SharePoint and OneDrive DSAR Redaction Guide

Document-Centric DSAR Challenges

SharePoint sites and OneDrive for Business accounts store the documents that form the backbone of organizational knowledge — reports, spreadsheets, presentations, project plans, meeting notes, and collaborative workspaces. When these documents are included in a DSAR export, they bring a distinct set of redaction challenges that differ from email and chat data.

The primary difference is structural. Where email has predictable header fields and chat has participant metadata, documents have free-form content with personal data appearing anywhere — in body text, table cells, chart labels, comments, tracked changes, headers, footers, watermarks, and embedded document properties. A single SharePoint-hosted spreadsheet might contain personal data for hundreds of individuals across multiple worksheets and columns.

What Gets Exported from SharePoint and OneDrive

When Purview eDiscovery searches SharePoint sites and OneDrive accounts, results are exported in their native file formats — DOCX, XLSX, PPTX, PDF, and others. The export also includes SharePoint list data as CSV files and any web pages as HTML or ASPX files. SafeRedact directly processes DOCX, XLSX, PDF, CSV, TXT, HTML, and JSON files from these exports. For PPTX and ASPX files, convert to PDF before uploading.

Each exported file retains its metadata, including the document author, last modifier, creation date, and any custom properties defined by SharePoint columns. This metadata itself can contain personal data — the author field reveals who created the document, and custom columns might store employee IDs, department names, or other identifiers.

Hidden PII in Office Documents

Tracked Changes and Comments

Word documents with tracked changes contain a revision history that identifies every person who edited the document, along with their specific edits. Comments attribute each note to a named individual. Both tracked changes and comments persist even after the document appears to be in its final form — they are visible to anyone who enables the review features. These hidden layers require specific attention during DSAR preparation: organizations should accept all changes and remove comments before exporting documents for redaction, or flag these files for manual review.

Document Properties and Metadata

Every Office document stores metadata in its file properties: author name, last modifier, company name, and manager field. Some organizations configure templates that automatically populate additional metadata. This data is not visible when viewing the document normally but is accessible through file properties and programmatic inspection. Because this metadata sits outside the document's readable text, it requires separate handling — organizations should use the Document Inspector feature in Office applications to review and remove metadata before including files in a DSAR response package.

Embedded Objects

Documents may contain embedded Excel charts, linked files, or OLE objects that carry their own metadata and content. A PowerPoint presentation with an embedded Excel chart, for example, may expose the spreadsheet author's name and any personal data in the underlying data range. These embedded elements sit outside the primary text extraction path and should be flagged for manual review. Converting complex documents to PDF before processing can help capture visible embedded content in a format SafeRedact can analyze.

SharePoint List and CSV Exports

SharePoint lists exported as CSV files can contain personal data in any column. Contact lists, project tracking sheets, HR records, and customer databases are all commonly stored in SharePoint lists. Each row may represent a different individual, and the column structure means personal data appears in predictable positions — making automated detection particularly effective.

SafeRedact's Document Processing

SafeRedact extracts readable text from Office documents and passes it through the multi-layer detection engine. For Word documents (DOCX), the system uses body text extraction to capture paragraph content, which covers the primary text of the document. For Excel files (XLSX), every worksheet is processed cell by cell across all sheets, with individual cell values and full row content both analyzed for PII. SafeRedact does not currently process PPTX files — convert presentations to PDF before uploading for best results.

CSV files from SharePoint list exports are processed with column context. SafeRedact prepends column headers to each cell value before analysis — so a value like "07442 839 201" in a column labeled "Mobile" is sent to the detection engine as "Mobile: 07442 839 201," giving the AI layer additional context for accurate classification. Every cell in every row is analyzed, ensuring thorough coverage of personal data across the entire dataset.

SafeRedact's output is a set of redacted plaintext files with PII replaced by category markers like [NAME], [EMAIL], and [PHONE], packaged as a downloadable ZIP with an audit trail. This plaintext approach ensures that no hidden metadata, embedded objects, or revision history survives the redaction process — a significant advantage over tools that attempt to redact within the original file format and risk leaving PII in document properties or tracked changes. For files where the original format must be preserved, organizations should use SafeRedact's detection results as a guide for targeted manual redaction in the source document.

Microsoft, Microsoft 365, Office 365, Teams, SharePoint, Exchange Online, OneDrive, Outlook, and Purview are trademarks of Microsoft Corporation. SafeRedact is not affiliated with or endorsed by Microsoft.