? What is the likely outcome of litigation if it turns out that the former employee's laptop was wiped and reissued while litigation is underway or should have been reasonably anticipated?

And what about all the other information stores? These include but would by no means be limited to:

  • Folders on network file shares, including personal folders
  • SharePoint sites and collections
  • Email archives and .PST files
  • OneDrive for Business sites
  • Box, Dropbox, and all the other file sync & share tools
  • Slack, Teams, Yammer, Google Suite, and the plethora of other web-based collaboration tools available
  • Flash drives
  • User-owned devices and locations, if the organization allows or ignores Bring Your Own Device/Bring Your Own Apps
  • Social media accounts used on behalf of the organization

I once had an organization tell me that one of their senior staff had brought his .PST file, containing all of his email, contacts, etc. from his previous organization when he was hired. The employee likely assumes that he will be able to take his email with him when he leaves and goes to a new organization. In what world is this OK? 

Theft of organizational information assets by separating employees is also a major issue. Research has shown that the majority of separating employees take, or keep, at least some information with them when they leave. Whether inadvertently or intentional, this is a significant issue because of concerns about confidentiality, intellectual property, privacy, and others. And this is even more of an issue for employees working from home. While an attestation isn't bulletproof, it at least raises awareness on behalf of the employer and separating employee alike of the need to return the organization's information and destroy any copies that remain under the employee's control.  

The Information Management Checklist for Separating Employees

Organizations need to ensure that their employee separation plans address information management issues, and take appropriate measures with regards to any business information that is or was in the custody of separated employees. If the separation is on good terms, much of this can and should happen prior to separation; if not, it needs to be done as soon as is practicable. 

This checklist should include, at a minimum:

  • Communication to the employee about the need to deal with the organization's information assets under the employee's control.
  • Revocation of access to all systems: on-premises, cloud-based, everything. This is basic information security 101, yet too many organizations remain cavalier about this. This is also so much easier when using role-based access controls - not only can you cut off the separating employee's access, you can also assign someone else to that role so the transition is smoother. 
  • Return of any physical security credentials such as badges or fobs. 
  • Return of all company-issued hardware. Relevant hardware should *not* be reset or reissued but should instead be retained as-is for a period of time in case of legal issues.
  • Return/removal/destruction of all company-owned information outside the custody of the organization. Hardware and information should be retained until it is determined that there is no liability; this determination should be made through consensus among, at a minimum, the business unit, HR, legal, IT, and records management.
  • Removal/deactivation of all company-issued software. This needs to be discussed with the separating employee if possible, because some applications store data on the local computer and may not be transferrable or recoverable after the fact. 
  • Transfer of ownership of any organizational social media accounts including logon credentials.
  • Attestation by the separated employee that all company property, including hardware, software, and information, have been returned or destroyed.
  • Identification and review of all applications and information stores used by the separated employee.
  • Assessment of applications and information stores to determine potential liabilities. Where possible, information stores should be set to read-only to avoid potential issues with destruction, whether inadvertent or intentional.
  • Communication that the employee has separated. Some organizations will include a forwarding email address; care should be taken to ensure that doing so does not potentially allow the former employee to continue to receive communications intended for the organization. My recommendation is to communicate that the person has separated and where to direct any inquiries. 
  • Assessment of data stores to determine whether any are part of an existing legal hold or other legal or regulatory action.

The steward assigned to the separated employee's information stores may review their contents with an eye towards fulfilling any outstanding obligations and ensuring necessary transfers of responsibilities, but care should be taken to ensure that information is not altered or deleted.

What else do you have in your employee separation checklist? Ping me at jwilkins13@gmail.com with your suggestions. 

No comments: