Last updated:

July 4, 2022

What is Microsoft 365?

Microsoft 365 (including Office 365 and SharePoint Online) is a suite of online products that is provided as a set of cloud-based subscription services. The subscription includes automatic software updates, which means that subscribers always have access to the latest version.

Access to the service is based on a tiered licence structure that provides different levels of access to various software products depending on the licence obtained. Microsoft 365 is designed to be flexible. Configurations vary widely, depending on how a specific organisation intends to use it.

Software services commonly part of the Microsoft 365 suite include:

  • Email services (e.g. Outlook, Exchange online, Delve)
  • Hosted services (e.g. Skype for Business, SharePoint Online, and the browser-based Office Web Apps suite)
  • Office applications (i.e. access to the current versions of the Office desktop applications)
  • Collaboration tools (e.g. OneDrive for Business, SharePoint Online, Microsoft Teams, Stream, Yammer and Skype for Business).

Microsoft 365 and recordkeeping

The recordkeeping implications of Microsoft 365 vary depending on the software service used, type of license held and third part integration, such as  an electronic document and records management system (EDRMS) or enterprise content management system (ECMS). The table below provides examples of recordkeeping information relevant for some common Microsoft 365 software services. This is not a comprehensive list. Note that the list may not be current as services are updated/upgraded regularly.

Service Comments

Delve Boards

Provide a space for the sharing of documents across teams.

Flow

Can be used to automate some approval processes.

Groups in Teams / Stream / Yammer and other services

Services all use the same groups which means that if a group is deleted in one service (such as Stream) the groups and all their content are also deleted from other services.

Office 2016 Desktop Suite

Becomes read-only once the Microsoft 365 subscription lapses until a new subscription is purchased and activated.

One Drive for Business

Each user receives one terabyte (TB) of online storage and some plans include unlimited personal cloud storage per user.

Records are automatically deleted 60 days after the user account is disabled.

Skype for Business

Communication methods include instant messaging, VoIP, audio, video and web conferencing.

Stream

Intelligent video service that hosts, shares and analyses video content.

Yammer

Members of a group are automatically able to access a team calendar, a shared Outlook inbox, a SharePoint library, a SharePoint team site, a shared OneNote notebook and Planner

Effective records management aims to ensure that:

  • Full, reliable and accurate records are created, captured and managed
  • The integrity of records and associated metadata is maintained
  • People are able to find what they are looking for when they need it
  • Records are secure from unauthorised access and destruction
  • Accessible records are exported from the system when required
  • Records remain accessible for as long as they are needed and then lawfully disposed of.

This can be achieved through a range of different means, including:

  • Working across and within Microsoft 365 services to build records management functionality and associated processes in compliance with PROV standards (including VERS).
  • Integration with an ECMS (or another similar solution) in compliance with PROV standards (including VERS)
  • Integration with a traditional EDRMS in compliance with PROV standards (including VERS).

PROV recommends the following actions:

  1. Obtain knowledge of the administrative applications and tools used to manage records in Microsoft 365. Please note that there are multiple administrative centres across Microsoft 365. There are also various configuration settings in these centres that can be applied for appropriate records management.
  2. Conduct a gap analysis to determine whether these controls are sufficient to manage records within their agency or whether additional controls/configuration/integration is needed
  3. Assess the culture of the agency to determine the probability and impact of users not complying with records management controls within the Microsoft 365 environment
  4. Set controls for records that consider the user experience and minimise risk of non-compliance
  5. Where third party plug-ins are to be used, develop and maintain an integration management plan that specifies how the impact of Microsoft 365 updates and upgrades will be monitored and risk to records minimised
  6. Determine where and how automation can be best applied to minimise risk to records and improve effective control of records
  7. Be aware of Microsoft 365 records management functionality, how it can be used to manage disposal of agency records, and where other mechanisms or processes are needed
  8. Conduct a gap assessment and management plan against disposal requirements to determine and minimise risk to records
  9. Consider and seek to minimise risk to records when determining whether to migrate records from a decommissioned system (including systems that manage email) into Microsoft 365.

Ideally, records management controls should be included during the planning and configuration stage. The ability to adjust configuration settings may be limited post implementation, but some controls may still be applied. For example:

  • Labels and labelling policies can be used to manage retention of records and security regimes, including sensitivity classifications (note that content can have one retention and one sensitivity label applied at the same time, and may result in blanket settings being applied across different software applications)
  • Automated labelling can be applied, depending on the license held
  • Electronic approval processes can be set up where agencies have established that electronic approval will meet their needs and obligations
  • Access permissions can be applied to sites, libraries and to groups, or usage rights protection can be applied to specific documents (if they need to remain secure regardless of where they are stored) through permissions and protection labelling apps (note that blanket access rules across different software applications may result)
  • Unique ID’s for documents can be set up within SharePoint Online using the automatic SharePoint Document ID functionality, but this is not the default and the functionality must be activated by a site administrator
  • Alerts can be set up or customised to advise of unauthorised deletions, changes, and amendments and should be appropriate for regulatory, legislative and business reporting (including reporting of risks to records)
  • Logging can be automated to ensure the accountability or integrity questions can be effectively addressed, depending on the license held
  • Standardised metadata can be applied through site scripts and site designs for common sites, such as Team sites, Project sites and so on
  • Reporting tools can be used to identify user behaviours that place records at risk so that appropriate governance structures can be put in place (note that functionality will depend on the license held)
  • eDiscovery tools that search all content, including email, can be set up through the Security and Compliance Centre (note that functionality will depend on the license held).

