Student account deletion

1. Introduction

The University requires a clear lifecycle for the closure of student accounts once a user leaves the University. This should cover what happens when they notify student services they are leaving or have graduated. It should specify any grace period of access to their account and state when the account and data will be deleted from our systems.

2. Purpose

This policy outlines the University’s approach account management one a student decides to leave the organisation.

3. Objectives

The objectives of this policy are to:

• Record the lifecycle actions that will be applied to a student account one a user leave the organisation.
• Record and make clear the times at which these actions will take place.
• Fulfil the University’s duty of care and legislative responsibilities in relation to the information with which it has been entrusted

4. Scope

This policy is applicable to:

All Student accounts generated by the student management system. The policy will be communicated to all students and will be made available to interested parties as appropriate.

5. Policy

The workflow will consist of 4 key stages.

Stage 1 – Updating the student record

Upon graduation or termination of study the student record will be updated. This will create a defied end date which will be passed to the Identity Management System.

Stage 2 – Grace period of account access

For students with a course finishing code “Normal Complete” an account closure date will be set based on the supplied end plus 365 days (1 year) from the end date of the account. This is to allow students to transfer any relevant data out their account and help apply for jobs.

For students with a course finishing code “Studies Terminated” a closure date will be set based on from when the identity system first becomes aware of this status. For this situation 28 days is the duration off the closure from that date.

For students with a course finishing code “Withdrawn” a closure date will be set based on from when the identity system first becomes aware of this status. For this situation 28 days is the duration off the closure from that date.

For applicants with a Declined status the account is disabled immediately

Stage 3 – Account disablement

An initial email will be sent when the student gets an end date in SITS notifying them off the account end date. We will then send them an email 28, 21, 14 and 7 days before we disable the account

Stage 4 – Account deletion

A further 28 days grace period will be put in place after the account is disabled. During that time a user may request a temporary reopening for maximum of 1 week. At the end of this period the account will be deleted along with email and data and will not be recoverable.

6. Legal and regulatory obligations

The University of Dundee will comply with all UK and EU legislation as well as a variety of regulatory and contractual requirements.

7. Compliance

The University must comply with GDPR and other relevant data management regulations. We must also ensure we comply with security policies to ensure we close down accounts in a timely manner.

8. Responsibilities

The following bodies are connected to this policy and have a responsibility to ensure data is secure and that our users accounts provide a minimum attack surface.

• The Data, Records and Information Committee (DRIC) has executive accountability for information security within the University. DRIC has responsibility for overseeing the management of the information security risks to the University's staff and students, its infrastructure and its information.
• The Data Protection Officer is responsible for ensuring we don’t hold data for no legitimate reason. 

9. Supporting policies, codes of practice, procedures and guidelines

Our security policy will be relevant to supporting this policy.