Feb 25 2021

How Agencies Can Secure Data from Shared Documents After Users Leave

The most common collaboration tools include periods during which admins can capture and reassign important information.

A decade ago, agencies struggled to build collaborative workplaces because the technology to facilitate teamwork simply didn’t exist. The advent of modern office productivity suites changed that picture entirely.

With tools such as Google Workspace, Microsoft OneDrive and Box, agency teams could quickly and easily work together on a shared document without the version control problems that occurred with file servers and email threads back in the day.

Eventually, however, these tools presented a new problem: Specifically, what happens when a user leaves the agency? In the days of shared servers, for instance, files remained on the server even after the departure of the employee who created them. Agency IT staff must understand how collaboration services behave following the deletion of an employee’s account, and plan now to preserve important data if an employee departs.

It’s better to understand the consequences of deleting data in advance than to be surprised when critical information disappears later.

Understand the Deletion Policies of Productivity Platforms 

Google’s G Suite automatically removes data belonging to a user when the account is deleted. That data will no longer be available to collaborators, but won’t immediately be deleted from Google’s servers; administrators have 20 days to restore a deleted user and recover their data using the Google Admin Console. After 20 days, the data is no longer recoverable.

Microsoft OneDrive works similarly, but with a 30-day grace period for admins to restore a deleted user’s account and recover their data.

Box builds in an extra safeguard to prevent the accidental deletion of important files. When Box admins delete a user, they are offered the option to either permanently delete all of the user’s content or transfer that content to another active user.

With those default behaviors in mind, administrators can work with HR teams to develop an orderly process for the transfer of data upon user deprovisioning. Agencies should develop a consistent process for handling the accounts of former employees.

Decide Who Gets the Data When Employees Leave 

Most collaboration services allow accounts to be marked as inactive or disabled. That allows admins to achieve the immediate objective of cutting off a former employee’s access without deleting data. It’s a good idea to disable accounts as an intermediate step before deletion.

20-30 days: The amount of time admins have to recover a former employee’s data before deletion (Source: Microsoft, Google)

Admins should also think through who is allowed to access data created by a former employee. It might seem logical to simply transfer all of a former employee’s data to that person’s supervisor, but this raises privacy concerns.

If users intentionally or inadvertently stored personal information in their corporate account, transferring that data gives a manager access to the information. This isn’t an insurmountable issue, but it’s not a decision that should be made by IT staff alone.

Consult with the agency’s legal and privacy advisers and craft a policy to deal with it. The policy should clearly state the circumstances under which agency officials may access data in the account of a former employee and the approval process for such access.

IT Admins Should Define Who Owns the Documents in Groups

Ownership of data in a collaborative tool is tricky. If one employee creates a blank document and then shares it with other members of their department who edit it, who truly “owns” that document? 

It doesn’t make sense for a document that belongs to an entire team to reside within a single user’s account simply because that person created the initial blank document. Some of the major collaboration services recognize this issue. Google shared drives and Office 365 Groups allow administrators to create file shares that belong to an entire team and are not tied to one user’s account.

Box doesn’t offer a similar function, but many Box administrators work around this by creating an account that owns shared folders for the organization, and then designating individual employees as co-owners of those shared folders. This way, the Box folders are tied to the organizational account and are never deleted, even if a co-owner leaves the organization.

Technology teams should develop a consistent strategy for their agency on the creation, tracking and use of shared drives and communicate it to all relevant stakeholders. This will keep a team on the same page and prevent the unwanted and unexpected loss of important data.