The Microsoft Office suite is familiar to most organisations today in its longstanding role as an enabler of workplace productivity. As organisations grow and adapt however, there is a need for increasingly mobile and interconnected work environments, leading to the uptake of Microsoft 365 (M365). While use of M365 in organisations is increasing, we are also seeing a steady decline in use of more traditional electronic document and records management systems (EDRMS). Many organisations are decommissioning their EDRMS in favour of native records and information management functionality available in M365.
In order to effectively utilise the M365 suite it is important that organisations understand their business and regulatory information governance requirements for securing, describing, using and managing information assets. With a good understanding of these requirements organisations can explore how native features in M365 can help meet these requirements, and where information governance compliance gaps might exist.
In this series we will look at various M365 features across three key areas:
- Information management
- Information security
- Search and discovery
Information Management – Retention
Microsoft 365 provides centralised management of retention through the Security and Compliance Centre via:
- Retention Policies – broad retention control
- Retention Labels – granular retention control
Policies and labels can be used simultaneously within Microsoft 365, with the longest retention period taking precedence.
|Event based retention
|Manage SharePoint, OneDrive, Groups and Exchange content
|Manage Microsoft Teams (Chats and Channel messages), Skype for Business and Exchange Public Folders content
|Manage content as a finalised record
|Apply based on sensitive information
|Apply based on specific words and phrases
|Can be manually applied to specific documents
It is critical that organisations have a clear understanding of the type of information assets that will be captured within the various M365 solutions. Having this understanding will support identification of requirements for retention and defensible disposal of information assets. Understanding these requirements will allow for retention controls to be appropriately planned for at implementation.
In the coming weeks we will be looking at the various aspects of retention in M365 to help you better understand how you can meet your retention requirements:
- Retention policies
- Retention labels
- Retention label policies
- Event-based retention
About the Author
Adelaide Copland has worked as an information specialist and CM/TRIM application administrator since 2014. Adelaide has experience in Microsoft 365 implementations, process improvement, records training delivery, development of policies and procedures, strategy and establishing digitisation programs.
A digital transformation is underway in your organisation.
“Digital Transformation” by Cerillion is licensed under CC BY 2.0
- An organisational rollout of Microsoft 365 tools and applications.
- Provision of a user centric environment where staff can work collaboratively, and access and share information easily where ever located, using a standard toolset.
- Replacing a rigid technology platform with a flexible and agile cloud environment.
- Decommissioning the electronic document and records management system (EDRMS) because it is not particularly user friendly and/or built on outdated technology.
The above points will be familiar to many as organisations transition to environments that support dynamic collaborations, co-authoring and flexible remote working with complete access to the information needed.
BUT the EDRMS is being decommissioned…
- what about your recordkeeping requirements?
- you have obligations to recordkeeping legislation as well as to privacy legislation amongst others?
- How will compliance be assured?
You are the Information/Records Manager, what must you bring to the transformation project for consideration and what are your challenges:
- The importance of maintaining the current high level of records management compliance provided by the EDRMS.
- Management of the migration of records from the EDRMS to ensure that the recordkeeping metadata associated with the records is not lost to maintain the integrity and auditability of the record.
- The migration of shared drive files and folder structures. Is this just moving an uncontrolled environment to another potentially uncontrolled environment? How could / should this be done?
- Information management governance of the collaborative environments to ensure there is a strong understanding of how Microsoft 365 applications will be used and for what types of information.
- Where will high value / high risk records be captured, so that these records are identified and not captured in sites that are designed for routine or ephemeral information.
- Management of and access to audit histories in the new environment.
- Are additional tools required to achieve records management compliance or will M365 meet our requirements out of the box?
About the Author
Adelle Ford is an information and records management professional having worked in this sector since 1979, having been employed in various capacities by both public and private sector organisations. Adelle has extensive experience in strategic planning, development of records and information management frameworks, policy and procedures, business classification schemes and retention authorities for large scale organisations operating in legislatively complex business environments. Adelle has experience in and a sound knowledge of a range of information management systems, the specification of requirements, selection of enterprise content and records management systems to meet business needs, implementation of a broad range of software products and associated change management.
