At the September 2017 Ignite conference in Orlando, Florida, Microsoft announced a range of new features coming soon to data governance in Office 365.
These new features build on the options already available in the Security and Compliance section of the Office 365 Admin portal. You can watch the video of the slide presentation here.
Both information technology and records management professionals working in organisations that have Office 365 need to work together to understand these new features and how they will be implemented.
Some of the key catch-phrases to come out of the presentation included ‘keep information in place’, ‘don’t hoard everything’, ‘no more moving everything to one bucket’, ‘three-zone policy’, and ‘defensible deletion process’. The last one is probably the most important.
How do you manage the retention of digital content?
If your organisation is like most others, you will have no effective records retention policy or process for emails or content stored across network file shares and in ‘personal’ drives.
If you have an old-style EDRM system you may have acquired a third-party product and/or tried to encourage users (with some success, perhaps) to store emails in that system, in ‘containers’ set up by records managers.
The problem with most of these traditional methods is that they assume there should be one place to store records relating to a given subject. In reality, attempts to get all related records in the one place conjure up the ‘herding cats’ problem. It’s not easy.
What is Microsoft’s take on this?
For many years now, Microsoft have adopted an alternative approach, one that is not dissimilar to the view taken by eDiscovery vendors such as Recommind. Instead of trying to force users to put records in a single location, it makes more sense to use powerful search and tagging tools to find and manage the retention of records wherever they are stored.
Office 365 already comes with powerful eDiscovery capability, allowing the organisation to search for and put on hold records relating to a given subject, or ‘case’. But it also now has very powerful records retention tools that are about to get even better.
This post extends my previous posting ‘Applying New Retention Policies to Office 365 Content’, and won’t repeat all of it as a result.
Where do you start?
A standard starting point for the management of the retention and disposal of records is a records retention schedule. These are also known in the Australian recordkeeping context as disposal authorities, general disposal authorities, and records authorities. They may be very granular and contain hundreds of classes, or ‘big bucket’ (for example, Australian Federal government RAs).
Records retention schedules usually describe types of records (sometimes grouped by ‘function’ and ‘activity’, or by business area) and how long they must be retained before they can be disposed of, unless they must be kept for a very long time as archival records.
The classes contained in records retention schedules or similar documents become retention policies in Office 365.
Records retention in Office 365
It is really important to understand that records retention management in Office 365 covers the entire environment – Exchange (EXO), SharePoint (SPO), OneDrive for Business (OD), Office 365 Groups (O365G), Skype for Business. Coverage for Microsoft Teams and OneNote is coming soon. Yammer will not be included until at least the second half of 2018.
That is, records retention is not just about documents stored in SharePoint. It’s everything except as noted.
Records managers working in organisations that have implemented (or are implementing) Office 365 need to be on top of this, to understand this way of approaching and managing the records retention process.
Retention policies in Office 365 are set up in the Security and Compliance Admin Centre, a part of the Office 365 Admin portal. Ideally, records managers should be allocated a role to allow them to access this area.
There are two retention policy subsections:
- Data Governance > Retention > Policy
- Classification > Labels > Policy
The two are almost identical but have slightly different settings and purposes. Note, however, that all retention policies that are set up are visible in both locations.
The difference between the two options is that:
- Retention-based policies are (according to Microsoft) meant for IT to be used more for ‘global’ policies. For example, a global policy for the retention of emails not subject to any other retention policy.
- Label-based policies map to the individual classes in a retention schedule or disposal authority.
Note: Organisations that have many hundreds or even thousands of records retention classes will need to create them using PowerShell.
Creating a retention-based policy
Retention-based policies have the following options:
Directly underneath this are two options:
- Find specific types of records based on keyword searches [COMING > also label-based]
- Find Data Loss Prevention (DLP) sensitive information types. [COMING > label-based DLP-related policies can be auto-applied]
A decision must then be made as to where this policy will be applied – see below.
Creating a label-based policy
To create a classification label manually, click on ‘Create a label’.
Note:
- Labels are not available until they are published.
- Labels can be auto-applied
The screenshot below shows the options for creating a new label.
Label-based policies have the following settings:
- Retain the content for n days/months/years
- Based on Created or Last Modified [COMING > when labelled, an event*]
- Then three options: (a) delete it after n days/months/years (b) subject it to a disposition review process (labels only), or (c) don’t delete.
* Such as when certain actions take place on the system.
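The label settings above, and the earlier note about creating large numbers of retention classes with PowerShell, can be combined in a bulk script. The following is an added example, not code from the original post or from Microsoft: it maps rows of a retention schedule to parameter sets for the `New-ComplianceTag` cmdlet (Security & Compliance PowerShell) and rejects a review class that has no reviewer. The sample schedule, the reviewer address, the `ConvertTo-LabelParams` helper and the 30/365-day lengths for months and years are assumptions.

```powershell
# Constructed sample schedule (not from the original post): one row per retention class.
$scheduleCsv = @'
Name,Period,Unit,BasedOn,Outcome,Reviewer
FIN-Invoices,7,years,Created,Delete,
HR-Personnel,75,years,LastModified,Review,records@example.com
GOV-BoardPapers,10,years,Created,Keep,
ADM-Transitory,90,days,LastModified,Review,
'@

# Approximate unit lengths (assumption): the cmdlet takes the period in days.
$daysPer = @{ days = 1; months = 30; years = 365 }

# Hypothetical helper: turn one schedule row into a splat for New-ComplianceTag.
function ConvertTo-LabelParams {
    param([Parameter(Mandatory)] $Row)
    if (-not $daysPer.ContainsKey($Row.Unit)) { throw "$($Row.Name): unknown unit '$($Row.Unit)'" }
    $p = @{
        Name              = $Row.Name
        RetentionDuration = [int]$Row.Period * $daysPer[$Row.Unit]
        RetentionType     = if ($Row.BasedOn -eq 'Created') { 'CreationAgeInDays' } else { 'ModificationAgeInDays' }
    }
    switch ($Row.Outcome) {
        'Delete' { $p.RetentionAction = 'KeepAndDelete' }   # retain, then delete
        'Keep'   { $p.RetentionAction = 'Keep' }            # retain, don't delete
        'Review' {
            # Only labels with a reviewer go through disposition review; fail loudly otherwise.
            if (-not $Row.Reviewer) { throw "$($Row.Name): disposition review needs a reviewer" }
            $p.RetentionAction = 'KeepAndDelete'
            $p.ReviewerEmail   = $Row.Reviewer
        }
        default  { throw "$($Row.Name): unknown outcome '$($Row.Outcome)'" }
    }
    $p
}

foreach ($row in ($scheduleCsv | ConvertFrom-Csv)) {
    try {
        $params = ConvertTo-LabelParams -Row $row
        # In a connected Security & Compliance session: New-ComplianceTag @params
        $params | ConvertTo-Json -Compress
    } catch {
        Write-Warning $_.Exception.Message   # ADM-Transitory is rejected: no reviewer
    }
}
```

Labels created this way still have to be published before they are available to users.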
Applying the policies
Once a policy has been created it can then be applied to the entire Office 365 environment or to only specific elements, for example EXO, SPO, OD, O365G.
- IT may want to establish a specific global policy
- Most other policies will be based on the organisation’s records retention schedule
Once they have been published, labels may then be applied automatically or users can have the option to apply them manually.
In EXO, a user may create a folder and apply the policy there. All emails dragged into that folder will be subject to the same policy.
In SPO, retention policies may be applied to a document library and can be applied automatically as the default setting to all new documents. [COMING > also to a folder and a document set]. Adding a label-based policy to a library also creates a new column so the user can easily see what policy the documents are subject to.
Note: Individual documents stored in the library will be subject to disposal, not the library.
What about Content Types?
Organisations that have used content types to manage groups of records, including for retention management, will be able to continue to do so, but Microsoft appears to take the view (in the presentation above) that this method should probably be replaced by labelling. This point needs further consideration as content types are usually used as a way to apply metadata to records.
Note: If the ability to delete content (emails, documents) is enabled, any deleted content subject to a retention policy will be retained in a hidden location. The option also exists when a label-based policy is created to ‘declare’ records based on the application of a label.
What happens when records are due for disposal?
Once the records reach the end of their retention period, they will be:
- Deleted
- Subject to a new disposition review process [COMING in 2017 – see below]
- Remain in place (i.e., nothing happens)
In relation to the second option above, a new ‘Disposition’ section under Data Governance will allow the records manager or other authorised person to review records (tagged for Disposition Review) that have become due for disposal.
This is an important point – only records that had a label with the option ‘Disposition Review’ checked will be subject to review. All other records will be destroyed. Therefore, if the organisation needs to keep a record of what was destroyed, then the classification label must have ‘Disposition Review’ selected.
Records that are reviewed and approved to be destroyed are marked as ‘Completed’. This means there is a record of everything (subject to disposition review) that has been destroyed, a key requirement for records managers.
Other new or coming features
A number of other new features demonstrated at the Ignite conference are coming.
- Labels will have a new ‘Advanced’ check box. This option will allow records marked with that label to have any of the following: watermark, header/footer, subject line suffix, colour.
- Data Governance > Records Management Dashboard. The dashboard will provide an overview of all disposition activity.
- Data Governance > Access Governance. This dashboard, which supports data leakage controls, will show any items that (a) appear to contain sensitive content and (b) can be accessed by ‘too many’ people.
- Auto-suggested records retention policies. The system may identify groups of records that do not seem to be subject to a suitable retention policy and make a recommendation to create one.
- For those parts of the world that need it, new General Data Protection Regulations (GDPR) controls.
- Microsoft Information Protection, to replace Azure Information Protection and provide a single set of controls over all of Microsoft’s platforms.