IT Guidelines for Handling Exiting Employees identifies common situations that may occur when an employee leaves the University at Buffalo (UB, university) or moves within UB.
When an asset is issued, written notice should be given to the employee stating that non-returned assets will be reported as stolen to the UB Police Department (UBPD). Timing is an important consideration with respect to asset collection. For example, faculty may hold an appointment through August, but may depart campus in June. Therefore, it is important to collect assets while the faculty member is still on campus. Doing so avoids incurring shipping charges to collect the asset. Early asset collection reduces the risk of not having an asset returned.
If an employee member requires an asset to fulfill his/her job duties over the summer, written notice should be given to the faculty member that states the following:
Physical keys must be returned. If the employee has knowledge of a group keycode (electronic) access, that keycode should be changed to prevent unauthorized access. If the employee was issued an individual keycode, that keycode should be deactivated. If the employee is faculty who has retired, but is still maintaining an office and emeritus status, they can retain their keys.
UB Cards should be returned and shredded. They may contain designations such as “student,” “faculty,” or “staff” which are taken at face value and grant the holder privileges they are no longer entitled to upon leaving UB. In addition, physically presenting the card may entitle the presenter to discounted services that UB negotiates. Once someone is no longer affiliated with the university, they are no longer entitled to these services.
Retiring faculty who have been granted emeritus status can retain their UB Card.
In the event that the exiting person cites Library or Athletics facilities access as a reason to keep the card, they should be directed to apply for access to these services as a member of the public.
Individual retains UB Card.
If any State funds, even as little as $1, are used toward the purchase of equipment, the title vests with the State (see “Split-Funding” in the policy, “Managing University Equipment”) and the item will be recorded in the Property Control System (PCS) as a State asset. This is important to note in the cases where equipment purchases may have been split-funded between state money and research money. In those cases, the asset belongs to the state.
When an employee returns an asset, such as a phone or a laptop, make sure to account for items such as accessories including power chargers, etc. These important items are sometimes overlooked.
If an employee does not return state assets, contact Human Resources’ Equipment Management. Equipment Management will advise on how to handle cases where someone has left UB completely and not returned assets. The Equipment Manager will serve as the point of contact with UBPD if unreturned assets need to be reported as stolen.
The employee must return all departmental assets unless arrangements have been made between the inventory coordinators for the employee’s old and new department. With departmental approval, the coordinators can arrange for asset transfers or swaps. If an employee moves to another department and has not returned all assets to their previous department, contact Human Resources’ Equipment Management. Equipment Management will advise on how to handle cases where someone has moved to another department and not returned assets.
Research Foundation (RF) or Sponsored Programs approval should be obtained when a departing employee wants to take equipment purchased via a grant. If the asset was split-funded using state funds, then ownership of the asset vests with the State. Refer to “State Assets,” above. If the equipment has an asset tag (State or RF), then the appropriate inventory control group should be consulted.
If the employee controls a social media or other external account that use UB branding/trademarks, or is integral to the business of the department, account control (username/password) must be returned to the department.
If the account is linked to the employee’s personal account (e.g. Facebook pages) then the employee should add a departmental designee to the account as an administrator. That designee can then remove the exiting employee from the account. If the account is not linked to the exiting employee’s personal account (e.g., a UB-branded Twitter account name) then the username and password should be handed over to a departmental designee who should then immediately change the password.
Employees may have personal files saved to their university accounts. Employees are permitted to take these files with them. The exiting employee is responsible for the cost of the media or for providing the media to copy the files.
The employee’s department must determine which files are legitimately personal and which files contain university information. For example, it is not appropriate to make a full copy of the employee’s Documents folder. If the cost of separating personal files from university files is too high, then no files should be given to the exiting employee. Although this may seem like taking the hard line, UB has a responsibility to protect private information and has a policy disallowing use of state assets for personal reasons. If you cannot reasonably and easily differentiate personal files from university files, then the only option is to not copy anything for the departing employee.
In all cases, it is important to note that the UBIT Help Center (which handles account closures) has limited staffing after hours and on weekends. It is vitally important that either the department or Human Resources (whatever is appropriate given the department’s organizational structure) inform the UBIT Help Center and the Information Security Office in advance to ensure the UBIT account is closed in the appropriate manner and at a time that is acceptable to your department.
Departments are responsible for ensuring a departing employee's
privileged access to IT systems is removed. This could include, but
is not limited to, privileged access given to the employee's UBIT
account, an administrative exception account, an ITORG exception
account, Microsoft key codes, and/or other non-UBIT accounts on IT
systems. Group membership of UBIT or other accounts should be
considered when revoking privileged access.
A department may request a copy of the files, including voice
mails, in the employee’s account for business purposes
only. The request should be made to the UBIT Help Center.
The files will be copied to an administrative account assigned to a departmental designee. If the employee’s UBITName is integral to departmental business, UB reserves the right to issue them a new UBITName so that the department can retain control of the old UBITName. Refer to the policy, “UBITName Policy.” for more information.
When an employee retires/resigns, they may still keep their UBITName account, unless the UBITName is integral to department business. In this case, UB reserves the right to issue a new UBITName to the employee.
The department must contact the student and work directly with them to obtain copies of needed files. The account may contain educational records regulated by FERPA. Therefore, a full copy of the account cannot be provided.
The previous department should work directly with the employee to obtain copies of needed files. Difficulties in obtaining copies should be addressed with the employee’s new supervisor.
In the case of a non-renewed employee, loyalty and trust are likely compromised. Disable access to all resources and then grant access to specific resources as needed for the employee to fulfill their job duties for the remainder of their employment.
If the employee’s account is integral to department business (e.g. recruiting), then the department can request that Employee Relations approves that the employee is given a new account. Access to the employee’s original account will granted to the department.
The following text can be used when asking UBIT to close an account with an auto-reply (“vacation message”) in place. Customize as needed.
To whom it may concern,
[Employee Name] is no longer with the University at Buffalo and email sent to this account is neither monitored nor read. To contact [department/school name], please call [departmental phone number] or send us email at [departmental email address].
The following sample can be used when notifying an employee that university assets must be returned. Customize as needed.
[Name of asset] is required to be returned to the University at Buffalo [name of department/school/unit] no later than [date]. If this asset is to be shipped, then [name] is responsible to cover the shipping charge. Assets not returned by [date] will be reported as stolen to the UBPD.