Records Management
Records Management is a key capability within Microsoft Compliance Solutions, specifically part of Microsoft Purview, designed to help organizations manage their regulatory, legal, and business-critical records throughout their lifecycle. It goes beyond simple data retention by providing a comprehensive framework for governing high-value content. Records Management enables organizations to classify content as a record, making it immutable, meaning it cannot be edited or deleted until the designated retention period expires. This is critical for meeting legal and regulatory obligations across industries such as healthcare, finance, and government.
Key features of Records Management include:
1. **File Plan Manager**: Allows organizations to bring in existing retention plans or build new ones with detailed descriptors, enabling structured and consistent management of retention labels across the organization.
2. **Retention Labels and Policies**: Organizations can create retention labels that declare items as records or regulatory records. These labels can be applied manually by users or automatically based on conditions like sensitive information types, keywords, or trainable classifiers.
3. **Disposition Reviews**: When a retention period expires, disposition reviews allow designated reviewers to evaluate content before it is permanently deleted, ensuring proper governance.
4. **Proof of Disposition**: Organizations receive proof of deletion for records that have been disposed of, maintaining an auditable trail for compliance purposes.
5. **Event-Based Retention**: Retention periods can be triggered by specific events, such as employees leaving the organization or contract expirations, rather than fixed dates.
6. **Regulatory Records**: For the strictest compliance requirements, items can be marked as regulatory records, which cannot be relabeled or have their retention period shortened even by administrators.
Records Management integrates seamlessly with Microsoft 365 workloads including SharePoint, OneDrive, Exchange, and Teams, providing a unified approach to managing records across the digital estate. It helps organizations reduce risk, comply with regulations, and efficiently manage content that must be retained for specific periods.
Records Management in Microsoft Compliance Solutions
Records Management in Microsoft Purview: A Complete Guide
Why Is Records Management Important?
Organizations across every industry are subject to regulatory, legal, and business requirements that mandate them to retain certain types of content for specific periods. Records management is critical because it helps organizations:
- Comply with regulations: Industries such as healthcare, finance, and government are bound by laws like HIPAA, SEC Rule 17a-4, GDPR, and more. Failure to properly manage records can result in heavy fines and legal penalties.
- Reduce risk: By systematically disposing of content that is no longer required, organizations minimize the risk of exposing outdated or sensitive information during litigation or data breaches.
- Ensure business continuity: Properly managed records ensure that critical business information is available when needed and disposed of when it is no longer valuable.
- Support defensible disposition: Organizations need to prove that they disposed of records appropriately and at the right time. Records management provides an auditable trail of these actions.
What Is Records Management?
Records management in Microsoft Purview is a comprehensive solution that helps organizations manage their high-value content for legal, business, and regulatory obligations. It goes beyond simple retention policies by providing a more sophisticated and granular approach to managing the lifecycle of content.
Key concepts to understand include:
- Records: When an item is declared as a record, restrictions are placed on it. The item cannot be permanently deleted, and certain modifications are limited depending on the record type.
- Regulatory records: A more restrictive type of record. Once an item is marked as a regulatory record, it cannot be removed, and the retention label cannot be changed. This is the most immutable form of content protection and is designed for the strictest compliance requirements (e.g., SEC Rule 17a-4).
- Retention labels: These are the mechanism used to declare items as records or regulatory records. Retention labels define what happens to the content—how long it is retained and what happens at the end of the retention period.
- File plan: An advanced framework within records management that allows administrators to bring in additional metadata and descriptors for their retention labels, such as file plan descriptors (department, category, authority type, provision, and citation).
- Disposition: At the end of a retention period, content may be subject to a disposition review, where designated reviewers decide whether the content can be permanently deleted or if retention should be extended.
How Does Records Management Work?
Records management in Microsoft Purview operates through a structured lifecycle:
1. Labeling Content
Retention labels can be applied to content in several ways:
- Published to users: Retention labels are published to locations such as Exchange, SharePoint, OneDrive, and Microsoft 365 Groups. Users can then manually apply these labels to content.
- Auto-applied: Retention labels can be automatically applied based on conditions such as sensitive information types, keywords (using KQL queries), or trainable classifiers.
- Applied by default: A default retention label can be applied to a SharePoint document library, folder, or document set so that all content in that location inherits the label automatically.
2. Declaring Records
When a retention label is configured to mark items as a record:
- The item is subject to restrictions. For standard records, the content can still be edited, but the item cannot be permanently deleted until the retention period expires.
- When a retention label is configured to mark items as a regulatory record, even more restrictions apply. The label cannot be removed, the retention period cannot be shortened, and the item cannot be deleted.
3. Record Versioning
For documents in SharePoint and OneDrive that are declared as records, record versioning allows users to continue editing documents. Each time a document is unlocked and re-locked, a new version is stored in the document's version history. The record version remains immutable while users work on the latest draft.
4. File Plan Management
The file plan in Microsoft Purview provides an enhanced view for managing retention labels. Key capabilities include:
- Importing retention labels in bulk using a CSV template.
- Exporting retention labels for offline review or bulk editing.
- Adding file plan descriptors such as business department, category, authority type, provision/citation, and reference ID for better organization and classification.
5. Disposition
When the retention period ends, the following actions can be configured:
- No action: The content remains in place.
- Delete the content automatically: The content is permanently deleted without further review.
- Start a disposition review: Designated reviewers are notified and must review the content before it can be permanently deleted. Reviewers can approve disposal, extend retention, or apply a different retention label.
All disposition actions are logged in the disposition tab in the Microsoft Purview compliance portal, providing full proof of disposition for auditing purposes.
6. Proof of Disposition
Microsoft Purview maintains a complete audit trail of disposition activities, which serves as evidence that records were properly disposed of in compliance with regulatory requirements.
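The labeling, declaration and disposition-review steps above, expressed in Security & Compliance PowerShell as an added example that is not part of the original guide. Label names, retention durations, the policy name and the reviewer address are constructed placeholders, and the session is assumed to have a role that can manage retention labels.

```powershell
# Added example. Label names, durations and the reviewer address are constructed
# placeholders; run with a role that can manage retention labels.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # Security & Compliance PowerShell

# Standard record: keep 7 years from creation, then delete only after a
# disposition review by the named reviewer.
$recordLabel = @{
    Name              = 'Contract-Record-7y'
    Comment           = 'Signed contracts (constructed example)'
    IsRecordLabel     = $true              # the label, not a policy, declares the record
    RetentionAction   = 'KeepAndDelete'
    RetentionDuration = 2555               # days
    RetentionType     = 'CreationAgeInDays'
    ReviewerEmail     = 'records-review@contoso.example'
}
New-ComplianceTag @recordLabel

# Regulatory record: the option must first be enabled for the tenant.
Set-RegulatoryComplianceUI -Enabled $true
$regulatoryLabel = @{
    Name              = 'Trade-Regulatory-6y'
    IsRecordLabel     = $true
    Regulatory        = $true              # cannot be removed or shortened once applied
    RetentionAction   = 'Keep'
    RetentionDuration = 2190               # days
    RetentionType     = 'TaggedAgeInDays'
}
New-ComplianceTag @regulatoryLabel

# Publish the standard label so users can apply it.
# This label policy only makes the label available; it does not declare records itself.
New-RetentionCompliancePolicy -Name 'Publish-Contract-Records' -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Policy 'Publish-Contract-Records' -PublishComplianceTag 'Contract-Record-7y'

# Review: list every label that declares records, flagging regulatory ones.
Get-ComplianceTag |
    Where-Object { $_.IsRecordLabel } |
    Select-Object Name, Regulatory, RetentionAction, RetentionDuration, RetentionType
```

Because a regulatory record label cannot be removed once applied, the final `Get-ComplianceTag` listing is worth reviewing before any label with `Regulatory` set is published.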
Key Features Summary
- Retention labels that mark items as records or regulatory records
- File plan with rich metadata and bulk import/export
- Disposition reviews with multi-stage approval
- Record versioning in SharePoint and OneDrive
- Event-based retention (retention triggered by a specific event, such as an employee leaving the organization or a contract expiring)
- Proof of disposition for compliance auditing
- Integration with Microsoft 365 workloads including Exchange, SharePoint, OneDrive, Teams, and Yammer
Records Management vs. Retention Policies
It is important to understand the distinction:
- Retention policies are broad, location-based policies that apply retention settings to all content in a given location (e.g., all content in a SharePoint site).
- Retention labels (used in records management) provide item-level granularity. They can mark individual items as records, support disposition reviews, and carry file plan metadata.
- Records management uses retention labels, not retention policies, to declare records.
Exam Tips: Answering Questions on Records Management
Here are essential tips for answering SC-900 exam questions about records management:
1. Know the difference between records and regulatory records: Standard records allow some modifications (such as editing the document via record versioning), but regulatory records are the most restrictive—labels cannot be removed, and the item cannot be deleted. If a question mentions the strictest compliance requirement (like SEC 17a-4), the answer is likely regulatory records.
2. Understand that retention labels (not retention policies) are used to declare records: Exam questions may try to confuse you by presenting retention policies as a mechanism for declaring records. Remember: only retention labels can mark items as records or regulatory records.
3. Remember the file plan: The file plan is a feature specific to records management. It provides additional capabilities like file plan descriptors, bulk import/export of labels, and a centralized view. If a question asks about organizing and categorizing retention labels with additional metadata, the answer is the file plan.
4. Disposition review is a key differentiator: If a question asks about reviewing content at the end of a retention period before it is deleted, the answer relates to disposition review in records management.
5. Event-based retention: Know that retention can be triggered by specific events (e.g., employee departure, contract expiration). If a question describes retention starting when something happens rather than when content is created or labeled, think event-based retention.
6. Record versioning: If a question asks how users can continue editing a document that has been declared as a record in SharePoint, the answer is record versioning. This creates a new version each time the document is unlocked.
7. Proof of disposition: If a question asks how an organization can demonstrate that records were properly deleted in compliance with regulations, the answer is the disposition tab and proof of disposition in the compliance portal.
8. Location awareness: Records management works across Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft 365 Groups. Be aware that Teams messages and Yammer messages can also be managed through retention, but nuances exist.
9. Watch for keywords in questions: Words like immutable, declare, regulatory, lifecycle, disposition, and file plan are strong indicators that the question is about records management rather than basic data retention or data loss prevention.
10. Microsoft Purview compliance portal: Records management is configured and managed within the Microsoft Purview compliance portal (compliance.microsoft.com). Know that this is the centralized location for all compliance-related tasks in Microsoft 365.
By thoroughly understanding these concepts and distinctions, you will be well-prepared to answer any SC-900 exam question related to records management confidently and accurately.