Microsoft 365
This guide is designed to help public offices and local authorities adopting Microsoft 365 services.
Microsoft 365 (20/G18, approved September 2023)
What Microsoft 365 is
Microsoft 365 is a suite of online products that includes SharePoint Online and is provided as a set of cloud-based subscription services. The subscription includes automatic software updates, which means that subscribers always have access to the latest version.
Software services that are commonly part of the Microsoft 365 suite include:
email services (for example, Outlook Mail, Outlook Calendar, Outlook People, Outlook Tasks and Clutter)
hosted services (for example, Exchange, Skype for Business, SharePoint Online, and the browser-based Office Web Apps suite)
office applications (access to the current versions of the Office desktop applications)
collaboration tools (for example, OneDrive for Business, SharePoint Online, Microsoft Teams, Stream, Yammer, Skype for Business, Outlook Online and Delve boards).
Achieving compliance with the Public Records Act and Information and records management standard
Implications of Microsoft 365 for information and records management
Like many software implementations, Microsoft 365 functionality in its 'vanilla' rollout form is not compliant with the Information and records management standard (16/S1) (the Standard) or the Public Records Act 2005 (the Act).
The implications of Microsoft 365 for information and records management in your organisation will depend on:
how the software is configured
the type of licence held
whether or not Microsoft 365 is integrated with an electronic document and records management system (EDRMS) or an enterprise content management system (ECMS).
How to move towards compliance
To move towards compliance, you need to:
develop a knowledge of the administrative applications and tools used to manage information and records in Microsoft 365
understand where and how things are stored across the Microsoft 365 suite — this includes not just how different applications behave, but whether or not offshore storage is appropriate for your business
cultivate a close working partnership between your information and records management staff and your IT services
identify the appropriate level of governance licensing for your organisation
close any capability gaps by using third party add-ons for information and records management (ECMS or EDRMS) functionality
build an awareness of Microsoft 365 information and records management functionality and how it can be used to manage disposal of information and records
in conjunction with your IT support, plan to monitor and aggressively manage your instance of Microsoft 365 to ensure that Microsoft’s delivery method of updates and enhancements doesn't impact on the operation of any compliance measures you may have implemented
plan for and, where appropriate, implement the opportunities Microsoft 365 provides to automate many information and records management processes.
The Standard sets clear expectations on public sector organisations for managing information and records. The minimum compliance requirements contained in the Standard (supported by the Implementation guide (16/G8)) apply to the Microsoft 365 environment as they do to any system that creates and manages public or local authority records. The list at the bottom of this page highlights some of the key compliance requirements that relate to an implementation of Microsoft 365.
Applying information and records management controls
Include controls from the start
Ideally, you should include information and records management controls during the planning and configuration stage. If this does not happen, you can introduce various controls post-implementation, but it's preferable to design these in at the start rather than retrofit them.
Key controls
Key controls you should consider include:
labels and labelling policies that can be used to manage retention of information and records and security regimes, including sensitivity classifications (note that content can have one retention and one sensitivity label applied at the same time)
automated labelling can be applied, but currently only comes with the Enterprise E5 licence (as of Q3 2020)
electronic approval processes can be set up using the application Power Automate, if you have established that electronic approval will meet your organisation's business needs and legal obligations
access permissions can be applied through SharePoint Permissions to sites, libraries and to groups, or through an Azure Information Protection label assigning usage rights protection to specific documents (if they need to remain secure regardless of where they are stored)
unique IDs for documents can be set up within SharePoint Online using the automatic SharePoint Document ID functionality, but this is not the default and the functionality must be activated by a site administrator
alerts can be set up or customised to advise of unauthorised deletions, changes, and amendments
standardised metadata can be applied through site scripts and site designs for common sites, such as Team sites, Project sites
eDiscovery tools that search all content, including email, can be set up through the Security and Compliance Centre (note that for some eDiscovery functionality a Microsoft 365 E5 licence is currently required — Digital.govt.nz has information about all-of-government licensing for Office 365).
Managing disposal of your information and records
If your Microsoft 365 service is integrated with an EDRMS or ECM system, then disposal controls can continue to be applied in that system through traditional methods (such as assigning retention periods through the business classification scheme and folder structure).
If there's no integration, you'll need to manage disposal within Microsoft 365 and SharePoint Online, which uses a slightly different approach.
Managing disposal in Microsoft 365 through retention policies
Disposal in Microsoft 365 environments is managed through retention policies in the Security and Compliance Centre. These may be set up and applied by either:
classification through the use of labels and labelling policies
Data Governance-Retention through a retention policy.
Classification through labels and labelling policies
Classification through the use of labels and labelling policies can be automated with an E5 licence. Otherwise, the labels must be manually applied, which requires the user to select an appropriate label to apply where multiple labels exist. To do this, users need to be made aware of your organisation's retention policy.
Data Governance
Using the Data Governance application may be a better approach as it enables retention to be applied 'behind the scenes' without any user interaction. When applying retention policies, you need to consider the most appropriate level to apply the policy to. For example:
if applying at a high group level it may be useful to minimise and group retention periods to a few big buckets — these will round retention up to the relevant disposal class with the longest minimum retention period, aligning with the settings in most disposal authorities issued under the Act
if most of your information and records (apart from the odd few) is subject to one retention period, you can apply separate retention periods at individual document level — but this can be very onerous and document level retention is not usually advised.
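The bucket approach described above, worked through as an added example (not part of the original guidance): each group's retention is rounded up to the longest minimum retention period among its disposal classes, then the plan is checked for under-retention and the over-retention it causes is reported. The disposal class references, group names, retention periods and bucket sizes are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DisposalClass:
    ref: str                  # constructed disposal class reference
    group: str                # group or site the retention policy is applied to
    min_retention_years: int  # minimum retention set by the disposal authority


# Constructed sample data, not taken from any real disposal authority.
SAMPLE_CLASSES = [
    DisposalClass("DA-1.1", "Finance", 7),
    DisposalClass("DA-1.2", "Finance", 10),
    DisposalClass("DA-2.1", "HR", 7),
    DisposalClass("DA-2.2", "HR", 2),
    DisposalClass("DA-3.1", "Projects", 10),
    DisposalClass("DA-3.2", "Projects", 25),
]

# Assumed set of "big buckets" the organisation is willing to configure.
BUCKETS_YEARS = (7, 10, 25)


def bucket_for(years, buckets=BUCKETS_YEARS):
    """Return the smallest bucket that is not shorter than `years`."""
    for bucket in sorted(buckets):
        if bucket >= years:
            return bucket
    # Rounding down would dispose of records before their minimum period.
    raise ValueError(f"no bucket covers a minimum retention of {years} years")


def plan_group_retention(classes, buckets=BUCKETS_YEARS):
    """One retention period per group: the longest minimum in the group,
    rounded up to a bucket."""
    longest = defaultdict(int)
    for cls in classes:
        longest[cls.group] = max(longest[cls.group], cls.min_retention_years)
    return {group: bucket_for(years, buckets) for group, years in longest.items()}


def review_plan(classes, plan):
    """Compare each disposal class with the period its group would receive."""
    rows = []
    for cls in classes:
        applied = plan[cls.group]
        rows.append({
            "ref": cls.ref,
            "group": cls.group,
            "minimum": cls.min_retention_years,
            "applied": applied,
            "over_retained_years": applied - cls.min_retention_years,
            "under_retained": applied < cls.min_retention_years,
        })
    return rows


if __name__ == "__main__":
    plan = plan_group_retention(SAMPLE_CLASSES)
    for row in review_plan(SAMPLE_CLASSES, plan):
        print(row)
```

Classes with a large over-retention figure are the candidates for a separate policy or a different grouping.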
Risks you need to consider
Meeting legislative requirements
Information and records still remain subject to privacy, security, official information and public sector records requirements while they are held externally in Microsoft 365 and SharePoint Online systems.
Mitigation
You can either integrate Microsoft 365 with a compliant system or configure Microsoft 365 in line with information and records management requirements to identify high-risk areas and their appropriate mitigation.
For example, information and records above a specific security classification may need to be only created or stored on systems that are under direct control of your organisation.
While a protected cloud environment may be an option for some information and records, the security classification of others may not allow them to be stored within an encrypted environment.
Ensuring evidential integrity, preventing unauthorised access and unlawful deletion
The collaborative design of Microsoft 365 places the user in a position of decision maker regarding the management of information and records when most users lack the appropriate skills and knowledge.
Mitigation
Put information and records management controls (automated where possible) in place to ensure that the evidential integrity of information and records is protected, and that they remain accessible but are not subject to unauthorised access or unlawful disposal.
For example, you can use sensitivity labels, an associated and relevant Label Policy, or audit log alerts to notify the appropriate staff if unauthorised access occurs.
Creating full and accurate records of government
It may be unclear who owns or holds what rights over the information and records in Microsoft 365 environments, including legal rights over information and records in the jurisdiction where they are being held.
Mitigation
Clarify ownership and rights over your organisation's information and records or, if there is lack of clarity, ensure that these are held within systems your organisation owns and controls. This clarification should also take into account the rights and interests that third parties might have, for example, the cultural interests of iwi, or those with intellectual property rights.
For example, you can ensure that information and records ownership and rights are clearly expressed in all contracts and agreements.
Losing information and records
The content of information and records, as well as metadata, may be lost as a result of Microsoft service changes, as part of normal service operations that may include automated deletion, or upon removal of a particular service by Microsoft.
Mitigation
You should review and remain up to date with service changes including release notices to ensure that any risk to information and records is known.
For example, if a Microsoft update or notice flags that a service will be disabled, you could either move or convert information and records from that service to one that is being actively managed.
Other considerations
Microsoft 365 is a cloud service that provides web-based applications (including forms of social media). As such, you should also consider the advice available on our website for:
View our resources on digital processes, practices and tools for public sector information managers
CAARA guidance for Microsoft 365
The Council of Australasian Archives and Records Authorities (CAARA) has created guidance for Microsoft 365. It outlines key principles to consider when selecting Microsoft 365 for managing information and records.
Read CAARA's Functional Requirements for Managing Records in Microsoft 365
Relevant compliance requirements
Our Standard provides minimum compliance requirements for public sector information and records management, some of which are particularly relevant to the use of Microsoft 365 services.
Principle 1: Organisations are responsible for managing information and records
Requirement 1.5 Business owners and business units must be responsible for ensuring that information and records management is integrated into business processes, systems and services
Your organisation must identify business owners and system owners who are responsible for ensuring information and records management is included in all systems and processes used.
Those owners must be aware that information and records management requirements are needed when they:
move to a new service environment
develop new business processes, systems or services, or
improve on existing business processes, systems or services.
Responsibilities for business owners must be identified and assigned in policies and within performance plans.
Business owners must demonstrate that they have considered information and records management requirements and assessed risks as part of the development process.
This requirement places responsibilities more broadly within your organisation. It reflects a business manager’s detailed understanding of the information and records produced by and necessary to perform their work, and their responsibility for ensuring its management.
Cascading responsibility to different business areas of your organisation lets business unit staff and information and records staff work together to ensure that information and records management is integrated into business:
processes
systems
services.
What this requirement allows your organisation to do
Associate information objects and/or record aggregations with their business context and maintain these links through any business changes over time.
Requirement 1.7 Information and records management responsibilities must be identified and addressed in all outsourced and service contracts, instruments and arrangements
Your organisation’s strategy and policy must include responsibilities to ensure that information and records requirements and risks are identified and addressed in all contracts, instruments and arrangements that your organisation agrees to.
For example, these may cover:
outsourcing some of the functions, activities or services of your organisation to an external provider
moving some functions, activities or services to a cloud service or other service provider (internal or external to the New Zealand public sector).
Your organisation must also ensure that the portability of your information and records and their associated metadata is assessed and appropriately addressed.
What this requirement allows your organisation to do
Ensure that ownership of any information and records created and maintained under a contractual agreement, is identified and conforms to jurisdictional, disposal, privacy, and other legislative requirements.
Requirement 1.8 Information and records management must be monitored and reviewed to ensure that it is accurately performed and meets business needs
Your organisation must regularly monitor information and records management activities, systems and processes to ensure they are meeting its needs and conforming to requirements. Any issues identified through a monitoring process must be addressed in a corrective action plan.
You must monitor activities such as process and system audits of systems that are high-risk, high-value, or both. Any system of assurance for information and records management should be integrated into your wider organisational assurance processes.
Your Executive Sponsor has responsibility for overseeing this monitoring.
What this requirement allows your organisation to do
Produce reports that can be used to monitor destruction, storage and use for management and audit purposes. These can support your leadership to demonstrate effective and legally compliant information management.
Principle 2: Information and records management supports business
Requirement 2.1 Information and records required to support and meet business needs must be identified
This requirement provides the foundation for managing information and records in all environments.
By analysing or appraising your organisation's functions and activities, you can identify what information and records it needs to support business. This can also help you identify other requirements, including:
Te Tiriti o Waitangi / Treaty of Waitangi obligations
government expectations
community expectations.
This work provides the foundation for understanding what information and records to keep. It identifies:
what systems and business processes are high-risk, high-value, or both for your organisation
the information and records required to support these.
You must incorporate this appraisal into comprehensive and authorised disposal authorities for your organisation's information and records.
Your organisation must document in its business rules, policies and procedures, decisions about what information and records are required to be created and maintained. The decisions must also be reflected in specifications for systems and metadata schema.
What this requirement allows your organisation to do
Document and maintain systems design and configuration about your systems. This could include the setup and changes to digital decision-making tools like algorithms, artificial intelligence and integrated databases — including those built into analytics, workflow and search.
Requirement 2.2 High risk/high value areas of business, and the information and records needed to support them, must be identified and regularly reviewed
Your organisation must identify the areas of high-risk, high-value, or both of its business. This will enable you to better prioritise how to manage, treat and protect these critical systems and the information and records they contain.
You must identify likely or potential risks to information and records management and manage or mitigate them. This includes protecting the systems that manage information and records that are high-risk, high-value, or both, from loss and damage.
Your organisation should set up appropriate security measures and business continuity strategies and plans.
By identifying high-value information and records at creation, your organisation can better manage and use these core assets.
What this requirement allows your organisation to do
Migrate or export information or aggregations without losing context (metadata). This is essential when systems are implemented or decommissioned, or organisations merge.
Test that the integrity of the information and records including associated metadata is not degraded during migration and export. For example, content must be able to be exported or migrated more than once.
Requirement 2.3 Information and records management must be design components of all systems and service environments where high risk/high value business is undertaken
In complex business and systems environments, it's important to design information and records management at the start. This is particularly important where the business involved is high-risk, high-value, or both.
Include information and records management when you specify systems and service environments which manage high-risk and/or high-value information and records. You'll be better able to manage and use the information and records.
Your organisation must consider at the start how to make system maintenance, migrations and decommissioning easier. In taking this 'by design' approach, you can ensure that:
systems specifications for information and records that are high-risk, high-value, or both, include requirements for managing them
systems specifications include requirements for minimum metadata needed to support information and records identification, usability, accessibility and context
documentation is maintained about systems design, configuration and any changes made over time.
Migrating and decommissioning systems can be expensive and time-consuming. Your organisation may hold insufficient documentation about:
the information and records held in the systems
the configuration of the systems
the disposal requirements for information and records held in the systems.
What this requirement allows your organisation to do
Capture core metadata — at a minimum, the metadata specified in the Standard.
Capture and maintain core process metadata to record the use of information or record aggregations.
Assign and persistently link unique identifiers to each information object and record aggregation. This requirement must not undermine the restrictions on assigning unique identifiers to individuals under the Privacy Act 2020.
Document and maintain systems design and configuration about your systems. This could include the setup and changes to digital decision-making tools like algorithms, artificial intelligence and integrated databases, including those built into analytics, workflow and search.
Requirement 2.5 Information and records management must be designed to safeguard information and records with long-term value
This requirement ensures your organisation identifies which systems and service environments hold information and records with identified long-term value. This requirement builds on Requirements 2.1 and 2.2.
Once you know what information and records are needed long-term and where they are kept, you can more appropriately safeguard and manage them.
Information and records required for the long-term will outlive both:
the systems in which they are managed
any outsourcing arrangements and contracts with service providers.
Your organisation must ensure it plans and manages the protection of long-term information and records during transitions of systems and changes to service arrangements.
2 examples of transitions are:
system migrations
decommissioning.
2 examples of changes to service arrangements are:
the termination of services
new outsourcing arrangements.
Your organisation must protect its long-term information and records during changes in administration and through changes in the machinery of government. This includes where information and records may be transferred between organisations as a result.
To help with identifying long-term information and records, refer to any authorised disposal authorities your organisation has or had.
What this requirement allows your organisation to do
Associate information objects and/or record aggregations to their business context and support ongoing links to business context through business changes over time.
Identify information or record aggregations of information of long-term value. This is to ensure that you are able to maintain access via migration or format change. We suggest long-term value equates to retention for more than 10 years for digital information and records.
Requirement 2.6 Information and records must be maintained through systems and service transitions by strategies and processes specifically designed to support business continuity and accountability
This requirement ensures that information and records are managed appropriately through system migrations and service transitions. Two examples are:
upgrades of systems
services offered in cloud environments.
Your organisation must have:
documented migration strategies
appropriate planning and testing processes.
These must ensure that information and records are not 'left behind' or disposed of unlawfully.
Your organisation must use a managed process to migrate information and records and associated metadata from one system to another. The process must be managed to deliver records that are accessible, reliable and trustworthy. Maintaining appropriate system documentation will help make migration strategies successful.
Your organisation must use migration and decommissioning processes that ensure information and records are kept for as long as needed for:
business
legal requirements (including in line with authorised disposal authorities)
government expectations
community expectations.
This requirement builds on Requirements 2.2 and 2.5. These require that information and records that are high-risk, high-value, or both, are supported and migrated appropriately.
The portability of information and records and associated metadata must be assessed in outsourced or service arrangements. Information and records must not be 'left behind' in outsourced arrangements. Such arrangements must include provisions for transferring the information and records back to the organisation.
What this requirement allows your organisation to do
Associate information objects and/or record aggregations with their business context and support ongoing links through business changes over time.
Identify information or record aggregations of information of long-term value. This is to ensure that you are able to maintain access via migration or format change. We suggest long-term value equates to retention for more than 10 years for digital information and records.
Migrate or export information or aggregations without losing context (metadata). This is essential when systems are implemented or decommissioned, or organisations merge.
Test that the integrity of the information and records including associated metadata is not degraded during migration and export. For example, content must be able to be exported/migrated more than once.
Document and maintain systems design and configuration about your systems. This could include the setup and changes to digital decision-making tools like algorithms, artificial intelligence and integrated databases, including those built into analytics, workflow and search.
Principle 3: Information and records are well managed
Requirement 3.2 Information and records must be reliable and trustworthy
Your organisation’s information and records must have enough metadata to ensure they're reliable and trustworthy.
Information and records must be:
accurate
authentic
reliable as evidence of transactions, decisions and actions.
This requirement ensures that information and records have appropriate minimum metadata to provide meaning and context (including te reo Māori), and that this metadata remains associated or linked.
Do regular assessments or audits to demonstrate that management controls of business rules, procedures and systems are operating correctly. This provides assurance of the integrity of the information and records stored in the system.
This requirement builds on the earlier principles in the Standard.
What this requirement allows your organisation to do
Capture core metadata — at a minimum, the metadata specified in the Standard.
Capture and maintain core process metadata to record the use of information or record aggregations.
Migrate or export information or aggregations without losing context (metadata). This is essential when systems are implemented or decommissioned, or organisations merge.
Test that the integrity of the information and records, including associated metadata, is not degraded during migration and export. For example, content must be able to be exported or migrated more than once.
Requirement 3.3 Information and records must be identifiable, retrievable, accessible and usable for as long as they are required
Information and records must be:
identifiable
retrievable from storage (physical or digital)
accessible, usable and reusable for as long as required.
To maintain the accessibility and usability of physical information and records, your organisation must store them in appropriate storage areas and conditions.
To maintain the accessibility and usability of digital information and records, your organisation must ensure it regularly migrates or moves them from one system or platform to another.
Your organisation must associate or link appropriate minimum metadata (including te reo Māori terms) to information or records to ensure the information and records can be identified, retrieved and shared.
Your organisation must regularly test systems and perform assessments or audits to demonstrate that the systems can locate and produce information and records that people can read and understand.
This requirement builds on the earlier principles in the Standard.
What this requirement allows your organisation to do
Capture core metadata — at a minimum, the metadata specified in the Standard.
Capture and maintain core process metadata to record the use of information or record aggregations.
Assign and persistently link unique identifiers to each information object and record aggregation. This requirement must not undermine the restrictions on assigning unique identifiers to individuals under the Privacy Act 2020.
Identify information or record aggregations of information of long-term value. This is to ensure that you are able to maintain access via migration or format change. We suggest long-term value equates to retention for more than 10 years for digital information and records.
Ensure a digital preservation plan can be applied to your information and record aggregations of long-term value without degradation, while maintaining relationships between exported components and their associated metadata. This is likely to entail format migration or export/migration of content — maybe more than once.
Migrate or export information or aggregations without losing context (metadata). This is essential when systems are implemented or decommissioned, or organisations merge.
Test that the integrity of the information and records including metadata is not degraded during migration and export. For example, content must be able to be exported/migrated more than once.
Ensure that information and records are securely stored and remain accessible over the time required to meet minimum retention periods.
Enable content search in order to make information and records accessible and usable. This would typically include a variety of search and retrieval methods, including simple and advanced search, and so on.
Requirement 3.4 Information and records must be protected from unauthorised or unlawful access, alteration, loss, deletion and/or destruction
Your organisation must protect information and records.
Your organisation must implement an information security policy and appropriate security mechanisms. The policy must cover information and records held physically or digitally — or both.
Security measures must include:
access and use permissions in systems
processes to protect information and records no matter where they are located, including in transit and outside the workplace
secure physical storage facilities.
Undertaking regular assessments or audits will help you verify that access controls have been implemented appropriately and are working.
What this requirement allows your organisation to do
Capture and maintain core process metadata to record the use of information or record aggregations.
Fix and protect content and metadata from unauthorised alteration and deletion.
Produce reports that can be used to monitor destruction, storage and use for management and audit purposes. These can support your leadership to demonstrate effective and legally compliant information management.
Apply security and access permissions ensuring that only authorised users can access information and records appropriate to their access rights.
Assign and actively manage New Zealand Government information security classifications.
Requirement 3.5 Access to, use of and sharing of information and records must be managed appropriately in line with legal and business requirements
This requirement builds on the requirements in Part 3 of the Public Records Act 2005.
Your organisation must ensure that access to, use and sharing of information and records are in line with legal requirements including:
the Official Information Act 1982
the Local Government Official Information and Meetings Act 1987
the Privacy Act 2020
the Health Information Privacy Code 1994
organisational policies, business rules and procedures.
Undertaking regular assessments or audits of systems will help you verify that access to, use and sharing of information and records is managed in line with:
business requirements
legal obligations
the New Zealand Government ICT Strategy or Action Plan (where appropriate).
What this requirement allows your organisation to do
Apply security and access permissions ensuring that only authorised users can access information and records appropriate to their access rights.
Assign and actively manage New Zealand Government information security classifications.
Requirement 3.6 Information and records must be kept for as long as needed for business, legal and accountability requirements
Your organisation must implement policies, business rules and procedures to ensure that information and records are kept for as long as required — and to identify how their disposal is managed.
Your policies, business rules and procedures must be in line with the requirements of the Act.
Information and records must be sentenced and disposed of in line with authorised disposal authorities. This includes physical and digital information and records managed by or located in:
business systems
outsourced or service arrangements
offsite storage.
Disposing of digital information and records may also be part of a planned migration process or the decommissioning of systems.
When authorised and no longer needed for business purposes, all information and records of permanent value that are identified as public or local authority archives must be transferred to:
us
an approved repository, or
a local authority archive as appropriate.
What this requirement allows your organisation to do
Ensure a digital preservation plan can be applied to your information and record aggregations of long-term value without degradation, while maintaining relationships between exported components and their associated metadata. This is likely to entail format migration or export/migration of content — maybe more than once.
Schedule information and record aggregations for deletion (by an authorised person). The deletion or destruction process must allow for complete obliteration of the content and all components of an information object so that it cannot be restored.
Schedule information and record aggregations for transfer to an appropriate archive (including key metadata).
Maintain an auditable record of disposal actions. This includes key metadata documenting the deletion or destruction, or transfer.
Ensure information and records are securely stored and remain accessible over the time required to meet minimum retention periods.
Requirement 3.7 Information and records must be systematically disposed of when authorised and legally appropriate to do so
Your organisation must implement policies, business rules and procedures that identify how the disposal of information and records is managed. This includes:
assigning responsibility for sentencing and disposal of information and records (sentencing is using a disposal authority to decide which information and records to keep, destroy or transfer)
using disposal authorisation processes
implementing disposal actions
deleting metadata
decommissioning systems
documenting the disposal of information and records.
Your organisation must be able to account for the disposal of information and records in:
business systems
outsourced arrangements
offsite storage.
This includes providing evidence that the disposal of information and records is permitted and authorised under legal obligations — including the Act.
What this requirement allows your organisation to do
Capture and maintain core process metadata to record the use of information or record aggregations.
Schedule information and record aggregations for deletion (by an authorised person). The deletion or destruction process must allow for complete obliteration of the content and all components of an information object so it cannot be restored.
Schedule information and record aggregations for transfer to an appropriate archive (including key metadata).
Maintain an auditable record of disposal actions. This includes key metadata documenting the deletion or destruction, or transfer.
Be able to stop the disposal process (sometimes referred to as a 'legal hold process').
Ensure information and records are securely stored and remain accessible over the time required to meet minimum retention periods.