Information Governance: A Practical UK Guide for M365

Information Governance: A Practical UK Guide for M365

Employee records rarely sit in one neat system. In most mid-market businesses, HR keeps contract variations in SharePoint, managers discuss absence issues in Teams, payroll data lives elsewhere, and somebody still has a spreadsheet for Right to Work tracking. That mix feels normal until a subject access request lands, a leaver's data remains visible to the wrong people, or nobody can say with confidence which document is the current version.

That's where information governance stops being theory. It becomes a practical operating model for controlling how people data is collected, used, shared, retained and deleted across Microsoft 365.

For HR and IT leaders, the pressure point is often the same. The business has grown faster than its controls. The UK government's Data Sharing Governance Framework says senior leaders should make data sharing a strategic priority, yet many mid-market organisations still struggle to apply that to HR workflows such as Right to Work checks, employee relations files and recruitment screening. That's the gap. The principle exists, but the day-to-day method often doesn't.

Taming Your Data The Modern Imperative of Information Governance

A familiar pattern shows up in growing organisations. HR starts with a simple filing structure. Then acquisitions happen, hybrid working expands, more managers need access, and new apps get added. Before long, employee data is spread across Outlook mailboxes, Teams chats, SharePoint libraries, local downloads and line-of-business systems.

The risk isn't only a breach. The bigger problem is inconsistency. One manager keeps investigation notes in a private folder. Another stores them in a shared Team. Recruitment keeps CVs longer than intended because no one owns deletion. IT can lock systems down, but if nobody has agreed what should be kept, who should see it, and when it should be removed, the technical controls only solve part of the problem.

Where HR governance usually breaks down

In practice, the weak spots are predictable:

  • Joined-up ownership is missing: HR owns the process, IT owns the platform, and legal or compliance owns the policy. If nobody connects those threads, controls stay partial.
  • Data sharing is treated as ad hoc: Managers send documents because the task feels urgent, not because the sharing route is approved and logged.
  • Retention is vague: Teams keep data “just in case”, which is exactly how unnecessary risk accumulates.
  • Permissions drift over time: People change roles, but access often remains broader than it should.

Practical rule: If you can't explain where a category of employee data lives, who can access it, and when it should be deleted, you don't have information governance. You have storage.

For mid-market firms, healthcare-style governance models don't always fit neatly. Healthcare has mature frameworks and long-established discipline around sensitive data. Commercial HR teams in non-health sectors often have less guidance for applying the same level of rigour to onboarding, attendance, grievances, payroll interfaces or AI-assisted screening.

That's why good information governance has to be operational. It must work inside the systems your staff already use, especially Microsoft 365, where most of the main activity already happens.

What Good Information Governance Looks Like

Good information governance looks less like a policy binder and more like a well-run professional library. Every item has an owner, a purpose, an authorised audience and a clear lifecycle. Nothing valuable is left in a random pile, and nothing sensitive is handed out casually.

A diagram outlining the seven key principles of effective information governance as a trusted national asset.

The seven working principles

A practical model usually rests on seven pillars:

PrincipleWhat it means in practice
AccountabilityA named business owner decides the rules for each data category.
TransparencyStaff know what data is held and why, and public-facing notices are clear where required.
IntegrityRecords are accurate, current and protected from casual alteration.
SecurityAccess is limited to the people who genuinely need it.
CompliancePolicies reflect actual UK legal duties, not generic templates.
RetentionEach record type has a defined retention period.
DisposalData is deleted or anonymised in a controlled, auditable way.

The part most organisations skip is the last one. They get better at storing information but not at disposing of it.

Why retention matters more than most teams think

Under UK GDPR Principle (e) Storage Limitation, keeping personal data indefinitely without a defined legal basis is a breach. If the data is no longer needed for its original purpose or to defend legal claims, which typically expire after 6 years, it must be deleted or anonymised, as set out in the Legal Ombudsman information retention and disposal policy.

That has direct HR consequences. Candidate records, disciplinary files, occupational health documents and historic performance material should not sit in Microsoft 365 forever because deleting them feels inconvenient.

Keep less. Classify better. Delete on purpose.

What works and what doesn't

What works is a short list of approved record categories mapped to real systems such as SharePoint, Exchange, Teams and Dataverse. What doesn't work is a huge policy nobody reads, combined with a shared drive full of unlabeled folders.

