People leave and lose jobs.
But what are you supposed to do with their company email account, and what does that have to do with email compliance?
The best way to manage this transition smoothly is to create a terminated employee email policy. Some of the information from their email accounts will need to be accessed in the future for business purposes, unforeseen data requirements, compliance reasons, or in response to an ediscovery request or HR investigation.
So, it’s essential that you establish clear guidelines for email retention, access permissions, and compliance measures to ensure data security and legal adherence.
In this guide, we’ll cover:
- What is a terminated employee email policy
- Why it is important
- Key elements of a comprehensive terminated employee email policy
- What you should do with former employees’ email accounts
- How email archiving can help
What Is a Terminated Employee Email Policy?
A terminated employee email policy outlines how a company handles email accounts once an employee’s tenure ends, whether through resignation, retirement, or termination.
This policy helps ensure that the company’s sensitive information remains secure, that important communications are not lost, and that a smooth transition takes place when employees leave the organization.
The main goals of the terminated employee email policy include:
- Protecting the company’s sensitive information by minimizing the risk of unauthorized access, data breaches, and miscommunication.
- Maintaining business continuity by ensuring important emails are not lost and remain accessible to relevant parties within the organization.
- Complying with legal and regulatory requirements to ensure compliance with industry-specific standards and government regulations, avoiding potential fines and legal issues.
- Protecting the company’s reputation by preventing the misuse of company email addresses and safeguarding against potential legal disputes.
- Respecting employee privacy by clearly defining how personal information within emails will be handled after termination.
Key Elements of a Terminated Employee Email Policy
A well-thought-out terminated employee email policy should address several key areas, including:
- Deactivation timeline — When will the email account be deactivated? Will there be a grace period for the employee to wrap up personal communication?
- Data retention — How long will emails be archived or retained? Are there specific legal or compliance requirements that dictate data retention periods?
- Email forwarding — Will emails be forwarded to another employee or a generic mailbox? How will the sender be notified about the employee’s departure?
- Auto-reply — Will an automatic reply be set up to inform senders about the employee’s status and provide alternate contact information?
What Should You Do with Former Employees’ Emails?
You may choose to simply delete the account, and the data that goes with it. In the short term, this might seem like a fine solution, as you no longer need to worry about any new emails or servers to keep the data on, but it may be a catalyst for a host of new problems.
Currently there are data retention laws in effect that require you to keep your email for a number of years (based on your industry and geolocation).
In addition to that, the employee’s old communications may be subject to ediscovery in the event of a legal case. If the required data has been deleted, your organization could be subject to fines or other severe penalties.
Here’s a better process for handling email when an employee leaves or is dismissed:
Restrict access to their mailbox
In certain cases, you may want to give them some time before their final departure date to go through their mailbox, respond to emails, and do the handover.
This, of course, depends on the circumstances under which they left and your organization’s own policy about IP and confidentiality of records.
For companies to protect themselves, especially if the employee was terminated due to bad performance, communication skills, or layoffs, it’s best to terminate all email privileges immediately. The longer you wait, the more likely the employee will act out of resentment and do something malicious.
Of course, you can be more relaxed if someone is leaving by agreement, has a notice period, and you have no reason to question their integrity.
Once the employee leaves, it’s essential to reset their email password and restrict access to their email account. If this offboarding procedure is not followed, there could be data loss or a data leak.
Forward their email to an appropriate employee or manager
You can leave the mailbox status as active, but make sure you forward their email to a manager or IT. You can also include an auto-responder message explaining that the employee is no longer with the company and naming the best point of contact going forward.
Remember that having an active mailbox incurs a monthly mailbox fee, which can be quite expensive depending on your email client and plan (e.g., Office 365 E5 subscriptions are $35.75 a month).
In theory, if you’re not in a regulated industry, you could delete the mailbox after one to three months. Still, we generally advise against complete wiping to preserve business information and prepare for compliance audits and litigation.
This depends on the employee’s position and responsibilities in the company, but it’s good to have an established terminated employee email policy to avoid missteps.
Remember that, based on which laws apply to you and where you operate, there could be data privacy concerns if you decide to keep former employee mailboxes active.
Email correspondence contains vast amounts of valuable information, but data retention laws are also in conflict with data protection laws, so it’s important to weigh carefully how long you are going to keep records: long enough to have them at hand, but without breaking data privacy laws like the GDPR.
