Across Australian state government agencies and local councils, something of a quiet shift has been underway. For years, records and information management sat in its own corner, handled by stand-alone, purpose-built Electronic Document and Records Management Systems (EDRMS) that operated largely separately from the tools staff used every day to collaborate, communicate, and get work done.
That separation is increasingly being questioned. More and more government agencies are recognising the practical and strategic benefits of consolidating their information management and compliance capabilities into Microsoft 365, the same platform their people already use for email, documents, and team collaboration. The logic is compelling: reduce the friction of switching between systems, improve staff adoption, and bring records management closer to where work actually happens.
Microsoft 365 has become the platform of choice across much of the Australian public sector, and rightly so. It is powerful, familiar, and well-supported, and the case for making it the centre of gravity for a modern digital workplace is strong.
Here is where many agencies are discovering an important distinction:
Migrating away from a legacy EDRMS and landing on Microsoft 365 is not the same as having a compliant, well-governed information management framework.
Microsoft 365 provides an excellent foundation. What it does not automatically provide is the governance rigour, records classification, granular retention and disposal automation, and audit-ready oversight that government information management obligations demand. These include the State Records Act (and its equivalents across jurisdictions), obligations under the Privacy Act and relevant state privacy legislation, Freedom of Information (FOI) requirements, audit readiness expectations, and the need to demonstrate accountability to ministers, oversight bodies, and the public.
Records managers in a public sector environment are not simply trying to keep things tidy. They are responsible for ensuring that official records are captured, classified, retained for the correct period, and disposed of lawfully. Information managers are trying to give staff the ability to find what they need, when they need it, without creating governance risks. And business leaders are trying to balance operational efficiency with increasing scrutiny around how government information is handled.
And as the volume of digital content continues to grow across SharePoint sites, Teams channels, shared drives, and email threads, the question that information and records managers are increasingly asking is not simply where their records live, but whether they are actually in control of them.
Microsoft 365's out-of-the-box capabilities, while genuinely strong for general collaboration, can leave some important gaps when measured against the specific compliance obligations of the public sector.
The gaps that matter most in government
Microsoft 365 and the Purview Suite offer a lot. SharePoint, Teams, and OneDrive are excellent tools that, when well configured and supported by Purview compliance functionality, can enable highly effective digital workplaces. The challenge is that configuring them to meet the nuanced compliance requirements of government requires significant IT expertise, ongoing maintenance, and a level of consistency difficult to sustain without dedicated resources or purpose-built tools.
These content management and compliance challenges most commonly surface in many of our government client meetings:
- Outdated information architecture.
Many SharePoint sites are a reflection of the aged File Shares that were migrated to the cloud “as is”. Without a modern, aligned structure, designed and integrated with your Business Classification Scheme (BCS), information will be harder to find, classify, and govern. - Manual and unreliable records classification.
Getting staff to consistently apply the right retention labels or metadata to documents is one of the most persistent challenges in records management. When classification depends on individual judgment and voluntary action, compliance gaps are almost inevitable and often invisible until it is too late. - Retention and disposal that are difficult to automate reliably.
Aligning retention schedules with your State Records disposal authority in a way that records managers can actually trust is not a straightforward task. There are some gaps within Microsoft's out-of-the-box functionality that need consideration. Many agencies find themselves managing retention manually, which is time-consuming, inconsistent, and difficult to audit. - Limited visibility across the information landscape.
As Teams sites, SharePoint sites, and OneDrive accounts multiply, it becomes increasingly difficult to understand what content exists, where it lives, who has access to it, and whether it is appropriately governed. For senior information managers, this lack of visibility is both a compliance risk and a reporting challenge. - External sharing risks.
Collaboration with contractors, consultants, community members, and other agencies is a normal part of how councils and government bodies operate. But managing external guest access, such as ensuring it is granted appropriately, monitored, and revoked when no longer needed, requires more governance capability than most organisations realise. - Over-reliance on IT for everyday business needs.
In many agencies, whenever a new project workspace or team site is needed, a request is submitted to IT. This creates bottlenecks, slows down business teams, and diverts technical resources away from higher-priority work. Content Management with consistency at scale is not as straightforward as it initially appears. - Productivity costs are often invisible but significant.
