Requesting Access to Offboarded Accounts

Introduction
Applicability
The Approval Process
Procedures for Submitting a Request
Special Considerations
Key Terms
Terms of the Request

Introduction

This article outlines the process for requesting access to accounts used by a former employee at the University of Alberta. This includes access to email, G Suite (Gmail and Drive), computer files, network shares, and any other data repositories. It also includes requests by the former employee to access their old account.

Due to Alberta's privacy legislation, a rigorous approval process is required to ensure compliance, as these accounts may contain an individual's personal information. Please be aware that this process can take several weeks. To avoid this, departments should arrange for former employees to clean up personal information and transfer all work-related documents and ownership to the appropriate shared drives or accounts before their departure.

For requests to the accounts of employees on leave, please see the Requesting Access to Accounts of Employees on Leave KBA

Applicability

This process is applicable to Authorized Approvers at the University of Alberta whose departments need to access a former employee's accounts. Requests must be submitted by the Authorized Approver of the former employee. Any misuse of this procedure is strictly prohibited and may result in disciplinary action under the University's Information Technology Use and Management Policy.

The Approval Process

To access a former employee's CCID, you must use the "Request Access To Offboarded Account" workflow in the IAM system. This workflow is only available to departmental Authorized Approvers (AAs). If you send a request directly to IST, they will redirect you to your department's AA.

The Office of the Chief Information Security Officer (CISO) reviews, approves, and facilitates all access requests. If you have questions about a specific request, contact ciso@ualberta.ca. For all other questions about this process, please reach out to the Service Desk via the Fresh Service portal.

Conditions for Approval

Access will only be granted if the following conditions are met:

Approval from a Dean, Director, or Chair (or Assistant Dean, Director, or Chair), or a Faculty General Manager from the department where the employee worked. If a Dean, Director, or Chair (or FGM) is the one making the request, a one-over approval is required.
Approval from the Office of the Chief Information Security Officer.
The request must be specific.
- Example of an approvable request: "The former employee was working on Project X, and we need emails sent about Project X."
- Example of a request likely to be rejected: "The employee has left the University, and we want to see if there might be something we need."

Other Important Considerations

Access Duration: Access to the CCID or personal drive files is granted for a predetermined period and will not be granted in perpetuity.

Email Forwarding: IST will not forward a former employee's email to another account. You can, however, contact IST to set up an "Out of Office" message if one was not set at the time of offboarding.

Requests from Former Employees: Requests from former employees for access to their own files must also follow this same process. The department must assess the risk of allowing the former account holder temporary access to University-owned information. If the information is extremely sensitive, the request may not be approved.

File Transfer: To transfer files to a former user, Google Takeout is the preferred method. To avoid commingling University data with personal data, IST will not copy entire inboxes. Note that IST and CISO do not provide support for accessing the file types created by Google Takeout.

Large File Transfers: If a substantial amount of files needs to be retrieved, the former account owner must provide a USB drive with sufficient space at their own expense.

Procedures for Submitting a Request

Requests to access an offboarded CCID are submitted within the IAM system under CCID Management > Request Access to Offboarded Account. If an Authorized Approver does not have access to the IAM system, they should contact IST to request training and access.

Special Considerations

Please email ciso@ualberta.ca for guidance with any requests with special considerations.

Sensitive Requests

In particularly sensitive situations, such as a non-amicable offboarding, disruption, or abrupt resignation, it is highly recommended that the person accessing the account does so under the supervision of a representative from HRS or a union individual. This individual is there to provide corroboration that no personal documents were improperly accessed.

Students

Active and recent students whose employee roles end should be offboarded. When offboarding occurs, requests for access to their old accounts can follow the standard process.

In the rare cases where an active student has been approved to keep their existing CCID after their employment ends, access to these accounts will not be granted. If a business unit believes they have just cause to access a student's account, they must first offboard the account.

It is highly recommended that departments create an agreement with student employees regarding business communication and documents before their employment begins to avoid future issues.

Deceased Members of the University Community

If a member of the university community (including students and guests) has passed away and the department or family requires access to their CCID account, we must first offboard the CCID before we can proceed with the request. If this has not been completed, please have an Authorized Approver create a ticket with IST using the CCID Offboarding form. Be sure to indicate in the ticket that the CCID holder has passed away, as these types of offboardings are handled differently by IST. Also please note that updating Peoplesoft to reflect the individual’s status does not automatically change the status of the CCID.

Once the CCID is offboarded, the AA can start the process in the IAM tool. If the request is for the family of the individual, please ensure that you provide contact information for them in the “Reason for Access” text box so CISO is able to connect with them.

Key Terms

CCID Offboarding: IST creates a new CCID for the user to access Bear Tracks for T4 tax information and pay stubs. The original CCID is suspended, and the department can only access it through the official information access request process. The original CCID and all associated data will be deleted one year after it is offboarded.

Terms of the Request: When you submit a request, you agree to these terms:

Limit Access to Business Records: Access and disclosure must be limited to University business and records only. Sensitive communications, such as those between the former employee and a union representative, are off-limits.

Create a Search List: It is prudent to have a concise list of the items you need to search for. This documentation can be helpful if challenges arise later

Temporary Access: Account access should be limited to the time needed to retrieve the required information. An auto-reply can be set up to redirect business inquiries. The account should then be suspended and will eventually be terminated.

Terms

The terms of the agreement are also listed below for your reference:

TERMS OF THE REQUEST - For Business Unit Access to Individual Contributor CCIDs.

Your unit's need to ensure and maintain continuity following departures is reasonable from a business and operations perspective. That said, please be extremely prudent, cautious, and careful when gaining control of and accessing information from your former employee's UAlberta accounts.

We have and are currently facing grievances, complaints, and other challenges where former/out-going employees suggest the University overstepped its bounds and inappropriately conducted unauthorized disclosures and access to personal and other non-University information and records.

Please ensure your unit's accesses and disclosures are limited to only University business and records. In addition, other sensitive communications, such as those between a former employee and their AASUA/NASA or other representative, are off-limits. All other personal information and records are also off-limits. If the repository is heavily commingled with business and personal records, discussion with the IPRM Office or CISO may be needed.

Preferably and where possible, have a concise list of those items your unit needs and will search for. Retain this list with other associated search details. Such documentation provides an indication of the transactions conducted and the information sought. This documentation is useful should subsequent challenges or issues arise. Again, we recognize in cases of business continuity (especially with sudden disruptions), the practice of developing a list for all and every information item sought may not be practical, but some process around what is accessed and why is prudent.

Finally, it is preferable if such control of a former employee's UAlberta accounts are limited to the time needed to obtain the information and records required for continuity and then have the accounts suspended again. An auto-reply can be put in place before suspension to redirect business inquiries (if the CCID is not to be fully disabled). The account should then remain dormant. Access can also be provisioned to your unit again if at a later date a business need arises where information and records potentially in the repository/account may be of use. At that time such a request with appropriate oversight and approval can be provisioned. Otherwise, the dormant CCID will eventually be terminated along with the information and records therein.

The Information Privacy and Records Management Office (IPRMO) is aware of these types of requests, as we work together on matters concerning the University's information management, privacy, and security requirements and oversight.