Archive for the ‘Legal’ Category

SharePoint Online and OneDrive for Business – Preventing external sharing of data

October 17, 2017

A recent (September 2017) article suggested that OneDrive for Business (ODfB) (and by extension SharePoint Online (SPO); ODfB is a SharePoint-based service), a key application in Office 365 was a potential source of data leaks and/or target for hacking attacks.

I don’t disagree that, if not configured correctly, any online document management system – not just ODfB/SPO – could be the source of leaks or the target of external attacks. Especially if these systems, and the security controls that can protect the data in them, are not properly configured, governed, administered, and monitored.

But, I would ask, what controls do most organisations have in place now for documents stored in file shares and personal file folders, not to mention USB sticks, and the ability to send document via Bluetooth to mobile devices or upload corporate data to third-party document storage systems? Probably not many, because users have no other way to access the data out of the office.

As we will see, the controls available in Office 365 are likely to be more than sufficient to allow users to access to their documents out of the office, while at the same time reducing (if not eliminating) the sharing of documents with unauthorised users.

How to stop or minimise sharing from OneDrive for Business and SharePoint Online

There is one simple way to prevent the sharing of data stored in SPO and ODfB with external people – don’t allow it.

There are several ways to control what can be shared, each allowing the user a bit more capability. All these options should be based on business requirements and information security risk assessments, and Office 365 configured accordingly.

In this article I will start with no sharing allowed, and then show how the controls can be reduced as necessary.

External sharing – on or off

This is the primary setting, found in the main Office 365 Admin centre under Settings > Services & add-ins > Sites. If you turn this off, no-one can share anything stored in SPO or ODfB.

The option is shown below:


If you do allow sharing, you need to decide (as shown above) if sharing will be with:

  • Only existing external users
  • New and existing external users [Recommended]
  • Anyone, including anonymous users

The second option is recommended because it doesn’t restrict the ability to share with new users. The last option is unlikely to be used in most organisations and comes with some risks.

The next place to set these options are in the SPO and ODfB Admin centres.

OneDrive admin center

If the previous option is enabled, the following options are available for ODfB. Note that BOTH SharePoint and OneDrive are included here because the latter is a part of the SharePoint environment.

  • Let users share SharePoint content with external users: ON or OFF.
    • NOTE: If this option is turned OFF, all the following options disappear.
  • If sharing with external users is enabled, the following three options are offered:
    • Only existing external users
    • New and existing external users [Recommended]
    • Anyone, including anonymous users
  • Let users share OneDrive content with external users: ON or OFF
    • This setting must be at least as restrictive as the SharePoint setting.
  • If sharing with external users is enabled, the following three options are offered
    • Only existing external users
    • New and existing external users [Recommended]
    • Anyone, including anonymous users

If sharing is allowed, there are three sharing link options:

  • Direct – only people who already have permission [Recommended]
  • Internal – only people in the organisation
  • Anonymous access – anyone with the link

You can limit external sharing by domain, by allowing or blocking sharing with people on selected domains.

External users have two options:

  • External users must accept sharing invitations using the same account that the invitations were sent to [Recommended]
  • Let external users share items they don’t own. [This should normally be disabled]

A final ‘Share recipients’ checkbox allow the owners to see who viewed their files.

SharePoint admin center

The SPO admin center (to be upgraded in late 2017) has two options for sharing.

The first option is under the ‘sharing’ section which currently has the following options:

Sharing outside your organization

Control how users share content with people outside your organization.

  • Don’t allow sharing outside your organization
  • Allow sharing only with the external users that already exist in your organization’s directory
  • Allow users to invite and share with authenticated external users [Recommended]
  • Allow sharing to authenticated external users and using anonymous access links

Who can share outside your organization

  • [Checkbox] Let only users in selected security groups share with authenticated external users

Default link type

Choose the type of link that is created by default when users get links.

  • Direct – only people who have permission [Recommended, same as above]
  • Internal – people in the organization only
  • Anonymous Access – anyone with the link

Default link permission

Choose the default permission that is selected when users share. This applies to anonymous access, internal and direct links.

  • View [Recommended]
  • Edit

Additional settings (Checkboxes)

  • Limit external sharing using domains (applies to all future sharing invitations). Separate multiple domains with spaces.
  • Prevent external users from sharing files, folders, and sites that they don’t own [Recommended]
  • External users must accept sharing invitations using the same account that the invitations were sent to [Recommended]

Notifications (Checkboxes)

E-mail OneDrive for Business owners when

  • Other users invite additional external users to shared files [Recommended]
  • External users accept invitations to access files [Recommended]
  • An anonymous access link is created or changed [Recommended]

Sharing via the Site Collections option

In addition to the options above, sharing options for each SharePoint site are set in the ‘site collections’ section as follows. Note that the default is ‘no sharing allowed’. A conscious decision must be taken to allow sharing, and what type of sharing.


When a site collection name is checked, the following options are displayed.

Sharing outside your company

Control how users invite people outside your organisation to access content

  • Don’t allowing sharing outside your organisation (default)
  • Allow sharing only with the external users that already exist in your organization’s directory
  • Allow external users who accept sharing invitations and sign in as authenticated users
  • Allow sharing with all external users, and by using anonymous access links

If anonymous access is not permitted (setting above), a message in red is displayed:

Anonymous access links aren’t allowed in your organization

SharePoint Sharing option

The SharePoint Admin Centre has an additional ‘Sharing’ section with the same settings as shown above for ODfB. It is expected that these multiple options will be merged in the new SharePoint Admin Centre due for release in late 2017.

Additional security controls

In addition to all the above settings, there are a range of additional controls available:

  • All user activities related to SPO and ODfB, including who accessed, viewed, edited, deleted, or shared files is accessible in the audit logs.
  • SPO and ODfB content may be picked up by Data Loss Prevention (DLP) policies and users prevented from sending them externally. This is of course subject to the DLP policies being able to identify the content correctly.
  • SPO and ODfB content may be subject to records retention policies set by preservation policies. These may impact on the ability to send documents externally.
  • SPO and ODfB content may be subject to an eDiscovery case.
  • Administrators can be notified when users perform specific activities in both SPO and ODfB.
  • Sharing (and access to the documents once shared) may be subject to security controls enforced through Microsoft Information Protection.


In summary, the settings above allow an organisation to strongly control what can be shared. If sharing is allowed, certain additional controls determine whether the sharing is for internal users or for users external to the organisation. If the latter is chosen, there are further controls on what external users can do. Audit controls and policies may also control how users can share information externally.

The key takeaway is that organisations should ensure that the sharing options available in Office 365 are based on the organisation’s business requirements and security risk framework.


Office 365 – new data governance and records retention management features

October 7, 2017

At the September 2017 Ignite conference in Orlando, Florida, Microsoft announced a range of new features coming soon to data governance in Office 365.

These new features build on the options already available in the Security and Compliance section of the Office 365 Admin portal. You can watch the video of the slide presentation here.

Both information technology and records management professionals working in organisations that have Office 365 need to work together to understand these new features and how they will be implemented.

Some of the key catch-phrases to come out of the presentation included ‘keep information in place’, ‘don’t horde everything’, ‘no more moving everything to one bucket’, ‘three-zone policy’, and ‘defensible deletion process’. The last one is probably the most important.

How do you manage the retention of digital content?

If your organisation is like most others, you will have no effective records retention policy or process for emails or content stored across network file shares and in ‘personal’ drives.

If you have an old-style EDRM system you may have acquired a third-party product and/or tried to encourage users (with some success, perhaps) to store emails in that system, in ‘containers’ set up by records managers.

The problem with most of these traditional methods is that it assumes there should be one place to store records relating to a given subject. In reality, attempts to get all related records in the one place conjures up the ‘herding cats’ problem. It’s not easy.