If the Microsoft 365 service is integrated with an EDRMS or ECM system then disposal controls can continue to be applied in that system through traditional methods (such as assigning retention periods through the business classification scheme and folder structure).

If there is no integration, disposal will need to be managed within Microsoft 365, which uses a slightly different approach. Please note that manual processes may be required, and that functionality will depend on the license held, as well as configuration settings that have been applied.

Disposal in Microsoft 365 environments can be managed through setting retention policies in the Security and Compliance Centre. These may be set up and applied through either of the following:

  • Classification through use of labels and labelling policies
  • Data Governance-Retention via a retention policy

Classification through the use of labels and labelling policy can be automated. Otherwise the labels must be manually applied, which requires the user to select an appropriate label to apply where multiple labels exist. To do this the user must be aware of agency retention policy in order to select the appropriate label for their data.

Using the Data Governance application may be a better approach as it enables retention to be applied “behind the scenes” without user action. When applying retention policies, consider the most appropriate level to apply the policy to. For example:

  • If applying at a high group level it may be useful to flatten retention periods to a few big buckets that round retention up to the relevant disposal class with the longest minimum required retention period.
  • If everything except a couple of records is subject to one retention period, a separate retention for those records may be applied at the document level; however this can be very onerous and document level retention is not usually advised.

The following information about Records Management functionality is from the Microsoft 365 website:

  • Microsoft 365 E5/A5. Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance, Office 365 E5/A5, Office 365 Advanced Compliance provide the rights for a user to benefit from Records Management including declaring items as records, automatically applying retention or record labels and executing disposition review processes (excluding automatically applying a retention label based on trainable classifiers).
  • Microsoft 365 E5/A5. Microsoft 365 E5/A5 Compliance, Microsoft 365 Information Protection and Governance provide the rights for a user to benefit from automatically applying retention or record labels based on trainable classifiers.

Below is a table of possible risk to records that may be encountered when implementing Microsoft 365 and some suggested mitigation strategies.

Risk Challenge Mitigation
Risk to meeting legislative requirements Public records remain subject to privacy, security, freedom of information (FOI) and public records requirements while they are held externally in Microsoft 365

Either integrate Microsoft 365 with a compliant system or configure Microsoft 365 in line with records management requirements to identify high risk areas and their appropriate mitigation


For example, records above a specific security classification may need to be only created or stored on systems that are under direct agency control

While a protected cloud environment may be an option for some records, others may not be permitted to be stored within an encrypted environment

Risk to evidential integrity of records, unauthorised access and unlawful deletion The collaborative design of Microsoft 365 places the user in a position of decision maker regarding management of records when most users lack the skills and knowledge to manage records appropriately

Have records management controls (automated where possible) in place to ensure that the evidential integrity of records is not put at risk, records remain accessible, and records are not subject to unauthorised access or unlawful disposal

For example, use sensitivity labels, an associated and relevant Label Policy and audit log alerts to notify the appropriate person if unauthorised access occurs
Risk to full and accurate records of Victorian Government It may be unclear who owns or holds what rights over the public records in Microsoft365 environments, including rights over records contained in laws from the jurisdiction where the records are being held

Clarify ownership and rights over agency records and, where there is lack of clarity, ensure that the records are held within agency owned and controlled systems

For example, clearly express record ownership and rights in contracts and agreements

Ensure that data is hosted in Australia, preferably Victoria – as required by Victorian Government Privacy and Security controls
Risk of losing records Content may be lost due to Microsoft service changes, as part of normal service operations that include automated deletion, or upon removal of the service by Microsoft

Review and remain up to date with service changes including release notices to ensure that risk to records is known

For example, if a Microsoft notice flags that a service will be disabled, review and either move or convert records from that service to one that is being actively managed

 

Microsoft 365 is a cloud service that utilises web-based applications (including forms of social media). As such, records management advice for cloud computing, management of websites, social media, mobile technologies and decommissioning systems also apply.

Aboriginal and Torres Strait Islander Peoples should be aware the collection and website may contain images, voices and names of deceased persons.

Material in the Public Record Office Victoria archival collection contains words and descriptions that reflect attitudes and government policies at different times which may be insensitive and upsetting.

PROV provides advice to researchers wishing to access, publish or re-use records about Aboriginal Peoples.