Records management of Confluence: what you need to know

Tip Sheet

Confluence is a popular platform with great productivity capability, but it does not include compliant records management, and has some gaps for information governance. For regulated organisations using Confluence, they need to make sure their business use of the system is capturing, classifying, and sentencing records in accordance with their obligations, for their whole lifecycle.

Confluence is a content collaboration and management workspace, designed to help teams work together effectively. It creates a site that allows teams to share knowledge and collaborate on project data. Confluence can be hosted on premises or in the cloud (SaaS), or in a Data Centre (self-managed).

Confluence contains records of business: that is, evidence of decisions, processes, and outcomes. Sometimes, the only evidence for a decision is in Confluence, because it is difficult to copy the content and context of this tool into a traditional record-keeping system. As such, the platform needs the following basic capability:

  • Records Management with automatic registration, classification, sentencing, and disposition  
  • Security and Privacy Management by automatically identifying high-risk information
  • Audit and monitoring with events captured on all records, by all users, and across all systems
  • Alerts and reporting when high-risk or high-value content is created, modified, or moved  
  • eDiscovery with powerful and defensible search, ontology, and relating records across systems, as well as Legal Hold

Confluence is designed for seamless productivity, not information and records governance.

  • There is no formal records management or retention management in Confluence. Data is retained in the system unless and until it is deleted by a user.
  • Data security and privacy: this is managed via a data security policy, which is comprised of policy coverage and policy rules. The data security policy can identify some types of PII data or other sensitive information. This is only available in Atlassian Access, the Confluence cloud authentication integration subscription.
  • Audit logging: this is limited in Confluence unless the organisation has a subscription to Atlassian Access. These logs are only stored for 180 days. Tracking user-created activity in the audit log is only available on the Enterprise plan.
  • Alerts and reporting: search results can be: emailed to users according to their preferred schedule; exported in RSS or Excel for example; and displayed in report format or in the UI.
  • Legal hold: There is no formal legal hold in Confluence and this function is managed by changing permissions.

So how can you achieve effective information governance in Confluence, even using the Enterprise plan and/or Atlassian Access?

Our clients use Castlepoint with Confluence (on premises and cloud hosted) to provide autoclassification, compliant records management, and to make it discoverable through a single pane of glass with their other enterprise systems. They use Castlepoint’s organisation-specific sensitive data detection capability to manage security and privacy risk in Confluence, and to alert and report on breaches or spills. They can use Castlepoint to apply Legal Hold for ESI, and to compliantly preserve or export its content as required.

All this is done in an agentless, connectorless model. Castlepoint is a manage-in-place solution, and does not copy, move, or modify Confluence content. It does not change the Confluence user experience in any way, or install any components or customisations.

Content in Confluence is broken up into Spaces. Spaces contain pages, and pages can have attachments and comments.

Castlepoint can treat the whole system, each Space, or each Page, as a meaningful record, containing record associations (or ‘items’). The context level is configurable and based on your organisation’s preference.

  • For System-level records, all pages and attachments found below that system are identified as a record association/item
  • For Space records, all pages and attachments found below that Space are identified as a record association/item
  • In the case of Page records, both a record and item are created for that page. Any attachments are also represented as items.

Castlepoint registers, reads, and automatically classifies the content and metadata of all items and records, and assigns a sentence and retention period for each record automatically. It also manages the rest of the information governance lifecycle, from security and privacy, through to auditing and reporting, to eDiscovery. Deployment of Castlepoint and interface with Confluence can be completed in hours, getting you compliant quickly without overheads or impacts.

Contact our team for a demonstration of this capability, or to see how Castlepoint manages other systems like Jira, Google Workspace, Box, AWS buckets, Azure Blob storage, Content Manager, Salesforce, OpenText, the Microsoft 365 platform (Teams, SharePoint, OneDrive, and Exchange Online), or even local workstations.