IT review of unused accounts

Hands on keyboard

In recent months IT have been tidying up systems with regards to staff we have not been made aware of who have left the Trust.

A starters, movers and leavers process is being worked on but this is out of IT's control so we are having to do all we can in the meantime for legal, security, confidentiality, integrity, and financial reasons. To give you some idea of the scale of this work almost 2500 unused accounts have already been deleted, along with over 5000 unused user folders.

Any member of staff who has not used their network account in over 30 days is being cross referenced with GRS to check their status, anyone who does not have a valid reason for not using their account (maternity leave, long term sick, career break, etc) is having their network account disabled and archived. Likewise their Microsoft 365 license is being released and their account deleted.

In the event of a member of staff requiring their network account be recovered for any justifiable reason, this can be done within 180 days.

For Microsoft 365 accounts (mailboxes, etc.) this is limited to 30 days. This limit is set by Microsoft and cannot be changed.

If IT are not informed within those timescales of any account that needs reinstating they are permanently deleted and are unrecoverable.

Also work, is ongoing to remove user folders stored on Trust fileservers that are not being used, again for legal, security, confidentiality, integrity, and financial reasons.

Any folder that has not been modified in over 2 years has been moved from the live area to an archive area, likewise any folders that are found to have no staff permissions applied (i.e. due to them leaving the Trust) are being moved to the archive area. When all folders falling into these categories has been moved (likely to be end of October / early November) they will continue to be retained, and therefore recoverable, for a further 90 days, after which they will be permanently deleted.

Published 14th October 2020

Hi Julia,

In the vast majority of cases we do not know who line managers are. We are doing all practicable checks, our records are cross referenced with ESR and GRS.

20 October 2020

Is it possible prior to deleting accounts that IT could check with line managers as a further safeguard please?
20 October 2020

Leave a Comment
Name (required)
Email Address (required, never displayed)
Enter a message

(all comments are moderated - your submission will be posted on approval.)