Using productivity platforms as a records management system

Understand the risks and requirements that productivity platforms should address to be used as a records management system.

Last updated:: 26 March 2026

Listen

On this page

^{This guidance has been developed for State Records NSW by Andrew Warland, a consultant with many years of experience advising organisations on effective recordkeeping.}

Cloud-based productivity platforms such as Microsoft 365 and Google Workspace (formerly ‘G Suite’) include a range of communication and collaboration functionality including email, chat, planning and task management, document management and generative AI.¹ These platforms have experienced a steady increase in their use over the past decade, particularly as organisations transition from on-premises to cloud-based systems. ²

Microsoft 365 is used by many NSW government organisations because of licencing agreements that bundle Windows, Microsoft Office and Microsoft 365 applications into the same licence. These licences provide access to online communication (email, Teams) and collaboration (SharePoint, OneDrive) systems, applications and functionality. Google Workspace may also be used by NSW government organisations.

The primary issues with and risks of using online productivity platforms and collaboration systems to create, capture, store and manage records is that, out of the box, they were not designed to be dedicated recordkeeping systems. See our guidance on electronic document and records management systems to learn more about dedicated recordkeeping systems.

Microsoft 365 includes functionality across the platform that can be used to support recordkeeping but it must be configured to meet compliance requirements. Records may be created or captured and remain stored ‘in place’ in any of the following systems or applications:

personal and other mailboxes including, for Exchange Online, hidden folders that are used to store copies of Teams chats and messages and AI interactions
chat and messaging systems
document management systems (such as Google Drive or SharePoint/OneDrive) that store records and other content including online meeting recordings
Other collaboration applications used for planning or task management.

Core requirements for systems and applications used to manage records

AS ISO 16175-1:2021 defines functional requirements for any application or system used to manage digital records, in four key outcome areas:

Records capture and classification	Creation, capture and import Metadata capture Records classification Managing business classification schemes
Records retention and disposition	Retention, review, transfer and destruction Migration and export
Records integrity and maintenance	Authenticity and security Storage, reporting and metadata management
Records discovery, use and sharing	Search, retrieval, presentation, use and interoperability Access restrictions and permissions Duplication, extraction and redaction

Any business system or application used to manage records must meet these requirements and the requirements outlined in the Standard on records management.

See the Checklist for assessing business systems for recordkeeping for further information.

Issues and risks associated with using productivity platforms for records

Records stored in productivity platforms, such as Microsoft 365, without any recordkeeping controls may be subject to any or all of the following risks:

Authenticity	The authenticity, reliability and integrity of records cannot be assured. Records may not be managed as authentic evidence of business activities, to meet statutory and operational responsibilities, and to assist in addressing long-term needs for records and information as required under Part 2 of the State Records Act 1988.
Architecture	There may be few or inadequate controls over the manner or ‘architecture’ in which records are stored or where (e.g., mailboxes or in complex folder structures), or how they are named or metadata applied. Consequently, it may be difficult to locate or find these records resulting in duplication and uncertainty over which version is the actual final record.
Metadata	Records may be assigned only a minimum set of system-generated metadata (e.g., date created, date modified). While many records may be automatically assigned the minimum required set of metadata, other descriptive metadata will facilitate finding and grouping those records.
Classification	Records may not be assigned terms from classification schemes or other descriptive metadata that can be used to create and establish contextual relationships, and assist with finding related records. Note that AI tools and graph-based technologies could be used to achieve a similar but non-recordkeeping outcome.
Findability	It may be difficult to find records via a search or in the different contexts as required by the business. Records need to be searchable not just for business use but also for possible legal action such as legal discovery, court cases, formal access applications under the Government Information (Public Access) Act 2009. Naming conventions may not exist or may not be followed effectively.
Versioning	Records may not be subject to suitable version controls. It may be difficult to identity the most current version of a record. Additionally, built-in versioning settings could result in too many ‘working’ versions being captured, thereby adding to storage and storage costs.
Security	Records may not be subject to suitable or even adequate access and security controls, including when items are shared with others (including oversharing). Security may be compromised. There may be no audit history.
Over-retention	Records may remain stored indefinitely in the location where they were created or captured, including if they are subject to retention policies or labels that result in ‘soft-deleted’ items being retained in the background. Over-retention will result in increasing data storage space and costs, could compromise personal information via cyber security incidents such as data breaches, could make that information accessible to AI agents, and increases the risks that records that should have been destroyed (including personal information, in line with the Privacy and Personal Information Protection Act 1998) may be found (including via a GIPA request), accessed or shared. Records should be destroyed on a regular basis in line with approved records and disposal authorities.
Illegal or premature destruction	Records could be destroyed without authorisation and with no record retained of the original, as required under Part 3 Protection of Records of the State Records Act 1988.
Migration	Records and their associated metadata could become inaccessible, unusable or even lost if there is a requirement to export or migrate them, including for Machinery of Government (MoG) changes, and this is not carefully planned. Records that are moved or migrated could lose their original system metadata (created by and date, modified by and date), and any added metadata.
Technology/equipment dependent	It may be difficult to access and/or preserve high value/high risk records, especially those required as State archives, if they are dependent on specific technology or equipment. This includes older legacy records that may have been migrated from network drives.

The consequences arising from these issues and risks can include non-compliance with legal requirements (including for the management of personal information), adverse publicity, financial loss, inefficient business functions and processes, and a reduction in the organisation’s capacity to prosecute or defend allegations.³

Mitigating the risks

Organisations that create, capture, store and manage records in productivity platforms can mitigate the risks through the following methods.

Having active and ongoing senior management support for and commitment to recordkeeping.
Establishing effective governance arrangements.
Establishing a detailed information architecture model that describes how SharePoint or similar sites should be provisioned and configured, and how records should be managed including metadata requirements.
Establishing integration with other systems as required, including with an existing EDRMS.
Training or guidance for new and continuing staff on the use of cloud-based productivity platforms, including where it is integrated with an EDRMS, and their individual recordkeeping responsibilities.
Creating and implementing retention policies and, where appropriate, retention labels in line with disposal classes defined in Records Disposal Authorities (RDAs).
Establishing and implementing a proactive disposal program (or extending an existing such program) for records and other content stored across the environment. The program should include an agreed process or procedure for the authorised destruction of records.
Using audit logs to investigate and report on user activities, including in specific locations.
Monitoring who has access to what across the environment to minimise the risks associated with oversharing and the use of AI tools that could ground their responses in content the user can access.
Configuring and implementing security policies and proactively reviewing alerts and incidents.
Configuring and implementing any available ‘out of the box’ features, options, tools and methods that can be used to support the management of records.

Resources

^{[1] Other products include Apple’s iWork suite, Zoho, and Dropbox. [2]}^{Productivity Software Market Forecast & Size Insights 2026–2035}^{. [3] Text from AS ISO 16175-1:2020, section 8.4 ‘Risk assessment’.}

Related information

Top