SPU employees are granted account access and permissions based job duties and assignments. Care must be taken when employment ends to protect University data, business operations, and business processes. This document provides an outline of common procedures for employee separation from the University.
There are responsibilities for both the employee and the employee's supervisor during the separation process.
Seattle Pacific University computer accounts and network resources are intended for use by SPU faculty, staff and students in the performance of academic instruction or University business. The "standing" of an individual as a current or former student may include the continuation of some SPU User account resources (such as email) after the individual leaves employment. Care must be taken to insure that "business" and "personal" data are properly identified and separated during the employment separation process.
The following section provides information regarding the processes and responsibilities of employees and their supervisors at the time of employee separation. These procedures specify the steps that will take place in the account/resource termination process, as well as detail when these activities will take place, what the former employee is obligated to do, and where institutional oversight (direct supervisor) is needed.
Table of Contents
Effective Date: August 2, 2018 Last Updated: August 23, 2021
Responsible Office: Computer & Information Systems Responsible Executive: AVP for Information Technology/CIO
Notification on Data Retention
Employees or supervisors may want to contact CIS well in advance of the separation date if they have any questions or need additional guidance beyond what is provided here, to make the separation process clear and smooth.
Any personal employee data (e.g. My Documents, OneDrive, Email, etc.) not shared with their Supervisor or team, will be lost in 30-120 days after employee separation (depending on the system data retention policy). If any data not shared by the employee is needed, Supervisors must request CIS assistance prior to 30 days after an employee separation or the data will likely be permanently lost.
Access to systems using the University credential (SPU Username / Password) is automatically revoked by CIS using the MARS Identity Management system. MARS also automatically removes membership in permission groups and university distribution lists. Automated actions occur on the separation data recorded by Human Resources.
Most automated actions do not apply if an employee is moving to a new position at SPU. In this case, systems access from the previous role will need to be manually removed.
Employees will retain access to their SPU email account for 30 days after their last day of employment. Former students may retain access to their SPU indefinitely (see below). Contact CIS and ask for the account to be locked if there are exceptions to this.
The employee is obligated to disclose to the supervisor all privileged information such as key contacts, email addresses, phone numbers, files and archives etc. relevant to the functions/business responsibilities held on behalf of the University. By the last day of employment, the following tasks must be completed by the employee. It is the supervisor's responsibility to communicate these to the employee and to ensure they are completed.
All employment/business related accounts, systems, and data must be transferred to the supervisor, or other designee.
All person/non-business related accounts, systems, and data must be removed from SPU provided equipment and systems.
All employment/business related accounts, systems, and data that is stored on personally owned systems must be removed and deleted.
Out-of-Office messages and greetings must be put in place (details below).
Unmanaged Systems Accounts
Transfer or remove access to any 3rd party accounts not managed by SPU's Identity Management System. These include applications such as Mail Chimp, Survey Monkey, TargetX, Formstack, and SmugMug. It also includes access to vendor support resources like Slate, Banner, Atlassian, Tableau, etc.
SPU's identity management system automatically revokes access to all systems that use an employee's SPU Username / Password for access.
Prior to the last day of employment, all employment/business related accounts, systems, and data that might be in place or configured on personally owned computers, tablets or phones should be deleted and removed. Identify and document types of accounts, data stores, procedures, and any other information that is relevant and needed for the smooth continuation of business functions or activities after the end of employment. Including but not limited to:
Transfer Documents and Data: copy, transfer, or provide all employment/business related data to your supervisor, to a shared resource (SharePoint, a departmental share (Matthew), etc...), or another employee so designated by the supervisor.
This should include email, My Documents, OneDrive for Business, and any other information stored on university-provided or non-SPU systems, computers, drives, or systems. This might include a snapshot of the departing employee's email account (a .PST file) and a snapshot of the departing employee's My Documents, OneDrive for Business, or any other similar resources.
This includes any data that has been stored in systems or locations outside of those managed by the University
Transfer Ownership of App Resources: self-service resources, particularly those on Microsoft365, must be transferred to other employees within your departments so those resources can continue to be used. This step applies to apps like teams on Microsoft Teams, Microsoft Forms, Microsoft Bookings, and more.
Remove University Data from Personal Devices: remove and delete all employment/business related data, accounts, and systems from all personally owned devices. This includes all personally owned computers, tablets, phones, at home, other cloud services, etc...
Remove Personal Data from University Systems: remove and delete all personal/non-employment related accounts, systems, and data from university provided computers, systems and equipment.
Out of Office Greeting
On about the final day of employment, the employee will set an Out-of-Office greeting on their SPU email account. This greeting is to remain in effect for thirty (30) days following employment separation or three (3) months for an employee that will continue to use their SPU-provided email account after the end of employment.
The email account Out-of-Office greeting shall include the following information:
A clear statement that the employee is no longer an agent of the department or University.
Follow-up contact information for the employee’s supervisor, replacement, or other departmental designee.
Optional (at the discretion of the University): a personal forwarding address for email that is sent to the departing employee for correspondence unrelated to University business.
Automatic email forwarding to a non-SPU email account is prohibited during this notification period.
