Secure Document Sharing & Retention Framework
This framework provides actionable guidance for managing document sharing, permissions, offboarding, and retention in Google Workspace and Microsoft 365 environments.
Part 1: Core Principles
Least Privilege Access
Give users the minimum permissions needed to do their work. Default to restrictive permissions and grant additional access only when justified.
Regular Permission Audits
Access requirements change as projects evolve and staff transitions occur. Quarterly reviews prevent permission creep and orphaned access.
Clear Ownership
Data Classification
Not all information requires the same protection. Classify data by sensitivity (Low, Medium, High) to apply appropriate controls.
Retention by Purpose
Keep data only as long as it serves organizational needs or legal requirements. Unnecessary data creates liability.
Part 2: Data Classification Framework
Public Information
Definition: Already published or intended for public consumption
Examples: Press releases, published reports, public event information
Sharing: Can be shared widely with "anyone with the link"
Storage: Standard organizational drives
Retention: Permanent archive appropriate
Internal Information
Definition: Not sensitive but intended only for organizational use
Examples: General staff communications, non-confidential meeting notes, internal newsletters
Sharing: Organization-only; no external sharing
Storage: Organizational shared drives
Retention: 3-7 years typical
Confidential Information
Definition: Sensitive information requiring protection
Examples: Strategic plans, donor information, financial records, personnel files, legal documents
Sharing: Named individuals only; explicit approval for external sharing
Storage: Restricted folders with audit logging
Retention: Varies by type; often 7+ years
Highly Sensitive Information
Definition: Information that could cause significant harm if disclosed
Examples: Legal strategy, whistleblower communications, information about vulnerable individuals
Sharing: Extremely limited; requires executive approval for any sharing
Storage: Encrypted cloud storage (Tresorit) or encrypted local storage
Retention: Minimum necessary; destroy when no longer required
Part 3: Permission Management
Google Workspace Permission Levels
Viewer
- Can view and download files
- Cannot edit or share
- Use for: External partners needing read-only access, staff viewing reference materials
Commenter
- Can view and add comments
- Cannot edit content directly
- Use for: Review processes, feedback collection without editing rights
Editor
- Can edit content and share with others
- Cannot change ownership
- Use for: Active collaborators on shared documents
Owner (Google-specific)
- Full control including deletion and ownership transfer
- Only role that can permanently delete from shared drives
- Use for: Primary document steward
Microsoft 365 Permission Levels
Read
- Can view and download
- Cannot edit or share
- Use for: Reference materials, read-only external access
Edit
- Can modify content
- May or may not be able to share (configurable)
- Use for: Active collaborators
- Complete administrative control
- Can change permissions and settings
- Use for: Site administrators only
Permission Best Practices
Default to "Specific People" Never use "anyone with the link" for anything beyond public information. Even for internal documents, explicitly name users or groups.
Use Groups, Not Individual Accounts Create groups for recurring access needs:
- Communications Team
- Finance Staff
- Board Members
- Program Directors
This simplifies management when people join or leave roles.
Time-Limited Access for External Collaborators When granting access to external partners:
- Set expiration dates where possible
- Use "commenter" or "viewer" rather than "editor" unless editing is essential
- Document why access was granted
- Review after 90 days
Avoid Editor Rights to External Parties External collaborators should rarely need editing rights. Use comment access and have internal staff make approved changes.
Regular Permission Audits Quarterly, review:
- Who has access to confidential folders
- External shares across the organization
- Shared drives with "anyone with the link" settings
- Users with ownership rights
Part 4: Sharing Workflows
Internal Sharing (Google Workspace)
For Individual Documents:
- Open sharing settings
- Select "Restricted" (not "Anyone with the link")
- Add specific people or groups
- Choose appropriate permission level
- Uncheck "Notify people" if you'll inform them separately
- Document the share in your records if sharing confidential information
For Folders:
Internal Sharing (Microsoft 365)
For OneDrive:
- Use OneDrive for personal working files, not organizational documents
- Move files to SharePoint when they need team access
- Avoid long-term storage of organizational content in personal OneDrive
For Teams:
- Each Team has an underlying SharePoint site
- Files shared in Teams channels are stored in SharePoint
- Team owners manage member access
- External guest access requires explicit enablement
External Sharing
Risk Assessment First Before sharing anything externally:
- What information does this contain?
