Secure Document Sharing & Retention Framework This framework provides actionable guidance for managing document sharing, permissions, and offboarding in Google Workspace and Microsoft 365 environments. Part 1: Core Principles Least Privilege Access Give users the minimum permissions needed to do their work. Default to restrictive permissions and grant additional access only when justified. Regular Permission Audits Access requirements change as projects evolve and staff transitions occur. Quarterly reviews prevent permission creep and orphaned access. Clear Ownership Every shared resource needs a designated owner responsible for managing access and ensuring appropriate use. Data Classification Not all information requires the same protection. Classify data by sensitivity (Low, Medium, High) to apply appropriate controls. Retention by Purpose Keep data only as long as it serves organizational needs or legal requirements. Unnecessary data creates liability. Part 2: Data Classification Framework Public Information Definition: Already published or intended for public consumption Examples: Press releases, published reports, public event information Sharing: Can be shared widely with "anyone with the link" Storage: Standard organizational drives Retention: Permanent archive appropriate Internal Information Definition: Not sensitive but intended only for organizational use Examples: General staff communications, non-confidential meeting notes, internal newsletters Sharing: Organization-only; no external sharing Storage: Organizational shared drives Retention: 3-7 years typical Confidential Information Definition: Sensitive information requiring protection Examples: Strategic plans, donor information, financial records, personnel files, legal documents Sharing: Named individuals only; explicit approval for external sharing Storage: Restricted folders with audit logging Retention: Varies by type; often 7+ years Highly Sensitive Information Definition: Information that could cause significant harm if disclosed Examples: Legal strategy, sensitive external communications, information about vulnerable individuals Sharing: Extremely limited; requires executive approval for any sharing Storage: Encrypted cloud storage (Tresorit) or encrypted local storage Retention: Minimum necessary; destroy when no longer required Part 3: Permission Management Google Workspace Permission Levels Viewer Can view and download files Cannot edit or share Use for: External partners needing read-only access, staff viewing reference materials Commenter Can view and add comments Cannot edit content directly Use for: Review processes, feedback collection without editing rights Editor Can edit content and share with others Cannot change ownership Use for: Active collaborators on shared documents Owner (Google-specific) Full control including deletion and ownership transfer Only role that can permanently delete from shared drives Use for: Primary document steward Microsoft 365 Permission Levels Read Can view and download Cannot edit or share Use for: Reference materials, read-only external access Edit Can modify content May or may not be able to share (configurable) Use for: Active collaborators Full Control (SharePoint) Complete administrative control Can change permissions and settings Use for: Site administrators only Permission Best Practices Default to "Specific People" Never use "anyone with the link" for anything beyond public information. Even for internal documents, explicitly name users or groups. Consider Using Groups, Not Individual Accounts Create groups for recurring access needs: Communications Team Finance Staff Board Members Program Directors This simplifies management when people join or leave roles. Time-Limited Access for External Collaborators When granting access to external partners: Set expiration dates where possible Use "commenter" or "viewer" rather than "editor" unless editing is essential Document why access was granted Review after 90 days Avoid Editor Rights to External Parties External collaborators should rarely need editing rights. Use comment access and have internal staff make approved changes. Regular Permission Audits Quarterly, review: Who has access to confidential folders External shares across the organization Shared drives with "anyone with the link" settings Users with ownership rights Part 4: Sharing Workflows Internal Sharing (Google Workspace) For Individual Documents: Open sharing settings Select "Restricted" (not "Anyone with the link") Add specific people or groups Choose appropriate permission level Uncheck "Notify people" if you'll inform them separately Document the share in your records if sharing confidential information For Shared Drives: Use Shared Drives (not "My Drive") for team collaboration Assign team members to the Shared Drive with appropriate roles Set default permissions at the drive level Individual files inherit drive permissions unless specifically overridden For Folders: Share the folder, not individual files when possible Use consistent permission structure Name folders clearly to indicate sensitivity level Include a README file explaining the folder's purpose and access requirements Internal Sharing (Microsoft 365) For SharePoint Sites: Use SharePoint sites for department/project collaboration Assign users to appropriate SharePoint groups (Members, Visitors, Owners) Site-level permissions cascade to libraries and files Use sensitivity labels to enforce encryption on confidential content For OneDrive: Use OneDrive for personal working files, not organizational documents Move files to SharePoint when they need team access Avoid long-term storage of organizational content in personal OneDrive For Teams: Each Team has an underlying SharePoint site Files shared in Teams channels are stored in SharePoint Team owners manage member access External guest access requires explicit enablement External Sharing Risk Assessment First Before sharing anything externally: What information does this contain? What's the minimum access level needed? How long should access last? Who would benefit from gaining access to this information? Google Workspace External Sharing: Prefer "Commenter" or "Viewer" access Monitor access through activity logs Revoke access when collaboration ends Microsoft 365 External Sharing: Use sensitivity labels to control what can be shared externally Require expiration for guest access Use "Anyone" links only for truly public information Set organizational policies blocking external sharing of confidential content Alternative: Secure Sharing Platforms For highly sensitive materials, consider: Tresorit Send for encrypted file transfer Tresorit to host and share documents Password-protected, time-limited links Watermarked documents for leak detection Part 5: Offboarding Procedures 30 Days Before Departure (If Possible) Document Ownership Transfer Identify all documents owned by departing staff Determine new owners for each document/folder Transfer ownership to permanent employees, not other departing staff Create a spreadsheet to document the transfers Knowledge Transfer Create list of key files and their locations Document any unique sharing arrangements Identify external parties with whom staff member shared documents Day of Departure Immediate Actions: Google Workspace: Transfer ownership of critical documents immediately Remove from all organizational groups Convert account to suspended (not deleted yet) Review and revoke external shares made by user Set email forwarding to appropriate staff member (if approved) Document the account status Microsoft 365: Transfer ownership of critical SharePoint content Remove from all Microsoft 365 groups and Teams Revoke active sessions Block user sign-in (don't delete yet) Set email forwarding (if approved) Convert mailbox to shared mailbox if retention needed Document account status