FOI requires 1 year retention. M365 defaults: Deleted emails gone forever after 30 days. Your compliance gap: 335 days.
The city’s legal counsel calls your office. The development company’s lawyer is demanding to know why key emails about the rezoning decision are missing from the FOI response. “This looks like deliberate destruction of evidence,” they’re saying.
Your FOI coordinator explains that staff deleted routine emails months ago, and your IT systems automatically purged them after 30 days. The lawyer isn’t buying it. “Government records disappearing during a controversial decision? We’ll see you in court.”
What started as a standard FOI request is now threatening to become a legal battle - all because of a default setting in Microsoft 365 that nobody chose.
This headache was completely avoidable. Your Microsoft 365 license includes retention policies that would have preserved those emails. Your IT team can activate them.
How This Became Your Problem
Microsoft designed M365 for private sector efficiency, not government transparency requirements. Their default settings automatically delete “deleted” emails after 30 days - fine for a startup, problematic when lawyers start questioning your record-keeping practices.
Your municipality pays thousands annually for M365 Business Premium licenses that include enterprise retention capabilities. These features ship disabled because Microsoft assumes organizations will configure them based on their specific requirements. With Microsoft constantly updating M365 features and settings, your IT team is already managing daily operational demands, security patches, and user support requests. Retention policy configuration - buried in compliance menus most IT professionals rarely visit - easily falls through the cracks.
The result: You’re in the impossible position of defending Microsoft’s default settings to lawyers who see missing records as potential evidence tampering. Microsoft chose efficiency over transparency - you’re dealing with the consequences.
What This Crisis Actually Costs Your Organization
Legal Exposure: Missing records during controversial decisions invite accusations of deliberate destruction, even when the deletion was purely technical and automatic.
Reputational Damage: “City loses key emails” becomes a media narrative that frames every subsequent FOI response as potentially incomplete or suspicious.
Operational Disruption: Your senior team spends time managing legal and communications challenges instead of governing, while FOI responses become more complex and time-consuming.
Council Relations: Elected officials face questions about transparency and record-keeping that they can’t answer without understanding technical systems they never chose.
These consequences extend far beyond IT department problems. They create organizational credibility issues that affect your ability to implement policy and maintain public trust.
The Solution You Need
Configure M365 retention policies to preserve deleted emails for whatever timeframe your organization requires. This addresses the immediate compliance gap and provides defensible documentation of your record-keeping practices.
More importantly, it shifts the narrative from “our system deleted records” to “our retention policies preserved records as required.” The same FOI scenario becomes: “All requested records from March are available through our configured retention system.”
Your IT team can implement email retention using existing licensing and Microsoft’s documented procedures. The storage capacity is already included in your M365 subscription, and retention policies can extend to SharePoint, Teams, and OneDrive files for comprehensive coverage.
Your Action Plan
Immediate Actions (Next 30 Days):
- Direct your IT team to audit current M365 retention settings and report back on the gap between defaults and your operational needs
- Set a deadline for implementing email retention policies - this addresses the highest-risk scenario and provides the foundation for comprehensive records management
- Document the decision for your FOI coordinator and legal counsel so they understand your new capabilities
Implementation Phases:
Phase 1 - Email Protection: Configure email retention for all municipal accounts immediately.
Phase 2 - Document Retention: Extend policies to SharePoint sites, Teams conversations, and key OneDrive folders containing municipal records.
Phase 3 - Ongoing Compliance: Monitor implementation to ensure policies work as expected and provide the protection you need.
The technical solution exists, the storage is included, and the administrative tools are available. This issue resolves through organizational prioritization, not budget increases or complex procurement.
Don’t wait for another lawyer’s call that could have been avoided.
Need help assessing your municipality’s M365 retention requirements? Reach out for leadership-focused guidance that addresses both technical implementation and organizational risk management.