Such a situation happened in Belgium, where the local Data Protection Authority fined an SME EUR 15,000 for keeping the employee data for over two years and failing to abide by the foundational principles of the GDPR (data minimization and lawfulness).
Archive and delete the mailbox
Alternatively, you can archive the employee’s mailbox and back it up on a local server, after which the original email can be safely deleted.
After a set period of time, you could get the IT department to create a backup of the existing emails and keep them on the company servers for as long as you need them.
In the meantime, the former employee may (or may not) have access to their work email address, and you can erase it once it has been copied. You could have a permanent, indefinite, or set timeframe for keeping the mail, making it accessible when required.
Use third-party email archiving to keep things simple and compliant
If you are in a highly regulated industry like education or financial services, you will need to preserve electronic records, including those of former employees, not only for business continuity purposes, but also to meet compliance requirements.
Third-party email archiving software relies on email journaling and creates a copy of all emails in near real-time. The email is instantly indexed and stored, allowing you to delete everything from the mailbox and still have an archive (in the cloud or on-premises).
Such archives are fully searchable, which makes them:
- The easiest way to access work email after termination,
- A good way to avoid paying the full price of an account, and
- The perfect solution to stay compliant with all relevant email retention laws.
Most third-party email archiving solutions allow you to set retention policies. So, based on the employee’s role and relevant regulations, you could retain all the legacy data indefinitely or schedule retention rules for the records to be automatically deleted once the specified or mandated retention periods expire (for example, FINRA firms will need to retain all email for at least six years).
Summary
What happens to an employee’s email account when they leave?
- This varies based on the organization’s policies and the employee’s role.
- It’s best to have a terminated employee email policy as well as an email retention policy with detailed guidelines on how the company handles terminated employees’ email accounts.
- Access to the work email account should be terminated as soon as possible.
- The account may be deactivated, and all the incoming emails will bounce back.
- More often, the account will be forwarded or redirected to a colleague or supervisor.
- The emails could be archived for legal and compliance purposes.
- If the company has a data retention policy, your email account and its contents will be retained for some time before they get permanently deleted.
Jatheon is a tech company specializing in the secure archiving of business communications like email, social media, text messages, and chat apps for compliance, business continuity, and legal discovery. See how our AWS-based cloud archiving software can help you reduce the cost and complexity of managing former employee email.
FAQ
Can my employer read my email after I quit?
This depends on the company policy, the type of email account, and applicable laws. Employers often retain rights to company-provided emails for business, security, and compliance purposes, but data protection laws may restrict access depending on your location.
Should you delete all your emails when you leave a company?
It depends on company policies, as well as your legal and contractual obligations. Before taking any action, it’s best to review the company’s email retention policy. If the company has an email archiving or backup system, deleting your emails from your inbox may not remove them from the company’s records. Deleting all your emails might be seen as an attempt to hide something, so it’s best to be transparent and consult with HR or relevant supervisors.
What does a manager do when an employee resigns?
When an employee leaves, the manager will announce the departure to the person’s team and other relevant departments, staff, and contacts (vendors, contractors, customers). The next steps are to transfer the responsibilities, comply with final pay laws, and conduct the exit interview. The employee’s access to company email and workspace will be canceled, and they may be asked to hand back some of the company-issued equipment and devices.
What to do with an email account when leaving a job?
Before taking any action, you should review your company’s email retention policy because some companies have specific guidelines for departing employees. You should back up any essential work-related emails you may need in the future. If you used your company email account for personal purposes, you should delete any personal emails, attachments, and photos unrelated to work to protect your privacy.
Can my employer find deleted emails?
If your employer has established a backup or email archiving solution, then yes. No matter what actions you take to delete your personal or work-related emails from your primary company-provided mailbox (e.g., Gmail or Outlook), the solution automatically makes a copy and stores it elsewhere for search and retrieval for compliance, HR, or ediscovery purposes. It’s best to read your email retention policy to learn more. Deleting any emails is generally not advised, as the employer may believe you want to hide something.
What are the rules for accessing work email after termination?
Your access to company email after termination depends on company policies, legal considerations, termination circumstances, local laws, and the industry. In most cases, your email access will be revoked immediately, and you will not be able to access it without explicit authorization. It’s the company’s responsibility to handle your personal data in compliance with data privacy and protection laws.