eDiscovery and Retention in Office 365


This post will demonstrate how to use a retention policy defined in the Office 365 Security and Compliance Center’s Data Governance section to ensure you remain compliant with your organization’s regulatory requirements. I’ll demonstrate this by showing how content covered by the policy, even if deleted by an end-user, is discoverable in an eDiscovery request.


Set Up the Retention Policy

Retention Policy

For this fictitious example, imagine our organization requires us to keep all event-related material for 1 year before it’s deleted. (Maybe not a realistic example, but simple enough to demonstrate how this works.) To do this, we need to create a retention policy in the Data governance section of the Security and Compliance Center. The important thing to know about a retention policy defined here is that an end-user can still add, change, and delete content on the site while the policy is in effect. However, all of those changes are tracked in a hidden location.

The location? The Preservation Hold library.

To carry on with our example, we define the retention policy with a retention period of 1 year and publish it (apply it) to our Events SharePoint Group. (image)


End-user works with content

An end-user creates a new document in the Events Group titled ‘SharePoint Conference 2018 notes.docx’ and makes several edits. The end-user experience is no different than it would be working in a site with no policy applied. During this time, no content is added to the Preservation Hold library. The image below is the version history of the document capturing all changes:

(image: version history before deleting)

Now, the end-user decides to delete the above document. Nothing in the retention policy prevents them from doing this, and the document is deleted.

(image: deleting the document)


Preservation Hold Library

Immediately upon deletion, the following entries are written to the Preservation Hold library. (If the library didn’t exist prior to this, it would be automatically provisioned.)

(image: Preservation Hold library)

An important thing to notice: each version of the document is written as a separate document in this library. This is a critical detail, particularly if this document becomes part of an eDiscovery case in Office 365.


eDiscovery Search results

To demonstrate how eDiscovery works with the Preservation Hold library, let’s continue our example and imagine there was a litigation case where we were required to return all documents in our tenant for anything relating to “SharePoint Conference 2018”. To do this, we would create an eDiscovery case and enter that phrase as the Search query keyword. Lo and behold, all 6 results from the Preservation Hold library are returned:

(image: eDiscovery results)
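The same walkthrough can be scripted with Security & Compliance PowerShell. This is an added example, not part of the original post; the policy, rule, case and search names and the group address are placeholders, and basing the 1-year period on creation date is an assumption the post does not specify.

```powershell
# Added example. All names and the group address below are placeholders (assumptions).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession                      # Security & Compliance PowerShell session

$groupAddress = 'events@contoso.example' # placeholder: address of the Events group
$policyName   = 'Events - retain 1 year'
$caseName     = 'Events litigation'
$searchName   = 'SharePoint Conference 2018'

# 1. Retention policy applied to the Events group.
New-RetentionCompliancePolicy -Name $policyName `
    -Comment 'Keep event-related material for 1 year, then delete' `
    -ModernGroupLocation $groupAddress

# 2. Rule: retain for 365 days, then delete.
#    Counting from creation date is an assumption; ModificationAgeInDays is the alternative.
New-RetentionComplianceRule -Name "$policyName rule" `
    -Policy $policyName `
    -RetentionDuration 365 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption CreationAgeInDays

# 3. eDiscovery case and a tenant-wide SharePoint search for the phrase.
New-ComplianceCase -Name $caseName
New-ComplianceSearch -Name $searchName -Case $caseName `
    -SharePointLocation All `
    -ContentMatchQuery '"SharePoint Conference 2018"'
Start-ComplianceSearch -Identity $searchName

# 4. Poll until the search completes (give up after about 10 minutes).
$attempts = 0
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
    $attempts++
} while ($search.Status -ne 'Completed' -and $attempts -lt 40)

# Items is the hit count; each preserved version counts as its own item.
$search | Format-List Name, Status, Items, Size
```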



Wrap it up

If you are required to retain certain information in your tenant for a specified period of time, a retention policy is a feature you can use to do this. It allows the end-user to continue working in their site while still retaining the information for regulatory reasons. These types of policies are invisible to the end-user and can be used in tandem with retention label policies, which are visible to and controlled by the end-user as labels. Together they apply different types of retention across all Office 365 workloads.

Thanks for reading.

-JCK


Credit: Photo by Jeroen den Otter on Unsplash

One comment

  1. Always a pleasure to read something written by someone who knows the subject matter so well that they can explain themselves intelligibly. Thank you