Information Governance is by its very nature interdisciplinary. Of course, it needs leaders, but great information governance leaders are those that enable a multi-disciplinary team approach to thrive. This is best done by allowing the distinct approaches to information brought by members of the team to exist in both cooperation and creative dissent. The organisational context and information culture determines exactly which skills are brought into the collective mix of information governance, but typically it includes compliance, risk, privacy, risk, security, recordkeeping, data management and analytics (and more in the American context, e-discovery). Each of these focus areas brings specific approaches to their patch of information governance – the trick is to get each to play to their strengths without drowning out or diminishing the important roles of others. Playing nicely across information disciplines is not a given and fostering that capability is the skill of the information governance leader.
So what exactly does the recordkeeping discipline bring to the mix? The overwhelming focus is to ensure that authoritative traces of activity exist in order to document, defend and enable efficient business. Throw aside any preconceptions you may have of this discipline: in particular, any misapprehensions that the focus is on paper, storage or cleaning up accumulated digital or paper remnants. The reality is that today’s recordkeeping professional is focussed on enterprise-wide framework issues including mechanisms to manage authoritative information effectively with all existing and planned systems. The importance of inter-disciplinary working is drilled into the professional approaches, and today’s recordkeeping professional should be well versed in identifying and working with the specific professional concerns of cognate disciplines.
An emerging framework for understanding organisational recordkeeping is that of recordkeeping informatics, which stresses the need for agility, interdisciplinary focus and the need to adapt practices and requirements in ever-changing technological environments. Focussing approaches on two solid foundation blocks – continuum thinking and metadata, recordkeeping informatics uses three facets of analysis – organisational information culture, business analysis, and access.
Continuum thinking is, in part, a sensibility and an orientation to information managed for specific evidential purposes. It brings an understanding that in order to keep, often fleeting, digital communications, a robust understanding of complex and often competing demands must be met. If the information is to provide the authoritative resource organisations require, it must be proactively designed as fit for purpose – whether it needs to last a nanosecond or a millennium. But information, particularly digital information, can be paradoxically fragile. If the preconditions are not consciously architected to enable contextual management of information over time, then the information will lose its authoritative nature very quickly, possibly only surviving as useful resources for the memory-span of an individual connected with its creation or management. Continuum thinking stresses connections with the future but also with the past, positioned in situated analysis of the organisation within its ever-changing social environment, where multiple perspectives need to be identified and consciously incorporated into organisational approaches.
No information discipline can operate in today’s digital world without a solid appreciation and understanding of the role of metadata in the design and continuing implementation of management strategies. For recordkeeping, the metadata is not a post hoc add on, but a fundamental component of any digital recordkeeping approach. It is part of the record, which, while it may be stored separately is none-the-less an inherent component of the record, as important as, and arguably more important than, the content and its physical manifestation. Recordkeeping professionals deal in complexity and manage in context. This involves continuously ensuring relationships are defined and managed – including components needing to be bundled together, content objects managed in cascades of drafts, versions and multiple states of formality, identified roles, and responsibilities for actions that are hugely dynamic and ever-changing reflecting organisational realities. These are just a few of the organisational relationships managed through ever-accumulating recordkeeping metadata. This metadata is used to make assertions about the reliability and trustworthiness of the state of the information resource managed as records.
A recordkeeping professional grounds their approaches in organisational context. The importance of knowing the regulatory and compliance environment is key as it determines the requirements for records to support organisational responsibilities. The capacity to implement recordkeeping in systematic ways is driven by the information culture that derives from the organisational culture. Some organisations are risk-takers, some are more than mindful of regulatory compliance, and sometimes multiple information cultures will exist within one organisation. Diagnosing the state of the information culture will determine where a successful recordkeeping intervention is likely – through technological mechanisms, through behavior, through policy or other tactics.
