Microsoft has announced the general availability of Records Management in Microsoft 365 (formerly known as Office365) for “Eligible Microsoft 365 E5 customers”, a new tool to help businesses protect and manage sensitive data. E5 is the top tier and highest priced enterprise level of Microsoft 365

While all Microsoft 365 users will see the Records management tool in the Microsoft 365 compliance center, this will change according to release notes.

“At this time any customer will be able to see the solution even if you’re not licensed for it, although not all functionality will work as expected. In the near future, this will change, and you won’t be able to see records management options if you’re not appropriately licensed.”

The new Records Management solution differs from SharePoint’s in-place records management or records center.

“This solution is our next evolution in providing Microsoft 365 customers with records management scenarios. It uses a different underlying technology than our legacy functionality in SharePoint, and also goes across Microsoft 365 beyond just SharePoint. This new solution is where our future investments in records management will be made and we recommend any SharePoint Online customers using SharePoint’s in-place records management, content organizer, or the SharePoint records center to evaluate migrating to this new way of managing your records,” Microsoft states.

The new tool promises the ability to:

• Classify, retain, review, dispose, and manage content without compromising productivity or data security
• Leverage machine learning capabilities to identify and classify regulatory, legal, and business critical records at scale
• Demonstrate compliance with regulations through defensible audit trails and proof of destruction

A new Harvard Business Review research report, commissioned by Microsoft, found 77% of organizations believe an effective security, risk, and compliance strategy is essential, but 61% face challenges in creating one. More than half (53%) have not developed a strong, business-wide data governance approach. The majority (82%) say protecting information has grown increasingly difficult due to new risks and complexities brought on by digital transformation.

"With many employees working remotely right now, one of the things we hear is security and risk management are arguably more important than ever," says Alym Rayani, senior director at Microsoft 365. The HBR survey was conducted before the coronavirus pandemic, he notes, but its data is just as important at a time when businesses are relying on remote employees. 

A higher volume of information, transmitted through and stored in multiple collaboration systems, drives complexity for managing records with cost and risk implications. Companies facing increasing regulations often move data into different systems of record to comply. This can increase the risk of missing records or not properly declaring them, he says in a blog post.

The records-management solution supports the following elements:

• Label content as a record. Create and publish retention labels that declare content as a record that can then be applied by end users or auto-applied by identifying sensitive information, keywords, or content types.
• Migrate and manage your retention plan with file plan and use file plan manager to bring in your existing retention plan, or build new with file descriptors and expanding hierarchies.
• Establish retention and deletion policies. Define retention and disposition periods based on various factors that include the date last modified or created.
• Trigger event-based retention with event-based retention.
• Review and validate disposition with disposition reviews and proof of records deletion.
• Export information about all disposed items with the export option.
• Set specific permissions for records manager functions in your organization to have the right access.

According to one local records management expert, there may be some challenges in adapting the solution for conditions in Australia and New Zealand.

"The design will be based on the US vision for records management – i.e. applying a file plan classification (label) to a records in place, and not place the records in context. The UK/AUS approach to records management is to collect the records together so it makes up a story – i.e. the evidence of a business transaction is clearly understood because you can see the context of the story. The US method usually leaves the document/record where it is, which makes it hard to find in the Office 365 information maze.

"As an example, one Australian Federal Government department tried many years ago to re-configure an American document management system to manage records by collecting the records into a file to ensure they showed context. But it broke the system and it was eventually recommended that the system be replaced."

Office 365 and SharePoint specialist Andrew Warland, who blogs at andrewwarland.wordpress.com, notes that the concept of 'declaring' a record is an American concept that isn't used here. 

“I'm very familiar with the information governance aspects of Microsoft Office 365 and have been critical of some of the things like auto-classification (for E5 only) as, while it is well-intentioned and would probably work well for some organisations, there are some potential risks in doing things this way as opposed to a good combination of retention policies applied to the different workloads across the environment,” said Warland. 

 “What I am not clear about, yet, is the extent to which some of these functions will be limited to E5 customers or will remain with the more common E3 licence. For example, the creation of 'explicit' retention labels (published as retention policies) or 'implicit' (invisible to users) retention policies, which can be applied to almost all of the ecosystem, are still visible in my E3 tenant. I've seen some people say that these will be removed, only accessible by E3 licence holders, but I'm not sure about that. Certainly, other features such as auto-classification, or more granular event-based policies, may require the E5 licence. 

“When it comes to auto-classification I am curious why Microsoft made this sound like new technology. Products like Recommind (now owned by Open Text) have been doing that for close to 20 years. 

“I agree with Microsoft that there is now so much digital content you cannot realistically expect to manage retention manually. However, the ability to create and apply both 'implicit' and 'explicit' (label based) policies cover almost all the content fairly well. I'm not sure what value things like auto-classification brings to the market and I'm a bit sceptical with the use cases suggested for event-based retention policies - for example, things like contract expiry dates or the date when employees leave an organisation can both be impacted by factors out of an organisation's control (litigation, investigations). I wouldn't want to see critical records vanish without a trace in this way.”