What is Microsoft 365 [Office 365]?
Microsoft 365 refers to the online subscription services and applications offered by Microsoft. Depending on the subscription plan, Office 365 includes, but is not limited to:
- Desktop, web and mobile Office applications for word processing, spreadsheet, and presentations
- Email and calendaring
- Hosted services such as Exchange, SharePoint Online
- Collaboration tools such as SharePoint, Teams, and Yammer
- File storage and sharing services such as OneDrive and SharePoint Online
- Security and compliance tools
- Business analytics tools.
Microsoft 365 applications and services have limited capabilities for capturing and managing records in a way that supports their ability to function as authentic evidence of business activities.
Microsoft 365 and recordkeeping strategies
There is no single way to configure Microsoft 365 to facilitate good recordkeeping.
Public offices should consider their recordkeeping requirements and the Microsoft 365 features and functionality when making decisions on how it will be configured and used. We recommend documentation of any Microsoft 365 configuration settings or policies implemented.
In order to manage records created in the Microsoft 365 environment in place, public offices should understand the functionalities available in the Office 365 environment and decide whether to:
- implement third-party software or APIs to extend the features and functionality of available security and compliance tools
- integrate Office 365 with a separate electronic document and records management system (EDRMS) or enterprise content management system (ECM)
- use multiple approaches to achieve compliance.
Microsoft 365 against Checklist for assessing business systems
In this guidance, Microsoft 365 is used collectively to include applications and services. Please note that the default repository for Microsoft 365 “in place” records management is SharePoint. SharePoint has some recordkeeping functionality compared to other applications or services like Yammer, OneDrive or Common Data Service.
The following table identifies the requirements from the Checklist for assessing business systems that are relevant to Microsoft 365. We recommend that NSW public offices use this table as a guide in assessing or understanding the records and information management capabilities of an existing or future Office 365 environment.
Requirements and observations
The requirements and observations provided are not exhaustive, and are current as at the time of publication of this advice.
|Functional requirement||Standard on records management minimum compliance requirements||Microsoft 365 Observations|
1. Does or will Office 365 capture records created or received, regardless of format and technical characteristics?
Capturing means that:
1.1 Office 365 can be configured to automatically declare or capture Microsoft 365 contents as records.
1.2 Some of the additional configurations needed are:
In Microsoft 365, no content or document is considered to be a record until users go through the records declaration process. This concept and process come from recordkeeping practices in the United States. The Australian recordkeeping and legal environments do not need a document to go through a particular process or be managed in a particular way to be considered a record. The State Records Act 1998 defines a record as 'any document or other source of information compiled, recorded or stored in written form or on film, or by electronic process, or in any other manner or by any other means'.
2. Does or will the business system uniquely identify each record and store this identification as metadata with the record?
|3.2 & 3.3||2.1 Microsoft 365 can be configured to enable visibility of unique IDs.|
3. Does or will the business system capture and show metadata?
The minimum requirements for metadata for authoritative records and information include:
• unique identifier of the record
• name / title of the record
• date and time of capture
• who created the record
• format of the record / medium
• change history / audit trail of actions done
• security and access information
|3.2 & 3.3||
3.1 Microsoft 365 captures a range of metadata and can be configured to capture certain metadata.
3.2 Microsoft 365 has limitations such as:
|4. Does or will the business system support creation of additional metadata elements detailed in the relevant standard or any other metadata required to support the organisation’s business requirements?||2.1, 2.3, 3.1||
4.1 Microsoft 365 captures a range of metadata and can be configured to capture certain metadata.
|5. Does or will the system store metadata over time, regardless of whether the related record has been archived, transferred, deleted, or destroyed?||3.1, 3.2, & 3.3||
5.1 By default, Microsoft 365 is unable to store metadata over time.
|6. Does or will the business system allow or restrict “edit” rights on record metadata?||3.4||
6.1 Microsoft 365 can be configured to allow or restrict ‘edit’ rights on the metadata of content declared as a record.
|7. Does or will the business system prevent the deletion of digital records and associated metadata at all times, except when deletion or destruction takes place as part of an authorised disposal activity?||2.5, 3.2, 3.4 & 3.7||
7.1 Microsoft 365 can be configured to prevent premature deletion of content declared as a record and its associated metadata.
|8. Does or will the business system generate, log and show all actions carried out on the record or in the system?
For transactional systems where data is overwritten, is the system able to show the overwritten data, date it was overwritten and by whom?
|3.1, 3.2 & 3.3||
8.1 Microsoft 365 captures a range of metadata such as actions carried out on the record and can be configured to capture certain metadata.
|9. Does or will the business system set and manage access and security permissions?||3.2 & 3.5||9.1 Microsoft 365 can be configured to set and manage access and security permissions.|
|10. Does or will the system export all or select records (including associated metadata and system logs), regardless of format, without loss of content or metadata?||2.4, 2.5, 2.6, 3.2, 3.3 & 3.4||10.1 Records exported from Microsoft 365 lose certain contextual and/or user-defined metadata, only retaining metadata embedded in each content.|
|11. Does or will the system produce a report detailing success or any failure during the export process (including identification of those records which generated errors or were not successfully exported)?||2.6||11.1 No information available.|
|12. Does or will the system support controlled disposal or deletion of records legally authorised for disposal?||3.6 & 3.7||
12.1 Depending on your agency's licence, Microsoft 365 can be configured to facilitate the routine and regular deletion of records legally authorised for disposal.
12.2 Labels, label policies and retention policies can be configured to enable retention and automatic deletion of records.
|13. Does or will the system produce reports relating to deletion of records/information/data and its associated metadata, including:
• unique ID of records and information deleted
• date and time of deletion
• action done by (optional)
|3.6 & 3.7||
13.1 Microsoft 365 deletes content declared as a record and its associated metadata completely.
The metadata of content declared as a record needs to be retained for a minimum of 20 years after the records to which it relates are destroyed or finally disposed of. (See GA28: Information Management - Control 12.9.3). To address this gap, public offices may:
Published November 2019/Minimal update March 2021