
What is Microsoft 365?

Microsoft 365 refers to the online subscription of services and applications offered by Microsoft. Depending on the licensing plan, Microsoft 365 (M365) includes, but is not limited to:

  • desktop, web, and mobile Office applications for word processing, spreadsheet, and presentations 
  • email and calendaring
  • hosted services (Exchange, Skype for Business, SharePoint)
  • collaboration tools (SharePoint, Teams, Yammer)
  • file storage and sharing services (OneDrive and SharePoint)
  • security and compliance tools
  • business analytics tools.

Microsoft 365 and records management compliance

To achieve compliance with the Standard on records management and the State Records Act 1998, public offices will need to assess Microsoft 365 with the business systems checklist.

The organisation needs to consider how to best configure and use M365 to meet organisational needs and recordkeeping requirements – and identify where there may be gaps. To bridge these gaps, consider the following strategies: 

  • Change the configuration of the system, for example: turn on/off particular features
  • Implement third-party software or APIs (Application Programming Interfaces) – to extend the features and functionality of security, compliance, and/or record tools within M365
  • Integrate the business system with an external recordkeeping system, such as EDRMS
  • Export records and save the exported records into an external recordkeeping system, such as EDRMS
  • Re-engineer existing business processes or introduce new work processes
  • Implement policies, procedures, business rules or guidelines to meet recordkeeping requirements and/or
  • Use multiple approaches to achieve compliance.

Document any configuration settings, policies, or strategies employed, to ensure that they continue to meet the organisation’s needs and recordkeeping requirements.

Consider machinery of government (MoG) changes, process change, system upgrades, or migrations – as they may create risks to meeting recordkeeping requirements in M365.


Strategies for effective recordkeeping in M365

When assessing Microsoft 365 with the business systems checklist, consider the following strategies/actions:

  1. Examine the administrative applications and tools used to manage records in M365. M365 is structured with multiple administrative centres. Settings in these centres will need to be configured for records management functions.

  2. Investigate M365 records management functions. M365 records management functions should be understood so that gaps can be covered and risks mitigated. Evaluate whether M365 configurations for retention and disposal of records are appropriate for the organisation's business needs. QSA's guidance, for example, provides some useful strategies for managing disposal functions within M365.

  3. Conduct a gap analysis. Review the configuration options to ascertain if there are any gaps in meeting recordkeeping requirements. Consider any additional controls/configuration/integration that may need to be implemented. 

  4. Defining a record in M365. Content needs to be declared as a record to be defined as a record in M365. Without the record declaration, metadata, retention and/or disposal documentation will not be retained. This will need to be configured in M365 settings.  

  5. Review the organisation’s behavioural culture around recordkeeping. Assess the likelihood and the consequences of users not complying with M365 records management controls. 

  6. Implement appropriate user control settings for records management. Consider the user experience and the implementation of preventative measures to minimise risk of non-compliance. 

  7. Develop and maintain an integration management plan. If third-party software or an API is installed, develop a plan that defines how M365 updates and upgrades will be monitored and how the risk of disruption to recordkeeping processes will be minimised.

  8. Use automation, where possible, to minimise risk to records. Identify where and how automation can be enabled to improve record control and risk. 

  9. Assess migration risks. Identify any migration risks to records when importing into M365 from another system (including systems that manage email) or exporting from M365 to another system. Troubleshoot migration risks to ensure the accessibility, authenticity, and accuracy of records are kept.

  10. Complete a risk-based assessment of records and map retention policies and periods to locations and services in M365. For containers, set the retention period to the longest minimum retention period required where there are multiple retention periods in the same location. 

  11. Consider where information is located within M365. Certain systems/applications of M365 do not support retention labels or policies, or records management functionalities. Assess strategies on how to manage this – to ensure that the records are captured and managed accordingly. 

  12. Labelling. Review M365 retention configuration practices to ensure that retention and disposal authorities issued by State Records NSW are effectively configured into the system. Consider developing a local, streamlined version of relevant retention and disposal authorities and classes prior to creating bulk retention labels in M365.

  13. Assess M365 reporting/auditing features. Consider what reporting tools will need to be implemented. Review the business systems checklist to ensure that M365 meets the necessary reporting/auditing requirements. Other strategies may need to be considered and/or implemented to meet the specifications. M365 has the configuration ability to set up alerts for unauthorised deletions, changes, and amendments. 


Acknowledgement and further resources

State Records NSW acknowledges the use of Public Record Office Victoria’s (PROV) M365 advice in the development of this guidance for NSW public offices.

Additional useful resources for implementing M365 include:

Published February 2022