Understanding the meaning of information over time is important. To do that in ways that support not only the current business but future requirements including those imposed by external stakeholders and users requires the construction of records in ways that reflect the business that was going on when the authoritative information was created and used. This locks recordkeeping informatics approaches into design strategies reflecting the realities of current business processes. Of course, making records creation and capture automatic, invisible, and able to operate as a continuing organisational resource to improve business practice is a major driver here. Locking the contextual understanding of the information created in, and supporting, the business process is a core requirement. And here too, the discipline of knowing how long information should be retained for comes into the mix. Defensible disposal is now an issue facing all organisations. The ‘keep everything, storage is cheap’ and ‘we’ll derive huge, but as yet unknown, value from accumulating our data’ approaches are beginning to lose viability as costs spiral, risks of exposure and unintended disclosures grow higher with uncontrolled and unknown data swamps, and information stored but contextless and unmanaged threatens to overwhelm. Coming to a more mature approach to managed information includes embracing defensible disposal and that is a long demonstrated recordkeeping skill.
Finally, no organisation can manage information resources without an access and permissions framework. Notions that this is purely a responsibility of single sign-ins or something determined by cybersecurity experts ignore the complex multi-system, multi-participant nature of business processes. The notion that ‘information just wants to be free’ is not an organisational reality. Protecting that which needs to be secured is not only a technological requirement from the cybersecurity community of the information governance matrix. Who has permission to do what, and for how long, who they are, responsibilities and delegations – all this is part and parcel of documenting and enabling business which is immediately reflected in the information created to document that business.
Look again, with fresh eyes at the role of recordkeeping within information governance. Recordkeeping is a fundamental approach to architecting information management approaches within a governed information framework. It is not stand alone, nor are today’s recordkeeping approaches for information governance post hoc, retro-fitted or simply defensive. Rather it is a dynamic, participatory, tailored approach to effective management of authoritative information for today’s business environment, tailored to re-use, business efficiency and grounded in robust interdisciplinary collaboration.
About this article
This article was written by Barbara Reed, Director, Recordkeeping Innovation. The article was first published on the Information Governance ANZ blog http://www.infogovanz.com/recordkeeping-in-information-governance in September 2018.
We are inundated by information and data every day and creating more information than ever before in all aspects of our lives. However, how much of the information created today is actually being preserved for future use? How, as information professionals can we ensure digital preservation of the information and records that are the life blood and the building blocks of our organisations and businesses?
As Information and Records Managers we understand:
- That many records need to be retained long term.
- That education and communication with users, stakeholders and other information professionals from different disciplinary backgrounds is invaluable to establishing an information culture.
- The need to engage with IT and other information areas to make use of existing expertise and knowledge within an organisation.
- The importance of metadata to ensure access to authentic records and information and that these can be understood in the future.
- The risks to the organisation if valuable information is lost due to technological obsolescence and media degradation.
- The need for standard file formats,
- The need for standards to ensure that the data and information identified for preservation can be transferred to trusted digital repositories.
- The importance of planning and developing strategies supported by sound policy.
Digital preservation is a complex area and it is often underestimated or even overlooked. It is often challenging convincing senior management that preservation of digital assets is an important initiative. So how do we go about or even start thinking about the digital records that we need to preserve in perpetuity for our organisations? How do we convince IT that the backup systems they have in place are not sustainable in ensuring that important records are accessible into the future; that digitisation of physical records is not preservation, much more is needed to ensure that digitised items can be accessed in the years to come. What are the critical things we should be considering and planning for so we can avoid the loss of valuable information? What tools are available to us to assist? Where do we go for advice?
We can look to the research data management and cultural heritage world for a wealth of guidance, advice and tools on digital preservation that can be applied to corporate records and information. The Digital Preservation Coalition provides an online handbook that provides good practice in creating, managing and preserving digital materials and provides a range of practical tools to assist.
Another useful tool is the Community Owned Digital Preservation Tool Registry (COPTR). This site provides a registry of tools to assist practitioners find the right tool for the digital preservation job. This site also provides an interactive grid to assist with navigating the large number of tools in the registry.
Figure 1: Interactive grid – COPTR
To protect valuable information assets organisations must be planning for digital preservation and engaging with all areas of the business receiving and producing records and information.
