Access to data belonging to terminated employees

Started by MadImmortalMan, April 15, 2010, 02:55:40 PM

Previous topic - Next topic

Does your workplace have strict rules about it?

Yes--There are a lot of controls in place and the practice is rare.
4 (33.3%)
No--Employee information belongs to the company and we do what we want with it.
6 (50%)
Workplace? Huh?
2 (16.7%)

Total Members Voted: 12

MadImmortalMan

In my job, I regularly encounter requests from users to get access to information belonging to other users. Usually email accounts or documents, and usually for terminated employees. The situation is usually something like: Manager loses or fires employee X, employee X has some info Manager wants or needs in his email or on a file share, Manager asks MIM for access to employee X's email or file share (through the chain of command up to me), MIM tells him no.

The reasons this is a very rare request for me to grant are thus:

1: Once Manager has access to X's data, he can manipulate it. Sometimes, particularly when X's termination was eventful or contested, this means Manager may have an interest in altering the data to protect himself or make X look bad. He could alter records or even send incriminating emails with X's account making it look like X sent them. In the rare event that I do allow such access, I always take a backup of it in the state it was in when access was provided and let the person know that I'm doing that.

2: Legal. Data can be placed in a state called "legal hold" when there is litigation surrounding events or other claims happening related to the individual. When this happens, there is a strict set of rules to follow such as exempting the data from the standard data retention policies and measures intended to prevent tampering. That includes not letting people fuck with it.

3: In some cases, such data may be subject to some other government entity approval because we do a lot of business with the feds. You would be surprised how far up the food chain in Washington a request to read a fired employee's email has to go. This is the easiest one. I simply explain to Manager that I can give him access to X's email as long as he gets written approval from Super-High-Up-Official-Bob. Manager usually decides it's not that important after all.


Now--on the other hand--it is standard practice in the workplace to operate under the assumption that you have no expectation of privacy when using company stuff. I know of no company that does not have a similar statement somewhere in their end-user agreement, new hire packets, etc. Some places are very fast and loose with the data they have stewardship over for this reason. It's the company's data and the people in the company can do whatever they want with it whenever they want. Even if only to get next month's employee newsletter that the fired dude was writing before he was canned.



"Stability is destabilizing." --Hyman Minsky

"Complacency can be a self-denying prophecy."
"We have nothing to fear but lack of fear itself." --Larry Summers

ulmont

We do both.

It's common for things to be thrown into a legal hold, but it's also very common for an email mailbox from a departed employee to just be copied into their successor's area.

The Brain

Women want me. Men want to be with me.

Warspite

How can you send an incriminating email after the fact? :brow: No timestamps from the exchange server?
" SIR – I must commend you on some of your recent obituaries. I was delighted to read of the deaths of Foday Sankoh (August 9th), and Uday and Qusay Hussein (July 26th). Do you take requests? "

OVO JE SRBIJA
BUDALO, OVO JE POSTA

MadImmortalMan

Quote from: Warspite on April 15, 2010, 03:48:32 PM
How can you send an incriminating email after the fact? :brow: No timestamps from the exchange server?

People will try. It would be ham-fisted and easily incriminating for them, but people are stupid.

Brain: Both. The term is used to describe any employee separation from the company, amicable or no.
"Stability is destabilizing." --Hyman Minsky

"Complacency can be a self-denying prophecy."
"We have nothing to fear but lack of fear itself." --Larry Summers

Agelastus

If it was a company e-mail account, the information contained was the company's.

Although I may be a somewhat biased source, since I both worked for a very small company and had permission to access the Managing Director's e-mail account whenever I liked (all the directors e-mails in fact.) Theoretically the reverse was true, except for the complete inability of any of the directors to remember any passwords except their own.  :)
"Come grow old with me
The Best is yet to be
The last of life for which the first was made."

viper37

#6
Quote from: MadImmortalMan on April 15, 2010, 02:55:40 PM
In my job, I regularly encounter requests from users to get access to information belonging to other users. Usually email accounts or documents, and usually for terminated employees. The situation is usually something like: Manager loses or fires employee X, employee X has some info Manager wants or needs in his email or on a file share, Manager asks MIM for access to employee X's email or file share (through the chain of command up to me), MIM tells him no.

