Control 1.9: Data Retention and Deletion Policies

Overview

Control ID: 1.9
Control Name: Data Retention and Deletion Policies
Regulatory Reference: FINRA 4511, SEC 17a-3/4, GLBA 501(b), SOX 404
Setup Time: 2-3 hours (initial); ongoing policy management


Purpose

Data Retention and Deletion Policies ensure that agent-related data—including conversation logs, knowledge sources, and configuration history—is retained for required periods and properly deleted when no longer needed. For financial services, proper data lifecycle management is critical for:

  • FINRA 4511: Retain books and records for required periods (3-6+ years)
  • SEC 17a-3/4: Securities industry records retention with WORM requirements
  • GLBA 501(b): Protect and retain customer NPI appropriately
  • SOX 404: Internal control documentation retention
  • Right to Deletion: Managing customer deletion requests within regulatory constraints
  • Agent Compliance: Ensuring AI conversation logs meet regulatory retention

Prerequisites

Primary Owner Admin Role: Purview Records Manager
Supporting Roles: None

Required Licenses

  • Microsoft 365 E5 OR Microsoft 365 E3 + Compliance add-on
  • Microsoft Purview Data Lifecycle Management

Required Permissions

  • Compliance Administrator (create retention policies)
  • Records Management Administrator (records management)
  • Power Platform Administrator (Power Platform data policies)

Dependencies

  • Control 1.7 (Audit Logging): Audit data covered by retention
  • Control 4.3 (SharePoint Retention): SharePoint-specific retention
  • Control 2.13 (Documentation): Documentation retention requirements

Pre-Setup Checklist

  • [ ] Regulatory retention schedule documented and approved
  • [ ] Data classification for retention identified
  • [ ] Agent conversation log locations identified
  • [ ] Disposition reviewers assigned
  • [ ] Legal hold procedures documented

Governance Levels

Baseline (Level 1)

Define retention schedule aligned to regulations; implement basic Purview retention policies.

Automated retention with disposition review workflow; separate policies per governance tier.

Regulated/High-Risk (Level 4)

Policy-driven automated retention with legal hold support; immutable deletion audit trail.


Setup & Configuration

Step 1: Create Retention Labels for Agent Data

Portal Path: Microsoft Purview Compliance Portal → Data lifecycle management → Microsoft 365 → Labels

  1. Navigate to Microsoft Purview Compliance Portal
  2. Go to Data lifecycle management → Microsoft 365
  3. Select Labels tab → + Create a label

Label 1: Agent Conversations - 7 Year

  1. Name: FSI-AgentConversations-7Year
  2. Description: "Agent conversation logs - FINRA/SEC 7-year retention"
  3. Retention settings:
    • Retain items for: 7 years
    • Start retention based on: When items were created
    • At end of retention period: Start a disposition review
    • Disposition reviewers: Compliance team, Records Management
  4. Click Create

Label 2: Agent Configuration - 6 Year

  1. Name: FSI-AgentConfig-6Year
  2. Description: "Agent configuration and settings history"
  3. Retention settings:
    • Retain items for: 6 years
    • At end of retention period: Delete items automatically
  4. Click Create

Label 3: Agent Knowledge Sources - Match Content

  1. Name: FSI-AgentKnowledge-Regulatory
  2. Description: "Applies source content retention to agent knowledge"
  3. Retention settings:
    • Retain items for: Based on source document label
    • Purpose: Inherit retention from underlying documents
  4. Click Create

Label 4: Agent Audit Logs - 10 Year

  1. Name: FSI-AgentAudit-10Year
  2. Description: "Agent audit and compliance logs - extended retention"
  3. Retention settings:
    • Retain items for: 10 years
    • At end of retention period: Start disposition review
    • Mark as regulatory record: Yes (immutable)
  4. Click Create

Step 2: Publish Retention Labels

Portal Path: Purview → Data lifecycle management → Microsoft 365 → Label policies

  1. Click + Publish labels
  2. Choose labels: Select all FSI agent labels
  3. Choose locations:
    • ✅ Exchange email
    • ✅ SharePoint sites
    • ✅ OneDrive accounts
    • ✅ Microsoft 365 Groups
    • ✅ Teams channel messages (if applicable)
  4. Policy name: FSI-AgentData-RetentionLabels
  5. Click Publish

Step 3: Create Retention Policies for Agent Platforms

Portal Path: Purview → Data lifecycle management → Microsoft 365 → Retention policies

Policy 1: Copilot Studio Conversation Logs

  1. Click + New retention policy
  2. Name: FSI-CopilotStudio-ConversationRetention
  3. Description: "Retain Copilot Studio agent conversations"
  4. Locations:
    • ✅ Dataverse (where Copilot Studio logs are stored)
    • ✅ Copilot interactions (Microsoft 365 Copilot; if available as a location)
  5. Retention settings:
    • Retain items for: 7 years
    • At end of retention period: Delete items automatically
  6. Click Create

Policy 2: Power Platform Activity Logs

  1. Click + New retention policy
  2. Name: FSI-PowerPlatform-ActivityRetention
  3. Locations:
    • Power Platform logs (via Dataverse)
    • Microsoft 365 audit log (Power Platform activities)
  4. Retention settings:
    • Retain items for: 7 years
  5. Click Create

  1. Click + New retention policy
  2. Name: FSI-AgentEmail-Retention
  3. Locations:
    • ✅ Exchange email (specific mailboxes if applicable)
  4. Advanced settings:
    • Apply to emails containing "agent", "copilot", "AI assistant"
  5. Retention: 7 years
  6. Click Create

Step 4: Configure Dataverse Retention (Power Platform)

Portal Path: Power Platform Admin Center → Environments → [Environment] → Settings → Data management

  1. Navigate to Power Platform Admin Center
  2. Select environment → Settings
  3. Under Data management, configure:

For Agent Activity Logs:

Table: msdyn_copilotinteraction (or similar)
Retention Period: 7 years
Archive: After 1 year
Delete: After retention period

For Agent Sessions:

Table: msdyn_copilotsession
Retention Period: 3 years
Archive: After 6 months
Delete: After retention period

Step 5: Set Up Disposition Review Workflow

Portal Path: Purview → Records management → Disposition

  1. Navigate to Records management → Disposition
  2. Configure reviewers for FSI labels:
    • Stage 1: Records Management team (initial review)
    • Stage 2: Compliance Officer (regulatory check)
    • Stage 3: Legal (if litigation concerns)
  3. For each disposition item:
    • Approve: Item deleted per policy
    • Extend: Add additional retention period
    • Relabel: Apply different retention label
    • Export: Generate evidence of disposition

Portal Path: Purview → eDiscovery → Core or Premium → Holds

For agent data that may be subject to litigation:

  1. Navigate to eDiscovery → Core (or Premium)
  2. Create or select a case
  3. Click Holds → + Create
  4. Configure:
    • Name: FSI-AgentData-LegalHold-[CaseName]
    • Locations:
      • Relevant user mailboxes
      • SharePoint sites with agent content
      • Dataverse (if supported)
    • Query: Filter for agent-related content if needed
  5. Click Create

Important: Legal hold overrides retention policies - content won't be deleted until hold is released.

Step 7: Enable Audit Logging for Deletion Events

Portal Path: Purview → Audit → Audit retention policies

  1. Navigate to Audit
  2. Create retention policy for deletion events:
    • Name: FSI-DeletionAudit-10Year
    • Record types:
      • File deleted
      • Message deleted
      • Dataverse record deleted
    • Duration: 10 years
  3. Click Save

PowerShell Configuration

# Data Retention and Deletion Policy Configuration
# Requires: Security & Compliance PowerShell

# Connect to Security & Compliance Center
Connect-IPPSSession

# ===== GET CURRENT RETENTION LABELS =====

Get-ComplianceTag | Select-Object Name, RetentionDuration, RetentionAction, IsRecordLabel |
    Format-Table -AutoSize

# ===== CREATE RETENTION LABELS =====

# Agent Conversations - 7 Year (FINRA/SEC)
New-ComplianceTag -Name "FSI-AgentConversations-7Year" `
    -Comment "Agent conversation logs - FINRA/SEC 7-year retention" `
    -RetentionDuration 2555 `
    -RetentionAction KeepAndDelete `
    -RetentionType CreationAgeInDays `
    -ReviewerEmail "compliance@contoso.com"

# Agent Configuration - 6 Year
New-ComplianceTag -Name "FSI-AgentConfig-6Year" `
    -Comment "Agent configuration and settings history" `
    -RetentionDuration 2190 `
    -RetentionAction Delete `
    -RetentionType CreationAgeInDays

# Agent Audit Logs - 10 Year (Regulatory Record)
New-ComplianceTag -Name "FSI-AgentAudit-10Year" `
    -Comment "Agent audit and compliance logs - extended retention" `
    -RetentionDuration 3650 `
    -RetentionAction KeepAndDelete `
    -RetentionType CreationAgeInDays `
    -IsRecordLabel $true `
    -Regulatory $true `
    -ReviewerEmail "records@contoso.com"

# ===== CREATE RETENTION POLICIES =====

# Copilot Studio / Power Platform retention
New-RetentionCompliancePolicy -Name "FSI-CopilotStudio-Retention" `
    -Comment "Retain Copilot Studio conversation logs" `
    -ExchangeLocation "All" `
    -SharePointLocation "All"

New-RetentionComplianceRule -Policy "FSI-CopilotStudio-Retention" `
    -Name "FSI-CopilotStudio-7Year-Rule" `
    -RetentionDuration 2555 `
    -RetentionDurationDisplayHint Days `
    -RetentionComplianceAction KeepAndDelete

# Agent-related email retention
New-RetentionCompliancePolicy -Name "FSI-AgentEmail-Retention" `
    -Comment "Retain agent-related email communications" `
    -ExchangeLocation "All"

# KQL matches a phrase only when it is in double quotes, so the query is single-quoted here
New-RetentionComplianceRule -Policy "FSI-AgentEmail-Retention" `
    -Name "FSI-AgentEmail-7Year-Rule" `
    -ContentMatchQuery '(copilot OR agent OR "AI assistant" OR chatbot)' `
    -RetentionDuration 2555 `
    -RetentionComplianceAction KeepAndDelete

# ===== PUBLISH LABELS =====

# Get all FSI agent labels
$AgentLabels = Get-ComplianceTag | Where-Object { $_.Name -like "FSI-Agent*" }

# Create label policy
New-RetentionCompliancePolicy -Name "FSI-AgentLabels-Publish" `
    -Comment "Publish FSI agent retention labels" `
    -SharePointLocation "All" `
    -ExchangeLocation "All"

# Note: Adding labels to policy requires additional configuration via portal

# ===== CHECK POLICY STATUS =====

Get-RetentionCompliancePolicy |
    Select-Object Name, Mode, Enabled, DistributionStatus |
    Format-Table -AutoSize

# ===== AUDIT RETENTION CONFIGURATION =====

# Create audit log retention policy for deletions
New-UnifiedAuditLogRetentionPolicy -Name "FSI-DeletionAudit-10Year" `
    -Description "Extended retention for deletion events" `
    -Operations FileDeleted, FileVersionRecycled, HardDelete, MoveToDeletedItems `
    -RetentionDuration TenYears `
    -Priority 100

# ===== GENERATE RETENTION REPORT =====

# Get all retention policies
$Policies = Get-RetentionCompliancePolicy

$PolicyReport = foreach ($Policy in $Policies) {
    $Rules = Get-RetentionComplianceRule -Policy $Policy.Name

    foreach ($Rule in $Rules) {
        [PSCustomObject]@{
            PolicyName = $Policy.Name
            RuleName = $Rule.Name
            RetentionDays = $Rule.RetentionDuration
            Action = $Rule.RetentionComplianceAction
            Status = $Policy.DistributionStatus
            Enabled = $Policy.Enabled
        }
    }
}

$PolicyReport | Export-Csv "C:\Governance\RetentionPolicies-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# ===== CHECK DISPOSITION REVIEWS =====

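# Get pending dispositions for the FSI agent labels.
# Get-ReviewItems is queried per label (by ImmutableId) and returns CSV rows plus headers;
# only the first page of results is read here.
$Dispositions = foreach ($Label in $AgentLabels) {
    $Page = Get-ReviewItems -TargetLabelId $Label.ImmutableId -IncludeHeaders $true -Disposed $false
    if ($Page.ExportItems) {
        $Page.ExportItems | ConvertFrom-Csv -Header $Page.Headers
    }
}

Write-Host "`nPending Disposition Reviews:" -ForegroundColor Yellow
$Dispositions | Format-Table -AutoSize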

# ===== COMPLIANCE SUMMARY =====

$Summary = @{
    TotalRetentionLabels = (Get-ComplianceTag).Count
    TotalRetentionPolicies = $Policies.Count
    PoliciesEnabled = ($Policies | Where-Object { $_.Enabled }).Count
    PendingDispositions = ($Dispositions | Measure-Object).Count
    AuditRetentionPolicies = (Get-UnifiedAuditLogRetentionPolicy).Count
    ReportDate = Get-Date
}

Write-Host "`n=== DATA RETENTION COMPLIANCE SUMMARY ===" -ForegroundColor Cyan
$Summary | Format-List

Financial Sector Considerations

Regulatory Retention Requirements

| Regulation | Record Type | Retention Period | Notes |
|---|---|---|---|
| FINRA 4511 | General books/records | 6 years | Various by type |
| SEC 17a-3 | Customer records | 6 years | First 2 years accessible |
| SEC 17a-4 | Communications | 3 years | WORM required |
| GLBA 501(b) | Customer NPI | Life + 5 years | Secure disposal |
| SOX 404 | Financial records | 7 years | Audit evidence |
| Bank Secrecy Act | SAR/CTR | 5 years | No disclosure |

Agent Data Categories for Retention

| Data Category | Description | Retention | Regulation |
|---|---|---|---|
| Conversation Logs | User-agent interactions | 7 years | FINRA 4511, SEC 17a-4 |
| Agent Configuration | Settings, prompts, parameters | 6 years | SEC 17a-3 |
| Knowledge Sources | Documents used by agents | Match source | Varies |
| Audit Logs | Security and admin events | 10 years | SOX, internal |
| Error Logs | Agent failures and issues | 3 years | Best practice |
| User Feedback | Ratings and corrections | 3 years | Model improvement |

Zone-Specific Configuration

Zone 1 (Personal Productivity)

Conversation Retention: 1 year (minimum)
Configuration Retention: 6 months
Audit Logs: 1 year
Disposition: Automatic deletion
Legal Hold: On request

Zone 2 (Team Collaboration)

Conversation Retention: 3 years
Configuration Retention: 3 years
Audit Logs: 3 years
Disposition: Manager review
Legal Hold: Department-level

Zone 3 (Enterprise Managed)

Conversation Retention: 7 years
Configuration Retention: 6 years
Audit Logs: 10 years
Disposition: Compliance review required
Legal Hold: Automatic for litigation
Record Lock: WORM for regulated records

FSI Retention Schedule

| Content Type | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|
| Agent Conversations | 1 year | 3 years | 7 years |
| Agent Config | 6 months | 3 years | 6 years |
| Knowledge Docs | Source retention | Source retention | Source retention |
| Audit Logs | 1 year | 3 years | 10 years |
| Error Logs | 6 months | 1 year | 3 years |
| User Feedback | 1 year | 2 years | 3 years |

FSI Configuration Example: Broker-Dealer

Scenario: A broker-dealer needs to retain customer service agent conversations for SEC/FINRA compliance.

Retention Configuration:

1. Customer Service Agent Conversations
   ├── Label: FSI-AgentConversations-7Year
   ├── Retention: 7 years from creation
   ├── First 2 years: Readily accessible
   ├── Years 3-7: Archive storage acceptable
   ├── Disposition: Compliance + Legal review
   └── WORM: Enabled (immutable)

2. Trade Inquiry Conversations
   ├── Label: FSI-TradeRecords-6Year
   ├── Retention: 6 years (SEC 17a-4)
   ├── WORM: Required
   ├── Disposition: Automatic after regulatory period
   └── Exception: Legal hold on request

3. Agent Configuration History
   ├── Label: FSI-AgentConfig-6Year
   ├── Retention: 6 years
   ├── Includes: Prompt templates, topics, settings
   ├── Purpose: Audit trail for agent behavior
   └── Disposition: Automatic deletion

4. Compliance Audit Logs
   ├── Label: FSI-AgentAudit-10Year
   ├── Retention: 10 years (extended for audit)
   ├── Immutable: Yes
   ├── Includes: Access, changes, errors
   └── Disposition: Archive review


Verification & Testing

Verification Steps

  1. Confirm Labels Created:
    • Purview → Data lifecycle management → Labels
    • EXPECTED: All FSI agent labels listed
  2. Verify Policy Distribution:
    • Purview → Data lifecycle management → Retention policies
    • EXPECTED: Policies show "Success" status
  3. Test Label Application:
    • Apply label to test content
    • EXPECTED: Label appears in document properties
  4. Test Retention Hold:
    • Attempt to delete labeled content
    • EXPECTED: Deletion blocked during retention
  5. Validate Disposition Workflow:
    • Create test item with short retention
    • EXPECTED: Item appears in disposition review
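
The label and policy distribution checks can also be run from Security & Compliance PowerShell, which gives an exportable record of drift from the schedule. This is an added example, not part of the original control: the helper name Test-FsiRetentionConfig and the sample objects are constructed, and the expected values are those of the three labels created in the PowerShell Configuration section.

```powershell
# Expected settings, copied from the labels created in the PowerShell Configuration section.
$ExpectedLabels = @(
    [PSCustomObject]@{ Name = 'FSI-AgentConversations-7Year'; Days = 2555; Action = 'KeepAndDelete'; Record = $false }
    [PSCustomObject]@{ Name = 'FSI-AgentConfig-6Year';        Days = 2190; Action = 'Delete';        Record = $false }
    [PSCustomObject]@{ Name = 'FSI-AgentAudit-10Year';        Days = 3650; Action = 'KeepAndDelete'; Record = $true }
)

# Hypothetical helper: returns one finding per deviation, nothing when the tenant matches.
function Test-FsiRetentionConfig {
    param(
        [object[]]$Labels,      # output of Get-ComplianceTag
        [object[]]$Policies,    # output of Get-RetentionCompliancePolicy
        [object[]]$Expected = $ExpectedLabels
    )
    $finding = { param($Object, $Issue) [PSCustomObject]@{ Object = $Object; Issue = $Issue } }

    foreach ($e in $Expected) {
        $l = $Labels | Where-Object { $_.Name -eq $e.Name } | Select-Object -First 1
        if (-not $l) { & $finding $e.Name 'label missing'; continue }
        if ("$($l.RetentionDuration)" -ne "$($e.Days)") {
            & $finding $e.Name "retention is $($l.RetentionDuration) days, expected $($e.Days)"
        }
        if ("$($l.RetentionAction)" -ne $e.Action) {
            & $finding $e.Name "action is $($l.RetentionAction), expected $($e.Action)"
        }
        if ($e.Record -and -not $l.IsRecordLabel) {
            & $finding $e.Name 'not marked as a record label'
        }
    }
    # Policy distribution: every FSI policy must be enabled and report "Success".
    foreach ($p in ($Policies | Where-Object { $_.Name -like 'FSI-*' })) {
        if (-not $p.Enabled) { & $finding $p.Name 'policy is disabled' }
        if ("$($p.DistributionStatus)" -ne 'Success') {
            & $finding $p.Name "distribution status is $($p.DistributionStatus)"
        }
    }
}

# Constructed sample objects standing in for live cmdlet output (not real tenant data).
$SampleLabels = @(
    [PSCustomObject]@{ Name = 'FSI-AgentConversations-7Year'; RetentionDuration = 2555; RetentionAction = 'KeepAndDelete'; IsRecordLabel = $false }
    [PSCustomObject]@{ Name = 'FSI-AgentConfig-6Year'; RetentionDuration = 1095; RetentionAction = 'Delete'; IsRecordLabel = $false }
    [PSCustomObject]@{ Name = 'FSI-AgentAudit-10Year'; RetentionDuration = 3650; RetentionAction = 'KeepAndDelete'; IsRecordLabel = $false }
)
$SamplePolicies = @(
    [PSCustomObject]@{ Name = 'FSI-CopilotStudio-Retention'; Enabled = $true; DistributionStatus = 'Success' }
    [PSCustomObject]@{ Name = 'FSI-AgentEmail-Retention'; Enabled = $true; DistributionStatus = 'Pending' }
)

Test-FsiRetentionConfig -Labels $SampleLabels -Policies $SamplePolicies | Format-Table -AutoSize

# Against a tenant, after Connect-IPPSSession:
# Test-FsiRetentionConfig -Labels (Get-ComplianceTag) -Policies (Get-RetentionCompliancePolicy)
```

Piping the findings to Export-Csv instead of Format-Table produces a file that can be kept with the verification evidence.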

Verification Evidence

  • [ ] Screenshot: Retention labels with settings
  • [ ] Screenshot: Retention policies with locations
  • [ ] Export: Policy distribution status
  • [ ] Documentation: Retention schedule mapping to regulations
  • [ ] Screenshot: Disposition review configuration
  • [ ] Audit log: Deletion prevention test

Troubleshooting & Validation

Issue: Retention Policy Not Applying

Symptoms: Content not being retained as expected

Solutions:

  1. Verify policy is enabled and distributed
  2. Check location scope includes target content
  3. Allow propagation time (up to 7 days)
  4. Verify no conflicting policies
  5. Check for exclusions in policy

Issue: Content Deleted Before Retention End

Symptoms: Items missing before retention period

Solutions:

  1. Check for user or admin deletion
  2. Verify retention policy scope
  3. Review if legal hold should apply
  4. Check audit log for deletion events
  5. Verify retention action is "Keep" not just "Delete"

Issue: Disposition Review Not Triggering

Symptoms: Content at retention end not appearing for review

Solutions:

  1. Verify label has disposition review action
  2. Check disposition reviewers are configured
  3. Confirm label is applied to content
  4. Review retention start date calculation
  5. Allow time for processing

Issue: Cannot Delete Content After Retention

Symptoms: Content stuck even after retention period

Solutions:

  1. Check for legal hold on content
  2. Verify disposition review was completed
  3. Check for regulatory record flag
  4. Review if preservation lock is enabled
  5. Contact compliance for manual disposition

Retention Period Requirements

| Regulation | Minimum Retention | Applies To |
|---|---|---|
| FINRA 4511 | 6 years | Books and records, communications |
| SEC 17a-3/4 | 6-7 years | Trade records, communications |
| SOX 404 | 7 years | Financial audit documentation |
| GLBA 501(b) | Per company policy | Customer financial information |

SEC 17a-4 WORM Requirements

Broker-Dealers

SEC Rule 17a-4(f) requires electronic records to be preserved in non-rewritable, non-erasable (WORM) format. Standard Microsoft 365 retention policies do not meet this requirement. See Control 1.7 for WORM compliance options.


Additional Resources


| Control | Relationship |
|---|---|
| Control 1.7 | Audit log retention |
| Control 4.3 | SharePoint retention |
| Control 2.13 | Documentation requirements |
| Control 1.5 | Sensitivity labels integration |
| Control 3.1 | Agent inventory for retention scope |

Support & Questions

For implementation support or questions about this control, contact:

  • Records Management: Retention label and policy configuration
  • Compliance Officer: Regulatory retention requirements
  • Legal: Legal hold and disposition review
  • Power Platform Admin: Dataverse retention settings

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification