Microsoft 365 and recordkeeping
Find out more about the role of Microsoft 365 in recordkeeping in NSW Government. This information from State Records NSW covers compliance with records management standards and offers strategies for effective recordkeeping.
This guidance helps organisations with securing and storing records, including making sound decisions, staying accountable, and protecting the rights of staff and clients.
What is Microsoft 365?
Microsoft 365 (M365) refers to the online subscription of services and applications offered by Microsoft. Depending on the licensing plan, Microsoft 365 includes, but is not limited to:
- desktop, web, and mobile Office applications for word processing, spreadsheet, and presentations
- email and calendaring
- hosted services (Exchange, Skype for Business, SharePoint)
- collaboration tools (SharePoint, Teams, Yammer)
- file storage and sharing services (OneDrive and SharePoint)
- security and compliance tools
- business analytics tools.
Microsoft 365 and records management compliance
Public offices need to assess Microsoft 365 with the business systems checklist to achieve compliance with:
- the Standard on records management and
- the State Records Act 1998.
The organisation needs to consider how best to configure and use M365 to:
- meet organisational needs and recordkeeping requirements and
- identify where there may be gaps.
To bridge these gaps, consider the following strategies:
- Change the configuration of the system, for example: turn on/off particular features
- Implement third-party software or APIs (application programming interfaces) to extend the features and functionality of security, compliance, and/or record tools within M365
- Integrate the business system with an external recordkeeping system, such as EDRMS
- Export records and save the exported records into an external recordkeeping system, such as EDRMS
- Re-engineer existing business processes or introduce new work processes
- Implement policies, procedures, business rules or guidelines to meet recordkeeping requirements and/or
- Use multiple approaches to achieve compliance.
Document any configuration settings, policies, or strategies employed. This is to ensure that they continue to meet the organisation’s needs and recordkeeping requirements.
Consider the following as they may create risks to meeting recordkeeping requirements in M365:
- machinery of government (MoG) changes
- process change
- system upgrades or migrations.
Strategies for effective recordkeeping in M365
When assessing Microsoft 365 with the business systems checklist, consider the following strategies/actions:
M365 is structured with multiple administrative centres. Settings in these centres will need to be configured for records management functions.
M365 records management functions should be understood so that gaps can be covered and risks mitigated. Evaluate whether M365 configurations for retention and disposal of records are appropriate for the organisation's business needs. QSA's guidance (Queensland Government), for example, provides some useful strategies for managing disposal functions within M365.
Review the configuration options to ascertain if there are any gaps in meeting recordkeeping requirements. Consider any additional controls/configuration/integration that may need to be implemented.
Content needs to be declared as a record to be defined as a record in M365. Without the record declaration, metadata, retention and/or disposal documentation will not be retained. This will need to be configured in M365 settings.
Assess the likelihood and the consequences of users not complying with M365 records management controls.
Consider the user experience and the implementation of preventative measures to minimise risk of non-compliance.
If third-party software or an API is installed, develop a plan that defines how M365 updates and upgrades will be monitored and how the risk of disruption to recordkeeping processes will be minimised.
Identify where and how automation can be enabled to improve record control and reduce risk.
Identify any migration risks to records when importing into M365 from another system (including systems that manage email) or exporting from M365 to another system. Troubleshoot migration risks to ensure that the accessibility, authenticity, and accuracy of records are maintained.
Complete a risk-based assessment of records and map retention policies and periods to locations and services in M365. For containers, set the retention period to the longest minimum retention period required where there are multiple retention periods in the same location.
Certain systems/applications of M365 do not support retention labels or policies, or records management functionalities. Assess strategies for managing this to ensure that the records are captured and managed accordingly.
Review M365 retention configuration practices to ensure that retention and disposal authorities issued by State Records NSW are effectively configured into the system. Consider developing a local, streamlined version of relevant retention and disposal authorities and classes prior to creating bulk retention labels in M365.
Consider what reporting tools will need to be implemented. Review the business systems checklist to ensure that M365 meets the necessary reporting/auditing requirements. Other strategies may need to be considered and/or implemented to meet the specifications. M365 has the configuration ability to set up alerts for unauthorised deletions, changes, and amendments.
State Records NSW acknowledges the use of Public Record Office Victoria’s (PROV) M365 advice in the development of this guidance for NSW public offices.
Additional useful resources for implementing M365 include:
- Council of Australasian Archives and Records Authorities (CAARA) – Functional Requirements for Managing Records in Microsoft 365
- National Archives of Australia – Managing records in Microsoft 365
- Queensland State Archives – Manage your records and Microsoft 365
- New Zealand Archives – Microsoft 365
- Public Record Office Victoria – Microsoft 365
- State Records Office of Western Australia – Records Management Advice - Microsoft 365 Compliance Centre for Records Management
- White Paper: Supporting New Zealand’s Public Records Act compliance obligations with Microsoft 365