Undertaking a Subject Access Request (SAR) can be a painful experience, particularly for smaller organisations, and for those experiencing the process for the first time. Office 365 provides some useful tools to help make the technical side of identifying and exporting content simple.
Office 365’s Security & Compliance Center provides a wealth of advanced tools for securing the information within your tenancy. I personally love making use of the Advanced Data Governance features that allow you to classify and retain your content for regulatory compliance. However, the ‘Content search’ tool provides an excellent, tenancy-wide tool for facilitating subject access requests.
Accessing the Content search
The first thing to establish is that you have permissions to access the Content search tool. To successfully execute a subject access request within Office 365, you need to be set up as a member of the eDiscovery Manager group (or eDiscovery Administrators).
Once you have permissions to use Content search, you should be able to navigate to the tool in your tenancy’s Security & Compliance Center. If you are struggling to find the tool, try using Edge, as we’ve found navigation within Security & Compliance can be inconsistent in other browsers.
The search and export process
Using Content search to facilitate a subject access request is a three-stage process.
Stage 1 – Search for content
Within Content search, click on ‘New search’ to configure keywords and conditions for your query. It’s often best to split the subject access request into a series of separate queries, to help return precise results.
These search query settings are critical to get right if you want to get an accurate outcome. If your search terms are too broad, they will likely result in significant volumes of data; whereas if you are too specific, you might well be excluding information that is subject to the access request.
It’s essential to take your time at this stage, to explore the various options, and make sure that you test the criteria you use. We’ve found that it’s important to make use of the various search operators to make your query accurate. Through a combination of parentheses, double quotes and boolean operators, it’s possible to construct really quite complex queries.
Before running the query, you need to determine which areas of the Office 365 tenancy you will search against. Your choice here will depend upon which services your organisation uses, but in our experience, it’s typically best to separate your Exchange and SharePoint searches so that you can apply different filters in each area. For example, within Exchange you can search specific mailboxes and by sender/receiver, whereas finding similar information within documents is likely to require additional keywords.
Once you have run your query, it’s always useful to take a look at the search statistics. You can do this by changing the ‘Individual results’ drop down on the preview page. Search statistics give you an excellent overview of your query, especially when multiple keyword conditions have been used, as they provide a breakdown of results by site, mailbox and even by specific query clauses.
When you first select ‘Save & run’, you will be asked to name your search. You need to be a little careful here, because there are certain characters (such as the semi colon) that can be used, but which will later prevent the content from being successfully exported to your local machine.
Stage 2 – Prepare results for export
Before you can download the search results, you first need to prepare them for export. To achieve this, navigate to the Search tab, then select the specific results you wish to export. NB, if you can’t see your query, try using the refresh button to reload the page.
A summary panel will appear providing you with an overview of the search, when ready, select ‘Export results’, found under the ‘More’ drop down list.
The Export results panel provides a number of different options to explore, which depend upon your specific need, however, we’d recommend considering the exclusion of results that are in an unrecognised format, and also enabling Exchange content de-duplication, both of which help to reduce the volume of information that is returned. It’s worth noting that duplicate emails are not removed from the result totals until after you have exported the data, but in most cases can more than halve the number of emails you need to download.
Once you select the ‘Export’ button the panel will close. Behind the scenes the export will be being prepared, this process should only take a few minutes for each query (depending upon the amount of data).
Stage 3 – Export to your local machine
After the results have been prepared for export, you will be able to find them listed on the ‘Export’ page. By choosing to ‘Download the results’ you will be given an export key, which can be used with the eDiscovery Export Tool to save the results to your local machine. Microsoft recommend downloading to a local disk drive, rather than a network drive, to increase the speed of download (by minimising disk activity).
The end to end process is a surprisingly fast way to export large volumes of data from your Office 365 tenancy. While this makes it very simple to technically comply with a subject access request, a lot of emphasis is placed on the quality of your search queries. We have found that it can often be challenging to find queries that provide a manageable volume of data, but still provide all of the results that contain personal information – this is especially the case once you consider searching by name. While the technology provides a great solution, often the real effort behind a successful subject access request is to carefully define the queries, to limit the results to a practical amount of content, so that following export the data can be manually processed.