What is Microsoft’s take on this?

For many years now, Microsoft have adopted an alternative approach, one that is not dissimilar to the view taken by eDiscovery vendors such as Recommind. Instead of trying to force users to put records in a single location, it makes more sense to use powerful search and tagging tools to find and manage the retention of records wherever they are stored.

Office 365 already comes with powerful eDiscovery capability, allowing the organisation to search for and put on hold records relating to a given subject, or ‘case’. But it also now has very powerful records retention tools that are about to get even better.

This post extends my previous posting ‘Applying New Retention Policies to Office 365 Content‘, and won’t repeat all of it as a result.

Where do you start?

A standard starting point for the management of the retention and disposal of records is a records retention schedule. These are also known in the Australian recordkeeping context as disposal authorities, general disposal authorities, and records authorities. They may be very granular and contain hundreds of classes, or ‘big bucket’ (for example, Australian Federal government RAs).

Records retention schedules usually describe types of records (sometimes grouped by ‘function’ and ‘activity’, or by business area) and how long they must be retained before they can be disposed of, unless they must be kept for a very long time as archival records.

The classes contained in records retention schedules or similar documents become retention policies in Office 365.

Records retention in Office 365

It is really important to understand that records retention management in Office 365 covers the entire environment – Exchange (EXO), SharePoint (SPO), OneDrive for Business (OD), Office 365 Groups (O365G), Skype for Business. Coverage for Microsoft Teams and OneNote is coming soon. Yammer will not be included until at least the second half of 2018.

That is, records retention is not just about documents stored in SharePoint. It’s everything except as noted.

Records managers working in organisations that have implemented (or are implementing) Office 365 need to be on top of this, to understand this way of approaching and managing the records retention process.

Retention policies in Office 365 are set up in the Security and Compliance Admin Centre, a part of the Office 365 Admin portal. Ideally, records managers should be allocated a role to allow them to access this area.

There are two retention policy subsections:

  • Data Governance > Retention > Policy
  • Classification > Labels > Policy

The settings in both are almost identical but have slightly different settings and purposes. However, note all retention policies that are set up are visible in both locations.

The difference between the two options is that:

  • Retention-based policies are (according to Microsoft) meant for IT to be used more for ‘global’ policies. For example, a global policy for the retention of emails not subject to any other retention policy.
  • Label-based policies map to the individual classes in a retention schedule or disposal authority.

Note: Organisations that have many hundreds or even thousands of records retention classes will need to create them using Powershell.

Creating a retention-based policy

Retention-based policies have the following options:


Directly underneath this are two options:

  • Find specific types of records based on keyword searches [COMING > also label-based]
  • Find Data Loss Prevention (DLP) sensitive information types. [COMING > label-based DLP-related polices can be auto-applied]

A decision must then be made as to where this policy will be applied – see below.

Creating a label-based policy

To create a classification label manually, click on ‘Create a label’.



  • Labels are not available until they are published.
  • Labels can be auto-applied

The screenshot below shows the options for creating a new label.


Label- based policies have the following settings:

  • Retain the content for n days/months/years
  • Based on Created or Last Modified [COMING > when labelled, an event*]
  • Then three options: (a) delete it after n days/months/years (b) subject it to a disposition review process (labels only), or (c) don’t delete.

* Such as when certain actions take place on the system.


Applying the policies

Once a policy has been created it can then be applied to the entire Office 365 environment or to only specific elements, for example EXO, SPO, OD, O365G.

  • IT may want to establish a specific global policy
  • Most other policies will be based on the organisation’s records retention schedule

Once they have been published, labels may then be applied automatically or users can have the option to apply them manually.

In EXO, a user may create a folder and apply the policy there. All emails dragged into that folder will be subject to the same policy.

In SPO, retention policies may be applied to a document library and can be applied automatically as the default setting to all new documents. [COMING > also to a folder and a document set]. Adding a label-based policy to a library also creates a new column so the user can easily see what policy the documents are subject to.

Note: Individual documents stored in the library will be subject to disposal, not the library. 

What about Content Types?

Organisations that have used content types to manage groups of records including for retention management will be able to continue to do so, but Microsoft appears to take the view (in the presentation above) that this method should probably replaced by labelling. This points needs further consideration as content types are usually used as a way to apply metadata to records.

Note: If the ability to delete content (emails, documents) is enabled, any deleted content subject to a retention policy will be retained in a hidden location. The option also exists when a label-based policy is created to ‘declare’ records based on the application of a label. 

What happens when records are due for disposal?

Once the records reach the end of their retention period, they will be:

  • Deleted
  • Subject to a new disposition review process [COMING in 2017 – see below]
  • Remain in place (i.e., nothing happens)

In relation to the second option above, a new ‘Disposition’ section under Data Governance will allow the records manager or other authorised person to review records (tagged for Disposition Review) that have become due for disposal.

This is an important point – only records that had a label with the option ‘Disposition Review’ checked will be subject to review. All other records will be destroyed. Therefore, if the organisation needs to keep a record of what was destroyed, then the classification label must have ‘Disposition Review’ selected.

Records that are reviewed and approved to be destroyed are marked as ‘Completed’. This means there is a record of everything (subject to disposition review) that has been destroyed, a key requirement for records managers.

Other new or coming features

A number of other new features demonstrated at the Ignite conference, are coming.

  • Labels will have a new ‘Advanced’ check box. This option will allow records marked with that label to have any of the following: watermark, header/footer, subject line suffix, colour.
  • Data Governance > Records Management Dashboard. The dashboard will provide an overview of all disposition activity.
  • Data Governance > Access Governance. This dashboard, which supports data leakage controls, will show any items that (a) appear to contain sensitive content and (b) can be accessed by ‘too many’ people.
  • Auto-suggested records retention policies. The system may identify groups of records that do not seem to be subject to a suitable retention policy and make a recommendation to create one.
  • For those parts of the world who need it, new General Data Protection Regulations (GDPR) controls
  • Microsoft Information Protection, to replace Azure Information Protection and provide a single set of controls over all of Microsoft’s platforms.

Applying information security and protection capabilities in Office 365 & SharePoint Online

March 12, 2017

Office 365 includes a range of information security and protection capabilities. These capabilities are first set in Azure and then applied across the Office 365 environment, including in Exchange and SharePoint Online. This post focuses on the application of these capabilities and settings to SharePoint Online.


Enterprise E3 and E4 plans include the ability to protect information in Office 365 (Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft OneDrive for Business). If you don’t have one of those plans you will need a subscription to Microsoft Azure Rights Management.

Enabling Information Protection in Azure

The following steps must be carried out the first time Information Protection is enabled on Azure:

  • Log on to Azure (as a Global Administrator).
  • On the hub menu, click New. From the MARKETPLACE list, select Security + Identity.
  • In the Security + Identity section, in the FEATURED APPS list, select Azure Information Protection.
  • In the Azure Information Protection section, click Create.

This creates the Azure Information Protection section so that the next time you sign in to the portal, you can select the service from the hub ‘More Services’ list.

Default Azure Information Protection policies

There are four default levels in Azure Information Protection:

  • Public
  • Internal
  • Confidential
  • Secret

Once set, these levels can be applied as labels to information content. Sub-labels and new labels may also be created, as necessary via the ‘+ Add a new label’ option.

The configuration settings are shown below:


Each of these label/level settings may:

  • Be enabled or disabled
  • Be colour-coded
  • Include visual markings (the ‘Marking’ column)
  • Include conditions
  • Include additional protection settings.

Each includes a suggested colour and recommended tip, which are are accessed via the three dot menu to the right of each label.


When selected, this option will place a label watermark text on any document when the label is selected.


