Aug 06 2020

How Agencies Can Secure Data from Shared Documents After Users Leave

The most common collaboration tools include periods during which admins can capture and reassign important information.

A decade ago, agencies struggled to build collaborative workplaces because the technology to facilitate teamwork simply didn’t exist. The advent of modern office productivity suites changed that picture entirely.

With tools such as Google G SuiteMicrosoft OneDrive and Box, agency teams could quickly and easily work together on a shared document without the version control problems that occurred with file servers and email threads back in the day.

Eventually, however, these tools presented a new problem: Specifically, what happens when a user leaves the agency? In the days of shared servers, for instance, files remained on the server even after the employee who created them departed.

Agency IT staff must understand how collaboration services behave following the deletion of an employee’s account, and plan now to preserve important data if an employee departs. It’s better to understand the consequences of a deletion in advance than be surprised when critical data disappears later.

Here’s how three of the most common collaboration tools handle data associated with deleted accounts.

Understand How Collaboration Tools Normally Operate

Google’s G Suite automatically removes data belonging to a user when the account is deleted. That data will no longer be available to collaborators, but won’t immediately be deleted from Google’s servers; administrators have 20 days to restore a deleted user and recover their data using the Google Admin Console. After 20 days, the data is no longer recoverable.

Microsoft OneDrive acts similarly, but with a 30-day grace period for admins to restore a deleted user’s account and recover their data.

Box builds in an extra safeguard to prevent the accidental deletion of important files. When Box admins delete a user, they are offered the option to either permanently delete all of the user’s content or transfer that content to another active user.

With those default behaviors in mind, administrators can work with HR teams to develop an orderly process for the transfer of data upon user deprovisioning. Agencies should develop a consistent process for handling the accounts of former employees.

READ MORE: Find out what document management systems are andhow they can help your agency. 

Develop a Process for Employee Deprovisioning

Most collaboration services offer the opportunity to mark an account as inactive or disabled. That allows admins to achieve the immediate security objective of cutting off a former employee’s access without deleting their data. It’s a good idea to disable accounts as an intermediate step before deletion.

Admins should also carefully think through who is allowed to access data created by a former employee. It might seem logical to simply transfer all of a former employee’s data to that person’s supervisor, but this could raise significant privacy concerns.

20-30 days

The amount of time admins generally have to recover a former employee’s data before deletion

Source: Microsoft, "Get access to and back up a former user's data;" Google, "Restore a G Suite user’s Gmail and Drive data"

If users intentionally or inadvertently stored personal information in their corporate account, transferring their data would give the manager access to that information.

This isn’t an insurmountable issue, but it’s not a decision that should be made by IT staff alone. Consult with the agency’s legal and privacy advisers and craft a policy to deal with this issue. The policy should clearly state the circumstances under which agency officials may access data in the account of a former employee and the approval process for such access.

MORE FROM FEDTECH: Discover how disaster recovery tools keep agencies running. 

Agencies Should Use Shared Drives for Collaboration

Ownership of data in a collaborative tool is tricky. If one employee creates a blank document and then shares it with other members of their department who edit it collaboratively, who truly “owns” that document?

It doesn’t make sense for a document that belongs to an entire team to reside within a single user’s account simply because that person created the initial blank document.

Some of the major collaboration services recognize this issue and have developed features to better accommodate teamwork. Google Shared Drives and Office 365 Groups allow administrators to create file shares that belong to an entire team and are not tied to the account of one user.

Box doesn’t offer a similar function, but many Box administrators work around this limitation by creating an account that owns shared folders for the organization, and then designating individual employees as co-owners of those shared folders. This way, the Box folders are tied to the organizational account and are never deleted, even if a co-owner leaves the organization.

Technology teams should develop a consistent strategy for their agency on the creation, tracking and use of shared drives and communicate it to all relevant stakeholders. This makes it simpler for employees to remember the proper locations to store agency data and facilitates orderly digital transitions when employees leave the agency or change roles.

Creating standardized, written procedures will keep a team on the same page and prevent the unwanted and unexpected loss of important data.

ngkaki/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT