Healthcare and Life Sciences Blog

Office 365 Records Management and Compliance Resource Documentation

Michael Gannotti
Sep 05, 2019

The other day I had a discussion with a customer about using Microsoft 365 for records management. We covered front-end SharePoint Online administration for records management and, as is usual in these conversations, moved on to their regulatory compliance requirements. At the end of our discussions and demonstrations, the customer asked if I could provide links to Microsoft's official documentation on records management and compliance.

In this post I provide the resource list I put together, focusing on Office 365 records management and the related compliance and security documentation.

Thanks for visiting – Michael Gannotti

  • AndrewWarland   Totally agree. In this case we provide capability from a technical standpoint, but the implementation and use of that technology is meant to be customized for various orgs depending on their interpretation of the compliance regulations under which they operate. That is why, in addition to having rich APIs for customization by orgs that have the in-house resources, we also have a wealth of Partners who can implement it in the manner desired, as well as Partners who provide canned add-on solutions that can be configured for needs. 

  • AndrewWarland (Steel Contributor)

    Thanks Michael, this is a very helpful and useful reference list and Microsoft deserves a lot of credit for listening to the records management community to improve on how records are managed in Office 365. 

     

    A key point of concern that comes up in many of my discussions with organisations is how to effectively the outcome of records retention, based on the best practice described in ISO 16175. 

     

    The two main options now are (a) destroy automatically ('conveyor belt into a furnace' was the analogy I was given), and (b) subject the records to a disposition review. 

     

    A concern about auto destruction is if any of the records may be required for litigation purposes - either potential or actual. As I'm sure you're aware, section 1519 of the US Criminal Code ('Destruction, alteration, or falsification of records in Federal investigations and bankruptcy') makes it an offence to destroy records, documents or tangible objects 'with the intent to impede, obstruct, or influence the investigation or proper administration of any matter'. You would want to be pretty sure that the records subject to auto-destruction will never be required for litigation purposes. 

     

    The concerns about the disposition review process are that it (a) targets and (if approved) destroys individual documents/records in a document library leaving the library in place, and (b) no record is kept of what was disposed. Records managers I have spoken with said they would want to review not just the individual records but the entire original 'aggregation' of records (the document library) before making a decision about disposition. Of course, they can do this by using the link in the disposition review to go back to the library, but it's an extra step. 

     

    Additionally, it is good records management practice to keep a record of records that were destroyed; currently the disposition review only shows and allows the export of default, basic metadata, not any other metadata that may have been applied in the original library. It would be good if, instead of culling the individual documents in the library, the outcome of the disposition review could include the option to (a) export all the library's original metadata (including the library URL) to a different location and (b) then delete the actual library, including all the documents contained in it (rather than targeting individual records). 


  • AndrewWarland (Steel Contributor)

    Thanks Mike. Microsoft have done a great job aligning various parts of Office 365 with common records management requirements. I understand your comment about using third-party partners to build on this foundation to address 'additional' requirements. 

     

    I don't see a problem with auto-destruction if it is applied appropriately and the business understands the potential risks involved.

     

    However the requirement to review individual records via a disposition review could be made much more useful with only a couple of changes. My concern is that, once you get thousands of records to review at a time, I think that this option will become much less useful than it appears at present. It would be similar to going through every physical document in a box of records to work out if the entire box needs to be kept - as much as possible, disposal should be at the 'aggregation' level, not the individual items. 

     

    I would suggest that the 'Finalise decision' dialogue box have one additional option: 'Review document library'. Clicking this option would take the reviewer to the original document library where they can review the content of the library in the context of the site in which they were created, and export the metadata if required. This is the first step in the process. 

     

    I would also suggest that the option to 'Dispose of the records' include the options to (a) export the original metadata (with a destination or download option) and (b) delete the original document library (yes/no). Otherwise you will end up with empty libraries and no clue as to what they contained. Knowing what was destroyed is an important recordkeeping requirement. 

     

    Perhaps partners can do this, or have solutions that are better than the Microsoft out of the box options. But, having come so far with a recordkeeping disposal solution, it would be a pity if Microsoft didn't take the opportunity to complete the solution, without having to bring in partners. 

  • Ralph Rivas (Copper Contributor)

    I knew saving this article would prove to be a great thing, as I literally had just about everything I needed for what the client thought was days of work to gather and condense, and here it all was in one place :smile:.  

     

    That said, one thing was not direct, mostly because the documentation itself is not direct on this.  If we were to have a role in the organization specifically for "Record Management", which role or combination of roles would we need to assign to allow for that activity, such that we would not have to give them too much access (Global Admin) or too little (Compliance Manager?   Perhaps that role is more powerful than it looks, or perhaps it IS the records management role?), and have them walk away feeling that they have Records Management properly attended to? … Thanks in advance, and I will keep hunting in those docs to see if I missed it, for which I apologize if I did.  