Conditions may be applied, for example, if credit card numbers are detected in the text. It allows the organisation to define how conditions apply, how often (Occurrences), and whether the label would be applied automatically or is just a recommended option.


Global Policy Settings

In addition to the settings per level, there are three global policy settings:

  • All documents and emails must have a label (applied automatically or by users): Off/On
    • When set to On, all saved documents and sent emails must have a label applied. The labeling might be manually assigned by a user, automatically as a result of a condition, or be assigned by default (by setting the Select the default label option).
  • Select the default label:
    • This option allows the organisation the default label to be be assigned to documents and emails that do not have a label.
    • Note: A label with sub-labels cannot be set as the default.
  • Users must provide justification to set a lower classification label, remove a label, or remove protection: Off/On [Not applicable to sub-labels]
    • This option allows you to request user justification to set a lower classification level, remove a label, or remove protection. The action and their justification reason is logged in their local Windows event log: Application > Microsoft Azure Information Protection.

Custom Site

A custom site may be set up for the Azure Information Protection client ‘Tell me more’ web page.

Unique ‘Scoped’ Policies

In addition to the default policies listed above, a unique policy may be created. These are called Scoped Policies.

Enabling (and Disabling) Azure Information Protection

The steps above are used to set up the labels. They must then be enabled to provide protection. The steps below also allow protection to be removed.

From the Azure Information Protection section, click on the label to be set, then click on Protect. This action opens the Permission settings section.

Select Azure RMS and ‘Select template’, and then click the drop down box and select the default label template. This will probably show as, e.g., ‘(Your Company Name) – Confidential’.

Click ‘Done’ to enable this label and repeat for the others.

Note: If a new template is created after the Label section is opened, you will need to close this section and return to step 2 (to select the label to change), so that the newly created template is retrieved from Azure.

Removing Protection

Users must have the appropriate permissions to remove Rights Management protection to apply a label that has this option. This option requires them to have the Export (for Office documents) or Full Control usage right, or be the Rights Management owner (automatically grants the Full Control usage right), or be a super user for Azure Rights Management. The default rights management templates do not include the usage rights that lets users remove protection.

If users do not have permissions to remove Rights Management protection and select this label with the Remove Protection option, they see the following message: Azure Information Protection cannot apply this label. If this problem persists, contact your administrator.

Additional notes

If a departmental template is selected, or if onboarding controls have been configured:

  • Users who are outside the configured scope of the template or who are excluded from applying Azure Rights Management protection will still see the label but cannot apply it. If they select the label, they see the following message: Azure Information Protection cannot apply this label. If this problem persists, contact your administrator.
  • All templates are always shown, even if a scoped policy only is configured. For example, a scoped policy for the Marketing group; the Azure RMS templates that can be selected will not be restricted to templates that are scoped to the Marketing group – it is possible to select a departmental template that selected users cannot use. It is a good idea (to help troubleshoot issues later on) to name departmental templates to match the labels in the scoped policy.

Once these settings are made, they need to be published (via the ‘Publish’ option) to become active.

Enabling Information Protection in Office 365

Activating Information Protection in the Office 365 Admin Portal

Once they have been configured and published, it is then necessary to enable the required settings in the Office 365 Admin Portal (Settings > Services & add-ins > Microsoft Azure Information Protection).

To do this, log on to the Office 365 Admin Portal (as a Global Administrator) then click on ‘Services & add-ins’ under Settings. Click ‘Activate’ to activate the service.

Activating Information Protection for Exchange and SharePoint Online

Once the service is activated for Office 365, it can then be activated in the Exchange and SharePoint Admin Centres. In SharePoint Online this is done via the Admin Center section ‘Settings’ and ‘Information Rights Management (IRM)’.

Configuring SharePoint and SharePoint Libraries for IRM

As at 12 March 2017, it is only  possible to link Azure Information Protection classification policies with SharePoint Online if a new site is created via the SharePoint end user portal, as it appears as an option when enabled. Sites created via the SharePoint Admin Portal do not (yet) include the option to apply a protection classification.

If the creation of sites via the SharePoint end user portal is enabled, users with appropriate permissions (e.g., Owners with Full Control) can apply Information Rights Management to SharePoint libraries in their sites.

IRM is enabled on each individual library or list where the settings will be applied via Library Settings > Information Rights Management, under Permissions and Management.


Check the box to ‘Restrict permissions on this library on download’. Only one policy can be set per library.

Assigning Information Protection labels to Office documents

[NOTE: for clients that have installed versions of Office, the Azure Information Protection client needs to be installed on the desktop. See this site for more information:

When labels are configured and enabled, they can then be be automatically assigned to a document or email. Or, you can prompt users to select the label that you recommend:

  • Automatic classification applies to Word, Excel, and PowerPoint when files are saved, and apply to Outlook when emails are sent. It is not possible to use automatic classification for files that were previously manually labeled.
  • Recommended classification applies to Word, Excel, and PowerPoint when files are saved.

Applying the policies to Exchange and office

The site below describes how to apply these policies to Exchange and Office applications. These are not discussed further here.

How Office 365 challenges traditional records management practices

September 27, 2016

If your organisation is using SharePoint on-premise now, or just starting out with Office 365, it is important to understand how the Office 365 ecosystem will challenge traditional ways of managing records practices while at the same time delivering a transformational all-digital experience for end users.

SharePoint On-Premises

When configured well, SharePoint on-premises (e.g. versions up to SharePoint 2016) allowed organisations to manage unstructured (i.e., document-based) content through a hierarchy of site collections – sites/sub-sites – document libraries – (folders/document sets) – documents.

In on-premise SharePoint environments, document libraries could be used to store and manage records, thereby becoming the logical containers or aggregations of records, similar to ‘files’ in traditional EDRM systems.

The Office 365 ecosystem

Office 365 changes and challenges the on-premises model of SharePoint by adding new ways of working to standard SharePoint team and publishing sites. These new ways of working include:

  • Office 365 Groups, each of which has a dedicated SharePoint site
  • OneDrive for Business, a personal version of SharePoint
  • Yammer
  • Skype for Business
  • Delve
  • Planner
  • Sway

Why is this important? 

SharePoint has been clearly positioned as Microsoft’s online document management engine. SharePoint, not network file shares, is the document management future. And so, by extension, it becomes the future location for the management of digital records for any organisation that subscribes to Office 365.

From both the business and end-user points of view, SharePoint provides easy-to-use and more efficient content management and collaboration capabilities allowing users to access and use a range of content anywhere, anytime, on any device. Coupled with collaboration options such as Office 365 Groups, Yammer, and Skype for Business, information is now available across a number of different applications within the same single ecosystem.

From a records management point of view, this new way of working challenges the idea that information can be stored in the context of a single function, activity or transaction that created it. Instead, it supports the concept that digital information cannot truly be assigned to a single function or context; its context may also depend on the context of the person seeking to access it.

That is, how one person stores information is not necessarily how others may expect to find or use it. Think of the parallels with eBay, Facebook, LinkedIn and similar products – algorithms present information to you, often in a ‘feed’, based on what the application knows about you, not how other people store that information.

‘Modern’ Team Sites

The most striking change with ‘modern’ team sites in SharePoint Online (compared with SharePoint 2013 and earlier) is the disappearance of the ribbon menu and the simplification of the user-experience to be more or less identical with OneDrive for Business.

When any library is selected (and before a document is selected), the user is presented with the common options: New (Folder, Word, Excel, PowerPoint, OneNote, Link), Upload, Quick Edit, and Sync.


When a document is selected, the user is presented with a context-specific menu offering again commonly used options: Open, Share, Get a link, Download, Delete, Pin to top, Move to, Copy to, Rename, Version History, Alert me, and Check out.



