Best Practice Update

Where is your data stored?

Understanding where your data is stored is crucial for both records management (data retention) and retrieving personal data in cases of Subject Access Requests. This article looks at where Microsoft 365 stores its data.
The information in this article was inspired by a Microsoft 365 Governance and Compliance Blog, but it does highlight issues that we often see with schools: not knowing exactly where their data is held and not removing it when it is no longer needed. The blog details which Microsoft 365 applications hold data where. Knowing where your data is held tells you its location and the laws and rules that apply to it, which is crucial for understanding where your personal and special category data is.

The blog lists what content is stored:

  • In User's Exchange Online Mailbox
  • In a Microsoft 365 Group Mailbox
  • In Bookings Exchange Online Mailbox
  • In User's OneDrive
  • In SharePoint Online

The full blog can be read here: Where does Microsoft Store your data? A detailed guide.

If your data is being held in a different country it's important to have done some due diligence around the cloud provider; the DfE Digital Standards document specifically says that a DPIA should be completed when implementing a cloud solution: Meeting digital and technology standards in schools and colleges: Cloud solution standards.

Technical requirements to meet the standard

Your DPO should carry out data protection impact assessments (DPIA) for any cloud solutions that store personal and or sensitive personal data (also known as special category data).

In the Server and Storage platforms section, the DfE further advises that your data protection officer should be consulted in relation to data retention and sharing.

Records Management and Data Retention

We would always advise that data retention is applied to both physical and digital files. When this can be done organisation-wide from an admin control perspective, it ensures standardisation across the organisation. It should be part of an organisation's information governance framework. Further help and advice about records management can be found in our Records Management Best Practice Area.

Subject Access Requests

When good data retention procedures are in place, gathering the information for a subject access request is much easier. The amount of data is considerably less, and so the amount of redaction required is also less. Microsoft does provide the eDiscovery tool for such requests, and information on how to use it is available in the Microsoft online support pages: Search for content with eDiscovery.

Data Breaches

Understanding where your data is held is crucial if there is a cyber attack or a data breach. Knowing what has been breached means you are able to understand who is affected and what the risk might be to any individuals. Further help and advice about data breaches can be found in our Data Breach Best Practice Area.
