Last updated: October 30, 2019

What is Microsoft Office 365

Microsoft Office 365 is a suite of online products that includes SharePoint Online and is provided as a set of cloud-based subscription services. The subscription includes automatic software updates, which means that subscribers always have access to the latest version.

Software services commonly included in the Office 365 suite are:

  • Email services (e.g. Outlook Mail, Outlook Calendar, Outlook People, Outlook Tasks and Clutter)
  • Hosted services (e.g. Exchange, Skype for Business, SharePoint Online, and the browser-based Office Web Apps suite)
  • Office applications (i.e. access to the current versions of the Office desktop applications)
  • Collaboration tools (e.g. OneDrive for Business, SharePoint Online, Microsoft Teams, Stream, Yammer, Skype for Business, Outlook Online and Delve boards).


Office 365 and Recordkeeping

The recordkeeping implications of Office 365 vary depending on the software service used, the type of licence held and whether or not Office 365 is integrated with an EDRMS or ECMS. The list below gives examples of recordkeeping information relevant to some common Office 365 software services. It is not comprehensive, and it may not be current, as services are updated and upgraded regularly.

Service and comments:

  • Clutter: Remembers and analyses a user's preferences regarding the relevance and importance of emails, and makes decisions based on that analysis, such as moving email to a specific folder in Outlook.
  • Delve Boards: Provide a space for sharing documents across teams.
  • Flow: Can be used to automate some approval processes.
  • Groups in Teams, Stream, Yammer and other services: These services all use the same groups, which means that if a group is deleted in one service (such as Stream) the group and all of its content are also deleted from the other services.
  • Office 2016 Desktop Suite: Becomes read-only once the Office 365 subscription lapses, until a new subscription is purchased and activated.
  • OneDrive for Business: Each user receives one terabyte (TB) of online storage, and some plans include unlimited personal cloud storage per user. Records are automatically deleted 60 days after the user account is disabled.
  • Skype for Business: Communication methods include instant messaging, VoIP, audio, video and web conferencing.
  • Stream: Intelligent video service that hosts, shares and analyses video content.
  • Yammer: Members of a group are automatically able to access a team calendar, a shared Outlook inbox, a SharePoint library, a SharePoint team site, a shared OneNote notebook and Planner.


What is needed for effective records management?

Effective records management aims to ensure that:

  • Full, reliable and accurate records are created, captured and managed
  • The integrity of records and associated metadata is maintained
  • People are able to find what they are looking for when they need it
  • Records are secure from unauthorised access and destruction
  • Accessible records are exported from the system when required
  • Records remain accessible for as long as they are needed and then lawfully disposed of.

This can be achieved through a range of different means, including:

  • Working across and within Office 365 services to build records management functionality and associated processes in compliance with PROV standards (including VERS)
  • Integration with an enterprise content management (ECM) system, or another similar solution, in compliance with PROV standards (including VERS)
  • Integration with a traditional electronic document and records management system (EDRMS).

PROV recommends the following actions:

  1. Obtain knowledge of the administrative applications and tools used to manage records in Office 365
  2. Conduct a gap analysis to determine whether these controls are sufficient to manage records within the agency, or whether additional controls, configuration or integration are needed
  3. Assess the culture of the agency to determine the probability and impact of users not complying with records management controls within the Office 365 environment
  4. Set controls for records that consider the user experience and minimise risk of non-compliance
  5. Where third-party plug-ins are to be used, develop and maintain an integration management plan that specifies how the impact of Microsoft Office 365 updates and upgrades will be monitored and the risk to records minimised
  6. Determine where automation can be best applied to minimise risk to records and improve effective control of records
  7. Be aware of Microsoft Office 365 records management functionality and how it can be used to manage disposal of agency records
  8. Conduct a gap assessment and management plan against disposal requirements to determine and minimise risk to records
  9. Consider and seek to minimise risk to records when determining whether to migrate records from a decommissioned system into Office 365.


How can records management controls be applied?

Ideally, records management controls should be included during the planning and configuration stage. If this does not happen, various controls can still be introduced after implementation. For example:

  • Labels and labelling policies can be used to manage retention of records and security regimes, including sensitivity classifications (note that content can have one retention label and one sensitivity label applied at the same time)
  • Automated labelling can be applied, but only comes with the Enterprise E5 licence or higher
  • Electronic approval processes can be set up using the application Flow, where agencies have established that electronic approval will meet their needs and obligations
  • Access permissions can be applied through SharePoint permissions to sites, libraries and groups, or through an Azure Information Protection label that assigns usage rights protection to specific documents (if they need to remain secure regardless of where they are stored)
  • Unique IDs for documents can be set up within SharePoint Online using the automatic SharePoint Document ID functionality, but this is not the default and the functionality must be activated by a site administrator
  • Alerts can be set up or customised to advise of unauthorised deletions, changes and amendments
  • Standardised metadata can be applied through site scripts and site designs for common sites, such as Team sites, Project sites and so on
  • eDiscovery tools that search all content, including email, can be set up through the Security and Compliance Centre (note that some eDiscovery functionality requires an Office 365 E5 licence).
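As an added example (not from this page or from PROV), one way to set up the deletion alert described above with the Security and Compliance Centre PowerShell cmdlets, and to review the audit log entries the alert is based on. The policy name, the account and address values and the seven-day window are placeholders.

```powershell
# Added example: an audit-log alert policy for file deletions in SharePoint Online
# and OneDrive for Business, followed by a review of the unified audit log.
# Assumes the ExchangeOnlineManagement module and an account that holds a
# Security & Compliance admin role. Names and addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'records.admin@agency.example'

# 1. Raise an alert whenever content is deleted (including recycle-bin stages).
#    AggregationType None sends one alert per event; SimpleAggregation with
#    -Threshold and -TimeWindow would instead flag bulk deletions only.
$alertName = 'Records - file deletion'
if (-not (Get-ProtectionAlert -Identity $alertName -ErrorAction SilentlyContinue)) {
    New-ProtectionAlert -Name $alertName `
        -Category DataGovernance `
        -ThreatType Activity `
        -Operation FileDeleted, FileDeletedFirstStageRecycleBin, FileDeletedSecondStageRecycleBin `
        -AggregationType None `
        -Severity Medium `
        -NotifyUser 'records.manager@agency.example' `
        -Description 'Notify the records manager when content is deleted from SharePoint or OneDrive.'
}

# 2. Review the last seven days of deletion activity. The unified audit log is
#    the evidence an alert points back to, so this is also the check that the
#    log is actually capturing the operations the policy relies on.
$deletions = Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations FileDeleted, FileDeletedFirstStageRecycleBin `
    -ResultSize 1000

# Each record carries its details as a JSON string in AuditData.
$deletions |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, SiteUrl, SourceFileName |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize
```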


What about disposal?

If the Office 365 service is integrated with an EDRMS or ECM system then disposal controls can continue to be applied in that system through traditional methods (such as assigning retention periods through the business classification scheme and folder structure).

If there is no integration, disposal will need to be managed within Office 365 and SharePoint Online, which uses a slightly different approach.

Disposal in Office 365 environments can be managed through setting retention policies in the Security and Compliance Centre. These may be set up and applied through either of the following:

  • Classification through use of labels and labelling policies
  • Data Governance-Retention via a retention policy.

Classification through the use of labels and labelling policies can be automated with an E5 licence. Otherwise the labels must be applied manually, which, where multiple labels exist, requires the user to select the appropriate one. To do this the user must be aware of the agency retention policy in order to select the right label for their data.

Using the Data Governance application may be a better approach as it enables retention to be applied “behind the scenes” without user action. When applying retention policies, consider the most appropriate level to apply the policy to. For example:

  • If applying at a high group level it may be useful to flatten retention periods to a few big buckets that round retention up to the relevant disposal class with the longest minimum required retention period.
  • If everything except a couple of records is subject to one retention period, a separate retention for those records may be applied at the document level; however this can be very onerous and document level retention is not usually advised.
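As an added example (not from this page or from PROV), the two approaches above expressed with the Security and Compliance Centre PowerShell cmdlets: a single "big bucket" retention policy applied behind the scenes at the site and group level, and a retention label for the few records that need a longer period. The site URL, group address, policy and label names and the 7-year and 25-year periods are placeholders, not PROV disposal classes.

```powershell
# Added example: "big bucket" retention at the site/group level, plus a record
# label for the exception records. Assumes the ExchangeOnlineManagement module
# and compliance admin rights. All names, URLs and periods are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'records.admin@agency.example'

# 1. Behind-the-scenes retention for one site and its Microsoft 365 group:
#    keep everything for at least 7 years from creation. "Keep" is a floor
#    (nothing is deleted automatically); "KeepAndDelete" would also dispose
#    of content once the period ends, so only use it under a disposal authority.
$bucketDays = 7 * 365
New-RetentionCompliancePolicy -Name 'Project records - 7 year bucket' `
    -SharePointLocation 'https://agency.sharepoint.com/sites/ProjectAlpha' `
    -ModernGroupLocation 'projectalpha@agency.example' `
    -Enabled $true
New-RetentionComplianceRule -Name 'Keep 7 years' `
    -Policy 'Project records - 7 year bucket' `
    -RetentionComplianceAction Keep `
    -RetentionDuration $bucketDays `
    -ExpirationDateOption CreationAgeInDays

# 2. A label for the handful of records that must be kept longer (25 years
#    here). A record label also blocks edits and deletion once it is applied.
New-ComplianceTag -Name 'Long-term record - 25 years' `
    -RetentionAction Keep `
    -RetentionDuration (25 * 365) `
    -RetentionType CreationAgeInDays `
    -IsRecordLabel $true `
    -Comment 'Apply only to the exception records identified in the disposal gap assessment.'

# 3. Publish the label to the same site. Without an E5 licence users apply it
#    by hand, so the label name states the retention period plainly.
New-RetentionCompliancePolicy -Name 'Publish long-term record label' `
    -SharePointLocation 'https://agency.sharepoint.com/sites/ProjectAlpha' `
    -Enabled $true
New-RetentionComplianceRule -Policy 'Publish long-term record label' `
    -PublishComplianceTag 'Long-term record - 25 years'

# 4. Confirm what is now in force and whether distribution has completed.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus |
    Format-Table -AutoSize
```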


What are the Risks?

Below are the possible risks to records that may be encountered when implementing Office 365, the challenge each one presents, and some suggested mitigation strategies.

Risk: Risk to meeting legislative requirements
Challenge: Public records remain subject to privacy, security, freedom of information (FOI) and public records requirements while they are held externally in Office 365 and SharePoint Online systems.
Mitigation: Either integrate Office 365 with a compliant system, or configure Office 365 in line with records management requirements to identify high-risk areas and their appropriate mitigation. For example, records above a specific security classification may need to be created or stored only on systems that are under direct agency control. While a protected cloud environment may be an option for some records, others may not be permitted to be stored within an encrypted environment.

Risk: Risk to evidential integrity of records, unauthorised access and unlawful deletion
Challenge: The collaborative design of Office 365 places the user in the position of decision maker regarding the management of records, when most users lack the skills and knowledge to manage records appropriately.
Mitigation: Have records management controls (automated where possible) in place to ensure that the evidential integrity of records is not put at risk, that records remain accessible, and that records are not subject to unauthorised access or unlawful disposal. For example, use sensitivity labels, an associated and relevant label policy, and audit log alerts to notify the appropriate person if unauthorised access occurs.

Risk: Risk to full and accurate records of the Victorian Government
Challenge: It may be unclear who owns or holds what rights over public records in Office 365 environments, including rights over the records arising under the laws of the jurisdiction where the records are held.
Mitigation: Clarify ownership and rights over agency records and, where there is a lack of clarity, ensure that the records are held within agency-owned and controlled systems. For example, clearly express record ownership and rights in contracts and agreements. Ensure that data is hosted in Australia, preferably Victoria, as required by Victorian Government privacy and security controls.

Risk: Risk of losing records
Challenge: Content may be lost due to Microsoft service changes, as part of normal service operations that include automated deletion, or upon removal of the service by Microsoft.
Mitigation: Review and remain up to date with service changes, including release notices, to ensure that the risk to records is known. For example, if a Microsoft notice flags that a service will be disabled, review the records held in that service and either move or convert them to a service that is being actively managed.

Other Considerations

Office 365 is a cloud service that uses web-based applications (including forms of social media). As such, records management advice on cloud computing, management of websites, social media, mobile technologies and decommissioning systems also applies.