I've been having a few conversations recently with both partners and school leaders about what to do with accounts after staff leave. I've learnt that some immediately delete them (often resulting in lost data that is subsequently deemed useful), while others have a series of manual processes or scripts to suspend the user and then delete them.
Ideally, the best option is to use the Retention Policies feature that is part of the Office 365 Security and Compliance Centre. The real benefit of a Retention Policy (and you can have multiple policies) is that you can largely "set and forget" once implemented and safely rely on content for departed staff to be retained (archived) for a defined period of time or even indefinitely if required.
Retention Policies can apply to a range of services within O365, including:
- Exchange email
- SharePoint sites
- OneDrive accounts
- Office 365 Groups (applies to content in the group's mailbox, site, files, OneNote, and Team conversations. Support for content in Planner, Yammer, and CRM is coming soon)
- Exchange public folders
Additionally, any content that is retained can be searched via e-Discovery, similar to this example I gave about Teams, meaning that if an investigation were required, content can be quickly searched and emails or documents can be restored.
I can see that schools may well choose to have different policies for different types of staff such as:
- Retain forever: Principal, Chair of the Board of Trustees (if assigned a school email), Executive Officer, Financial Controller
- Retain for ten years: Heads of Department / Faculty; Pastoral Care Staff (Deans, Deputy Principals etc)
- Retain for five years: Teachers, administrative staff
Each school will have their own ideas and different countries will have relevant regulatory obligations to comply with as well.
It is important to fully understand how Retention Policies work because there are some features that may not be immediately obvious. For instance, once a policy is applied it is effective immediately, not just when a staff member leaves.
A retention policy can both retain and then delete content, or simply delete old content without retaining it.
If your retention policy deletes content, it’s important to understand that the time period specified for a retention policy is calculated from the time when the content was created or modified, not the time since the policy was assigned.
Take the policy on the left, which will delete content older than 7 years. If a teacher had created an awesome PowerPoint eight years ago that they used every year to teach a key concept to their classes, then this would actually be deleted because the retention policy has (correctly) identified it as having been created more than seven years ago and therefore it should be deleted.
Schools therefore need to carefully consider their business cases for retaining content before applying any Retention Policies, and perhaps reserve some of these for inactive users (i.e. staff who may have left the organisation and been moved to a different OU in Active Directory). Reviewing this guide around Inactive Mailboxes in Exchange is also very useful to see different scenarios.
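As an added illustration (not part of the original post), here is how the three retain-only tiers above and a seven-year delete policy for a departed teacher could be set up in Security & Compliance PowerShell, with a quick check of which items are already past the period on the day the policy is assigned. All policy names, mailbox addresses, the OneDrive URL and the sample items are hypothetical placeholders.

```powershell
# Added example: every name, address and URL below is a hypothetical placeholder.
# Run in Security & Compliance PowerShell (ExchangeOnlineManagement module).
Connect-IPPSSession

# Retain-only tiers: content is kept for the period and nothing is deleted afterwards.
$tiers = @(
    @{ Name = 'Staff - retain forever';  Duration = 'unlimited'; Mailboxes = 'principal@school.example' }
    @{ Name = 'Staff - retain 10 years'; Duration = 3650;        Mailboxes = 'hod.science@school.example' }
    @{ Name = 'Staff - retain 5 years';  Duration = 1825;        Mailboxes = 'teacher1@school.example' }
)
foreach ($tier in $tiers) {
    New-RetentionCompliancePolicy -Name $tier.Name -ExchangeLocation $tier.Mailboxes
    New-RetentionComplianceRule -Name "$($tier.Name) rule" -Policy $tier.Name `
        -RetentionDuration $tier.Duration -RetentionComplianceAction Keep
}

# Delete-only policy scoped to one departed teacher's OneDrive.
$deleteDays = 2555   # seven years
$departedOneDrive = 'https://school-my.sharepoint.com/personal/departed_teacher_school_example'

# Before creating it, see what is already past the period: age is counted from
# the item's own dates, so old content qualifies on the day the policy is assigned.
$sampleItems = @(   # constructed sample data
    [pscustomobject]@{ Name = 'KeyConcept.pptx'; Created = (Get-Date).AddYears(-8); Modified = (Get-Date).AddYears(-8) }
    [pscustomobject]@{ Name = 'Timetable.xlsx';  Created = (Get-Date).AddYears(-8); Modified = (Get-Date).AddMonths(-3) }
)
$cutoff = (Get-Date).AddDays(-$deleteDays)
$sampleItems | Select-Object Name,
    @{ n = 'PastPeriodByCreated';  e = { $_.Created  -lt $cutoff } },
    @{ n = 'PastPeriodByModified'; e = { $_.Modified -lt $cutoff } }

New-RetentionCompliancePolicy -Name 'Departed staff - delete after 7 years' -OneDriveLocation $departedOneDrive
New-RetentionComplianceRule -Name 'Departed staff - delete after 7 years rule' `
    -Policy 'Departed staff - delete after 7 years' -RetentionDuration $deleteDays `
    -RetentionComplianceAction Delete -ExpirationDateOption ModificationAgeInDays
```

The eight-year-old PowerPoint that was reused but never edited is past the period under either date option, which is why the delete rule here is scoped to a departed account rather than to all staff.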
In my experience, this level of thinking within schools is often lacking and consequently there can be considerable frustration and even financial loss as a result of not being able to track back through staff electronic content. For this reason, I do strongly encourage school leadership teams to spend some time thinking through their requirements and then providing a clear set of guidance to their IT administrators who can then implement simple and efficient Retention Policies to securely protect data within the provided guidelines.