- What's the business justification?
- What's the minimum access level needed?
- How long should access last?
- Do we have a non-disclosure agreement if appropriate?
Google Workspace External Sharing:
- Prefer "Commenter" or "Viewer" access
- Require email verification (under Sharing settings)
- Set expiration dates where platform allows
- Use link passwords for sensitive materials
- Monitor access through activity logs
- Revoke access when collaboration ends
Microsoft 365 External Sharing:
- Use sensitivity labels to control what can be shared externally
- Require expiration for guest access
- Enable "reauthentication" requirements
- Use "Anyone" links only for truly public information
- Set organizational policies blocking external sharing of confidential content
Alternative: Secure Sharing Platforms For highly sensitive materials, consider:
- Tresorit Send for encrypted file transfer
- Password-protected, time-limited links
- Watermarked documents for leak detection
- Client portals with MFA requirements
Part 5: Offboarding Procedures
30 Days Before Departure (If Possible)
Document Ownership Transfer
- Identify all documents owned by departing staff
- Determine new owners for each document/folder
- Transfer ownership to permanent employees, not other departing staff
- Document the transfers
Knowledge Transfer
- Create list of key files and their locations
- Document any unique sharing arrangements
- Identify external parties with whom staff member shared documents
Google Workspace Pre-Departure:
1. Run ownership audit: Use Admin Console → Reports → Drive → File ownership
2. Transfer ownership: Admin Console → Apps → Google Workspace → Drive → Transfer ownership
3. Document external shares: Check user's "Shared with me" and outgoing shares
4. Notify replacement of important shared resources
Microsoft 365 Pre-Departure:
1. List OneDrive files: PowerShell command or manual review
2. Identify SharePoint site ownerships
3. Document Teams where user is sole owner
4. Plan ownership transfers for critical content
Day of Departure
Immediate Actions:
Google Workspace:
- Transfer ownership of critical documents immediately
- Remove from all organizational groups
- Convert account to suspended (not deleted yet)
- Change account recovery options
- Review and revoke external shares made by user
- Set email forwarding to appropriate staff member (if approved)
- Document the account status
Microsoft 365:
- Transfer ownership of critical SharePoint content
- Remove from all Microsoft 365 groups and Teams
- Revoke active sessions
- Block user sign-in (don't delete yet)
- Set email forwarding (if approved)
- Convert mailbox to shared mailbox if retention needed
- Document account status
30 Days After Departure
Account Cleanup:
Google Workspace:
- Complete all ownership transfers
- Download archive of user's Drive content
- Delete account OR transfer to archived account
- Maintain access logs per retention policy
- Revoke any remaining external shares
- Remove from any vendor systems using Google SSO
Microsoft 365:
- Ensure all necessary content preserved
- Convert mailbox to shared mailbox or archive
- Remove licenses to save costs
- Delete account after 30-90 days depending on retention needs
- Maintain audit logs per retention policy
Special Cases
Executive Departures: Require extended review period. Often legal or board oversight of data transfers.
Sudden Departures: Follow immediate action procedures. Prioritize security over complete documentation.
Consultant/Contractor Departures: Should have limited access from start. Remove all access same day.