The familiar Library Settings, previously located on the ribbon menu, are now found via the Office 365 settings ‘cog’.


Microsoft have also changed the look of SharePoint Online sites and provided a new ‘SharePoint’ landing page to help users access all the sites they are following, and also present suggestions for sites to follow. In other words, the system understands the user’s context and presents content suggestions, the same way Facebook users are invited to befriend people.

From a records management point of view, little has changed with document libraries in team sites. SharePoint Online continues to offer all the same features as before:

  • Almost unlimited metadata options allowing multiple metadata-based views to be set up
  • Unique, persistent document IDs
  • Folders and document sets (although the latter are even harder to set up than they were)
  • Versioning (and more efficient storage of versions)
  • Popularity trends and per-document views
  • Detailed audit trails
  • Access/permission controls
  • Legal compliance/retention and disposal
  • Powerful search
  • Full integration with Office but now allowing users to save directly by default to SharePoint and OneDrive by default.
  • Hyperlinkable documents
  • Easy sharing

While it is still possible in SharePoint Online to manage records out the box, the other elements that make up the Office 365 ecosystem provide a much broader and complex environment for the storage and management of records. SharePoint Online is just one component of this environment.

Office 365 Groups

Office 365 Groups provide a way for a group of people within the organisation – as well as external users – to discuss and share information.

  • They are similar to Active Directory (AD) Distribution Groups in the sense that they are a pre-defined organisational group designed to receive information.
  • They are different in that, instead of being just the recipient of information, users (and people who join the group at a later date) can see all discussions that have been sent to all members and access any Group documents.

Office 365 Groups are made up of two main content elements: ‘Conversations’ email-based threads and ‘Files’.


  • Conversation threads are based on simple email exchanges presented in Outlook – currently it is not possible to create folders in the group.
  • The Files option in Office 365 Groups is a SharePoint site that allows the group to store, share and collaborate on any unstructured content.

Groups also include a calendar and a group Notebook (which opens OneNote Online in the Group SharePoint site).

Office 365 Groups content is stored either within the context of the Group’s email-based conversations or in unstructured content stored in an associated SharePoint site.

Office 365 Groups SharePoint sites are visible in the user’s list of SharePoint sites, making it easy to get back to the Group’s site or its conversations.

OneDrive for Business

OneDrive for Business is built on the SharePoint engine. The consumer version of OneDrive has been around for a few years and is a direct competitor to the likes of Google Drive, iDrive, DropBox, Box and so on.

OneDrive for Business, the online replacement for ‘personal’ network drives, allows users to store, synchronise and share ‘personal’ work information through an interface that in Office 365 is now almost identical with modern team sites (less the Library Settings).

As with personal drives on network drives, content stored by users on OneDrive for Business is inaccessible unless shared with others. Organisations have only 30 days by default to do something about the user’s OneDrive for Business content when they cease to be an employee, before the content is deleted.

Options to manage the otherwise hidden content of a departed user’s OneDrive for Business account include allowing the user’s manager to review and if necessary move or delete it, allowing an authorised person in IT to review it, and/or backing it up to other storage so it is not deleted.


While the long-term future of Yammer is unclear in the face of Office 365 Groups, Yammer may still exist and capture information and records for a time to come.

Skype for Business

In addition to Yammer and the conversation options provided through Office 365 Groups, Skype for Business provides yet another option to discuss and share information including via voice and/or video calls.


All the options described above provide a function-rich environment to store and manage unstructured content and collaborate with other people both within and external to the organisation. But how to make sense of all this information?

Depending on licensing, Delve provides a way to find content that may be relevant to the user.


Delve suggests a range of content that may be of interest (based on the user’s profile, connections and content created or accessed), and provides an analysis of the user’s activity as recorded in Outlook, the calendar and other actions.

Challenges with managing records in Office 365

While Office 365 provides a transformative digital experience for end users, managing the records created and stored in various parts of Office 365 presents new challenges for records managers.

For example, there is far less ability to control the way content is stored or described in specific, pre-defined and/or metadata-driven aggregations and contexts. Users are likely to use whatever application is the most appropriate or convenient. For example, they may use OneDrive for Business to create and store large volumes of content, hidden away from corporate view. They may even share content from this application, including with external users.

The default settings in SharePoint, if not disabled, provide end-users with considerable latitude to create new SharePoint sites and Office 365 Groups, in addition to their personal OneDrive for Business sites, to store, manage and share rich digital content including with external users. In reality, these settings probably need to be disabled to prevent uncontrolled growth in the environment.

Even if records managers (as Site Collection Administrators) have oversight and control of the creation of SharePoint Online team sites, some questions arise:

  • How will they extend this control to SharePoint sites created to support Office 365 Groups, or the conversations that take place within those groups?
  • What about content stored in and shared from OneDrive for Business?
  • How will it be possible in the future to bring together all information about a given function/activity for disposal or disposition actions, especially if it’s not all stored in the one aggregation?

Good SharePoint (and Office 365) governance requires a good balance of control. Too much control and users will be put off using and benefiting from the ecosystem. Too little and the ecosystem may become uncontrollable but possibly very ‘lively’ in terms of content profusion.

Ideally, users should feel that they have the ability to manage their information within a lightly controlled environment – for example, SharePoint site owners cannot create new Sites (to prevent the massive proliferation of sites) but they can create document libraries (thereby reducing IT administrative controls).

Can analytics help with managing records?

Analytics via the Office Graph may provide a way to bring together information and records in context, a context (or contexts) which may be unforeseen by the person who created the content in the first instance. For example, a user may store information in a document library, unaware of its relevance or similarity to others in the organisation. Analytics may be able to connect the two, or the different people doing similar things.

At this stage, Analytics does not seem to provide the ability to bring together all information about a given subject. The model, instead, appears to be about presenting or making information accessible in any context at any time to users depending on their context at the time.


eDiscovery, a feature available from SharePoint 2013, has the potential ability to bring together all information about a given subject from across the Office 365 ecosystem. However, the primary purpose of eDiscovery is to support legal processes, not records management.

New ways of thinking are necessary

Records managers need to think differently about how they will approach the management of all types of digital records and other content (conversations, discussions, photographs, videos, Sway presentations) created and stored by users across the complex ecosystems that is Office 365.

It will no longer be possible to assume that all records relating to a given function/activity pair, subject, or context can or will be stored in the same aggregation of records. Instead, records managers need to find other ways to manage digital content, including to manage disposition activities.

Artificial Intelligence (AI) may provide the clue to this. Microsoft CEO Satya Nadella made this very clear in a keynote presentation to the Microsoft Ignite conference on 26 September where he noted that AI would be able to: “… to reason over large amounts of data and convert that into intelligence”. He also noted Microsoft’s ambition is to create an intelligent assistant that “… can take text input, can take speech input, that knows your deeply. It knows your context, your family, your work. It knows about the world.”

Nadella also noted that: ” The most profound shift is in the fact that the data underneath the applications of Office 365 is exposed in a graph structure. And in a trusted, private-preserving way, we can reason over this data and create intelligence. That’s really the profound shift in Office 365.” (Source:

(Note, the last two paragraphs were added on 29 September to include comments made by Satya Nadella about Microsoft’s AI ambitions).



SharePoint 2013 Site Disposal Policies

May 18, 2013

SharePoint 2013 includes the option to set a disposal date on site collections. This article describes how to configure a SharePoint 2013 site collection to include a site disposal policy.

Default settings

A site cannot be deleted (either manually or automatically) unless a Site Policy has been set up (exception – the SharePoint Administrator has permissions to do this).

Without a Site Policy, the default settings under the Site Closure and Deletion option (see below) are as follows:

  • Site Closure – ‘Close this site now’ click box default: greyed out.
  • Site Deletion – ‘This site will be deleted on:’ Default: ‘Never’.
  • Site Policy – Default:  ‘No Site Policy’.

