Microsoft 365 (M365) is a suite of services: some more familiar, such as Word, Excel and OneDrive, and some less familiar, such as Power BI and Delve.
In M365, public records can live in a variety of locations and in a variety of forms, from documents to chats to SharePoint lists.
When it comes to records management, the M365 suite (and particularly SharePoint) is of increasing interest. You will want to manage the documents and records held within M365 in a compliant way without having to turn off the collaborative features that make the suite so attractive.
The goal of this advice is to provide recommendations about M365 to support compliant records management while also allowing collaboration.
M365’s default, off-the-shelf configurations are not compliant with Queensland’s records management requirements under the Public Records Act 2002.
This does not mean that M365 cannot be configured and used in a way that would meet your records management needs.
The simpler your records management needs, the more likely M365 is to be able to easily meet those needs. However, careful implementation and ongoing governance will always be required.
M365 is an evergreen system. Updates and new features are frequently released. This means that any advice regarding M365 is vulnerable to becoming out-of-date quickly.
While every effort is made to keep this advice up to date, please keep this in mind when reading the more technical advice below, particularly around configuration options.
Every agency should consider their own needs prior to implementing or making changes to their M365 configurations. The advice below is an example of potential configurations only.
Three key retention features are available:
- Retention labels
  Can be applied to items. If an item with a retention label changes locations, the label will persist. Can be applied manually or automatically in limited circumstances and depending on the licence.
- Retention label policies
  Used to publish retention labels in groups and apply them to specified locations.
- Retention policies
  Can be applied to locations. Is not able to discriminate between content within the location. A policy can apply to a single location or multiple. A single policy cannot apply to all locations and there are limits to what locations can be included together under a policy.
QSA recommends that retention labels and policies be enabled and configured to support records management of temporary and permanent public records.
Application: retention policies
Certain M365 retention and disposal features are only available with the E5 licence, particularly those features that offer automatic application to content.
With or without an E5 licence, it is easiest to map retention policies and periods to locations and services and determine the appropriate retention with a risk-based assessment of the public records held there.
QSA recommends that minimum retention periods for containers be rolled up, that is, the longest minimum retention period be used for a location that includes content with multiple retention periods.
Communal locations such as group mailboxes or SharePoint sites can have the appropriate minimum retention period determined through consideration of the documents stored there and the group/site’s purpose.
Whether all or most correspondence and documents are moved to a central repository such as SharePoint or an eDRMS will depend on other factors that support discoverability such as the use of group mailboxes.
The following table is an example of how minimum retention periods may be mapped:

|Location|Rolled up retention period|
|---|---|
|EXO mailboxes of executive staff|Permanent|
|EXO mailboxes of all other staff|7 years|
|Teams 1:1 chats of management and/or executive staff|Permanent|
|Teams 1:1 chats of all other staff||
|Teams conversations in channels*|7 years|
|OneDrive for Business of all staff|7 years|
|M365 Group mailbox|Retention depending on activities/roles of Group|
|SharePoint sites|Retention depending on activities/role of Site|

*Please note that chats in Teams private channels cannot support retention labels or policies at this time. This feature is in private preview as of June 2021. As such, a public authority using private channels should take care to ensure any public records in that channel are retained appropriately.
The minimum retention periods in the above table have been determined based on consideration of the GRDS and the public records likely to be created or received in these locations and services. Please note, the relevant disposal authorisation(s) will need to be specified in any disposal documentation for public records in these locations.
The setup in the above table can provide a foundation for retention in M365; however, it will never replace the need for education and training of employees on their records management responsibilities. End users should still be educated on these responsibilities, with attention paid to records classes that may require additional or alternative actions such as criminal history checks (GRDS 1240).
Application: retention labels
QSA does not recommend that end users are expected to manually apply retention labels to content. For agencies without the required licence for automatic application, we recommend that retention be configured only at the container level.
Depending on their role and activities, it may be appropriate to configure some retention labels and give end users the option to apply them to ensure particular public records are retained appropriately. However, relying on end users to be the main source of retention labels may result in inconsistent application across your system.
With an E5 licence, there are options for the automatic application of retention labels to content that includes or matches:
- nominated sensitive information types
- specific keywords that match a query
- trainable classifiers.
As sensitive information types may be present in a variety of disposal authorisations, using sensitive information types to attach retention labels is unlikely to be convenient or easily achieved.
The trainable classifiers feature comes with several pre-set classifiers such as ‘Profanity’. Custom classifiers can also be developed. This feature was made available in early January 2021.
You can also design queries using specific words, phrases or values of searchable properties that will be automatically applied to content.
Following analysis of business activities, you may wish to implement queries to selectively apply minimum retention periods to public records (for example, those relating to significant projects or other record types with permanent retention periods).
We also recommend that you use the preservation lock feature cautiously. This is primarily because:
- the preservation lock cannot be removed once applied
- content cannot be modified or deleted if subject to preservation lock.
The inability to modify content is likely to result in multiple copies of a public record, making it difficult to determine which version or copy should be a source of truth and increasing storage imposition and costs.
M365 has the option to upload a File plan to bulk-create retention labels.
Rather than using this feature to upload entire retention and disposal schedules, you should analyse both your retention and disposal schedule(s) and activities in order to roll up the available disposal authorisations to a limited list. This list may then be converted to retention labels and applied, if desired.
Compliant disposal is difficult in M365. While workarounds are possible, they are not especially convenient.
One of the issues with M365’s disposal functionalities is that disposition review or obtaining proof of disposal is difficult without declaration of the relevant documents as records, which also requires an E5 licence.
Declaration of a document as a record is an American records management concept. Under the Public Records Act 2002 (the Act), all documents are public records from the moment they are created or received by a public authority, depending on the purpose for which they were created or received; no declaration is necessary.
QSA does not recommend that you enable the ability to declare documents as records as this prevents any further editing and may cause confusion about what is a public record under the Act.
As an alternative, you may wish to purchase a third-party add-on which can work with M365 to provide additional disposal functionalities. A manual alternative involves the use of audit logs.
As with the disposal of all other public records, you need to do a review of the records to make sure they can be destroyed.
How in depth the review needs to be will depend on a risk-assessment of the records: low-risk, low-value records will probably not require much of a review, whereas higher risk or higher value records will need more.
Without access to Microsoft’s disposal review feature, public authorities are reliant on manual processes.
Where retention labels or policies are in use, records could be reviewed while in the preservation hold library, or the first or second stage recycle bin. This would require regular reviews of content in those locations.
The frequency of these reviews would need to be determined through a risk-assessment and will be impacted by any other processes in place to catch important records prior to disposal, such as education and training of staff.
It is important to note that content in either the first or second stage recycle bin is not indexed and therefore will not be found using Microsoft’s content search feature for eDiscovery. As such, extra care should be taken to ensure no disposal occurs for any records that are required for current or pending legal action.
Audit logs, once enabled, capture actions performed on content including deletion.
To meet disposal documentation requirements, you could use the audit logs as evidence of how the records were destroyed, the description of the records and their date range. The disposal authorisation used and the relevant approval would need to be created separately and linked.
While disposal documentation should be retained for 50 years under the GRDS (1131), audit logs are only stored in M365 for a maximum of 10 years, depending on the licence. As such, audit logs will need to be extracted and stored appropriately. This extraction can be automated using PowerShell.
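The sketch below is an added example, not QSA or Microsoft code: it reduces audit records to the deletion events and writes them as a disposal evidence CSV. The function name, the output column names and the sample records are constructed; the two blank columns are placeholders for the disposal authorisation and approval, which have to be created separately and linked.

```powershell
# Added example; function name, column names and sample records are constructed.
# Live input comes from Exchange Online PowerShell, repeating the call with the
# same -SessionId until it returns nothing:
#   Search-UnifiedAuditLog -StartDate $from -EndDate $to -Operations $DeletionOperations `
#       -SessionId 'disposal-export' -SessionCommand ReturnLargeSet -ResultSize 5000
$DeletionOperations = 'FileDeleted', 'FileDeletedFirstStageRecycleBin',
                      'FileDeletedSecondStageRecycleBin'

function ConvertTo-DisposalEvidence {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $AuditRecord)
    process {
        # AuditData is a JSON string carrying the detail of the audited action.
        $detail = $AuditRecord.AuditData | ConvertFrom-Json
        if ($detail.Operation -notin $DeletionOperations) { return }
        [pscustomobject]@{
            AuditRecordId         = $detail.Id
            DeletedAt             = $detail.CreationTime
            DeletedBy             = $detail.UserId
            Operation             = $detail.Operation
            SiteUrl               = $detail.SiteUrl
            FileName              = $detail.SourceFileName
            ObjectId              = $detail.ObjectId
            # Not held in the audit log: created separately and linked here.
            DisposalAuthorisation = ''
            ApprovalReference     = ''
        }
    }
}

# Constructed sample in the shape Search-UnifiedAuditLog returns (AuditData only).
$site = 'https://example.sharepoint.com/sites/finance/'
$sample = @(
    @{ Id = '00000000-0000-0000-0000-000000000001'; CreationTime = '2021-06-01T02:15:00'
       Operation = 'FileDeletedSecondStageRecycleBin'; UserId = 'records.officer@example.org'
       SiteUrl = $site; SourceFileName = 'invoice-0001.pdf'
       ObjectId = $site + 'Shared Documents/invoice-0001.pdf' },
    @{ Id = '00000000-0000-0000-0000-000000000002'; CreationTime = '2021-06-01T02:20:00'
       Operation = 'FileAccessed'; UserId = 'someone@example.org'
       SiteUrl = $site; SourceFileName = 'budget.xlsx'
       ObjectId = $site + 'Shared Documents/budget.xlsx' }
) | ForEach-Object { [pscustomobject]@{ AuditData = ($_ | ConvertTo-Json -Compress) } }

# Keeps the one deletion event and drops the FileAccessed event.
$sample | ConvertTo-DisposalEvidence |
    Export-Csv -Path 'disposal-evidence.csv' -NoTypeInformation -Encoding UTF8
```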
Metadata retained after destruction
The Queensland Recordkeeping Metadata Standard and Guideline (QRKMS) requires certain metadata elements and element qualifiers to be retained after disposal:
- Element 2: record identifier
- Element 3: record title
- Element 5.1: record creation date/time
- Element 11: record relation, where the relationship type is ‘documents’ (to show the function the record relates to)
- Element 12: record disposal
- Element 15: record event history, where the event type is ‘closed’ (to show the date the record was closed).
Public records may exist in the form of documents, Teams chats or conversations, or emails. Other than by declaring content as a record, there is no ability to retain documentation of disposal that includes the required metadata elements.
To meet the QRKMS requirements, you can use PowerShell to export the details of the contents of the recycle bin into a CSV file. However, due to SharePoint’s (lack of) hierarchical structure, there is no central recycle bin, meaning you would need to individually export the details of each site’s recycle bin’s contents on a regular basis.
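One way to script the per-site export, as an added example that is not QSA or Microsoft code. It assumes the PnP.PowerShell module and certificate-based app sign-in, neither of which this advice names; the function name and all parameter values are placeholders supplied by the caller.

```powershell
# Added example. Assumes the PnP.PowerShell module and an app registration that
# signs in with a certificate; every parameter value is supplied by the caller.
function Export-SiteRecycleBin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $SiteUrl,
        [Parameter(Mandatory)] [string]   $ClientId,
        [Parameter(Mandatory)] [string]   $Tenant,
        [Parameter(Mandatory)] [string]   $Thumbprint,
        [Parameter(Mandatory)] [string]   $OutputFolder
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    foreach ($url in $SiteUrl) {
        # There is no central recycle bin, so connect to each site in turn.
        Connect-PnPOnline -Url $url -ClientId $ClientId -Tenant $Tenant -Thumbprint $Thumbprint
        # ItemState records which recycle bin stage each item is in.
        $rows = Get-PnPRecycleBinItem | Select-Object @{ n = 'SiteUrl'; e = { $url } },
            Id, Title, LeafName, DirName, ItemType, ItemState, Size,
            AuthorEmail, DeletedByEmail, DeletedDate
        # One file per site per run, named after the last segment of the site URL.
        $name = '{0}-{1}.csv' -f ($url.TrimEnd('/') -split '/')[-1], $stamp
        $rows | Export-Csv -Path (Join-Path $OutputFolder $name) -NoTypeInformation -Encoding UTF8
        # Summary row so a scheduled run can log what it captured.
        [pscustomobject]@{ SiteUrl = $url; Items = @($rows).Count; File = $name }
    }
}
```

The export holds only the properties the recycle bin exposes for each item, so compare its columns against the QRKMS elements listed above before relying on it as the sole record.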