Does anyone have a guide to implementing Office 365 compliancy and retention policies to be compliant with a government records act? In New Zealand we have the public record act and customers are asking what they need to do to be compliant and where the gaps might be, Microsoft NZ are informing customers that it can be compliant but not guidance on how or have actual sign off that it is compliant.
Unfortunately there is no definitive guide to the New Zealand Public Records Act that Microsoft supplies. Any guidance we supply to New Zealand Government organisations are normally in relation to an All of Government perspective where guidance is of benefit to every agency or as requested by agencies like the GCDO.
The NZ PRA is silent on matters of technology and its relationship to the Act. Choice of Office 365 or any other tool(s) e.g. GSuite makes no difference to an agencies’ responsibilities under the Act. The question of how they might choose to use a tool to meet their record keeping obligations will vary based on considerations such as what types of records that are the focus for the agency, and how they are currently managed and stored.
Each agency within New Zealand has a requirement to understand the data that they work with and the information that they need to retain as related to their information types. This varies from agency to agency. This is therefore difficult for Microsoft (or any other vendor) to provide standard or common guidance without great overhead and expense to maintain the content.
We have found that some partners in the local market have invested time and expense to understand how they can work with agencies to translate the individual agencies requirements into technology tooling configuration. As I am sure you are aware this also involved an investment from the agency themselves.
Sorry we can’t provide more guidance in this area.