Setting up a Site Policy

New site policies are created under Site SettingsSite Collection AdministrationSite Policies. Once created, the policy is applied under Site SettingsSite AdministrationSite Closure and Deletion. While you can create multiple policies, only one policy can be selected at a time under the Site Closure and Deletion option.

There are no default policies; the first time Site Policies is opened, the Site Policies section provides only one option – ‘Create’. Each policy must have a Name and may have a Description. The name and description can be the class description from a records retention schedule, using ‘after date created’ or ‘after date closed’ as the triggers (see below).

Site Closure and Deletion options

There are three options under Site Closure and Deletion:

  • Do not close or delete site automatically. The default option.
  • Delete sites automatically. This option deletes a site on a pre-defined date after it was created or closed.
  • Close and delete sites automatically. This option first closes the site and then deletes it on pre-defined dates.

In addition there is a check box ‘Site Collection Closure’ that allows the site collection to be made read only when it is closed.

Delete sites automatically

When this option is selected the following appears:

  • Set Deletion Event. The two options provided are ‘Site closed date’ and ‘Site created date’, plus n days, months, or years.
  • (Check box) ‘Send an email notification to site owners this far in advance of deletion:’ (i.e., to warn them of the pending deletion) – n days, months or years. Default setting is 3 months.
  • (Check box) ‘Send follow-up notifications every:’ (i.e., to remind site owners of the pending deletion) – n days, months, or years. Default setting is 14 days.
  • (Check box) ‘Owners can postpone imminent deletion for:’ (i.e., to postpone the proposed deletion) – n days, months or years. Default setting is 1 month.

Close and delete sites automatically

This option is identical to Delete Sites Automatically except that it also includes a date when the site can be closed – after which a deletion event date is set followed by the same three options above.

Site Closure and Deletion

As noted above, a Site Policy must exist before a site can be closed and deleted using these options. The Site Policy must be selected otherwise the default options (see above) apply.

  • If the Site Policy is based on the Delete Sites Automatically option, the option to ‘Close this site now’ becomes available. If the option ‘Site Closed Date’ was selected, the site will not be deleted (at the pre-defined time) until this option is selected. If the option ‘Site Created Date’ was selected there is no requirement to ‘manually’ close the site.
  • If the policy is based on the Close and Delete Sites Automatically option, the option to ‘Close this site now’ becomes available. This allows the site to be closed earlier, otherwise the deletion date will be automatically calculated from the site policy setting and displayed next to the Site Closure and the Site Deletion options.
  • If no policy is selected, the default settings will apply; this means that the site cannot be closed.

Further reading

Overview of site policies in SharePoint 2013 (Microsoft).

Applying recordkeeping policies to email – Microsoft Messaging Records Management (MRM)

June 1, 2012

The problem

The problem of managing emails as records is summed up in the following statements:

“Many organizations have yet to define an email retention policy. More than one‐quarter of organizations have not yet established any sort of email retention policy despite the fact that there are a growing body of statutory requirements and legal obligations to preserve business records, including those stored in email. Among the nearly three‐quarters of organizations that have established an email retention policy, only two‐thirds of these organizations indicate that their users are fully aware of the policy.” Michael Osterman, “Messaging Archiving and Document Management Markets Trends, 2009-20112”, dated May 2009.

‘Over 40 years after the invention of email, relatively few institutions have developed policies, implementation strategies, procedures, tools and services that support the longterm preservation of records generated via this transformative communication mechanism.’  Christopher J Prom, ‘Preserving Email’, DPC Technology Watch Report 11-01 Decemer 2011.

Storing business records in context

Traditional records management theory recommends that there should be a clear relationship between records about a particular subject or issue, regardless of format, and the business context that originated it. (AS ISO 15489-2002: 9.3 Records Capture)

In the paper world, this was achieved by the co-location of related records in a physical file.

In the electronic world, this is usually achieved through the application of metadata. Business classification and naming systems applied to electronic folders generally achieve this; as well, electronic systems also allow for a range of cross-subject metadata that allows records to be organised in different contexts.

Additional, business context-specific metadata can be applied to emails (including from integrated business applications – for example, an email saved to TRIM will show the TRIM record number in its email metadata properties).  However, this ability (as with Properties in Office documents) is rarely enabled or used.

Instead, and as with Office documents, we tend to let users ‘categorise’ their emails (and documents on network shares) through folders – although not all users do this.  (Interestingly, online email systems like Google’s gmail use tags instead of folders).

Are emails documents?

The short answer is yes (in the Australian legal evidence context), but they are documents that, in a way like xml-based Office documents like docx, are made up of structured data that displays as a single ‘document’.

Part of the problem with emails as records is the perception (on the part of users who have never had to face court) that they are not documents, but messages.  The ability to use the system to send or receive ‘private’ messages exacerbates this perception.

The problem of storing emails as records

Emails have been a constant problem and challenge for records managers and recordkeeping since they first appeared in the early 1990s.

The three main approaches to keeping emails have been to (a) print to paper, (b) save to a recordkeeping system, and (c) save to a drive.

Print to paper, while relatively common in many organisations even now, is probably the poorest (and some might say ‘silliest’) option in the digital world as (a) it is dependent on users, (b) emails usually lose their message headers, (c) emails are unsearchable in their electronic form, (d) emails remain on the Exchange system and are discoverable.

Saving emails to a recordkeeping system, while better than printing, is an inadequate option because (a) it is usually dependent on users to do it, (b) the email still remains in the Exchange system, and (c) it can sometimes result in the email being saved in a different format that is not necessarily suitable for long-term preservation (e.g., TRIM’s .vmbx).  There is also the problem of users saving ‘dumb’ emails with (valuable) attachments, which can make the attachment harder to find, identify or access.  Some systems (such as SharePoint 2010) include email-enabled storage locations.

Chris Prom, in a blog posting titled ‘Practical E-Records ‘Facilitating the Generation of Archives in the Facebook Age’, notes that:

‘…the formal recordkeeping systems previously used by many organizations for electronic records have died or have one foot firmly in the grave.  At the same time, the habits that individuals use in producing, consuming, storing, filing, searching, and interpreting records are themselves undergoing constant change.  People adopt new communication technologies at an ever-quickening pace.   Divergent personal practices, rather than the centralized electronic systems, are the harsh reality that confronts our profession’.

Saving to a drive is also a poor option, and is usually based on user preferences to want to ‘keep’ emails.  Emails saved to drives (a) will still remain in the Exchange system, (b) may lose their header information, and (c) are not necessarily saved in appropriate or accessible formats.

In relation to the last point, Outlook does not make it easy for an end user to decide, with usually five options to choose from – which is the right one?  Users will usually choose whatever is the default (.msg), but this isn’t necessarily the best long term option (which is MIME or EML – the latter described by the National Archives of Australia (NAA) as ‘an acceptable open file format for long term storage).

In all cases, keeping these emails in the business context to which they relate has been a constant problem for records managers.  As a consequence, there is a tendency on the part of almost all businesses to leave and manage emails where they are (i.e., in Exchange).

Microsoft Exchange 2010 – Messaging Records Management

To try to address this problem, Microsoft introduced ‘Mailbox Manager Policies’ in Exchange Server 2003.

This was followed by ‘Message Records Management’ with Managed Folders in Exchange Server 2007 (a feature that remains in Exchange 2010).