Part 6: Email Retention Policies
Why Email Retention Matters
Email creates significant organizational risk:
- Legal discovery: Email is frequently subpoenaed in litigation
- Compliance requirements: Many regulations mandate email retention
- Storage costs: Unlimited retention is expensive
- Security exposure: Old emails contain outdated information and credentials
- Operational efficiency: Finding relevant information in massive archives is difficult
Retention Principles
Balance competing needs:
- Legal/compliance requirements (retain)
- Security and privacy (minimize)
- Operational utility (retain what's useful)
- Cost management (delete unnecessary data)
Policy should be:
- Documented in writing
- Applied consistently
- Reviewed annually
- Enforced through technical controls where possible
Sample Retention Schedules
Standard Business Email
- Retention: 3-7 years
- Rationale: Covers most legal requirements while limiting unnecessary accumulation
- Examples: Project correspondence, vendor communications, routine internal messages
Executive/Legal Correspondence
- Retention: 7+ years or permanent
- Rationale: May be needed for legal defense or historical reference
- Examples: Board communications, contracts, legal advice, major decisions
Transactional/Ephemeral Email
- Retention: 30-90 days
- Rationale: Short-term utility, no long-term value
- Examples: Meeting confirmations, routine scheduling, FYI forwards, "thanks" emails
HR/Personnel Records
- Retention: 7 years after separation (varies by jurisdiction)
- Rationale: Legal requirements around employment records
- Examples: Performance reviews, disciplinary actions, accommodation requests
Financial Records
- Retention: 7 years minimum (often longer)
- Rationale: Tax and audit requirements
- Examples: Invoices, receipts, financial approvals, donor communications
Legal Holds
When litigation is anticipated or ongoing, implement legal hold:
- Suspend automatic deletion for affected accounts
- Preserve all potentially relevant communications
- Document the hold and affected users
- Release hold only after legal authorization
Implementation:
- Google Vault for Google Workspace
- Microsoft Purview for Microsoft 365
- Alternative: Export and preserve externally
Implementation Approach
Google Workspace:
1. Use Google Vault for retention policies
2. Create rules based on: organizational unit, time period, search terms
3. Set retention rules BEFORE implementing deletion
4. Test with small group before organization-wide
5. Communicate policy to staff
6. Document exceptions and legal holds
Microsoft 365:
1. Use Microsoft Purview (formerly Compliance Center)
2. Create retention policies for Exchange Online
3. Apply to: entire organization, specific users, or based on labels
4. Retention policies override user deletions
5. Set deletion policies separately from retention
6. Monitor policy effectiveness through reports
Staff Communication
Before Implementation:
- Explain the "why" behind retention policies
- Give advance warning before deletion policies take effect
- Provide guidance on what to preserve outside email
- Train on proper record-keeping practices
Ongoing:
- Remind staff of retention policies annually
- Update policies as regulations change
- Address questions about specific situations
Part 7: Document Retention Policies
Categories and Retention Periods
Organizational Governance
- Articles of Incorporation/Bylaws: Permanent
- Board meeting minutes: Permanent
- Board resolutions: Permanent
- Annual reports: Permanent
- IRS determination letter: Permanent
Financial Records
- Audit reports: Permanent
- Tax returns and supporting documentation: 7 years
- General ledgers: 7 years
- Bank statements: 7 years
- Invoices/receipts: 7 years
- Grant agreements and reports: 7 years after grant ends
- Payroll records: 7 years after separation
Contracts and Legal
- Contracts: 7 years after expiration
- Leases: 7 years after expiration
- Legal correspondence: 7 years or permanent for major matters
- Litigation files: Permanent
- Insurance policies: Permanent
Human Resources
- Personnel files: 7 years after separation
- I-9 forms: 3 years after hire or 1 year after separation (whichever is later)
- Benefits records: 7 years after separation
- Payroll records: 7 years
- Job applications (not hired): 1-2 years
Program/Operations
- Program files: 7 years after program ends
- Communications/correspondence: 3-7 years depending on content
- Donor records: Permanent or 7 years after final gift
- Vendor files: 7 years after relationship ends
- Routine administrative: 2-3 years
Implementation Strategy
Phase 1: Inventory and Classification (Month 1-2)
- Survey existing document storage locations
- Identify major document categories
- Assign preliminary retention periods
- Consult legal counsel on jurisdiction-specific requirements
Phase 2: Policy Development (Month 2-3)
- Draft written retention policy
- Review with leadership and legal counsel
- Board approval of policy
- Create retention schedule matrix
Phase 3: Technical Implementation (Month 3-4)
- Organize existing files into retention categories
- Configure retention policies in Google Workspace/Microsoft 365