A solid governance model also recognises trade-offs. HR often wants quick access. IT wants security. Compliance wants defensibility. You don't solve that tension by letting one team win. You solve it by setting rules that preserve speed while controlling access, retention and auditability.

Understanding Your Legal Duties in the UK

An HR manager gets a subject access request on Monday morning. By lunch, they need to find interview notes in Outlook, absence data in an HR app, investigation documents in SharePoint, and old access records tied to a leaver account in Entra ID. If those records sit in different places without clear ownership, the legal risk shows up fast.

The legal baseline is still the same. The Data Protection Act 2018 and UK GDPR set the rules for how UK businesses collect, use, secure and dispose of personal data. For HR teams, that covers some of the most sensitive information in the business, including recruitment records, health data, disciplinary material, payroll identifiers and evidence used in employee relations cases.

A close-up of legal documents, including an employment contract and data protection policy, on a wooden desk.

The ICO is active, and enforcement is only one part of the pressure. Complaints, data subject requests, internal grievances and tribunal disclosure all test whether governance works in practice. For a mid-market business, the issue is rarely the law in theory. It is whether the business can show what it holds, why it holds it, who can access it, and when it will be deleted.

HR data makes this harder because one employee can generate many record types with different legal bases and retention periods. A Right to Work document, a sickness record, a grievance note and a performance review should not all be treated the same way. In Microsoft 365, that means designing different controls for different data, not dropping everything into a single HR Team or shared mailbox.

Three duties need clear operational ownership:

  • Lawful use: record why the data is being collected and the legal basis for using it.
  • Access control: restrict visibility by role, especially for special category data and employee relations matters.
  • Retention and disposal: define how long each record is kept, where it is stored, and what triggers deletion or review.

In practice, many firms encounter difficulties. HR often has a policy. IT has a platform. Neither has a joined-up control model across SharePoint, Exchange, Teams, Dataverse and Entra ID.

That matters because UK data protection law is not limited to security breaches. It also covers over-collection, poor access discipline, vague retention, weak complaint handling and slow responses to employee rights requests. If a manager keeps informal notes in Teams chats, or if a leaver still has access through an unreviewed group in Entra ID, the problem is governance, not just admin.

For a practical view of how those controls work day to day, see this guide to employee data security in Microsoft environments.

New legal pressure on complaint handling

The UK Data (Use and Access) Act 2025, which came into force on 5 February 2026, raised the maximum penalty for PECR breaches to £17.5 million or 4 percent of global annual turnover, whichever is higher, as explained in the analysis of the reforms to UK data protection and privacy laws. That matters if the business uses employee monitoring tools, tracks communications data, or runs marketing activity that crosses into privacy and consent issues.

Another recent change affects how complaints are handled. Since 19 June 2026, individuals have had a statutory right to complain directly to data controllers before escalating matters to the ICO. For HR and compliance teams, that raises the bar on response workflows, case ownership and audit trails. The business needs to acknowledge complaints, investigate them properly and show what action was taken.

Microsoft 365 design choices start to matter legally. Dataverse can give HR teams structured records and clearer process history for case handling. Entra ID can enforce role-based access and reduce the spread of sensitive files. SharePoint can hold controlled employment documents with version history and permissions that stand up better under scrutiny than email folders and chat threads.

A short overview of the wider regulatory context is useful here:

A governance model that cannot survive a complaint, an audit or a manager leaving the business is not mature enough.

Using Microsoft 365 for Effective Governance

Most UK businesses already own much of the tooling needed for stronger information governance. The problem is rarely missing technology. It's poor configuration, weak ownership and too many exceptions.

Start with the platform you already have

SharePoint should be the controlled document layer for HR records that need version history, permissions and structured storage. Teams should support collaboration, but not become the permanent home for critical employment records. Outlook and Exchange need retention logic that reflects legal obligations, not mailbox size complaints.

Microsoft Entra ID is where access discipline becomes real. If HR, payroll, line managers and external advisers all need different levels of visibility, role-based access has to be designed deliberately. Too many businesses still rely on broad Microsoft 365 group membership and inherited permissions that nobody reviews.

