10 Replies Latest reply on Jun 10, 2011 12:42 PM by disaacs

    Managing a user's data after they leave the company

    Bart.Schutte

      In europe, we are required to remove all personal data concerning an employee from our IT systems within 3-6 months after they leave the company.

       

      In the context of Jive, this means that we can keep their contributions if the employee agrees (though we must allow them the possibility to delete them) but we have to remove their profile.

       

      How have others addressed this issue?

       

      In Jive, if you delete a profile you delete all of the contributions, but we would like to keep the contributions if we can.

       

      Our approach would be do blank out all of the profile attributes.  This works for any attributes that do not come from our group directory LDAP.  At present we get from the LDAP

      • email
      • name
      • phone
      • title
      • Group identifier

      So to pursue this approach, we would literaly have to stope the link with the LDAP and have users enter their data themselves.

       

      Let me know if you have a better idea.

        • Re: Managing a user's data after they leave the company
          FrankGebhardt

          We have the same issue. Using the inetuserstatus = {dD}isabled a user gets marked 'disabled' on Jive. However, their profile remains and any content they have created still has a link to it. Currently we only delete profile information on Jive not from LDAP. Hence the information regarding email and phone can be misleading. The mouse over event displays this picture

          disabled_person.jpg

          not providing any hint (rather the avatar) that this person has left. Even the "follow this person" link is still there. I'd appreciate a process that

          • disables the pop up window for disabled people (that is people not having access to Jive any more)
          • disables the profile for those accounts
          • removes any follow this person or this person is following links

           

          Frank

            • Re: Managing a user's data after they leave the company
              bcswissre

              We encountered much the same challenges.

               

              With regard to the profile, we also disable (we call it deactivate...) the user profile and, as we use a custom user synchronisation process, we also use the REST interface to wipe the user profile information that we can. The email address is of course mandatory, so we set this to an address which we can easily identify as invalid (prefixed with deactivated_).

               

              With regard to what the other users see, we have kepts these changes to a minimum, but the templates can be customised to display different content depending on the status of the user. For example, if the deactivated user profile is visited, we don't render the content for them. The same could be done for the pop up window. I expect this would be easier than stopping the pop up all together.

               

              Ben.

            • Re: Managing a user's data after they leave the company
              Bart.Schutte

              Okay, there is the issue of technically how do you block the data, but there is also the issue of what is legally required.

               

              This is  getting interesting because according to our lawyers, this is a clear  area of dispute between the American laws and european laws.  European  laws give priority to protect users.  American laws give priority to  e-discovery (the ability to be able track all content every created back to the user who created it).

               

              There  is no clear legal answer so companies that operate in an international  context need to decide the right solution for their context.

               

              In  the case of mt company, we are a French company and our  authorizations for all of Europe and countries with agreements with  Europe will be provided to us by the French authorities.  so we will  clearly opt for removing all personal data after 3-6 months as required  here.  If we do this for Americans, we will be in conflict with American  requiremets for e-discovery.  (and of course, this issue exists also  for email and other systems).

               

              Our  lawyers will be checking with our American lawyers on how they want to  play this.  We may implement an approach where we keep the profile  active for Americans, but we're not sure that this will be accepted by  the French Authority.  Another approach is to kepp the profile  information for all, and ensure that no one but administrators can see  it, and only for the purposes of e-discovery.

               

              American  companies have exactly the opposite problem.  You will lean towards not  deleting the data, but then find yourselves in conflict with the  Europeans.

               

              Gia, it would be good to a have sinmple, clear document from Jive on how best to manage the profile of users after they have left.  I am hearing both here and in tht e2.0 Adoption Council conflictin or confusing information about how to do this.

               

               

                • Re: Managing a user's data after they leave the company
                  rwilsker

                  This is an old thread, but this remains a big issue for us, especially since we're hosted and, therefore, we are dependent on what Jive can/will do for us. (Why do I sometimes  feel like have the Blanche - "I have always depended on the kindness of strangers" - DuBois?)

                   

                  It's really important to our management that email addresses and telephone numbers not be displayed for disabled users. Why not let us have a choice of display templates that can be used for disabled users? Then those of us who really care about it could choose the template that minimizes the amount of information displayed.

                   

                  Message was edited by: Roy Wilsker

                    • Re: Managing a user's data after they leave the company
                      Andrew Kratz

                      We were just discussing this today.  We have been working with Jive PS to source employee information to Jive each night (new/departing employees, changes to HR profile data).  For disabled users we had concerns that before someone leaves they may change their profile to something not appropriate.  You can't search on a disabled user, but via content they created you can get to their profile (as we understand the product).  So what we are thinking about doing down the road is modify our plug-in so that when a user leaves the company and we send a disabled record to jive that we write some code to simply blank out or set to a default all fields we can (email, phone, text boxes).   So the skelton profile will exist to support the content they created but we will avoid having to police for any bad behavior for a departing staffer.

                    • Re: Managing a user's data after they leave the company
                      nsteinmetz

                      Bart

                       

                      How do you solve this confilit ? I tend to think that as you're based in France, and also as the most restrictive law is to have precedence over the others, you have to follow the more restrictive rules and then remove profile's data ?

                       

                      That's what we plan so far but we made the effort on privacy declaration for France only so far.

                    • Re: Managing a user's data after they leave the company
                      AmandaS

                      Could you just disable the user and remove all details from their profile or do you have to remove their name from the system?  If you delete the user I believe their content remains but it displays “Guest” as the author and only Admin can edit the content.