- Label documents with retention categories
- Set up automated deletion where appropriate
Phase 4: Training and Rollout (Month 4-5)
- Train staff on retention policy
- Provide job aids for common scenarios
- Begin enforcement
- Monitor compliance
Phase 5: Ongoing Management
- Quarterly spot checks
- Annual policy review
- Update as regulations change
- Archive or destroy per schedule
Part 8: Practical Tools and Processes
Permission Audit Checklist
Quarterly Review:
[ ] Export list of all external shares organization-wide
[ ] Review users with "Owner" role on Shared Drives/SharePoint sites
[ ] Check for "Anyone with the link" shares
[ ] Verify all external collaborators still require access
[ ] Remove access for departed staff (double-check)
[ ] Review access to confidential folders
[ ] Update group memberships
[ ] Document findings and actions taken
New Employee Onboarding
Access Provisioning:
[ ] Add to appropriate Google Groups/Microsoft 365 Groups
[ ] Grant access to relevant Shared Drives/SharePoint sites
[ ] Provide editor access to their project folders
[ ] Document access grants in HR system
[ ] Train on document classification
[ ] Review security policies including sharing rules
Project Collaboration Setup
Starting a New Project:
[ ] Create dedicated Shared Drive (Google) or SharePoint site (Microsoft)
[ ] Set up folder structure (Active, Archive, Reference)
[ ] Add team members with appropriate permissions
[ ] Configure default sharing settings (restrict external sharing)
[ ] Create README documenting folder purpose and policies
[ ] Set calendar reminder for quarterly permission review
Incident Response for Unauthorized Sharing
If You Discover Inappropriate Sharing:
1. Document what was shared, with whom, and when
2. Immediately revoke access if clearly unauthorized
3. Notify information security team or executive director
4. Determine if sensitive data was exposed
5. Check access logs to see if data was accessed
6. Consider legal notification requirements
7. Review how sharing occurred and prevent recurrence
8. Document incident and response
Part 9: Technical Implementation
Google Workspace Configuration
Admin Console Settings:
Sharing settings > Sharing options:
- [ ] Allow users in [org] to receive files from users outside of [org]
(Enable selectively, not organization-wide)
- [ ] When sharing outside of [org] is allowed, users in [org] can make files
visible to anyone with the link
(Disable for confidential organizational units)
- [✓] Recipients only (for external sharing)
(Forces named recipients, prevents link sharing)
- [✓] Sharing outside of [org] requires access checker approval
(Enables approval workflow for external shares)
1. Create organizational structure matching teams/departments
2. Set permissions at drive level, not individual files
3. Limit "Manager" role to 2-3 people per drive
4. Use "Content Manager" for most staff
5. Regularly audit drive membership
Google Vault Setup:
1. Enable Vault for your organization
2. Create retention rules by organizational unit
3. Set rules for: Email (3-7 years), Drive files (varies), Chat (1-3 years)
4. Create matter for legal holds when needed
5. Regularly export important archives
Microsoft 365 Configuration
Policies > Sharing:
- [ ] Content can be shared with: Most permissive: Anyone
Recommended: New and existing guests
- [✓] Guests must sign in using the same account to which sharing invitations are sent
- [✓] Guests must verify their identity through a verification code
- [✓] Allow only users in specific security groups to share externally
(Set up approval group)
- Set expiration for "Anyone" links: 30 days
- Set expiration for guest access: 90 days
Sensitivity Labels (Microsoft Purview):
Create labels:
- Public
- Internal Only
- Confidential
- Highly Confidential
Configure actions:
- Encryption (for Confidential+)
- Content marking (headers/footers)
- External sharing restrictions
- Auto-labeling based on content
Retention Policies:
Microsoft Purview > Data lifecycle management:
1. Create retention policies for:
- Exchange (email)
- SharePoint sites
- OneDrive accounts
- Microsoft Teams
2. Set retention periods by:
- Location (specific sites/users)
- Content type
- Sensitivity label
3. Configure deletion policies after retention periods expire
Part 10: Training and Culture
Building Security-Conscious Culture
Regular Training:
- Annual comprehensive training for all staff
- Onboarding training for new hires
- Quarterly reminders via email/newsletter
- Scenario-based learning (real examples)
Make It Easy:
- Provide clear job aids and checklists
- Create standard folder templates
- Set secure defaults in platforms
- Automate enforcement where possible
Leadership Modeling:
- Executives follow same rules
- Leadership discusses security in meetings
- Celebrate good security practices
- Address violations consistently
Common Scenarios Training
Scenario 1: Sharing with External Consultant
Wrong approach:
- Share entire folder with "Editor" rights
- Use "Anyone with the link"
- No expiration date
Right approach:
- Share specific files needed
- Use "Commenter" or "Viewer" access
