There are, broadly speaking, two ‘bookend’ options when it comes to creating new SharePoint Online sites and the document libraries in those sites:
- ‘Controlled’ model: The creation of new sites is restricted to a small group of individuals with admin rights, who also oversee the creation of document libraries and application of metadata. A combination of controlled and manually applied classification and metadata and retention policies are used to access and manage content over time. Artificial intelligence (AI) tools can also be used to manage content.
- ‘Chaos/uncontrolled’ model: The creation of new sites, including the creation of document libraries, is not restricted. AI tools (including auto-classification) and auto-applied retention policies are used to classify, access and manage content over time. This model assumes that any form of random categorisation applied by end users (e.g., library names, metadata) is mostly ignored by AI tools.
From a traditional information governance and records management (ISO 15498/ISO 16175) point of view, the second ‘chaos’ or uncontrolled model option seems to run counter to conventional wisdom and agreed standards.
From a practical point of view, the first ‘control’ model option seems to run counter to common sense given the volume and range of digital information and the difficulty of classifying or categorising information and records correctly.
Which option is better?
Confusingly, perhaps, the answer may be a combination of both.
- Certain types of more formal records, such as those required for corporate compliance, formal policies, staff files, accounting information not stored in a finance system, property information, and/or product information, are almost certainly going to be better off in controlled SharePoint sites with pre-defined libraries and metadata. These types of documents are more likely to be subject to records retention requirements and almost certainly may be subject to eDiscovery and legal holds.
- Other types of less formal records, including ‘working’ documents, chats and conversations may be better off stored in uncontrolled SharePoint sites, including SharePoint sites linked with Office 365 Groups and Teams, and in MS Teams/Outlook. These types of records are less likely to be subject to records retention requirements but may be subject to eDiscovery and legal holds.
Ultimately, the way the organisation needs to implement Office 365, including SharePoint Online, and apply retention policies and other options will depend on its need to comply with oversight and legal requirements (including minimum retention periods), and/or its tolerance for risk.
How does this work in Office 365/SharePoint Online?
Organisations need to make a conscious decision to allow both options, and be prepared to manage both.
The key features of Office 365 and SharePoint to allow both options are listed below:
- Office 365 retention policies apply to all of Exchange Online, all OneDrive for Business accounts, entire sites (invisible to users) or parts of sites (visible to users).
- Some retention policies may be applied based on the auto-classification of records, subject to review.
- The creation of SharePoint sites is either controlled (requested and provisioned) or uncontrolled (created by end users) via either (a) ‘Create sites’ in the end-user SharePoint portal or (b) when a new Team is created in MS Teams.
- All sites, including Office 365 Group/Team sites, are reviewed regularly for activity, and inactive sites with no content of value are deleted.
- All controlled sites are assigned either an invisible retention policy or individual visible retention policies (with disposal review), depending on their content.
- All uncontrolled sites are assigned an invisible retention policy. Uncontrolled and inactive sites with content are also made read-only.
Features of controlled and uncontrolled SharePoint sites
SharePoint Online is quite different from older versions of the application and those who dismiss it based on previous experience should consider having another look as a lot has changed in the past couple of years.
SharePoint Online allows the creation of sites that contain important content that needs to be controlled or managed as records, as well as sites created and managed entirely by end-users. And, as an added bonus, all the content is stored in the one place, not in multiple locations (network drives, email servers, EDRM system, etc).
The elements that make up both types of sites, as well as ‘informational’ sites, are described below:
- Controlled sites
  - Where the organisation’s official records are stored and managed.
  - Created by SharePoint Administrators.
  - More formal in nature, containing the official records.
  - Structure decided by business areas – for example, document libraries using agreed naming conventions.
  - Use of Content Types and site column or local library metadata to define the content.
  - Application of Office 365 retention policies to entire sites or individual document libraries, with disposal reviews. Auto-classification is less likely to be required as the content has already been structured as required.
- Uncontrolled sites
  - Usually based on end-user created Office 365 Groups or MS Teams.
  - Where ‘working documents’ are created and managed, with the emphasis on allowing end-users to collaborate and communicate easily and effectively – and move content to formal sites when required.
  - Created by end-users but naming monitored by SharePoint administrators (or using rules).
  - Informal in nature, used for working documents (effectively replacing personal and network file shares, and other unapproved systems).
  - A fluid structure for document libraries, driven by end-user requirements (not imposed by others).
  - Little if any use of Content Types or metadata.
  - Retention based on Group activity (E5 licences), otherwise based on Office 365 site retention policies and/or auto-classification options.
  - No disposal reviews – content is deleted after a given period of time.
- Communication sites (e.g., ‘intranet’)
  - Used to publish information to the organisation
Things to watch out for
It is largely true that if you give people an option, someone is bound to try it, sooner or later, especially if it says ‘Create site’, ‘Create team’, or ‘Create group’. Early adopters learn quickly and can just as quickly abandon something that provides no benefit.
In a ‘free for all’ SharePoint environment, where end-users can create new sites, teams or groups (both of the latter have a SharePoint site), the most likely issues will include:
- Sites with names that are very similar to ones that already exist, created because the end-user didn’t know another existed (it may not be obvious) or didn’t like the name.
- Sites with names that make no sense (including common acronyms) or are just ‘wrong’ or contrary to preferred naming conventions.
- Sites used to create and store content that really should be stored in a more formal site or, conversely, doesn’t belong in the organisation’s official information systems (e.g., photos of someone’s wedding).
All of these issues require some general rules about the creation of new sites (or Office 365 Groups or Teams or Yammer Groups), including suggested naming.
Global and SharePoint admins can monitor the environment and fix issues when they arise rather than wielding a big stick.
What’s great about it
You can have the best of both worlds with SharePoint Online.
- Keep formal official records in ‘formal’ sites with controlled structures and metadata.
- Allow end-users to get on with creating, collaborating, sharing (one copy, not attachments), chatting, on any device.
If your communications and change management are good, end-users will soon learn how much fun it can be to use Teams, or access their content from File Explorer (or both!), without having to be trained how to save records. All they need to know is how to use the ‘Move’ option to move the final version of records to a formal site.
The foundation of any compliance program is knowing where all of your data lives and then classifying, labeling, and governing it appropriately.