All access to sensitive data should be restricted to valid employees only. Former employees, contractors, and even auditors should not have access to this sensitive data on a daily basis. These accounts should be removed or deleted per your organization’s policy.