OneNote Compliance, Records Management, and Governance - O365

Scenario

• OneNote (part of the Office 365 suite of tools) is used to store information that may be considered records (official information)
• Your compliance or governance teams may want retention, legal holds, or other policies configured on these records

Issues

1. Mixed Content: OneNote notebooks contain mixed content with differing record policies.
• Ex: Meeting minutes in one section, project info in another, and issues in a third section.
• You cannot apply policies at the page level.
• Note: This issue is the same as any other document containing mixed content (Word, Excel, etc.), however it is easier to use OneNote in this manner.
2. Time Span: OneNote notebooks contain content spanning multiple days, months, or years
1. This means disposition policies may not apply correctly, delaying or accelerating policy dates
3. Legal Holds: Legal holds may inadvertently block an entire notebook from being editable
4. Incompliant Locations: If  OneNote usage is discouraged or blocked, records are more likely to end up in  incompliant locations and users may experience broken integration features
1. Incompliant alternatives: Notepad saved locally, Evernote, cell phone pictures and voice memos (Office Lens), emails, other online services, a personal OneDrive OneNote account, or a locally stored OneNote
2. To avoid OneNote, users would also need to ignore the extensive OneNote integration features provided in Outlook, Windows, and the other Office products.
3. There is not a good alternative note-taking tool that would better meet compliance policies.

Solutions

1. Mixed Content

OneNote notebooks with records should live in SharePoint, not in OneDrive or on a file share.

• SharePoint allows for version tracking at the library level
• Note: This is in addition to the limited OneNote versioning.
• SharePoint also allows content policies to be applied at the section or Notebook level

OneNote notebooks with differing compliance policies should be split into separate notebooks

• The policies should then be applied at the notebook level

2. Time Span

Notebook policies should be applied based on the parent SharePoint site policy whenever possible and should be defined based on the overall work being done. 

• Example: A notebook for a project would last as long as the policy for the entire project.
• Example: A team site notebook would expire when the team was disbanded.
• Example: A department level knowledge-base notebook should not auto expire unless the department goes away.  A separate policy for archiving historical content can still be put into place.

Users can also be trained to export and archive specific content using any time frame required by your policies.  Users may automatically be assigned tasks to remind them to do this.

• Example Policy: Meeting minutes should be exported quarterly to PDF format and minutes deleted from the notebook for the prior quarter.
• Example: Project notebook should be exported yearly to XPS or PDF formats.

3. Legal Holds

For legal holds that block edits, records living in OneNote should be exported to an appropriate format (PDF, Word, etc.) and the hold should be applied to the exported document which would then be the official record and not block additional modifications to the entire notebook.  An alternative approach is to export the entire notebook and place a hold on the exported copy.  This issue applies to all document types that are actively used, but may be more impactful for OneNote if mixed content is contained in the notebook. 

4. Incompliant Locations

The best solution is to provide the user with compliant locations that are easy to use.  This can be done by provisioning SharePoint sites and OneNote notebooks for common records management use cases.  In this way, notebooks will already be split by appropriate policy groupings and correctly configured for versioning and compliance policies.

Restricting usage and adherence to best practices is the hardest to control and must be enforced through user training.  Some incompliant locations may be blocked by IT through firewall rules, but users can always get around these by using their own mobile devices.