Recordkeeping Innovation is company with extensive experience in the information management field. Our team of consultants are experts and have a wealth of experience in development and implementation of information management frameworks, policy and strategy development, digital preservation policy, strategies and planning and development of metadata schemas. The team at Recordkeeping Innovation can assist in you in planning for digital preservation. Learn more at http://www.records.com.au/
About the Author
Adelle Ford has worked in the information and records management sector since 1979, having been employed in various capacities by both public and private sector organisations. Adelle has developed records management policies, strategic plans and operational procedures for large scale organisations operating in legislatively complex business environments. Adelle has experience in and a sound knowledge of a range of information management systems and has developed information governance frameworks and information inventories. Adelle has taught records management courses through Sydney Institute (TAFE) and continues to conduct system and records management training for clients. Adelle is currently completing a Graduate Certificate in Data Management
The health system is undergoing a digital transformation as more health services and practitioners adopt electronic health records. I recently attended a seminar on digital health information held by the International Association of Privacy Professionals, iapp- ANZ, and sponsored by Microsoft, that explored the many benefits, as well as the potential impediments for e-health records.
The panel of experts all acknowledge the benefits of e-health systems, especially for big data analysis supporting better disease recognition, familial tracing and diagnosis and the linking of screening program and treatment data. We are only at the beginning of health system improvements based on digital health records. Researchers are gaining new insights as existing data is enriched, digital images are captured and made accessible for improved or remote diagnosis. Data analytics and new tools can identify disease and treatment patterns in large datasets.
By Intel Free Press http://www.flickr.com/photos/intelfreepress/6948764580/sizes/o/in/photostream/
Individuals receive better health care from fully informed practitioners. Practitioners need to know that frail or elderly patients are being prescribed a wide variety of medicines that may interact to cause adverse reactions. Hospitals need timely access to diagnostic test results and avoid the costs incurred when tests have to be duplicated because data cannot be accessed. Complete medical history can be accessed when a patient moves hospitals or to a new provider or is frail or incapacitated. Digital access, flexibility and sharing of data leads to better health outcomes and reduced health system costs. Australian governments are currently making significant investments developing e-health platforms to achieve these benefits.
Trust and privacy protection
How will government win trust so that patients accept e-health records? Can patients ensure that their privacy is protected? Can patients control what information is shared, who can access it, and they can withdraw their consent?
Individuals will only agree to upload and maintain their e-health records when they trust the system, when they trust the government to act as the custodian of their private information. A new regime of documented and specific consent is needed that empowers patients to control their e-health record.
Managing consent: what, how and when
1. Consent for a specific purpose
Legislation requires that e-health data can only be used for the purpose that it was collected, in most cases for individual treatment, unless the patient provides consent that information can be used for a secondary purpose. So we have the situation that data has been collected e.g. for a medical research purpose, and now we could re-use this data for analysis, treatment reviews and modelling using new techniques, but this re-use requires patients consent for a secondary purpose. However, gaining patient consent retrospectively is impractical, and requesting consent for potential and future uses is problematic when these are not yet known. Consent will need to become a more nuanced and updateable record which enables a user to withdraw consent at some future time.
2. Consent must not be a pre-condition for service delivery
Health services will need to ensure that default consent is not required or required as a condition to receiving a service. So when a patient gives permission to share test results, that doesn’t give consent for the data to be shared with others, to be sold or re-used for commercial purposes.
3. Keeping records of consent
Health practitioners and consumers need better awareness about privacy protection and the management of user’s consent. A draft consultation paper from the UK’s Information Commissioner provides guidelines on how to manage patient consent, including advice on the recordkeeping requirements for user consents. The guidance is based on principles and supporting guidelines:
- Consent should offer genuine choice and control,
- Requires a positive opt-in, not opt out
- Explicit consent requires clear and specific statement of consent
- Make it easy to withdraw consent, and tell people how
- Keep evidence of consent,
- Avoid making consent a precondition of a service.
- Consent should be clear, concise and easy to understand
- Consent should be separate from other terms and conditions.
- Health services should provide instructions if the patient wants to withdraw their consent.
Health service providers should keep records of consent, including when and how consent was given, and updated. Health services will need to retain records to show evidence of consent. Although there is an overhead to keep sound records, the long term benefits will be a trusted e-health system.
Without trust, without explicit consent and the confidence that consent is controlled by patients, users are less likely to accept and use e-health systems.
About the Author
Kerry Gordon is a Director and Consultant with Recordkeeping Innovation. She works on digital recordkeeping and archives for clients in Australia and SEAsia. Kerry delivers regular training programs in records management and managing digital records. Kerry has a Masters Degree in Information Management from Monash University, Melbourne and has experience in developing large scale strategic studies for digital transition, classification and retention, managing administrative and organisational change, project management and communications supporting information governance.
