Despite the recent spate of interest in privacy and security in the consumer realm, these concerns extend beyond the personal realm. Organizations are increasingly cognizant of the need to protect sensitive information and to retain important information for business purposes. At the same time, they are equally eager to dispose of unnecessary information as quickly as possible in their efforts to reduce information clutter as well as reduce liability. This renewed interest in business privacy and security has led organizations to initiate focused email and document records management projects.
To help businesses in these efforts, Microsoft has recently introduced retention and sensitivity labels. These labels are specialized metadata that dictate how long content needs to be retained and who can access and edit emails and documents, respectively.
Labels are powerful tools, though they don’t fulfill all of the requirements of a typical records management project, so it’s important to understand what they provide. Let’s look at how labels work and how they can help with your initiative.
Microsoft’s Retention Labels
Retention labels make it possible for knowledge workers to specify the amount of time emails and documents need to be retained before they are deleted.Retention labels can be applied to emails (in Outlook 2010 and later) and documents in OneDrive, SharePoint and in Office 365 groups.
There are two stages to using retention labels: creating labeling policies, which is an administrative task; and application of retention labels to actual emails and documents. While application of labels to content can be automated through administrative rules, Microsoft notes that manual application is often the most practical method “since workers know best what kind of content they are working with, they can classify it and the appropriate policy applied.”
Here are some things you can do with retention labels:
- Assign a label that defines a date upon which you can either delete the content or trigger a disposition review.
- Use a retention label to classify content as a “record.” In this case, a label can’t be changed or removed, and the content can’t be edited or deleted.
- Start a retention period from when the content is created or from the time when the label was applied.
- Apply a default retention label to an entire document library.
Here are some things you need to know about using retention policies:
- Only one retention label can be assigned to an email or document.
- An automatically-applied label can be removed or edited manually.
- A manually-applied label cannot be replaced by an automated label.
- If multiple rules assign an automatically-applied label, the oldest rule is the one that is applied in practice.
Microsoft’s Sensitivity Labels
Sensitivity labels help protect restricted emails or documents when shared with colleagues inside or outside the organization. As with retention labels, administrators assign label policies while knowledge workers apply labels to individual emails and documents. Administrators define custom categories for sensitivity levels, but typical categories are Personal, Public, Confidential, Highly Confidential, which defines who can view and edit each piece of content. An email or document can only be assigned a single sensitivity value.
Sensitivity labels can also be used to accomplish the following:
- Encrypt content.
- Add custom watermarks, headers or footers that specify the defined level of sensitivity.
- Activate endpoint protection in Intune — for example, preventing copying content to Dropbox, Gmail or a USB drive.
- In contrast to retention labels, which are published to storage locations, sensitivity labels are published to users or groups, specifically security groups, distribution groups, Office 365 groups, or dynamic distribution groups.
What About Record Retrieval?
While labels offer important new capabilities for records management, it’s important to understand what they can and can’t do.
When used in conjunction with Microsoft’s Record Center, retention and sensitivity labels appear to round out a complete email and document records management solution. However, while labels add important technical requirements of a records management solution, as mentioned before, they do not fulfill the business requirements of such projects. Examples of situations where businesses need to manage emails and documents include:
- Client/Case Management: Organizations that provide service to customers maintain teams of service reps who need to find, share and reference client correspondence, as well as documents such as proposals and contracts.
- Regulation Compliance: Industries such as finance, insurance and healthcare have strict legal requirements to produce emails and documents upon demand. Failure to do so can incur punitive fines.
- Supply Chain Management: Manufacturing companies need to retain records related to supplier engagements. For example, in case of component failures, manufacturers need to identify and recoup outlays from suppliers.
- Freedom of Information: Over 100 countries and countless state and local governments have instituted freedom of information laws, whereby citizens have the right to request access to public documents.
In each of these cases, organizations need to not only retain and limit access to emails and documents, they need to be able to find and retrieve them in the normal course of business. And because labels do not help classify emails and documents by business criteria, organizations will continue to rely upon traditional metadata for this purpose. And because metadata can only be applied to SharePoint items, additional steps are still needed to accurately capture and classify the important emails and documents that are needed to fulfill the business requirements of records management initiatives.
Furthermore, although labels can be applied to emails in Outlook and documents in OneDrive and SharePoint, each piece of content remains stored within its respective app’s storage container. Out of the box, emails remain in individual’s inboxes, not accessible to colleagues who may need real-time access to respond to clients or auditors. Finding information across multiple apps remains a challenge for knowledge workers who want to focus on their job and not on toggling between apps looking for information.
Important Label Caveats
Before you roll out labels, it’s important to note the following technical caveats:
- Retention policies require Office 365 Enterprise license E3 or E5.
- Because automated policies may define retention labels to the same email or document, which may be overturned by manual label application, you’ll need to verify that you do not have conflicting policies.
- Automatically-applied labels are not activated immediately; they have to be synced first from the Microsoft Security and Compliance Center.
- When administrators publish new labels to Exchange, it can take up to seven days for end users to see these labels, and then only when their mailbox contains at least 10MB of data.
- When you auto-apply retention labels to content-matching conditions, it can take seven days for the labels to be applied to all the content that matches all the conditions.
- Retention labels are not uniformly applied. Specifically, manual labels can be applied to Exchange, SharePoint, OneDrive and Office 365 groups, while auto-applied labels may not be applied to Office 365 groups or some Exchange elements, depending on the criteria for assigning the labels. Microsoft provides more detailed information on labels here.
Labels: Helpful in Measure
Retention and sensitivity labels are important new tools for the records manager’s toolbox. They add a new dimension for enforcing access and retention requirements. But they do not solve the business requirement of making emails and documents-readily accessible to knowledge workers in the normal course of business. You will continue to rely upon metadata for this purpose. Microsoft Graph offers some hope for solving the classification challenge for emails and documents, but that is the topic of another article ….