UM Former Employee Data Access & Transfer Standard

   
Issued Under Authority of UM Information Security Policy
Responsible Office UM Information Security Office
Category Data Protection and Lifecycle

IN PLAIN LANGUAGE

When an employee leaves the University, their system access must be disabled on or before their last day. If a department needs to retrieve business-critical data from a former employee's account afterward, that access must go through a formal approval process — it cannot simply be granted on request. Supervisors must submit a documented request through the University's ticketing system, which is then reviewed by HR, Legal, and the Information Security Office depending on the sensitivity of the data involved. Any access granted must be limited in scope, time-bound, and logged. Departments are encouraged to plan ahead and coordinate data handoffs before an employee's last day whenever possible.

1. Purpose

The purpose of this Standard is to establish requirements for the secure, compliant transfer, retention, and access management of digital University Data associated with employees who separate from the University of Montana.

This Standard ensures continuity of business operations while protecting Restricted and Confidential University Data, safeguarding personal information, and maintaining compliance with applicable legal, regulatory, and institutional requirements.

This Standard aligns with the University's approved procedure for accessing former employee data.

2. Scope

This Standard applies to:

  • All employee separations, including resignation, termination, retirement, and end of contract
  • Digital University Data stored in University-managed systems (including cloud-based services and local devices)
  • Requests for access to former employee data by University personnel

This Standard applies across all University of Montana System campuses and to digital University Data only. Non-digital records are governed by records management, privacy, and other applicable University policies.

3. Core Requirements

3.1 Access Termination

  • System access for departing employees must be disabled on or before the last day of employment
  • Multi-factor authentication tokens and privileged access must be revoked
  • Any temporary extension of access must follow documented approval through established institutional processes

3.2 Data Transfer Planning

Departments are responsible for ensuring continuity of business operations by:

  • Identifying business-critical digital University Data
  • Designating successor ownership for ongoing processes
  • Coordinating data transition prior to separation when feasible

Departing employees are expected to cooperate in knowledge transfer consistent with University policy.

3.3 Legacy Access Request Submission

All requests for access to former employee data must:

  • Be submitted through the University's approved institutional ticketing system
  • Include documented business justification
  • Identify specific systems and data scope requested
  • Specify the requested duration of access

Requests that do not include required documentation will not be processed.

3.4 Approval Routing

Legacy access requests must follow this approval sequence:

  1. Supervisor or Business Owner approval
  2. Human Resource Services (HRS) review
  3. Legal Counsel review when legal, regulatory, litigation, or privacy considerations apply
  4. Information Security Office (ISO) review when Restricted (Moderate Risk) or Confidential (High Risk) Data is involved

Information Technology executes access only after documented approvals are completed. ISO review supplements, but does not replace, HRS or Legal review.

3.5 Privacy Review Prior to Access or Transfer

Prior to granting access to or transferring digital University Data associated with a former employee account, privacy considerations must be evaluated as part of the approval process.

Where appropriate, HRS, Legal Counsel, or ISO may conduct or coordinate a review to:

  • Identify clearly personal, non-University, or legally protected information
  • Limit disclosure to business-relevant data
  • Ensure compliance with applicable privacy, employment, and legal requirements

Access must be limited to the minimum necessary data required to fulfill the documented business purpose.

3.6 Controlled Access Execution

When access is approved:

  • Access must be limited in scope
  • Access must be time-bound with a defined and documented expiration date
  • Access must be automatically revoked unless formally renewed
  • All access actions must be logged
  • Full mailbox or account delegation should be avoided unless explicitly justified and approved

3.7 Retention and Disposal

Former employee data must:

  • Be retained in accordance with applicable records retention schedules
  • Be securely disposed of when no longer required
  • Comply with the IT Data Disposal & Media Sanitization Standard

4. Roles and Responsibilities

4.1 Human Resource Services (HRS)

  • Coordinate employee separation notifications
  • Review and approve legacy access requests
  • Confirm alignment with University policy
  • Participate in privacy review where appropriate

4.2 Department Supervisors and Business Owners

  • Initiate data transfer planning
  • Submit legacy access requests
  • Provide documented business justification
  • Confirm minimum necessary scope

4.3 Legal Counsel

  • Review requests involving litigation, regulatory, employment, or privacy concerns
  • Provide guidance on privilege, retention, and disclosure risks
  • Approve or deny requests within the documented workflow

4.4 Information Security Office (ISO)

  • Review requests involving Restricted (Moderate Risk) or Confidential (High Risk) Data
  • Provide risk guidance and ensure compliance with security standards
  • Support privacy-aware handling of protected data

4.5 Information Technology

  • Disable access upon separation
  • Execute approved data transfers and access modifications
  • Enforce time-bound access controls
  • Maintain logs of access grants and revocations

IT does not determine business justification or legal compliance; IT executes approved requests.

5. Exceptions

Exceptions to this Standard must follow the established Information Security exception process and include:

  • Documented justification
  • Identification of a named risk owner
  • CISO or designee approval
  • Defined duration and periodic review

6. Enforcement

Unauthorized access to former employee data, failure to follow the documented approval process, or failure to apply required privacy considerations may result in corrective action consistent with University policy.

7. Review and Maintenance

This Standard must be reviewed at least annually and updated as necessary to reflect changes in legal requirements, operational needs, or institutional risk posture.

Print Article