Requesting Access to Offboarded Accounts
Modified on: Thu, 14 Nov 2024 7:59 AM
Introduction
This article details the approval process for all requests to access the email, G Suite (Email and Drive), computer, network file shares, or other repository used by another individual during their employment at the University of Alberta. As a UAlberta account has the potential to contain personal information about the person it was assigned to, we must follow a rigorous process to comply with Alberta privacy legislation. Please note this process can sometimes take several weeks. For normal offboarding scenarios, please make arrangements prior to someone’s departure to have them clean up personal information from the account and pass work and ownership of documents over to the appropriate account or shared drive.
Applicability
This article is applicable to Authorized Approvers at the University of Alberta when their department requires access to a former employee's accounts. Requests must be submitted by the Authorized Approver of the former employee. Abuse of this process will not be tolerated and may result in disciplinary action as governed by the University’s Information Technology Use and Management Policy.
Procedure
In order to access the CCID of a previous employee, you must request access using the “Request Access To Offboarded Account” workflow in IAM. This workflow is available only to department Authorized Approvers (AA). Any requests received by IST to access the account of a previous employee will be referred to the AA(s) for their department.
Access requests are reviewed, approved, and facilitated by the Office of the Chief Information Security Officer (CISO). If the AA has any questions regarding the state of a specific access request, they can reach out to ciso@ualberta.ca. For all other questions relating to this process, please contact the Service Desk using the Fresh Service portal.
Access requests will only be granted if they meet the following conditions:
- Approval from a Dean, Director, or Chair (or Assistant Dean, Director, or Chair) in the department in which the employee worked. If a Dean, Director, or Chair is the one requesting access, we require one-over approval.
- Approval from the Office of the Chief Information Security Officer.
- Requests must be specific.
  - Example of a request that is likely to be approved: “The former employee was working on Project X, and we require emails sent about Project X.”
  - Example of a request that is likely to be rejected: “The employee has left the University and we want to see if there might be something we need.”
- If the subject CCID in the access request has not yet been offboarded, IST will need to first offboard the CCID (see definition below) to ensure the outgoing employee no longer has access to the account.
- In cases where the department has reason to think that a person may abuse a UAlberta email address or CCID, the outgoing employee will not be issued a new CCID. In these cases, it is the responsibility of the department to notify IST of the potential for abuse and arrange issuing physical tax forms/statements to the outgoing employee with HRS. IST will not print or email out T4 statements for former employees.
- There will be a predetermined period of access granted to the CCID/personal drive files. We do not grant access to an account in perpetuity.
- IST will not add forwarding of a former employee’s email to another account. If an “Out of Office” message is required on the account, please contact IST.
- Requests by the former employee for access to their files must also be submitted following this process.
- The former department must assess the risk of the University-owned information in the account if the former account holder were to have access temporarily.
- While we do our best to fulfill these requests, if the University-owned information in the account is extremely sensitive in nature, they may not be approved.
- Generally the sessions to transfer files to former users will be completed through Google Takeout. We will not copy entire inboxes due to the risk of having university data commingled with personal data.
- IST and CISO do not provide support for accessing the file types created when using Google Takeout.
- If there is a substantial amount of files to be retrieved, the former owner of the account will be required to provide a USB drive with sufficient space for the files, at their expense.
CCID offboarding: IST creates a new CCID for the user to access Bear Tracks for T4 Tax information and pay stubs. The original CCID will be suspended. The department will not be able to access the CCID outside of the information access request process. The original CCID and all associated data will be deleted 1 YEAR after it is offboarded. Please note that the new CCID WILL have access to a UAlberta email address, but the inbox (and Google Documents) will be completely empty.
Special considerations:
- Access to accounts for employees on leave requires extra diligence due to the possibility of encountering sensitive personal/medical information related to the leave in the account.
- The employee’s department must provide documentation that they have tried to contact the employee on leave to request the files three times before making the access request to IST.
- In particularly sensitive requests (such as non-amicable offboarding, or the above case of an employee on leave), we strongly recommend that the person who will be accessing the account does so under supervision of another individual. This individual is not to go through the documents, but is there to provide corroboration that no personal documents were improperly accessed. Recommended individuals include HRS or union representatives.
- In normal circumstances, access to the accounts of current and recent students will not be granted. Should a business unit believe that they have just cause to access the account, an application must be made directly to the Chief Information Security Officer for review and exception status being granted. As the primary mission of the University of Alberta is to provide excellence in student learning, we cannot cause undue disruption to the student’s experience. It is highly advised that an agreement between the department and the employee regarding business communication and documents be made in advance before hiring a student or before an employee begins their studies.
How to submit a Request to Access an Offboarded Account
Requests to access an Offboarded CCID are submitted in the IAM under CCID Management > Request Access to Offboarded Account. If an Authorized Approver does not have access to the IAM system, please contact IST to request training and access.
Terms
The terms of the agreement are also listed below for your reference:
TERMS OF THE REQUEST
This form allows IST Security to collect concise information to provide to the proper authorizing parties. Your CCID will be automatically collected upon submission.
Your unit's need to ensure and maintain continuity following departures is reasonable from a business and operations perspective. That said, please be extremely prudent, cautious, and careful when gaining control of and accessing information from your former employee's UAlberta accounts.
We have and are currently facing grievances, complaints, and other challenges where former/out-going employees suggest the University overstepped its bounds and inappropriately conducted unauthorized disclosures and access to personal and other non-University information and records.
Please ensure your unit's accesses and disclosures are limited to only University business and records. In addition, other sensitive communications, such as those between a former employee and their AASUA/NASA or other representative, are off-limits. All other personal information and records are also off-limits. If the repository is heavily commingled with business and personal records, then sign-out and call the Chief Information Security Officer at 780-492-8607. If in doubt, sign-out and call 780-492-8607.
Preferably and where possible, have a concise list of those items your unit needs and will search for. Retain this list with other associated search details. Such documentation provides an indication of the transactions conducted and the information sought. This documentation is useful should subsequent challenges or issues arise. Again, we recognize in cases of business continuity (especially with sudden disruptions), the practice of developing a list for all and every information item sought may not be practical, but some process around what is accessed and why is prudent.
Finally, it is preferable if such control of a former employee's UAlberta accounts is limited to the time needed to obtain the information and records required for continuity and then have the accounts suspended again. An auto-reply can be put in place before suspension to redirect business inquiries (if the CCID is not to be fully disabled). The account should then remain dormant. Access can also be provisioned to your unit again if at a later date a business need arises where information and records potentially in the repository/account may be of use. At that time such a request with appropriate oversight and approval can be provisioned. Otherwise, the dormant CCID will eventually be terminated along with the information and records therein.
The Information and Privacy Office (IPO) is aware of these types of requests, as we work together on matters concerning the University's information management, privacy, and security requirements and oversight.