|Technical Rating: |
|Published Date : 06 Oct 2017
Last Updated : 16 May 2019
Content Ref: TEC5900881
Under principal 5 of the Data Protection Act, schools need to ensure that cloud service providers retain personal data no longer than is necessary for the purpose they obtained it and this obligation continues to be important under GDPR.
One of the key benefits of RM Unify automating your user management is that it helps you keep cloud services in sync as users leave your institution. This ensures that cloud service providers know that they can now clear up the data of staff and students that have left.
This article provides further information on how we manage deleted users in RM Unify and connected third party apps.
When a user is deleted from your RM Unify establishment, we do the following:
- In RM Unify - delete the user so that no further user updates occur.
- In Microsoft® Office 365 - unlicense the user.
- In G Suite - suspend the user.
- Tell all third party apps with auto-provisioning that the user has been deleted.
If an RM Unify user remains deleted for nine months or longer we will run a housekeeping task. This will:
- In RM Unify - remove all data that RM Unify holds pertaining to the user.
- In Office 365 - delete accounts that were linked to the RM Unify user. Once deleted, the standard Office 365 deleted user settings apply to the account, i.e. the account is permanently removed from Office 365 after 30 days.
- In G Suite - delete accounts that were linked to the RM Unify user. Once deleted, the standard G Suite deleted user settings apply to the account, i.e. the account is permanently removed from G Suite after 20 days. Google may change the restoration period of a deleted user and their data. Please check current settings here.
We believe that nine months is long enough to ensure that the person is not returning to your institution and gives you sufficient time to recover any Office 365 or G Suite files that you need. You can, however, choose to prevent a particular Office 365 and G Suite account from being deleted by the housekeeping task. For more information, see the relevant sections below.
Note: Third party apps are responsible for their own data retention policies and conformance with GPDR. For more information, please contact the cloud app vendor.
|How to prevent an Office 365 account from being deleted by the housekeeping task|
Excluding an Office 365 account from deletion is a two-step process. This process must be followed, irrespective of whether the account(s) are assigned any type of additional licence intended to archive or retain the Office 365 account:
- Move the account to your onmicrosoft.com domain.
- Remove the ImmutableID from the account.
Both steps must be completed to prevent deletion. To complete the steps you will need the following:
To move the account to the onmicrosoft.com domain
- Sign into the 'Office 365 admin centre' as a global administrator user.
- Click Users.
- Select the user account to be excluded.
- In Aliases, type an alias prefixed with Archive or something similar and select your onmicrosoft.com domain, e.g. SchoolA.onmicrosoft.com.
- Click Add. You will now have a new alias, e.g. Archive-JSmith@SchoolA.onmicrosoft.com.
- Next to the new alias, click 'Set as primary'. A window will appear to warn about changing the user's sign-in information.
- Click Save and Close.
The user's old account name will be retained as an alias. This will prevent the old email address being used to create a new account for any future user. To release the email address to be used in the future, select the user again and select to delete the alias email address.
To remove the ImmutableID from the account
- On a computer with an Internet connection, open PowerShell.
- Type Import-Module msonline and press Enter.
- Next, type Connect-MsolService and press Enter.
- Enter your Office 365 credentials when prompted.
- Type Set-MSOLUser -UserPrincipalName <Archive-JSmith@SchoolA.onmicrosoft.com> -ImmutableID "$null", where Archive-JSmith@SchoolA.onmicrosoft.com is the email address you set as primary in step 5 above.
If you want the user to be able to sign into Office 365 then reset their password in Office 365 and ask them to sign in directly via portal.office.com, using their new username and password.
How to prevent a G Suite user from being deleted by the housekeeping task
- Sign into G Suite as a user with the super admin role.
- From admin console, click Users.
- Select the user to rename.
- Click the three ellipses on the top right-hand corner of the user's details page.
- Click Rename.
- In primary email address, prefix the name with Archive or similar, e.g. Archive-JSmith@SchoolA.com
- Click Rename User.
Free licences for Office 365 are provided to eligible (verified) educational establishments in the UK by Microsoft. To be eligible, students need to be matriculated (enrolled) at the establishment, and staff must be employed at the establishment. Once a user leaves the educational establishment they may no longer be eligible for those free licences.
Please contact Google directly with any questions about your establishment's eligibility for free educational licences. For more info: https://support.google.com/a/answer/134628.
If this article has not helped provide a solution then it is also possible to
log a call...
Document Keywords: gdpr, dpa, unlicensed,