We all recognise that things move quickly, the technology we have today will be surpassed swiftly by innovative solutions. Diversity of digital channels for social interaction and communication are expanding rapidly and being adopted in business environments.
Many of these channels are relatively young compared to mobile phones, email and other portable devices… Many of these channels are relatively young compared to mobile phones, email and other portable devices…
It is fascinating to look at preparations for change in administration from the Obama Presidency to the next. It illustrates the level of adoption of social channels as a means to engage people. President Obama used a variety of channels extensively. Over his 8 year period in office the White House used Twitter, Facebook, Instagram, Snapchat, YouTube. Medium, Tumblr and Flickr. You might find these articles describing the social media aspects of the Presidential Transition and plans to preserve and pass on the digital legacy of this group an interesting read. Another recent article outlines comments from Atlassian co-founder Mike Cannon-Brookes relating to economic changes stemming from technological advances. He cites an example relating to 2.5 million people driving cars as a significant part of their job, saying “Those jobs are all going away whether it takes 10 years, 15 years or 20 years, it doesn’t matter”. We have also seen “disruption” through establishment of innovative online services (e.g. AirBnB, Uber). While comments about workforce and industrial changes may sound gloomy, it also provides opportunity for innovation, highlighting the need to think differently about our work – to be “change ready”. How can we think differently about technology in our professional world? Electronic document and records management systems (EDRMS) have been implemented over the last 20+ years as “a” means to manage information. Many of these products are born from systems that managed paper records. They may be integrated with other business systems if the funding and executive sponsorship exist. Changes we are seeing in the social media realm extend into the broader business environment, with documents generated by multiple business systems and a workforce that is much more mobile. Some options to manage the information generated might include:
- Using an EDRMS as a single tool to manage documents and records
- Capturing records created by other business systems in an EDRMS, either as an export or a manual process
- Integrating with business systems to capture and manage records via an EDRMS for recordkeeping purposes
- Managing records within source business systems
Not an exhaustive list, but some of the approaches we see across the range of organisations we work with. Issues Sticking with EDRMS as a single tool is becoming less and less practical:
- Business models are less stable – frequent organisational change, services may be provided through third parties, outsourced or privatised
- Organisations implement an array of systems to manage core business functions
- Business systems may have some of the features expected from a recordkeeping perspective, but they seldom have all the functionality required to meet recordkeeping standards.
- Exporting information from or integrating with business systems is often complex, expensive, takes time to plan and implement.
In a fast paced business environment there is little tolerance for projects take a long time to implement – agility is needed. To quote one of my favourite songs by Queen – I want it all and I want it now. So where are the opportunities? There is definitely potential to manage our information by design, looking at the broad information architecture within organisations to:
- Focus on work processes and the information created
- Identify information assets, where they are and how they are managed (beyond EDRMS)
- Take a risk and value based approach, applying our scarce resources to mitigate and control risks
- Influence early through established frameworks:
- Business planning, risk assessment and management
- Procurement processes, contract and project management
- Ensuring system requirements address recordkeeping requirements, assessing their level of compliance as part of system acquisition or upgrade
- Information security, privacy and access arrangements
- Information governance and other communities of practice
Taking a “by design” approach beyond EDRMS might include:
- Developing simple tools to assist non-specialist staff to navigate requirements as part of their business and system planning activities
- Designing self-assessments for business systems to identify risks and mitigation strategies
- Information management plans fit for purpose – for simple or complex systems, guidance on migration or decommissioning
Traditional approaches are changing, as professionals we can add value to management of information across operations, providing guidance as part of business processes and systems – by design. About the author Toni Anderson has worked in the information and records management field for a substantial period in a range of Local, State, Commonwealth government organisations and the private sector, nationally and internationally, building a strong professional profile through participation in industry forums and associations. Toni has extensive experience in strategic planning, development of records and information management frameworks, policy and procedures, business classification schemes, retention authorities, the specification of requirements, selection of enterprise content and records management systems to meet business needs, implementation of a broad range of software products and associated change management. Toni has been instrumental in transitioning from project to business as usual operations, and leading teams providing high quality information services.