Compliant records management in Microsoft 365 for public authorities
Information management Microsoft 365More and more public authorities are looking to utilise Microsoft 365 to manage records. In many cases, employees are already heavily using the likes of SharePoint and Teams to create and store records. Sometimes these records make it to the ‘official’ eDRMS at the end of the lifecycle and sometimes they don’t.
The question on the tip of the tongue of every information manager and CIO is can compliant records management be achieved in Microsoft 365? And if so, what exactly are our requirements?
The answer? It depends on the unique business needs of your organisation and legislative requirements for your jurisdiction.
To make things easy, we have compiled a list of the latest resources from each jurisdiction across Australia to see what the authoritative word is on using Microsoft 365 for records management.
- NAA participated and endorsed the functional requirements for Microsoft 365 set out by CAARA in December 2021.
- Microsoft 365 can be customised to replicate properties of dedicated recordkeeping systems while maintaining functionality of a business information system.
- Advice includes a list of functional requirements for Microsoft 365 records management implementation.
- The latest recommendation looks at balancing compliance in records management while leveraging the collaboration capability of Microsoft 365 applications. Based on latest advice, this is not possible using off-the-shelf configuration.
- Agencies must configure the tools available in the Microsoft Purview to support retention.
- Microsoft Purview can be used to balance regulatory and productivity objectives.
- WA Public Sector departments who qualify under the State Government Enterprise Agreement will have access to an E3 license. This license level will not give you access to the full suite of Microsoft Purview tools.
- Agencies should take a well-planned approach considering project/program governance, information governance and design, solution design, and implementation approach. It is recommended that agencies address any implementation by means of a business case that considers the management of legacy information, systems, data migration, and changes in business processes.
- Public offices will need to assess Microsoft 365 compliance using the business systems checklist and consider the following options:
- Changes in the off-the-shelf configuration turning on/off features, leveraging automation, auditing, and other reporting features.
- Implementation of third-party software or APIs to extend features when needed.
- Integration with EDRMS when needed.
- Re-engineering existing business processes, implement policies, procedures, business rules, or guidelines to meet requirements.
- The design, configuration, and implementation of the records management solution in Microsoft 365 must consider requirements for metadata capture, discoverability, retention, disposal, as well as supporting the implementation of information protection and security controls.
- Ongoing governance structures must be in place to ensure updates, configuration, and system integration requirements are fit for purpose.
- We were unable to locate specific advice on management of records in Microsoft 365. However, State Records has published standards for managing digital records in systems. The standard outlines key requirements that are in line with those in other jurisdictions.
- A well planned and designed implementations of Microsoft 365 will meet key requirements such as:
- Key metadata capture to track business activity related to information
- Ensure accessibility, auditability, and protection using access controls.
The governance and compliance capability in Microsoft Purview can now help you manage records where they are used.
At Breadcrumb we can help you:
-
- create an architecture that supports user collaboration and compliant records management
- configure Microsoft Purview to enable compliant retention and disposal processes
- analyse and update business processes, policies, and procedures to govern your content
- assist in the migration of your content into Microsoft 365
- train and upskill your staff to manage records in Microsoft 365.