Exchange Server 2010 includes a new model of managing emails as records, called ‘Messaging Records Management’.  Microsoft describe it as follows:

‘Messaging records management (MRM) is the records management technology in Microsoft Exchange Server 2010 that helps organizations reduce the legal risks associated with e-mail. MRM makes it easier to keep the messages needed to comply with company policy, government regulations, or legal needs, and to remove content that has no legal or business value. This is accomplished through the use of retention policies or managed folders’. (Source:

As Microsoft notes, however (on the same page), MRM does not prevent users from deleting messaging; it is really only designed to remove them at the end of a given period.  Microsoft recommend ‘journaling’ emails where there are specific business reasons to keep them for longer (such as legal proceedings or the need to ensure specific email is kept), or applying the Legal Holds functionality.

The key elements of MRM are Retention Policy Tags (RPTs) and Retention Policies.

There are three types of Retention Tags: (1) Default Policy Tags (DPT), (2) Retention Policy Tags, and (3) Personal  Tags (which are an ‘opt-in’ on the email client).

  • Retention Policy Tags (RPTs) are used on default folders (e.g., inbox, junk mail, sent, deleted). Users cannot change the RPT but can override it with a Personal Tag.
  • Default Policy Tags can be applied by users to untagged items.  A Retention Policy can contain only one default policy tag.
  • Personal Tags can be applied by users to their own custom folders or individual emails.

In most cases, users make the decision, and the retention applies on where the email is located.  If there is actual or anticipated litigation, a Retention Hold can be applied to the user’s mailbox; however, this does not prevent users deleting emails, it only overrides any retention policies.  The Legal Hold option should be applied to prevent deletion.  Once this option is applied, Legal Hold ‘captures any deleted or edited items into a special folder that’s neither accessible nor changeable by the user’.

All retention tags include: a Tag Name, a Tag Type, an age limit (in days) with an action to take, and comments.

The actions available are:

  • Delete And Allow Recovery – This action will perform a hard delete, sending the message to the dumpster. The user will be able to recover the item using the Recover Deleted Items dialog box in Outlook 2010 or Outlook Web App.
  • Mark As Past Retention Limit – This action will mark an item as past the retention limit, displaying the message using strikethrough text in Outlook 2007, 2010 or Outlook Web App.
  • Move To Archive – This action moves the message to the users archive mailbox.(see below)
  • Move To Deleted Items – This action will move the message to the Deleted Items folder.
  • Permanently Delete – This action will permanently delete the message and cannot be restored using the Recover Deleted Items dialog box.

Once the tags are created, they can be added to a Retention Policy and this policy, in turn, is then applied to specific mailboxes – one policy per mailbox.

The ‘auto-tagging’ feature, once 500 items have been tagged, will automatically tag items in a user’s mailox based on their past tagging activities.

So, is MRM the answer to managing emails as records? 

Yes and no.  From a recordkeeping perspective, MRM:

  • Does nothing to ensure that records are kept in the business activity or functional context to which they relate, unless (of course) the emails are the only form of record that exists for the business activity.
  • Does not stop users from deleting emails.

On a positive note, MRM:

  • Attempts to address the problem of email retention.
  • Allows the application of a retention policy to emails that might be stored in a business context Outlook mailbox or fold As well, Exchange features like Legal Hold and Journaling allow further controls to be implemented.


Exchange 2010 now includes a ‘personal archives feature’, which allows users to save emails to their own archive instead of saving emails to drives or using Personal Storage (.pst). A good article on this subject can be found at this location:

Sources (all retrieved 1 June 2012)

Enforcing Information Management Systems … and Strategies that Work

June 16, 2010

Extracted from a speech given to the 4th Information Management & E-Discovery Summit, Sydney, Australia, 10th June 2010.

Digital information is everywhere. One of the biggest problems for organisations is the volume of so-called unstructured information commonly found on network drives and in email folders.

Electronic document management systems (EDMS), often now known as enterprise content management (ECM) systems, are seen as the panacea to this problem, however unless they are mandated for all unstructured information, users will continue to have some level of discretion about what goes into them.

In response to this, organisations may implement an email archiving system to at least capture emails, or use back up tapes as a form of archive tape, or move information to some other form of long-term storage.

All of these options have shortcomings, not the least of which is that they may end up storing information for much longer than necessary, thereby exposing the organisation to the risk of this information being discovered.

So, you are probably a bit confused about what to do, and what direction to take.

Do you:

(a) Acquire and implement a system in the hope that you can get users to put unstructured information into it, and somehow manage the information that’s not captured, including by using email archiving or network drive archiving/duplication?

(b) Acquire, implement and mandate a system across the organisation for all unstructured information?

(c) Don’t acquire anything, and risk manage it all?

If you decide to go with option (a), here are some suggestions for managing unstructured information more effectively in organisations.

Have a good information management strategy

Not everything (usually) needs to be managed in the same way.  It would be an unusual organisation that wanted to manage everything in exactly the same way.  Some information must be managed well, some less so.

A good strategy will show a good understanding of the following elements:

  • Your organisation’s digital information assets.
  • Your compliance requirements and standards, including records management best practice, standards and compliance needs.
  • The way your users, and your organisation, currently do their work.
  • Your current technological environment (your technological limits or opportunities).
  • The external information management and electronic document management environment (what is happening out there).
  • How contemporary electronic document management systems work, as they are not all the same.

And then develop your information management strategy and EDMS implementation plan accordingly.

Communicate this strategy through information provided via the intranet, all staff emails, desk drops, information provided through managerial meetings.

Make sure there is effective communication at all phases of the project

This is essential, almost critical to success.  More is better.  Best projects have very good communication.

Keep people informed and they will keep up with you.  They may even use your system.

When considering change management, remember the technology adoption lifecycle and the five broad categories of users.

There will always be innovators, early adopters, the early majority and late majority and finally the laggards.

And yes, unfortunately, these are often (but not always) reflective of the ages of your staff.  Target your changes, and the required training, accordingly.

Have realistic and understandable policies and procedures for managing electronic documents

A key element in any information strategy, therefore, is having and implementing an effective policy that addresses the management and retention of information.

But, make sure it is a policy that everyone can access, understand, and put into practice.  Recent research conducted in Malaysia in 2004 and 2008 indicated that less than 50% of organisations had a policy for managing electronic documents, and of the 50% that did, less than 25% of respondents complied with it.  The one’s who didn’t comply said they didn’t have the time, or found it too difficult, to do so.

Interestingly, the research also showed that most respondents said they wanted such policies in the form of guidelines for managing electronic records.

What does this research indicate to us?  That good communication and effective change management are critical to support policies and help users to use systems to keep records; if you don’t have one, you probably won’t succeed.

Have a good, realistic defensible, and well considered project scope document

Don’t underestimate just how hard it is to implement these systems.  After all, you are making a fundamental and sometimes unintuitive change to the way people manage information.

This is a key part of any proposed project.  What are you trying to achieve?

Installing a new product is easy, changing staff behaviours is very difficult.

What’s your objective?  Why is it your objective?  Is it compliance, if so, compliance with what?  There would be few organisations in Australia for which compliance with something is the only driver for an organisation-wide EDMS.

When defining the project scope and project plan, you should have a really good handle on the following:

  • What information are we actually trying to manage?
  • What are the actual compliance drivers?  (see below)
  • How do people actually manage digital AND paper information now?
  • What are the risks with current processes and practices?
  • What risks are you trying (or needing) to mitigate against?
  • What is happening externally?

A simple rule of thumb that seems to work in most cases is this: the greater your risks of not complying or needing to be accountable (including because of anticipated litigation), the more likely your users will manage your information well.

Or, to put it another way, you are more likely – and probably should – spend most of your effort managing the information that you have to manage well.

There are several risks associated with users continuing to use uncontrolled systems such as network drives and email folders to manage records.  Making them aware of these risks through policies, procedures or guidelines can be a good idea.

The risks are:

  • Being unable to find and produce information required except through costly data recovery or forensic processes.
  • Not meeting compliance requirements, that is, managing information poorly.
  • Keeping information for longer than required.