Dataverse is especially important when HR processes move beyond documents into applications. Once recruitment, onboarding, absence, case management or employee change workflows sit in Dataverse, you gain a stronger audit trail, structured data, security roles and process consistency.

Match controls to the record type

A practical governance design in Microsoft 365 usually looks like this:

  • SharePoint for controlled HR documents: Contracts, policy acknowledgements, investigation packs and leaver documentation belong in governed libraries with metadata.
  • Teams for working collaboration: Useful for discussion, but not the final resting place for sensitive records.
  • Exchange retention for regulated communication: Mail that forms part of a business record needs explicit policy treatment.
  • Entra ID for access segmentation: Separate who can view, edit, approve and export.
  • Dataverse for process-led HR data: Best suited where forms, workflows, approvals and audit history matter.

The retention side deserves careful design. In the UK, the FCA requires email records to be retained for 6 years, which is a key specification when configuring retention policies in platforms such as Microsoft 365 and Dataverse, as outlined in the UK data retention requirements guidance. If your environment auto-deletes too early, you create compliance risk. If it keeps everything forever, you create a different kind of risk.

What tends to work in real projects

The best Microsoft 365 governance projects are boring in the right way. They standardise naming, classify HR content sensibly, reduce one-off workarounds and automate retention where possible.

What usually fails is overengineering. If staff need to choose from too many labels, libraries or exception paths, they won't follow the model consistently. Simplicity beats theoretical perfection.

A strong document retention policy for Microsoft 365 environments should connect legal requirements to actual workloads, not sit as an isolated compliance document.

Your Step by Step Information Governance Roadmap

Most businesses don't need a grand transformation programme first. They need a sequence that brings control back without overwhelming HR and IT teams.

A six-step information governance roadmap graphic showing the progression from current state to future state.

Phase one assess current state

Start with discovery. You need to know which employee data exists, where it sits, who touches it and whether duplicate copies are floating around.

Focus on real workflows, not abstract categories. Follow a starter, a job applicant, a grievance case and a leaver record through the systems. That exposes the practical weaknesses quickly.

A useful checklist:

  • Map systems first: Include SharePoint, Teams, Exchange, payroll interfaces, file shares and any Power Platform apps.
  • Identify sensitive categories: Health data, identity records, disciplinary material and financial details need tighter treatment.
  • Trace access paths: Find out not just who should have access, but who has access.

Phase two define strategy and policies

Once the map is clear, decide the rules. Keep them short enough to use. Long governance documents often fail because they read like legal appendices rather than operating instructions.

Good policy is specific enough for IT to configure and simple enough for managers to follow.

Set policy around three things first. Access, retention and approved storage locations. If those are unclear, everything else becomes inconsistent.

You can use a practical GDPR compliance checklist for Microsoft-based organisations as a working reference when turning legal obligations into operational controls.

Phase three implement tools and controls

Microsoft 365 proves its value through these actions: Apply conditional access where appropriate, tighten SharePoint permissions, structure Teams ownership properly, and configure retention labels or policies only after the categories are agreed.

Avoid a common mistake here. Don't automate disorder. If the information architecture is weak, automation just scales the weakness.

Phase four train staff and review regularly

Governance fails fastest at the manager layer. Senior HR may understand the rules, and IT may configure them correctly, but line managers still decide where to save documents, what to share and how much context to include in messages.

Training should cover ordinary decisions:

  • Where to store formal employee records
  • When not to use Teams chat for sensitive matters
  • How to handle requests for access or correction
  • What to do when a retention period expires

Review should be routine. Permissions drift. New Teams are created. New apps appear. If governance isn't revisited, entropy wins.

Enhancing HR Governance with DynamicsHub

A mid-market HR team usually hits the same wall. Microsoft 365 gives them SharePoint, Teams, Entra ID and Purview controls, but the actual work still happens across inboxes, spreadsheets, local folders and manager workarounds. That is usually when governance starts to slip, especially around recruitment files, contract changes, Right to Work evidence and employee relations cases.

Generic tools give you the base. A purpose-built HR layer addresses the operational detail that generic repositories do not handle well.

We are DynamicsHub.co.uk. Experience HR transformation built around your business. Hubdrive's HR Management for Microsoft Dynamics 365 is the premier hire‑to‑retire solution, more powerful, more flexible, and more future‑ready than Microsoft Dynamics 365 HR.

