How do we handle PII left behind in shared drives and email when someone changes roles or transfers offices?
When someone changes roles or transfers offices, the personally identifiable information (PII) they accumulated in shared drives and mailboxes does not move with them or disappear. It lingers in folders, attachments, and sent items where it can quietly outlive any business need. Treating a role change as a trigger event for records and privacy review is the most reliable way to keep that residue from becoming a liability.
Start With a Departure or Transition Checklist
Make a privacy and records review part of every offboarding or transfer workflow, not an afterthought. Before access is reassigned:
- Identify the records the person owned, especially anything containing PII (Social Security numbers, dates of birth, health or financial details).
- Determine which records belong to the organization and must be retained, transferred to a successor, or routed to a recordkeeping system.
- Flag content that is transitory or duplicative and eligible for disposition under your approved retention schedule.
Apply Retention and Disposition, Don’t Just Delete
PII is only a problem when it is kept longer than necessary or stored where it shouldn’t be. Use your retention schedule to decide what stays and what goes. Records still within their retention period should be moved to a controlled location with appropriate access limits. Material that has met its retention and is not subject to any legal hold can be destroyed using a documented, defensible method. Avoid ad hoc personal deletion, which can destroy records that must be kept or leave copies behind.
Tighten Access as Roles Change
A core privacy principle is least privilege: people should only reach the PII their current duties require. When someone transfers, promptly revisit shared-drive permissions and mailbox delegations so old access does not persist. Reassign ownership of orphaned folders rather than leaving them open or unmanaged.
Make It Routine and Documented
Build these steps into standard procedures, train staff to recognize PII, and keep a record of what was reviewed, retained, or destroyed. Documenting your decisions demonstrates that disposition was deliberate and policy-driven.
For related guidance on identifying and safeguarding sensitive data, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- Privacy Act of 1974 — U.S. Department of Justice
- NIST Privacy Framework — NIST
How to cite this page
APA
RM University Editorial. (2026). How do we handle PII left behind in shared drives and email when someone changes roles or transfers offices?. Records Management University. https://www.recordsmgmt.org/questions/how-to-handle-leftover-pii-shared-drives-email-after-role-change/
MLA
RM University Editorial. "How do we handle PII left behind in shared drives and email when someone changes roles or transfers offices?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-to-handle-leftover-pii-shared-drives-email-after-role-change/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?