The longer we keep information that doesn’t need to kept, the more we expose the organisation to potential embarrassment and expense through e-discovery and other forms of information retrieval.

Understand your real compliance requirements

What are your actual compliance mandates?  If users know what they are, they may respond better to a new system.  Often this is not well communicated.

It is very important to have a very thorough understanding of your actual compliance requirements.

And then, based on that understanding, take a risk based approach to the management of your information.  This will in turn inform how you approach the issue of user uptake of a system.

In August 2007 the Management Advisory Committee (MAC) of the Federal Government’s Public Service Board published one of the most useful common sense documents to come out of Canberra, ‘Note for File’.

The report acknowledged the key difficulties faced by agencies in managing information, the problems of information stored unofficially on network drives and in email and other electronic systems.  It recommended agencies take a risk based approach and prioritise their recordkeeping attention on activities that pose the greatest level of risk.

Get senior management support

Will your CEO use the system? If not, why not? My CEO uses our system.  It’s a great selling point for staff.

Have end user participation and contribution from the beginning

This is part of good business analysis.

Understand your organisation and its business needs, preferably with some product knowledge behind you.

Find the key users, the early adopters. Consult. Listen. Identify problem areas.

BUT! Recognise that users are not always right and remember that customisation can be expensive.

Have well defined system requirements – but don’t over do it

Understand your business needs and define your requirements for a system carefully.

Understand and define what the relationship will be between the existing systems, drives and email folders and the new system, and how end users will work in the future.  Storybook it even.

Many products probably already do what you want.  These systems offer users folders containing documents, wrapped up in access, security and audit requirements, sharing and collaboration models, with retention and disposal capability.

The more you customise the base product, the more expensive and complicated it gets.

Find the product that best meets your needs

Find a product that is the best match for your business needs, not one that has the best marketing team, or is flavour of the month.  Many products have been around for years.  They started out as DM, became EDM, then EDRM, and are now ECM systems.

There is a lot of maturity in this market and, in recent years, a great deal of upheaval and acquisitions.

TRIM was bought by HP.  Hummingbird and Vignette were acquired by Open Text.  The old iManage was bought by Interwoven and became Worksite (and Mailsite), then was acquired by Autonomy.  Documentum by ECM, and in the wake of those acquisitions Alfresco appeared.

Really get to know the product and what it does, including your infrastructure requirements

So, what’s the best system for users to use?  One that meets your objectives.  One that will:

  • Meet your business, regulatory and litigation compliance requirements and standards for keeping, storing or managing information and records.
  • Be used by users, with minimal training.
  • At a cost that is affordable and gives true return on investment.

It doesn’t, necessarily, have to manage everything.

Don’t forget about recordkeeping requirements.  If you follow the principles outlined in ISO 15489 you are more likely to have good records that will meet compliance requirements.

A realistic project plan AND change plan

Have a separate change and project plan, although they may be in the same document.

I’ve seen extraordinarily complex project plans for projects that didn’t succeed, and very simple project plans that did succeed.

Success can be as much about a great plan as it is about the people and resources doing the work, and the capability of the users in the organisation to change.

Failure, on the other hand, is often about poor scoping and/or scope creep, poor understanding of the organisation’s capability for change, poor change management, poor communication, user rejection, and, frankly, the wrong choice of technology.

As they say, successful projects have proud parents, the unsuccessful ones are orphans.

Have a great change management plan

You need a good change plan, especially for the late majority and late adopters.  In fact, some people suggest you should only target these groups for change.

Change is not popular.  People fear change and tend to be somewhat parochial and protective of the technology they have got used to.

Moving from a paper-based to an electronic-based way of managing information is, perhaps, one of the greatest challenges over the past decade.

Understand the technology adoption lifecycle.

Software – know your proposed or acquired product – well.

I mean, really well.  How often do we see organisations evaluating and acquiring a system, and then engaging a systems integrator to implement a product, without having a good idea of how the product really works in the first place?

This is as much about the acquisition process as it is about the implementation process.

In one case I was involved in recently, the organisation spent a lot of money getting external consultants to help define the business requirements of the system, which were then passed to an integrator who did exactly what was required.

Problem was, the system then failed because it was not designed to work in the way that the users had requested, the consultant had defined, and the integrator had made it work.  Find out how other organisations use the same product.

You should also know your vendor very well, too, along with any proposed systems integrator.

Customise only when necessary

This is an interesting one and in many ways related to the previous point. Clearly it is a good idea to engage staff in how they want a system to work.

However, many systems are, by default, capable of doing most of what the majority of users want without customisation.

You need to tread a very fine line between listening to users and implementing what they want.

The more complex your project in terms of customisation (in particular), the more likely it is the majority of potential early adopters will miss out.

Maintain sufficient flexibility to get your project over the line within time and budget.

In a case I was involved in last year, the organisation persisted in developing a complex and expensive set of customisations, when the product out of the box actually met 98% of user requirements.


Don’t forget about recordkeeping issues, including retention periods for the information.  This is closely linked to your policy.

Remember, keeping records for too long can be just as risky as not keeping them, because it exposes the organisation to legacy information that should probably have been deleted.

Use qualified resources

Use qualified resources, people who have a good track record.

Post implementation evaluation of the project

Look around at other projects. Learn the lessons. Communicate them!