Staff who cannot find the information they need, who duplicate work because they do not know it already exists, or who spend time navigating inconsistent folder structures are losing productive hours every week. Across a large agency or council, this adds up. - The risk of not knowing what you hold.
Agencies that cannot account for their records or cannot demonstrate what information they hold, who can access it, and how long it will be retained are not just exposed to regulatory scrutiny. In an era of increasing community expectations around government transparency and data stewardship, this is also a matter of public trust.
For many agencies and councils, the response to information management challenges has historically been to defer action: to wait for a major project, a new system, or a resourcing uplift that never quite arrives. But this approach carries real and accumulating costs.
Compliance risk is the most immediate. An FOI request, a ministerial inquiry, or a data breach can quickly expose information management deficiencies. The inability to promptly locate records, demonstrate appropriate retention, or account for disposal decisions is not a minor administrative issue. It is a governance failure with potentially serious audit challenges and consequences.
What good information governance actually looks like in practice
Effective information governance in a Microsoft 365 environment is not about locking things down or making collaboration harder. It is about creating the conditions where doing the right thing is also the easiest thing, where staff naturally work in a way that produces well-governed, compliant records without additional effort.
In practical terms, this means:
- Governance is built into the way workspaces are created.
Rather than allowing teams to spin up sites and channels ad hoc, well-governed organisations establish consistent, structured templates for common workspace types such as projects, contracts, committees, and controlled documents. Every workspace starts with the right structure, permissions, and metadata in place, automatically drawing from the organisation’s BCS. - Classification that does not depend entirely on staff behaviour.
The most resilient records management frameworks reduce reliance on individual decisions about how content should be labelled or where it should be stored. Automation, intelligent defaults, and structured templates all help make classification more consistent and defensible. - A retention framework that the whole organisation can trust.
Records managers need confidence that retention schedules are being applied correctly, that content due for disposal is surfaced through a proper review process, and that disposal decisions are documented in a way that satisfies audit requirements. This is not achievable through manual processes at scale. Done well, content retention and disposal rules and notifications are automatic based on the content type and workspace focus. - Meaningful oversight for information managers.
Senior information and records managers should have a clear view of the information landscape–what exists, how it is classified, what governance actions are pending, what is marked for disposal, and where the risks lie. Without this visibility, governance becomes reactive rather than proactive. - External access that is managed end-to-end.
From the moment an external collaborator is invited to work on a government project, through to the point where their access is revoked, there should be a clear, auditable process. Unmanaged external access is one of the most common sources of information risk in government environments.
A Sector-Specific Challenge Requiring a Sector-Specific Lens
It is worth acknowledging that the information management challenges facing Australian government agencies and local councils are genuinely distinct from those in the private sector. The obligations, accountability mechanisms, and consequences of getting things wrong differ, and they play out in a public arena.
This means that general-purpose guidance about Microsoft 365 governance, while useful, only goes so far. Information and records managers in government need to be thinking specifically about how their digital workplace aligns with the State Records Act, how it supports their obligations under relevant privacy legislation, how it would hold up under FOI scrutiny, and how it demonstrates the accountability that public sector governance requires.
These are not IT questions. They are organisational governance questions, and they deserve to sit at the leadership table alongside conversations about service delivery, budget, and workforce.
The path to better information governance does not have to be a multi-year transformation program.
Organisations that make meaningful progress tend to start with a clear-eyed assessment of where their current environment falls short. Not just technically, but in terms of how people actually work and where the real compliance risks lie.
From there, the most effective approaches tend to be incremental and targeted: addressing the highest-risk gaps first, building governance into the fabric of how work gets done, and creating the visibility that allows information managers to stay ahead of problems rather than respond to them.
Microsoft 365 gives Australian government agencies and councils an excellent foundation. The question worth asking, particularly for those who already leverage Microsoft 365 for content management, is whether the governance layer sitting on top of your Microsoft 365 environment is genuinely fit for compliance purposes and easy to apply, scale and manage, or whether it is simply the best you currently think it can be?
That is a question worth answering before the next FOI request, the next audit, or the next incident makes it unavoidable.
