Document Versions

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by cloudwarrior, Jan 31, 2018.

  1. cloudwarrior

    cloudwarrior UKBF Newcomer Free Member

    Hello
    How do we stand if someone either wants to correct some data or asks for a right to be forgotten and we use O365 with document versioning turned on?
    Do we just amend/remove references to the individual in the latest version or do we have to go back through the 20-30 versions and amend those?

    regards
     
    Posted: Jan 31, 2018 By: cloudwarrior Member since: Jan 31, 2018
    #1
  2. fisicx

    fisicx It's Major Clanger! Staff Member

    Expunge from everything.

    This is a problem many organisations are facing - they have huge archives of old data that needs sorting.

    The solution to your problem would be to delete all older versions once the document has been issued.
     
    Posted: Jan 31, 2018 By: fisicx Member since: Sep 12, 2006
    #2
  3. cloudwarrior

    cloudwarrior UKBF Newcomer Free Member

    Thanks for the prompt update. I figured as much. I think we will limit the number of versions that OneDrive & SharePoint keep to 2-3.
     
    Posted: Jan 31, 2018 By: cloudwarrior Member since: Jan 31, 2018
    #3
  4. ffox

    ffox UKBF Regular Free Member

    But this is not a solution where the versions of the document map how the relationship and/or conversation with the customer has changed over time. If this history is essential to the business, you need to approach the retention of the data via a Lawful Basis for Processing other than Consent. This could be Contract, Legal Obligation, Vital Interest or Legitimate Interests.
    See - https://ico.org.uk/for-organisation...-regulation-gdpr/lawful-basis-for-processing/
     
    Posted: Jan 31, 2018 By: ffox Member since: Mar 11, 2004
    #4
  5. fisicx

    fisicx It's Major Clanger! Staff Member

    Indeed, but very often businesses update documents and pdf the latest version with the current info. For example, meeting minutes. Copies of the PDF are kept for archiving but the Word document may contain years of revisions all with sensitive data.
     
    Posted: Jan 31, 2018 By: fisicx Member since: Sep 12, 2006
    #5
  6. cloudwarrior

    cloudwarrior UKBF Newcomer Free Member

    Hello both
    This Word version issue is what I was thinking about, rather than published versions of a document. Every time you check out a document in O365 and add a 'full stop' a new version is made. For most documents this is fine. But some depts (HR) may/will be producing documents with personal data and if any change is made, then a new version is added.
     
    Posted: Jan 31, 2018 By: cloudwarrior Member since: Jan 31, 2018
    #6
  7. fisicx

    fisicx It's Major Clanger! Staff Member

    In which case turn off version control (if that's possible with O365). @ffox - over to you...
     
    Posted: Jan 31, 2018 By: fisicx Member since: Sep 12, 2006
    #7
  8. ffox

    ffox UKBF Regular Free Member

    You can switch off versioning for any library; you can also limit versioning to major changes only, or set it for both major and minor changes. In the same control you can set the number of versions you wish to keep (I usually limit this to three).

    The control is accessed through the library settings. Open the library using an admin account, click the gear wheel, select library settings and click Versioning Settings under the heading General Settings (top left of the page) and select your preferences.

    You ought to create a general information management policy for the business and state what your versioning settings are for each library and storage area. This can be appended to your GDPR documentation to show due diligence.
     
    Posted: Jan 31, 2018 By: ffox Member since: Mar 11, 2004
    #8
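
    The versioning settings described in post #8 can also be reported and applied from PowerShell. This is an added example, not part of the thread: it assumes the PnP.PowerShell module, uses a placeholder site URL, and takes the three-version limit from the post; the CSV file name is also an assumption.

```powershell
#Requires -Modules PnP.PowerShell
# Added example: audit document-library versioning on one site and, with -Apply,
# switch libraries to major versions only with a fixed cap.
param(
    [string]$SiteUrl          = 'https://contoso.sharepoint.com/sites/hr', # placeholder
    [int]   $MaxMajorVersions = 3,      # the limit mentioned in post #8
    [string]$ReportPath       = '.\versioning-report.csv',                 # assumed name
    [switch]$Apply                      # without -Apply nothing is changed
)

# Interactive sign-in; newer module versions may also need -ClientId for your tenant.
Connect-PnPOnline -Url $SiteUrl -Interactive

# BaseTemplate 101 = document library; hidden system libraries are skipped.
$libraries = Get-PnPList -Includes EnableVersioning, EnableMinorVersions, MajorVersionLimit |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

$report = foreach ($lib in $libraries) {
    # Treated as non-compliant here: minor (draft) versions enabled, or a major
    # version limit outside the range 1..$MaxMajorVersions.
    $overLimit   = $lib.MajorVersionLimit -lt 1 -or $lib.MajorVersionLimit -gt $MaxMajorVersions
    $needsChange = $lib.EnableVersioning -and ($lib.EnableMinorVersions -or $overLimit)

    $action = 'none'
    if ($needsChange -and $Apply) {
        Set-PnPList -Identity $lib.Id -EnableVersioning $true `
            -EnableMinorVersions $false -MajorVersions $MaxMajorVersions | Out-Null
        $action = "set to $MaxMajorVersions major versions"
    }
    elseif ($needsChange) {
        $action = 'would change (run with -Apply)'
    }

    [pscustomobject]@{
        Library       = $lib.Title
        Versioning    = $lib.EnableVersioning
        MinorVersions = $lib.EnableMinorVersions
        MajorLimit    = $lib.MajorVersionLimit   # value found before any change
        Action        = $action
    }
}

# The CSV can be attached to the information management policy as a record
# of what each library was set to and when it was checked.
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table -AutoSize
```

    Lowering the limit does not purge versions already stored; SharePoint trims the excess when a file is next saved, so an erasure request still needs the older versions of the affected document checked.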
  9. Simon Knights

    Simon Knights UKBF Newcomer Free Member

    Is it worth looking at not storing personal or sensitive data in documents and rather a database or a portal? Documents can be hard to audit and trace as they are portable and can be emailed, put on a pendrive etc, so you need to make sure your security is up to scratch and everything is audited and traceable. Having data in an encrypted database or system may be a lot less man hours for compliance and longer term to maintain.
     
    Posted: Feb 7, 2018 By: Simon Knights Member since: Feb 7, 2018
    #9
  10. ffox

    ffox UKBF Regular Free Member

    The OP is using Office 365. All documents and information in SharePoint lists are, by default, stored in an encrypted database. Further, all information content, including scanned PDF document content, is crawled and indexed and therefore searchable. Share, download and copy rights are controlled from a single security administration panel.
    In such a system redaction of data can be focussed and proactive, rather than reactive.

    A corporate information policy is still required to formalise the intent on data retention.
     
    Posted: Feb 8, 2018 By: ffox Member since: Mar 11, 2004
    #10
  11. Simon Knights

    Simon Knights UKBF Newcomer Free Member

    Sounds like you have it under control. What about documents in OneDrive? I'm assuming if they are shared outside the organisation everything is still logged?
     
    Posted: Feb 8, 2018 By: Simon Knights Member since: Feb 7, 2018
    #11
  12. ffox

    ffox UKBF Regular Free Member

    OneDrive for Business is a SharePoint resource. As such anything in OneDrive is stored in an SQL Database. Sharing outside the organisation is controllable under the admin control panel.

    No organisation should ever share personal information externally, unless the subject has been consulted and has agreed. The corporate information policy should define who is responsible for the compliance of any personal information exported. Download to employees' personal devices is unnecessary when using Office 365.
     
    Posted: Feb 8, 2018 By: ffox Member since: Mar 11, 2004
    #12
  13. Simon Knights

    Simon Knights UKBF Newcomer Free Member

    I totally agree with the sharing of data externally and also the downloading of data. Sounds like you have things well under control there.
     
    Posted: Feb 8, 2018 By: Simon Knights Member since: Feb 7, 2018
    #13