A brief history of the origins of the Statute of Limitations

January 28, 2010
(NOTE: This article was completely re-revised on 1 February 2010, all original content was changed).
The retention – and eventual disposal – of records is a common business practice, despite occasional concerns about what gets destroyed.  Justice Scalia, in Arthur Andersen LLP v United States (No. 04-368, 2004) said as much about the destruction of records relating to Enron by Arthur Anderson ‘… we all know that what are euphemistically termed “record-retention programs” are, in fact, record-destruction programs, and that one of the purposes of the destruction is to eliminate from the files information that private individuals can use for lawsuits and that Government investigators can use for investigations.’
A key factor in all records disposal programs is determining how long records should be kept.  In many parts of the English speaking world, seven years is frequently cited as the minimum period that records must be kept. But what is the origin or significance of this period of time?
It seems, based on the available evidence, that the seven year period is based on an arbitrary period or time limit of six years, set in 1623.  Some jurisdictions with English legal traditions around the world have retained the same minimum six year period, for example, ‘An action for an account shall not be brought in respect of any matter which arose more than six years before the commencement of the action.'(s4(2) Limitation Act 1950 (New Zealand)). Others have decided to go with seven years, based on (it would seem) the expiry of the six year period.
It has been claimed by some commentators that the seven year period is based on Deuteronomy 15:1 – 2, which refers to the release of debts after a seven year period, and Deuteronomy 31:10 which has similar references.  There is also, as we will see, Jewish influence on English property law during the same period which set the scene for the eventual creation of statutes of limitations, but these links do not provide credible links to the specific period of time that was chosen.  If anything, the origins of a set timeframe for (legal) actions can be traced to Roman Law but, again, the links with early English property law is not strong.
Roman Law
Roman law, as outlined in the Twelve Tables (see, for example,, included the principle for property related matters of usucapio, literally ‘taking by use’ (Table VI.5).  ‘Usucapio of movable things requires one year’s possession for its completion; but usucapio of an estate and buildings two years.’
The concept of usucapio is in many respects the basis for the English expressions ‘possession is nine-tenths of the law’, and ‘finders keepers’.  The timeframes defined in the original tables were eventually extended by Justinian but ‘it remained in principle a method of acquiring ownership’.  (House of Lords, R v Oxfordshire County Council and Others, 24 June 1999).
Roman law also established the concepts of possession (possessio) and ownership (dominium). (see reference in sources).
Of interest is that Henry de Bracton, a Royal judge during the time of Henry II, wrote considerably on Roman Law, although his writings and the value of them have been disputed (see Wikipedia article).
English Law
English law, on the other hand, never accepted the idea that long possession of property was the basis for ownership or acquiring title. Instead, the continual possession of property over a passage of time removed the original owner’s right to claim it back.
Blackstone’s Commentaries on the Laws of England (1765-1769) notes that William I introduced feudal tenures into England after 1066.  An essential part of this new governance model was that ‘the king is the universal lord and original proprietor of all the lands in his kingdom; and that no man doth or can possess any part of it, but what has mediately or immediately been derived as a gift from him, to be held upon feodal fervices’.  This meant that the tenant’s possessory right in land was limited to usufruct, as granted by the King, who retained absolute dominion over the land.
Usufruct means that the tenant, or ‘fief’ was required to render service to the sovereign in return for the privilege of using the land.
According to Judith Shapiro, William also brought with him Jews who were owned by him and became his moneylenders.  Jews could not own land, but they could lend money using land as the collateral security, and presumably over a period of time.  While the contracts established at the time (‘shetar’, also known as ‘Jewish gage’) did include a clause from the bible (Deuteronomy 24:10-11) protecting debtors, it is highly doubtful that they released debt at the end of 7 years – in fact, Deutoronomy 15:3 clearly distinguishes ‘foreigners’ from this requirement.
According to the UK Law Commission April 2009 report ‘Why does the present law need reform’, the first limitation periods applied only to land-related actions.
Henry I succeeded William in 1100 and reigned until his death (of gluttony) in 1135.  Henry I brought about many changes to English feudal law recognised in documents such as ‘Leges Henrici Primi’ (written around 1115) and ‘Quadripartitus’.  One important change introduced was a limit on the date by which a ‘disseisor’ (that is, a person claiming ownership of land as a result of adverse possession (‘assize of novel disseisin’)) could claim ownership.
In R v Oxfordshire County Council and others, 1999, it is noted that ‘… the medieval real actions for the recovery of seisin were subject to limitation by reference to past events.
Shapiro (ibid) notes that, during Henry II’s reign (1154 – 1189), ‘… the King’s court assumed an increasing share of litigation that had previously only been heard in local courts.  This was done through the issuance of Royal writs, including the new ‘writ of debt’, used to collect loans of money.
Writs of Entry were also created during this period, according to Joseph Biancalana.  Writs of entry were used to allege that a defendant had no entry into land other than by a transaction or taking that did not authorise him to hold the land, for a period of years (‘ad terminum qui preterit’), defined in three degrees.
Biancalana claims that the timeframe set out in the three degrees was developed from the writs of ‘gage’ (debt).
Shapiro claims that, eventually, the Jewish moneylending practices became ‘a weapon of socio-economic changes that tore the fabric of feudal society and established the power of liquid wealth in place of land holding.’  Riots broke out in 1190 and many of the original documents were destroyed (leading, incidentally, to the creation in 1200 of local Archives (Archae) and duplicate copies).
The UK Law Commission report noted above states that,
  • Before 1237, ‘… plaintiffs could not claim land on the basis of seisin before the day in 1135 when Henry I died.’
  • In 1237, the Statute of Merton, 20 Hen III (1235) stated that a writ of right for land-related claims could not refer back to any time before the coronation of Henry II in 1154.
  • In 1275, the Statue of Westminster, 3 Ed I c 39 moved this date forward to the coronation of Richard I in 1189.
  • These dates were not changed again until the 1540 Act of Limitation, which prescribed 60, 50, and 30 year limitation periods for land-related writs of right, writs of morts d’ancestor, and claims based on possession of the claimaint, respectively.
In R v Oxfordshire County Council, it further notes that ‘as time went on, proof of lawful origin … became for practical purposes impossible … the evidence was not available …’ to assess claims of novel disseisin.  Judges apparently instructed juries that ‘if there was evidence of enjoyment for the period of living memory, they could assume that the right had existed since 1189’.  As time wore on, it clearly became impossible to prove.
Finally, the Statute of Limitations Act 1623 fixed a 20 year period for ‘writs of formedom’ (UK Law Commission report).
However, these changes still proved difficult in practice and often relied on ‘legal fictions of presumed grants’ (R v Oxfordshire) effectively based on ‘time immemorial’ (that is, since 1189).
Until the passage of the Act in 1623, no limitation periods existed for other, non land-related claims. (UK Law Commission report) The new Act included limitation periods for non-land-related claims as follows:
  • Two years: Actions for slander
  • Four years: Actions of trespass to the person, assault, menace, battery, wounding and imprisonment
  • Six years: Actions on the case (other than slander); actions for account, other than such accounts as concern the trade of merchandise between merchant and merchant, their factors or servants; actions of trespass, detinue, action sur trover, and replevin for taking away of goods or cattle; actions of debt grounded upon any lending or contract without speciality; and actions of debt for arrears of rent; actions of trespass to land.
The 1623 Act also provided for an extension of time where the plaintiff was under the age of 21, a married woman (‘feme covert’), mentally disabled (‘non compos mentis’), imprisoned, or ‘beyond the seas’.
The UK Law Commission states, on page 5 that ‘we have been unable to trace any information on the reason why the six year period was thought appropriate’.  They add that ‘No limitation period applied to contracts under seal (that is, specialties), actions of account between merchants, their servants or factors, actions brought for debt under a special statute, or actions brought on a record’.
Limitation periods for land related actions were reviewed by the Real Property Commissioners in 1829.  The Commissioners recommended the retention of the 20 year period, implemented in the Real Property Limitation Act 1833 and the Prescription Act 1832.  The Commissioners also found that no limitation periods applied in some cases, including where seisin did not need to be alleged. And, there were no statute of limitations applied to actions by the Church. The 20 year period was then reduced to 12 years by the Real Property Limitation Act 1874. (UK Law Commission report)
Limitation periods were further reviewed in 1936 and recommendations made.  These included:
  • That a single limitation period of six years should apply to actions in simple contract, and actions in tort.
  • A new limitation period of 12 years (down from 20) was created for actions on a specialty.

According to the UK Law Commission report, the six year period ‘which at present applies to the majority of such actions … is familiar to the general public’.

  • ‘The Shetars Effect on English Law – A Law of the Jews becomes the Law of the Land’ by Judith Shapiro in The Georgetown Law Journal Vol 71, pages 1179 – 1200
  • ‘The Origin and Early History of the Writs of Entry’, Joseph Biancalana.  Law and History Review.  Vol 25, No. 3, Fall 2007.
  • ‘Final Report on Limitation  and Notice of Actions’, Western Australian Law Reform Commission,  1997.
  • ‘Ownership and Possession in the Early Common Law’, by Joshua C. Tate, Southern Methodist University (SMU) – Dedman School of Law, American Journal of Legal History, Vol. 48, pp. 280-313, 2006 SMU Dedman School of Law Legal Studies Research Paper No. 5
  • UK Law Commission, ‘Why does the Present Law need Reform?’, April 2009
  • Blackstone’s Commentaries on the Laws of England (1765-1769)
  • ‘A Man and His Money’, Harvey Reeves Calkins , 1915.
  • ‘A treatise on the law of actions relating to real property’, Henry Roscoe, 1825


November 9, 2009

Integrity is a key element in recordkeeping.  According to AS ISO 15489, integrity of documents means that they are complete and unaltered.

These words mirror s.11(3) of the Electronic Transactions Act 2000 (NSW) which notes that the integrity of information contained in a document is maintained if, and only if, the information has remained complete and unaltered, apart from:

(a) the addition of any endorsement, or

(b) any immaterial change, which arises in the normal course of communication, storage or display.