Office 365 Disposition Reviews Process Sensitive Information
Office 365 Classification Labels and Retention Policies
In April, I reported on the new Office 365 data governance framework. Classification labels are part of the framework and allow users to mark documents and email as being especially important. A label can have a retention action (some labels do not and simply classify the items they mark) to instruct Office 365 to keep any marked content for a certain period or to remove content after it reaches a certain age. Best of all, classification labels work across Exchange, SharePoint, OneDrive for Business, and Office 365 Groups, with support for other Office 365 locations due soon.
Manual Disposition is Sometimes Necessary
Classification labels are good for marking Office 365 content for retention or removal. However, sometimes you do not want an automated process to run without supervision. For instance, you might have a classification label to mark documentation for customer projects. Usually the projects finish in a few months and it is certainly safe to remove their documents after five years. However, in some more complex or extended projects, you need to keep the documents for longer. A label that removes all documents classified as project documentation after five years would not work. The same might be true for items that the company might need for litigation or audit purposes.
Manual disposition means that human intervention is necessary to check expired content to decide whether the business still needs the items or if they can be removed. A workflow notifies one or more expert reviewers, nominated because they have the skills needed to make decisions about content, when the retention period expires for marked items. The expert then decides to keep the material or to approve its removal.
The review process also helps you to understand whether people are applying labels correctly. For instance, if you see documents stamped with a label that is obviously inappropriate, you might ask why people use the label in error and then take steps to update procedures or change behavior.
As this SharePoint blog from 2006 reveals, manual disposition is not a new idea. What is new is that the latest update to classification labels means that you can mark content for manual disposition from all the Office 365 workloads covered by data governance instead of just SharePoint. For now, Microsoft has enabled “Disposition Review” for SharePoint and OneDrive for Business with the intention of supporting other workloads later, Exchange being the obvious next step.
Marking Content for Disposition Review
Classification labels and the policies used to distribute the labels to the Office 365 workloads are managed through the Security and Compliance Center. You must be a member of the Compliance Administrator role group to manage classification labels and policies.
If they have a retention action, classification labels can keep or remove content. To enable manual disposition, Microsoft has expanded the retention options to include the choice to trigger a review (Figure 1). You cannot update existing labels to amend the retention action. Instead, if you want to use manual disposition, you must create new classification labels and publish them to allow users to begin placing the labels on documents and mail items.
When Content Expires
Before manual disposition was available, the actions available when an item’s retention period expires were to remove the item or do nothing. Now, when the retention period expires, if the content triggers a disposition review, notifications go to the individuals selected in the label settings to tell them that content awaits their decision. As noted above, at present, you can only trigger a disposition review for SharePoint and OneDrive for Business content. You can apply the same labels to Exchange items but these items will not appear for review and Exchange removes the items when their retention period expires.
Our example label specifies that two named individuals perform the disposition review. The GUI allows you to use a distribution group to nominate experts, but not an Office 365 Group or security group. If you want to use an Office 365 Group or security group to define reviewers, you must connect to the Security and Compliance Center with PowerShell and run the New-ComplianceTag cmdlet to create the label, passing the name of the group in the ReviewerEmail parameter. Specifying a reviewer email address for a new label is what tells Office 365 that the label triggers a disposition review.
Reviewers must have accounts in the tenant. They must also be members of a role group that includes the Disposition Management and View-Only Audit Logs roles. Apart from Organization Management, none of the out-of-the-box Security and Compliance role groups hold these roles. You must either create a new role group or add the necessary roles to an existing role group, such as Compliance Administrator. After you add reviewers to the role group, they can process the content awaiting review.
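Here is the PowerShell version of the whole setup (an added example, not code from the article): create a label whose reviewer is a group, publish it to SharePoint and OneDrive, and build a role group holding the two roles reviewers need. The label, policy, group and account names are assumed placeholders. Connect-IPPSSession comes from the ExchangeOnlineManagement module, which postdates the article; the cmdlets that follow are the Security and Compliance Center cmdlets the article refers to.

```powershell
# Added example, not from the article. Assumed values: label/policy/role group
# names, the ProjectReviewers@contoso.com group and the two reviewer accounts.

# Connect-IPPSSession (ExchangeOnlineManagement module) opens a Security and
# Compliance Center session; at the time of the article you would build the
# remote session with New-PSSession against the compliance endpoint instead.
Connect-IPPSSession

# 1. Label that keeps project documents for five years from creation, then
#    pauses deletion until reviewers decide. Passing ReviewerEmail is what makes
#    the label a disposition-review label; only PowerShell lets you name an
#    Office 365 Group or security group here (the GUI accepts distribution groups).
$label = New-ComplianceTag -Name "Project Documentation (Review)" `
    -Comment "Customer project content; review before deletion" `
    -RetentionAction KeepAndDelete `
    -RetentionType CreationAgeInDays `
    -RetentionDuration 1825 `
    -ReviewerEmail "ProjectReviewers@contoso.com"   # assumed group address

# 2. Publish the label. SharePoint and OneDrive for Business are the only
#    workloads that currently honour the review; Exchange would just delete.
$policy = New-RetentionCompliancePolicy -Name "Project Documentation Labels" `
    -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "Publish Project Documentation" `
    -Policy $policy.Name -PublishComplianceTag $label.Name

# 3. Reviewers need Disposition Management plus View-Only Audit Logs. Only
#    Organization Management holds both out of the box, so create a role group
#    rather than widening an existing one more than necessary.
New-RoleGroup -Name "Disposition Reviewers" `
    -Description "Can act on items awaiting disposition review" `
    -Roles "Disposition Management","View-Only Audit Logs" `
    -Members "Kim.Akers@contoso.com","Ben.Andrews@contoso.com"   # assumed accounts

# Check: the label must show a ReviewerEmail and the role group both roles;
# a reviewer missing either will not see the Dispositions page.
Get-ComplianceTag -Identity $label.Name |
    Format-List Name, RetentionAction, RetentionType, RetentionDuration, ReviewerEmail
Get-RoleGroup -Identity "Disposition Reviewers" |
    Select-Object Name, Roles, Members
```

Because the retention action of an existing label cannot be changed, run step 1 only for a new label; if you already publish a label of the same name, pick a different name and publish it alongside the old one.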
Reviewing Expired Content
Different workloads apply different retention methods to content deleted by users. For example, SharePoint Online uses two recycle bins, one for the site and one for the site collection. These bins are often called the first-stage and second-stage recycle bins because items can only get into the second-stage bin if a user removes them from the first-stage bin. Users can see items in the site recycle bin but only site administrators can see items in the site collection recycle bin. An item can spend a total of 93 days in both bins, with the countdown starting when a user first deletes the item. After this point, the items expire and are eligible for permanent deletion. A SharePoint timer job runs regularly to remove expired items from the recycle bin. By default, SharePoint does not index the items in the recycle bin, so they do not turn up in search results.
When an item marked for review reaches the point where Office 365 is about to permanently remove it, the deletion process pauses and notifies the reviewers defined in the label settings that items are available for their examination. The reviewers can then go to the Dispositions section under Data governance in the Security and Compliance Center to view the waiting items (Figure 2). Not shown here is the choice to export details of items awaiting disposition to a CSV file that experts can use to make decisions that are later actioned by someone else such as a compliance administrator.
The options available to deal with reviewed items are:
- Delete permanently: The organization no longer needs this content. When a reviewer approves an item for final deletion, Office 365 releases the block on permanent deletion and logs the action in an ApproveForDelete audit record. Office 365 captures the actual file deletion later in a “Deleted file” or “Deleted file from second-stage recycle bin” audit record. The gap between approval and deletion exists because background jobs must run to process the disposition decisions.
- Apply another label: The organization should keep this content. The other label might not have a retention action or have a longer retention period. Office 365 logs this action in a ComplianceSettingChanged audit record.
- Extend retention period: Keep the original label but extend the retention period to a specific date (a one-year extension is the default) after which the item will go through the review process again. This action overwrites the computed retention date for the item with the retention date selected by the reviewer. Office 365 records the extension in an ExtendRetention audit record. The audit record does not capture the new retention date.
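Because each decision leaves an audit record, you can reconcile what reviewers decided against what actually happened. The following is an added example (not from the article) that pulls the review-related operations from the unified audit log for the last 30 days and summarises them per reviewer. The three decision operations are the names the article gives; FileDeleted and FileDeletedSecondStageRecycleBin are the audit-log operation names behind the “Deleted file” records. The output path is an assumption, and the account running it needs the View-Only Audit Logs role.

```powershell
# Added example, not from the article. Assumes a Security and Compliance
# Center session and the View-Only Audit Logs role; output path is arbitrary.
Connect-IPPSSession

# Decision operations named in the article plus the SharePoint deletions that
# should follow an ApproveForDelete once the background jobs have run.
$ops = @("ApproveForDelete", "ExtendRetention", "ComplianceSettingChanged",
         "FileDeleted", "FileDeletedSecondStageRecycleBin")
$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# Search-UnifiedAuditLog returns 100 records by default and at most 5000 per
# call; page through a named session until a call returns nothing.
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
        -ResultSize 5000 -SessionId "DispositionAudit" -SessionCommand ReturnLargeSet
    $records += $page
} while ($page)

# AuditData is JSON; Workload and ObjectId are common to every record type.
$parsed = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        When      = $r.CreationDate
        Operation = $r.Operations
        Actor     = $r.UserIds
        Workload  = $d.Workload
        Object    = $d.ObjectId
    }
}

# Who decided what. ExtendRetention records do not carry the new date, so the
# count is all the log gives you for extensions.
$decisions = "ApproveForDelete", "ExtendRetention", "ComplianceSettingChanged"
$parsed | Where-Object { $_.Operation -in $decisions } |
    Group-Object Actor, Operation | Sort-Object Count -Descending |
    Select-Object Count, Name

# Approvals not yet matched by a deletion: expected for a day or so while the
# background jobs run, worth a look if they stay unmatched.
$deletedObjects = $parsed | Where-Object { $_.Operation -like "FileDeleted*" } |
    Select-Object -ExpandProperty Object
$parsed | Where-Object { $_.Operation -eq "ApproveForDelete" -and $_.Object -notin $deletedObjects } |
    Select-Object When, Actor, Object

# CSV for the compliance administrator, the counterpart of the portal's export.
$parsed | Sort-Object When | Export-Csv -Path .\DispositionAudit.csv -NoTypeInformation
```

The object comparison is only as good as the ObjectId the two record types carry for the same file, so treat the unmatched list as a prompt to look in the portal rather than as proof that a deletion did not happen.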
To help them decide how to dispose of an item, the reviewer can click the link to the item to view its content. However, a reviewer can only view content if they have the necessary permission. Office 365 does not reveal content to a reviewer if they cannot access the location where it belongs, which means that sometimes a reviewer will have to consult the owner of the content to decide on its disposition. Items that a reviewer extends or assigns another label to return to their original location.
To help them keep up to date, reviewers receive email notifications after items go through disposition review. Reviewers can see details of items that they or other reviewers previously authorized for deletion by selecting “Completed dispositions” in the Show drop-down box (Figure 3). This view only shows items that reviewers approved for disposition and that are awaiting final deletion. It does not show items where the reviewer decided to apply a different label or extend the retention period.
Obviously, a busy tenant can generate a heavy workload of review items if disposition review is the norm rather than an exception. For this reason, users should receive training about when they should apply labels that trigger reviews. Reviewers also need training to understand how to deal with items awaiting their attention.
Another Part in the Data Governance Framework
The basics of retention and deletion have been in Office 365 for years. What we see now is a gradual build-out of new functionality to provide tenants with the ability to construct flexible data governance frameworks that match their business needs. Not everyone will need supervision policies, auto-label policies, or disposition reviews. But it is nice to know that the features exist inside Office 365, just in case.
Follow Tony on Twitter @12Knocksinna.
Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.