Records retention policies are created in the Security and Compliance Admin portal, Classifications section of Office 365, as noted in my previous post of 9 March 2018 on the subject.
This post describes how these are applied to document libraries and what happens when the records reach their disposal/disposition period.
Note: In Australia we refer to the disposal of records. In the US this is called disposition.
Setting up retention policies
Organisations may have complex or quite simple records retention policies. An important point to keep in mind in Office 365 is how many policies should be displayed to the end user to choose from.
Ideally, there should be fewer than a dozen classes so they are easy to choose from (see below). There is nothing stopping you creating 100 or 500 policies, but all of them will appear in the drop down list to choose from. Microsoft say they are working on ‘grouping’ policies, so this may help to fix the issue.
For some organisations, it may be useful to distill or group retention policies down to a smaller number.
- For example, specific retention policies for certain types of records, and one (or two) for ‘all other’ records. The key, as we will see below, is naming them so they are obvious and easy to apply.
Viewing available retention policies
Retention policies that have been created appear in the Security and Compliance Admin portal, under Classifications > Labels.
Note: Labels must be published before they become visible to end users.
When you click on Labels, you can then see all the retention policies that have been created (but not necessarily published).
The screenshot below shows just the very top policy (a test/demonstration policy with a 7 day retention period) in a list of policies.
Note: Policies can be auto-applied, provided the policy has sufficient ability to identify what records they should be applied to.
Published policies appear in the Data Governance, Dispositions section:
The Dispositions section displays policies that have been published and are visible to end users in the Office 365 areas selected when the policy was created (e.g., Exchange, SharePoint, OneDrive etc).
Applying the policy in a SharePoint document library
To apply the policy to a SharePoint document library, go to the document library, library settings, and you will see the option to add the retention policy: ‘Apply label to items in this list or library’.
The ‘Apply Label’ dialogue shows the option to apply the label to existing items (recommended) and a drop down which shows all the published retention policies.
In this example below, there are four policies including the test policy.
The policy now applies to all records stored in that document library.
When the records reach the end of the retention period configured in the policy, the person designated to be informed about the retention will receive an email notifying them of the need to review the dispositions.
Note, the person (or mailbox) receiving this email MUST be assigned to the Records Management role in the Security and Compliance Admin portal, Permissions section. No-one else will see the records due for disposal otherwise (not even the Global Admins, unless they have also been delegated to that role).
The records person clicks on the link ‘Go there now’ and it opens the following section in the Office 365, Security and Compliance Admin portal, showing the documents that are pending disposition. A number of options are available to sort by Type, to search, and to filter by several options.
The following options appear if a single document is selected. Note the option to extend the retention period or apply a different label, as well as the ability to delete the item permanently.
Filtering options are displayed below.
Finally, the records manager can choose all the documents in the list and complete three bulk actions as shown.
Positives and negatives
The positives of this method of disposing of documents are that all records from any location will appear in a single view that can be filtered and actions taken as required.
The negatives are that potentially thousands of documents might appear in this listing every single day making it difficult to decide what can deleted or not.
However, as it’s possible to filter by the retention policy, that at least should make it relatively easy to identify what can be destroyed. The more fine-grained the policies, the fewer records should appear.
Organisations that have function-based disposal classes should find that all records relating to the same function appear for disposal under that function.
Another potential negative is that records may not always appear in the same context, whether it be subject- or function-based. For example, a collection of documents (often known as a ‘file’) may not appear in the disposition listing as a collection but as a set of records that are only connected by the disposal policy name. Does this matter?
Recording disposal actions
A key requirement for most organisations is keeping a record of what was destroyed.
At the moment the only apparent option to do this is to apply filters and export the list, using the handy ‘Export’ option to keep a record of what was destroyed. That csv file can then be stored in a control library to ensure a record is kept. This type of action requires a degree of control to ensure it happens every time.
It may also be possible to identify what was destroyed – and by whom – in the audit logs. This is being investigated.