The reasons this is a very rare request for me to grant are thus:

1: Once Manager has access to X's data, he can manipulate it. Sometimes, particularly when X's termination was eventful or contested, this means Manager may have an interest in altering the data to protect himself or make X look bad. He could alter records or even send incriminating emails with X's account making it look like X sent them. In the rare event that I do allow such access, I always take a backup of it in the state it was in when access was provided and let the person know that I'm doing that.

2: Legal. Data can be placed in a state called "legal hold" when there is litigation surrounding events or other claims happening related to the individual. When this happens, there is a strict set of rules to follow such as exempting the data from the standard data retention policies and measures intended to prevent tampering. That includes not letting people fuck with it.

3: In some cases, such data may be subject to some other government entity approval because we do a lot of business with the feds. You would be surprised how far up the food chain in Washington a request to read a fired employee's email has to go. This is the easiest one. I simply explain to Manager that I can give him access to X's email as long as he gets written approval from Super-High-Up-Official-Bob. Manager usually decides it's not that important after all.


Now--on the other hand--it is standard practice in the workplace to operate under the assumption that you have no expectation of privacy when using company stuff. I know of no company that does not have a similar statement somewhere in their end-user agreement, new hire packets, etc. Some places are very fast and loose with the data they have stewardship over for this reason. It's the company's data and the people in the company can do whatever they want with it whenever they want. Even if only to get next month's employee newsletter that the fired dude was writing before he was canned.




It's a small business here, so really no managers beside myself or my father need access to that data.
If it's someone from the outside, only the cell phone on a need to know basis will be given.
I do not answer banks/credit card companies asking for personal info other to confirm/deny that the employee is working here.
I do not answer the governement on anything else than they are authorized by law to know.
I do not answer collection agencies requests.

Only if an employee gives me specific instructions to answer a particular request will I do it.
And due to bad stuff happenning in the past, no more do we answer their wives/girlfriend requests to know were their man is working, unless it's very serious.
I don't do meditation.  I drink alcohol to relax, like normal people.

If Microsoft Excel decided to stop working overnight, the world would practically end.

grumbler

Assuming that all the letters and characters after the "yes" and the "no" are, in fact, random rather than an ill-conceived attempt to make the question impossible to answer by creating extreme positions that don't exist in the real world ( :P), at my school the departed faculty member's email and server files are archived after a copy is sent to the department chair.

If an employee is still at the school, the headmaster must approve any outside access to any files belonging to that employee.
The future is all around us, waiting, in moments of transition, to be born in moments of revelation. No one knows the shape of that future or where it will take us. We know only that it is always born in pain.   -G'Kar

Bayraktar!

garbon

Quote from: MadImmortalMan on April 15, 2010, 03:50:44 PM
Brain: Both. The term is used to describe any employee separation from the company, amicable or no.

Really? Your work has a policy on employees who were killed by a terminator? :o
"I've never been quite sure what the point of a eunuch is, if truth be told. It seems to me they're only men with the useful bits cut off."
I drank because I wanted to drown my sorrows, but now the damned things have learned to swim.

Monoriu

Government employees are transferred around all the time, frequently to another department.  In that sense, almost every day, someone is "terminated".  Their successors need to have access to their email to do whatever they should be doing if they are not transferred.  Yes, we have access to all their emails.  I use the government's email knowing that someone can read them when I am gone.  But then again I can delete them before I leave  :whistle:

BuddhaRhubarb

if someone fired me and wanted to get info they "need" from me, they should have thought of that before firing me.
:p

crazy canuck

MiM,

My usual practice when advising people in your position is to have the manager give you an explanation of what it is he needs and then have you send send a copy of that information to him.

If litigation is anticipated then I send in a third party IT team to make a copy of the media to preserve the evidence.  After that is done the company can use their information however they wish.

In my opinion, it is not good policy to allow the termination of an employee to disrupt the operation of the business by withholding information that is required.