Microsoft 365 (M365) is a suite of office productivity software.

To use M365 as an official Electronic Document Records Management System (EDRMS) agencies must assess M365’s compliance against the Managing Digital Records in Systems Standard (System Standard) and the Minimum Recordkeeping Metadata Requirements Standard (Metadata Standard).

The Council of Australasian Archival Records Authorities (CAARA) have released Functional Requirements for Managing Records in M365. State Records endorsed these requirements for use in the South Australian government provided they are implemented in conjunction with State Records Standards and information management advice.

The term ‘information asset’ refers to information, data and records, in any format (whether digital or hardcopy), where it is created or received through the conduct of government business.

What is needed for appropriate information management within M365?

To appropriately manage information assets within M365, your agency needs to ensure:

  • all information assets are protected from unauthorised access, edits or deletion
  • additional controls are in place for sensitive information (the Information Classification System defines Sensitive Information as information whereby compromise may cause limited damage to an individual, organisation or government at a minimum)
  • metadata is created to enable the business context to be understood and to facilitate effective management of the information assets
  • information remains accessible for as long as needed according to current approved Disposal Schedules
  • deletion of information assets is adequately documented and can only occur if there is disposal coverage in the form of an approved Disposal Schedule.

This can be achieved by establishing effective governance arrangements and configuring M365 to meet the criteria of the System and Metadata Standards.

To do this, your agency needs to:

  • understand its information requirements to support its business activities and processes, including retention requirements
  • understand the controls available in M365 for managing information, including metadata and labels, and functionality that can be used to manage disposal
  • undertake a gap analysis to determine whether these controls are sufficient or whether additional configuration or integration is required, or whether information assets need to be saved into other systems
  • establish structures (e.g. in SharePoint) and set controls within M365 that both support the user experience and minimise the risk of non-compliance (balancing user and business needs)
  • determine where certain information assets should reside (M365, EDRMS, business system)
  • establish governance arrangements, including policies and procedures, that advise staff of the business rules for creating, saving, editing, accessing, exporting and deleting information
  • monitor and audit the use of M365 to ensure information is managed in accordance with requirements outlined in the System and Metadata Standards
  • ensure all users are educated and trained in using M365 and they understand their responsibilities in managing information assets within M365.

The System and Metadata Standards provide further information on managing digital information assets.

What to do if M365 does not meet State Records’ Standards

Where it is not possible to configure M365 as a compliant system in accordance with the System and Metadata Standards, consider either:

  • integrating M365 with an EDRMS or business system, or
  • ensuring information assets created with M365 are saved in an EDRMS or business system.

In this instance your agency may decide it is appropriate to keep short-term, low-value, low-risk temporary value information assets in M365, whilst requiring higher value, higher risk records with longer-term retention to be saved within an EDRMS or business system, outside of M365.

Specific Risks and Challenges of M365

Be clear on what specific information assets should be saved within M365, and where they are stored - e.g. SharePoint, OneDrive, etc.

The ability to configure internal controls depends on licensing arrangements. For example, your agency needs to:

  • be aware of what controls your agency can apply and seek advice from the Department of the Premier and Cabinet about tenancy-level controls where appropriate
  • implement controls and naming conventions for creating Teams and Groups
  • establish policies for using Teams, including whether Chat can be used in place of email
  • monitor the creation of Teams and Groups to ensure official information assets are adequately captured and controlled.

To ensure information assets are kept as required under the State Records Act 1997, your agency should:

  • set clear policy expectations about where information assets can or should be created and saved in M365
  • educate users about policy expectations for managing information assets
  • train users so they have the skills and knowledge to apply policies consistently.

Whether approved retention periods can be applied depends on the version or configuration of M365 being used. Even where it is possible, the time and cost of applying retention periods may make doing so expensive and impractical.

Your agency should:

  • educate users about what government information can and cannot be deleted from M365
  • document disposal of information from within M365
  • implement strategies for information assets that have a longer retention period, or are of a permanent nature; this might include integrating M365 with an EDRMS/business system or requiring information assets to be saved in a records or business system outside of M365.
Page last updated: 30 September 2024