Properly managing the offboarding process is crucial toensure a smooth transition and protect your business from risks. This factsheet provides essential steps small businesses should follow when offboarding employees to maintain security, ensure compliance, and protect business interests.

‍

Why is Offboarding Important?

Security Risks: Prevent unauthorised access to company systems, data, or assets by revoking access promptly.

Business Continuity: Ensure a smooth transition of duties and protect important client and business relationships.

Compliance: Meet legal obligations related to any non-compete clauses.

‍

Key Steps to Offboarding Employees

Notify Key Departments: Alert HR, IT, and finance to coordinate payroll, benefits, and access removal.

Revoke Access and Change Passwords: Immediately revoke access to company systems, networks, and confidential data. Change passwords to all business accounts the employee had access to, including email, project management tools, and cloud storage.

Recover Company Assets: Collect laptops, phones, access cards, and other company property. For devices that are no longer usable, follow proper disposal or recycling protocols.

Dispose of Devices and Accounts: If devices are being retired, ensure proper data wiping or destruction to prevent sensitive information from being accessed. If the employee had access to cloud accounts or online services, ensure these accounts are closed or transferred to active team members.

Use Document Shredding Services: Safely dispose of any sensitive printed documents. Consider using professional document shredding services to ensure that no confidential information can be retrieved from discarded paperwork.

Manage Knowledge Transfer: Ensure a thorough handover of ongoing projects, client relationships, and critical documentation.

Review Non-Compete Agreements: If applicable, ensure departing employees understand and comply with any non-compete or confidentiality clauses.

Exit Communication: Clearly communicate the employee’s departure internally and to relevant external stakeholders.

‍

Legal and Compliance Considerations

Data Privacy: Securely remove the departing employee’s access to sensitive client, colleague, or business data.

Proper Disposal of Documents: Use document shredding services for secure destruction of physical records, preventing any unauthorised access.

Record-Keeping Obligations: Small businesses must keep accurate employee records (onboarding documentation, payslips, time sheets, leave records) for 7 years, as mandated by the Fair Work Act. Failure to do so can result in fines. However, it is best practice to archive ex-employee records so that they are not routinely accessible.

Privacy Act: If your business handles personal information, ensure you comply with the Privacy Act 1988.

Tools and Resources to Assist in Offboarding

Password Management: Use password managers to revoke access to all business accounts quickly and change shared passwords as necessary.

Cloud Backup and Data Disposal: Backup all necessary files before offboarding. For devices no longer in use, ensure proper data wiping and disposal protocols to protect sensitive information.

Human Resources Software: HR tools exist that can assist you to manage access, payroll, and exit documentation, ensuring compliance with legal obligations.

‍

For additional support or information, contact IDCARE by submitting a Get Help Form or call 1800 595 160 (Aus) or 0800 121 068 (NZ).

Disclaimer

Identity Care Australia & New Zealand Ltd (IDCARE) provides identity and cyber security incident response services (the Services) in accordance with the following disclaimer of service:

IDCARE is Australia and New Zealand’s national identity and cyber incident community support service. IDCARE is a not-for-profit and registered Australian charity.
The Services provided do not constitute legal advice. IDCARE recommends that you consult your own legal counsel in relation to your legal rights and obligations, including but not limited to your legal rights or obligations under Australian and international privacy and data protection laws.
While every effort has been made to ensure the accuracy of the content provided, to the maximum extent permitted by law all conditions, terms, representations, and warranties (in each case, whether express or implied) in connection with the provision of the Services which might otherwise be binding upon IDCARE are excluded.
IDCARE’S liability for any loss or damage suffered by any person or organisation (including, without limitation, any direct, indirect or consequential loss or damage) arising out of or in connection with the Services (including without limited liability for any negligent act or omission, or statement, representation or misrepresentation of any officers, employees, agents, contractors or consultants of IDCARE) shall be limited to the fees paid by you to IDCARE in respect of the Services. For the avoidance of doubt, this limitation of liability extends to any liability arising from any actions performed or not performed as a result of any recommendations made in the course of providing the Services.
If you would like to provide feedback please use our Feedback Form.