- Set 90-day expiration
- Require email verification
- Document the share and business justification
Scenario 2: Board Meeting Materials
Wrong approach:
- Email attachments to board members
- Use personal email addresses
- No expiration on access
Right approach:
- Create dedicated Board folder in Shared Drive/SharePoint
- Add board members to secure folder
- Use organizational email addresses only
- Remove access when terms end
- Enable audit logging
Scenario 3: Collaborative Document with Partner Organization
Wrong approach:
- Give partner staff direct access to internal folders
- Share "My Drive" documents
- No documentation of what was shared
Right approach:
- Create project-specific Shared Drive/SharePoint site
- Add only necessary staff from partner
- Use "Editor" only if editing required, otherwise "Commenter"
- Set quarterly review reminder
- Document access grants
Part 11: Monitoring and Compliance
Audit Activities
Monthly:
- Review new external shares across organization
- Check for policy violations (e.g., "anyone with link" to confidential folders)
- Monitor for unusual access patterns
Quarterly:
- Comprehensive permission audit
- Review and remove unnecessary access
- Update groups as staff roles change
- Test random samples for policy compliance
Annually:
- Full retention policy review
- Update retention schedules as regulations change
- Comprehensive external sharing audit
- Staff training refresh
Metrics to Track
Access Management:
- Number of external shares
- Average number of people with access to confidential folders
- Time to revoke access after staff departure
- Group membership accuracy
Compliance:
- Percentage of documents properly classified
- Time to implement legal holds
- Retention policy exceptions granted
- Policy violations identified and resolved
Efficiency:
- Time to grant new access requests
- User satisfaction with access procedures
- Volume of access-related support tickets
Reporting Structure
To Leadership:
- Quarterly summary of sharing metrics
- Significant policy violations
- External sharing trends
- Offboarding compliance rates
To Staff:
- Reminders of policies
- Anonymized examples of violations
- Updates to procedures
- Recognition of good practices
Part 12: Special Considerations
Remote Work Challenges
Increased External Sharing: Remote staff may be more likely to share documents externally or use personal accounts. Provide clear guidance and easy-to-use secure alternatives.
Device Management: Ensure remote workers use organizational accounts on trusted devices. Consider:
- Mobile device management (MDM)
- Endpoint protection software
- VPN requirements for sensitive access
Vendor Management
Third-Party Access: When vendors require access to documents:
- Create vendor-specific folders/sites
- Grant minimum necessary access
- Set expiration dates
- Require NDAs for confidential information
- Audit vendor access regularly
SSO and Identity Management: Use Single Sign-On (SSO) where possible to:
- Centralize access control
- Enable quick revocation
- Monitor vendor access
- Simplify user experience
Bring Your Own Device (BYOD)
Risk Management: If allowing personal device access:
- Require device encryption
- Enforce app-based access (not web browsers for sensitive docs)
- Enable remote wipe capability
- Prohibit downloading confidential documents to personal devices
- Regular security training
International Considerations
Data Sovereignty: Organizations with international operations must consider:
- Where data is stored (geographic regions)
- Compliance with GDPR, other data protection laws
- Data transfer restrictions
- Localization requirements
Google Workspace:
- Choose data regions in Admin Console
- Enable data region policies
Microsoft 365:
- Configure Multi-Geo capabilities (requires licensing)
- Set data residency preferences
Appendices
Appendix A: Sample Policies
Document Retention Policy Template
[ORGANIZATION NAME] Document Retention Policy
1. Purpose
This policy establishes standards for retaining organizational documents to meet legal
requirements while minimizing unnecessary data accumulation.
2. Scope
Applies to all employees, contractors, volunteers, and board members.
3. Responsibilities
- Staff: Follow retention schedules and classification guidance
- IT: Implement technical controls and manage archives
- Executive Director: Oversee policy compliance
- Board: Approve policy and major updates
4. Retention Schedule
[Insert your retention schedule matrix here]
5. Legal Holds
In the event of litigation or investigation, normal retention schedules are suspended for
affected materials. Legal holds override automatic deletion policies.
6. Secure Destruction
Documents exceeding retention periods shall be securely destroyed:
- Electronic: Permanent deletion with logging
- Paper: Shredding by certified vendor
7. Annual Review
This policy shall be reviewed annually and updated as needed.
Approved by Board of Directors: [DATE]
Next Review Date: [DATE]
External Sharing Policy Template
[ORGANIZATION NAME] External Document Sharing Policy
1. Purpose
Establish controls for sharing organizational documents with external parties.
