When employees leave (or are asked to leave) or retire from businesses and organisations, those entities still have a legal responsibility to ensure that security levels are maintained with regards to data security.
Laws For Data
The General Data Protection Regulation (GDPR) and the Data Protection Act 1998 are the main legislative frameworks covering how a businesses or organisation in the UK should manage the protection and handling of data. Within these, the data controller (i.e. you and your company/organisation) hold the responsibility for data matters.
Protecting that data is vitally important both to protect those who the company holds data about, and to protect the company itself from legal penalties, damage to reputation and more. As well as personal data, your business needs to ensure that other sensitive data such as financial records, intellectual property and details about company security controls are all protected.
In addition to legal responsibilities for data protection, businesses must also address other potential threats as part of due diligence and hopefully, of a built-in company procedure when an employee leaves for whatever reason. For example:
– Damage and Disruption – In addition to the risk of data theft, attacks on a company’s systems and network, which may have been facilitated by not having security measures or procedures in place for employees leaving/retiring, can cause costly and disruptive damage and disruption.
– Insider Threat – One of the dangers of not managing the departure of an employee properly is that your business could then have an ‘insider threat’ i.e. a former employee, contractor or partner with access rights and logins that still work.
Security and Employee Exit
Clearly, there are many areas to be covered to manage employee exit from a security perspective. Here are some pointers for managing the security aspects of an employee’s departure:
– Email is a window into company communications and operations and a place where sensitive data is exchanged and stored. It is also a common ‘way in’ for cyber-criminals. With this in mind, managing the email aspects of security when an employee leaves/retires is vitally important. Measures that can be taken include revoking access to company email, setting up auto-forwarding and out-of-office replies, while making sure that you mention who the new contact is. Also, it’s important to revoke access to/remove login credentials for other email programs used by the company to communicate with customers and other lists of stakeholders e.g. mass mailing programs with stored lists, such as Mailchimp.
– Company Systems and Networks. Employees have login details and rights/permissions for company computer systems and networks. These should be revoked for the employee when they leave.
– CRMs provide access to all manner of data about the company, its customers, its other stakeholders, sales, communications and more. Login access should be revoked when an employee leaves.
– Collaborative Working Apps/Platforms and shared, cloud-based, remote working platforms e.g. Teams or Slack also contain direct access to company data. Make sure that a departing employee can no longer have access to these groups.
– If the departing employee has a personal voicemail message on the company phone, this will need to be changed.
– A leaving employee will need to return all company devices, and this implies that a company should have procedures in place to keep a record of which company devices have been allocated to each employee.
– Retrieval of any backup/storage media e.g. USBs may also help to prevent some security threats.
– Although it is best to store all online documents in a shared company folder that you have control over e.g. in OneDrive, it is possible that an employee has stored items in separate folders on their computer. Making sure that these are transferred to you or deleted when the employee leaves can help to maintain levels of security.
– Having a policy in place for the regular changing of passwords can work well anyway as a fail-safe but also, changing any passwords shared with multiple members of staff is an important measure to take when an employee leaves.
– If the departing employee was authorised to use company credit/debit cards, changing the PINs for those cards is another step that needs to be taken to maintain security with the company/organisation’s finances.
– Letting the company team/person responsible for IT security know that a person has left, particularly if the person left ‘under a cloud’, is another way that you can help to close security loopholes.
– Making sure that all company-related keys, pass cards, ID cards, parking passes, and any other similar items are retrieved is something that should be done before the ex-employee leaves the premises for the last time.
– If the employee has been issued with physical documents (e.g. a handbook) that contains information and data that could threaten company security, these need to be retrieved when the employee leaves.
– If the departing employee’s email address and extension feature on the website and/or is that employee is featured as being in the role that they are departing from, this needs to be removed from the website. Also, check that company social media doesn’t indicate that the departed employee is still in their role e.g. on LinkedIn and Facebook. You may also wish to make sure that the ex-employee doesn’t feature in the business online estate e.g. at the top of the website home page or other prominent pages.
Responsibility of the Employee
It should not be forgotten that employees who leave or retire from their jobs also have a legal responsibility as regards not taking company data with them. A case in point, from 2019, led to the Information Commissioner’s Office (ICO) to warn those retiring or taking a new job that under the Data Protection Act 2018, employees can face regulatory action if they are found to have retained information collected as part of their previous employment. The case which led to the warning from the ICO related to two (former) police officers who were investigated under previous Data Protection Act 1998 legislation after it was alleged that they had retained personal data in the form of notebooks that they had used while serving.
The warning in the ICO’s statement was that the Data Protection Act 1998 has since been strengthened through the Data Protection Act 2018, to include a new element of “knowingly or recklessly retaining personal data” without the consent of the data controller (see section 170 of the DPA 2018).
The only exceptions to this new part of the new Act are when it is necessary for the purposes of preventing or detecting crime, is required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or whether it is justified as being in the public interest.
ICO Warning – Retiring or Taking a New Job
The ICO has also warned that anyone who deals with the personal details of others in the course of their work, private or public sector, should take note of this update to the law, especially when employees are retiring or taking on a new job because those leaving or retiring can now be held responsible if the breach of personal data from their previous employer can be traced to their individual actions.
Examples of where the ICO has prosecuted for this type of breach of the law include a charity worker who, without the knowledge of the data controller (Rochdale Connections Trust), sent emails from his work email account (in February 2017) containing sensitive personal information of 183 people. Also, a former Council schools admission department apprentice was found guilty of screen-shotting a spreadsheet that contained information about children and eligibility for free school meals and then sending it to a parent via Snapchat.
Maintaining the company/organisation’s security (physical, data and financial), are vital to its survival. Making sure that procedures are in place to cover security in the event of ‘employee exit’ could save the company from preventable threats in the future.