At the discretion of the University, the departing employee may continue to use their SPU email account during the notification period if their "standing" allows such continued use. The Out-of-Office greeting and forwarding rules will remain in place for at least 3 months to provide notification regarding transition of employment.
For current or former students that will have continued access to SPU provided resources after the end of employment - after the 3 months notification period, complete account control returns to their student status and any Out-of-Office messages can be deleted.
Retaining an SPU Email Account
SPU offers email services to former students, emeriti, and retired staff indefinitely, however this offer is at the University's discretion. Employees who are former students will retain their SPU email account unless the supervisor or HR requests that it be removed. The following rules still apply at separation:
Out-of-Office Message: current or former students that will have continued access to SPU must maintain the out-of-office notification on their account for 3 months after separation. After the 3 months notification period, complete account control returns to their student status and any Out-of-Office messages can be deleted.
Purge Business Data: All employment/business related email and documents must be purged from the account in accordance with applicable Data Laws and Regulations and Campus Data Policy. This should only be done after providing a copy of this data to the supervisor.
Upon separation the employee must return any university owned equipment. This includes University provided phones, PCs, monitors, printers, or other university-owned equipment. A CIS HelpDesk ticket must be promptly created to have all of the former employee's computers prepared for their next employee, even if the computers have yet to be designated to a new purpose.
The supervisor will oversee the employee’s actions as described above – including care to make sure email account data (such as a .PST file) and all documents, worksheets, reports, and presentations that the employee may have are transferred to the supervisor or another designated employee. Additionally, the supervisor will:
Provide the departing employee with specific details as to how/ to whom future University correspondence shall be redirected.
Verify that the employee activates their Out-of-Office greeting prior to departure, and that this is tested and confirmed functional.
Revoke System Access
The employee and supervisor should review all internal and external User accounts, data stores, resources, and systems well in advance of separation and either copy files to the appropriate backup staff members, or make sure critical institutional data is preserved for future business use. Prior to the last day of employment, the supervisor will transition and remove access to all employment/business related accounts, systems, and data.
Transition 3rd Party Accounts
Disable or transition any 3rd party accounts or access not managed by CIS. These include access to applications such as Mail Chimp, Survey Monkey, TargetX, Formstack, SmugMug. It also includes access to vendor support access like Slate, Banner, Atlassian, Tableau, etc.
Preserve University Data
If it there is important University-related information stored on a desktop computer or network resource, the supervisor must coordinate the backup this information prior to the employee's departure. CIS is not responsible for information that is revealed “needed” after that time, nor is there any guarantee that purged/deleted information will be recoverable from tape backups or other information stores.
This action is best done in coordination between the supervisor and employee prior to their departure. Without direct approval from the employee, these actions require the approval of the president or area VP. See Administrative Account Access
A departing employee's phone number will be automatically redirected to 206-281-2000 the morning after their last work date. Supervisor shall, if desired, submit a ticket for CIS forward such calls to a different departmental number until such time as a new employee is assigned the departing employee's old phone number.
Gifting/Sale of Equipment
In some cases university equipment may be sold or gifted to an employee as they depart the University.
Used SPU Computer Purchases
If a departing employee's SPU-issued computer is due for upgrade at the time of their departure they may purchase that computer as a personal device, pending their department's approval. Computers that are not up for replacement may be sold for their depreciated cost with a department head's approval. For more information on this purchase process see here: Buy Your Used SPU Computer or Other Surplus Equipment for Personal Use.
SPU Computer Gifts
A departing employee's SPU-issued computer may only be gifted to them by the request and/or approval of their Dean or Area VP. The following is also applicable to computer gifts:
Taxes: The departing employee must be informed that the depreciated value of the device being gifted to them is considered taxable income. This will be assessed against the departing employee's final paycheck by the Office of Financial Affairs. This process must be completed prior to the employees final paycheck.
Ownership Transfer: Ownership and liability for the equipment must be formally transferred to the individual. Creat a CIS HelpDesk ticket to start this process.
Regulated Data: Computers must be wiped of all data. This process includes installing a new operating system, removing institutional data, and unencrypting the hard drive).
Budget Impact: Gifting a computer to a departing employee may require the department to also provide funding to CIS for a new, replacement device.
Failure to transfer ownership and have Regulated Data wiped from a device will constitute a data breach. The gifting department will be responsible for all subsequent breach related costs up to SPU's cyber-insurance deductible of $25,000.
Termination for Cause
If the separation is a Termination for Cause, all prior steps are still in play, but there are additional options for preserving institutional data and communications. See: CIS Privileged Account Usage for policies and permissions that are required.
Documents and Email Snapshots
The department head or HR may request that CIS take a snapshot of the employee's email account, and OneDrive for Business resources. This must be done prior to separation.
The document and email snapshots can then be provided by CIS to an employee designated by the department head.
Retaining University Email Account
SPU offers email services to former students, emeriti, and retired staff indefinitely, however this offer is at the University's discretion. If an individual is a former student and an employee terminated for cause, a department head or VP may request that the email account be terminated along with employment.
If the email account is not retained, the supervisor needs to require that the employee to delete the University email account off any personal devices (mobile phone, tablet, laptop, etc.).
These actions require the approval of the president or area VP.