2. Prohibited Actions
- Sharing confidential documents via "anyone with the link"
- Granting external parties "Owner" permissions
- Sharing to personal email accounts of external parties
- Sharing without business justification
3. Approval Requirements
- Internal/Public documents: Department head approval
- Confidential documents: Executive director approval
- Highly sensitive: Board/legal approval
4. Required Controls
- Use named recipient sharing only
- Set expiration dates (90 days maximum)
- Use minimum permission level needed
- Document sharing decision and duration
- Quarterly access review
5. External Party Requirements
- Organizational email address required (no personal emails)
- NDA for confidential information
- Security training for long-term collaborators
- Acceptance of organizational data handling policies
Appendix B: Common Questions
Q: What if external collaborators don't have organizational email addresses? A: For short-term access, their personal email may be acceptable with:
- Viewer or Commenter access only
- 30-day expiration
- Manager approval
- Alternative: Use secure sharing platform like Tresorit Send
Q: How do I handle confidential documents that multiple departments need? A: Create a cross-departmental Shared Drive/SharePoint site with carefully controlled access. Use groups to manage permissions, not individual accounts.
Q: Can board members access documents on personal devices? A: Yes, with restrictions:
- Must use organizational app (Google Drive/OneDrive app)
- Device must have passcode/biometric lock
- No downloading confidential documents to device storage
- Remote wipe capability enabled if possible
Q: What happens to documents when someone leaves? A: Ownership transfers to their replacement or department head. Access is revoked immediately upon departure. Account remains suspended for 30 days before deletion.
Q: How long should we keep emails? A: Depends on content. Business emails: 3-7 years. Legal/executive correspondence: 7+ years. Transactional emails: 30-90 days. See full retention schedule.
Q: What if someone accidentally shares something confidential externally? A: Immediately revoke access. Document the incident. Notify leadership. Assess if data was accessed. Implement controls to prevent recurrence.
Appendix C: Tool-Specific Guides
Google Workspace: Finding External Shares
Method 1: Admin Console (Admins only)
1. Admin Console → Reports → Audit → Drive
2. Filter: Event name = "Change document access scope" or "Share outside the domain"
3. Review results for policy violations
4. Export for documentation
Method 2: Google Drive UI (Individual users)
1. Drive → Shared with me
2. Look for external user icons
3. For your own shares: Drive → My Drive → Right-click → Share → See who has access
Method 3: Google Vault (Admins only)
1. Vault → Search
2. Create search: Shared with external users
3. Export results for review
Microsoft 365: Auditing External Access
1. SharePoint Admin Center → Reports → Sharing
2. View: External sharing by site
3. Export list of all external users
4. Review access dates and permissions
Method 2: Microsoft Purview
1. Microsoft Purview → Audit → Search
2. Activities: "Shared file, folder, or site"
3. Filter: External users
4. Export for review
Method 3: PowerShell (Advanced)
Connect to SharePoint Online and run:
Get-SPOExternalUser | Export-Csv external-users.csv
Appendix D: Incident Response Checklist
[ ] Immediately revoke access
[ ] Document: what was shared, with whom, when
[ ] Check access logs: was data actually accessed?
[ ] Notify: Information security team or executive director
[ ] Assess sensitivity: What information was exposed?
[ ] Legal review: Any notification obligations?
[ ] Determine cause: How did unauthorized sharing occur?
[ ] Implement controls: Prevent recurrence
[ ] Staff training: Address gaps if policy misunderstanding
[ ] Document: Full incident report for records
[ ] Follow-up: Verify controls effective after 30 days
Conclusion
Effective document sharing and retention requires balancing competing priorities: collaboration versus security, transparency versus confidentiality, convenience versus control.
Key Takeaways:
- Default to restrictive sharing; expand only when justified
- Use groups for permission management
- Audit access quarterly
- Implement clear retention policies
- Make offboarding a checklist-driven process
- Train staff regularly on secure practices
- Monitor compliance and adjust policies as needed
Organizations that invest in thoughtful document governance protect their missions, their stakeholders, and their reputations while still enabling effective collaboration.
Resources:
- K'lal Tech: https://klal.tech
- Google Workspace Admin Help: https://support.google.com/a
- Microsoft 365 Documentation: https://docs.microsoft.com/microsoft-365
Document Version: 1.0
Last Updated: December 2025
Next Review: June 2026