Starters, Movers & Leavers Policy

Conduct background checks and verify the identity of new employees, where relevant and permissible by law;
Ensure that employment contracts include clauses addressing confidentiality, data protection and compliance with relevant security policies.

Provide new employees with comprehensive induction training that covers UK GDPR and UK Cyber Essentials requirements.
Ensure new employees read, understand, and sign a confidentiality agreement and an acceptable use policy.
Grant access to systems, applications and data based on the principle of least privilege, only allowing access to the information necessary for their role.
Provide new employees with unique login credentials and enforce the use of strong, unique passwords.
Provide relevant training on secure data handling, password management and phishing awareness.

Regularly review and update access rights when employees change roles or departments.
Revoke unnecessary access and privileges when an employee’s role changes.
Update the employee’s information in relevant systems and directories.
Provide additional training and support for employees moving to roles with increased security responsibilities.

Inform relevant departments (e.g., IT, HR) about the departure of an employee and the termination date.
Disable and/or delete the departing employee’s accounts, access rights and login credentials for all systems, applications, and data.
Collect any physical access tokens (e.g., ID cards, key cards) and organisation-owned devices (e.g., laptops, smartphones).
Conduct an exit interview, emphasising the importance of maintaining confidentiality even after employment termination.

Regularly monitor for unauthorised access attempts by former employees.
Maintain contact details for former employees in case of any data breach or incident that requires their involvement.
Ensure that all ex-employees’ data is retained, archived or deleted in accordance with the organisation’s data retention policies and GDPR requirements.