Screenshot from https://www.dynamicshub.co.uk

Built on Microsoft Dataverse, Hubdrive's HR Management for Microsoft Dynamics 365 keeps HR data inside the customer's own Microsoft environment instead of scattering it across separate HR apps. For UK businesses, that matters for a simple reason. The more your HR records sit inside the Microsoft 365 stack, the easier it is to align access with Entra ID, apply retention logic consistently, and keep an audit trail that IT and compliance can review.

That design choice solves a practical problem. HR governance often fails at the handoff points between systems, not in the policy document.

Why specialist HR tooling closes the gap

Broad governance principles sound sensible until HR has to apply them to live processes. Candidate records need controlled access before employment starts. Manager approvals need traceability. Case files need tighter visibility than a standard team site. A specialist platform closes that gap by turning policy into structure.

In practice, that means:

  • Recruitment and onboarding: Candidate data sits in a managed workflow rather than in inbox chains and ad hoc folders.
  • Right to Work checks: Supporting evidence can stay with the employee record in the same governed environment.
  • Retention and auditability: HR teams can apply lifecycle decisions with clearer ownership and a better record of who changed what.
  • Role-based access: Sensitive information can be segmented properly across HR, line managers and administrators.

For mid-market firms, this is often the trade-off. A general Microsoft 365 setup is cheaper to start with, but it relies heavily on staff discipline and manual consistency. A Dataverse-based HR layer takes more design upfront, but it reduces the day-to-day guesswork that creates governance failures later.

A more defensible way to run confidential HR processes

HR confidentiality depends on more than system security. It depends on who can see what, how records are classified, whether approvals are captured properly, and whether the business can explain its handling of sensitive people data under scrutiny. Teams that want an outside perspective on those obligations may also find this expert guide on PEO HR compliance helpful, particularly as a companion read on confidentiality expectations and practical controls.

The strongest advantage of a Microsoft-native HR platform is control inside one environment. Data stays in the tenant. Permissions can follow Entra ID groups and roles. Dataverse gives HR a structured data model instead of a loose document dump, which makes it easier to separate employee data, track process history and support defensible decisions when a query, grievance or access request lands.

Moving Beyond Compliance to Competitive Advantage

The businesses that handle information well don't just reduce risk. They make better decisions, respond faster to employee issues and waste less time hunting for records. Information governance improves trust because staff can see that sensitive matters are handled consistently, not improvised.

For HR and IT leaders in mid-market firms, that's the opportunity inside Microsoft 365. You already have a capable foundation in SharePoint, Teams, Entra ID and Dataverse. The difference comes from using those tools with clear ownership, controlled access, sensible retention and auditable processes around people data.

Done properly, information governance supports growth. It helps integrate acquisitions, standardise ways of working and reduce the drag caused by duplicate records and unclear responsibilities. It also gives the business a stronger position when a complaint, audit or data request arrives.

Control is the point. Not bureaucracy for its own sake, and not technology for technology's sake. The goal is a working system where HR, IT and compliance can rely on the same rules, the same records and the same source of truth.


DynamicsHub helps UK organisations turn that model into a practical HR operating environment inside Microsoft 365. If you want a more controlled, audit-ready approach to HR data, visit DynamicsHub, phone 01522 508096 today, or send us a message.

author avatar
Chris Pickles Director / Dynamics 365 and Power Platform Architect & Consultant
Chris Pickles is a Dynamics 365 specialist and digital transformation leader with a passion for turning complex business challenges into practical, high-impact solutions. As Founder of F1Group and DynamicsHub, he works with organisations across the UK and internationally to unlock the full potential of Dynamics 365 Customer Engagement, HR solutions, and the Microsoft Power Platform. With decades of experience in Microsoft technologies, Chris combines strategic thinking with hands-on delivery. He designs and implements systems that don’t just function well technically — they empower people, streamline processes, and drive measurable performance improvements. Known for his straightforward, people-first approach, Chris challenges conventional thinking and focuses on outcomes over features. Whether modernising customer engagement, transforming HR operations, or automating processes with Power Platform, his goal is simple: build solutions that create clarity, capability, and competitive advantage.

Related Posts

© 2026, DynamicsHub, AllRights Reserved