What is SharePint, Anyway?



I posted a question to one of the SharePoint forums on LinkedIn – directed toward other presenters and SharePoint Saturday organizers – asking what we can do to get more people participating in the post-event SharePint activities. There was a large response, and many great ideas were discussed. At the core, however, was the simple need to let people know what a SharePint is, and answer some basic questions:

First, SharePint is about socializing with other members of the community, pure and simple. These sometimes impromptu events follow just about every SharePoint conference and major event – or happen whenever a couple of SharePointers are in town and looking to connect with the local community. I like to tell people that 3 or more SharePointers in a public location constitutes a SharePint.

Second, yes, the event includes the word “Pint” instead of “Point,” but that doesn’t mean everyone attending is consuming adult beverages. The sole purpose of SharePint is to help the community connect, socialize, extend their learning. Venues vary, but each location generally offers food and drink, and plenty of space to congregate and get to know each other.

Third, several of the suggestions from the LinkedIn forum mentioned the need to do a better job of letting people know when and where a SharePint is happening. I believe it is a safe assumption that during or following any SharePoint conference there will be a SharePint. They are always spearheaded by one or more community members, sometimes with sponsors. RackSpace has been sponsoring quite a few, creating a shirt and logo, as well as buying everyone a round of draft beer. Most, however, are less formal (although, who can refuse a free t-shirt?).


Some of the best practices we are trying to promote through the SharePoint Saturday events is to identify the SharePint location well in advance and to include details and maps on the event site, as well as to ask presenters to mention details – and whether they plan to attend or not – during their sessions, and to personally invite all to attend.

I would love to continue to have this discussion here on NBSP.com and get more feedback from the community on how we can better connect experts and the community, whether through SharePints or other social gatherings.

My call to action for all of you is to not let the next SharePint come and go without participating. Take advantage of this great opportunity to socialize, and participate!

Quick Access to Contacts


Ivan writes on Stump the Panel,

In SP 2007 custom list I have for example first , last name, phone number and e-mail address columns.

In order to show this list view on the front page (with limited space) I would like to show icon representing this column values linked to data instead showing the actual data (phone number or mailto:e-mail)

John Doe [Icon1] [icon2]
Jane done [Icon1] [icon2]

Icon1 or Icon2 are small pics of phone and envelope.
When you click on Icon1 user see (pop-up, hoover, tooltip…) phone number
When user clicks on icon2 will open e-mail client (Outlook)

He had also pinged me on Twitter that this should be a no code solution. I’ll try to keep it as no code as possible, but it won’t be easy. We will have to grab Christophe Humbert’s glorious text to HTML script in order to make this work. I’ll also throw in a bonus offer of a data view web part solution, since no code has different interpretations depending on who you talk to.

The calculated column method

If you’re new to Sharepoint 2007 or just emerging from under your rock, you should already know the magic of Christophe’s text to html script. If not, it allows us to use calculated columns to create html markup and have it render AS html when the page is rendered, which is wicked cool in my opinion. Without the script, it renders as straight text not interpreted by the browser as html.

So with ivan’s requirements in hand, I went to find a basic starting point to at least showcase what is possible with calculated columns. This can be taken and run with. I was working off a Contacts list, but a custom list would work fine too, the concept is still the same.

In my list, I created a new column called emIcon of type calculated with the following function where Email Address is the email address column in my list:

=CONCATENATE("<DIV><a href='mailto:",[E-mail Address],"?subject=test'><img src='http://spdomain/sites/sitecollection/_layouts/images/gmailnew.gif' alt='Email User' style='border:0px' /></a></DIV>")

What this will render is a clickable image that will open an Outlook message window. The image I chose to use is located in the _layouts folder, you could always upload and link to your own icon if you want. To see all the images in the _layouts folder, check out Peter Allen’s SharePoint Layout Images page.

The next step is to show the phone number. I went with a simple approach using the calculated column since I didn’t want to start trying to write javascript inline in the function. It’s the old SharePoint alt img trick. So I created a new calculated column called phIcon with the following function:

=CONCATENATE("<DIV><img src='http://spdomain/sites/sitecollection/_layouts/images/plplay1.gif' alt='Phone Number: ",[Business Phone]," title='Phone Number: ",[Business Phone],"' /></DIV>")

This will just show an image (no phone-esque images in the layouts folder unfortunately) and when you mouse over the image, will show Phone Number: 419-555-1234. Shout out to Northwest Ohio there, sorry let’s continue.

Now you just need to create a view with the user and these 2 calculated columns and put it on the home page. Once you have that positioned, drop in Christophe’s text to html script right below it and you’ll have something that should look like this:


The data view web part method

In part 2, I’ll show a method to accomplish this in a data view web part. Stay tuned.

Using SharePoint Excel Web Services


Today a teacher came to me to ask if there was a way that she could show a section of an Excel spreadsheet on our Learning Gateway, yes of course there is I said. This post will now detail what steps we took to complete her request

Named Section

The first task I needed the teacher to do was decide which section of the spreadsheet they wanted to appear on the Learning Gateway. In SharePoint 2010 you can show the complete spreadsheet but what is really neat is the ability to show just the cells or worksheet you want the users to see.


As you can see the spreadsheet is only using a small number of cells so the best way is to just present this to the user through SharePoint 2010. To do this highlight the cells you want to show and right click somewhere in the highlighted cells


From the pop up menu select Define Name

Give the selection a name in the dialogue box and click OK


The selection now has a name that can be used in SharePoint 2010

Excel Web Services

Once the selection has been named you will need to upload the file to a document library.

Once this is done, create a new web part page and add the Excel Web Access web part to the page


You should now see this on the page


Clicking on the link to open the tool pane will allow you to specify where the Excel spreadsheet is located


In this box you can enter the address if you know it or use the button to browse the site for the file

The second box is where the named section comes into play that we created earlier. In this text box enter the name you gave the highlighted section of the spreadsheet.

Click OK and you should now see just the cells that you highlighted in the spreadsheet. The graphic below shows one we use in our School, obviously the names are all blacked out, but you can see that the user is presented with just the cells that are relevant from the spreadsheet.


What this allows you to do is present data in a spreadsheet to a user in a simple way. You can go into even more detail by allowing editing and hyperlinks etc but in its simplest use, it just makes accessing data so much easier.

How are businesses using SharePoint?

Next Monday, January 31, Derek Weeks and I will be presenting the results gathered from the survey taken at SPSEMEA. We had over 800 responses, so what you’ll see is the most recent data we have and how we are interpreting it.

The session will be live online, sponsored by SharePoint Saturday Boston Webinar Series. Plan on joining us. You’ll get the latest info we have, plus we’ll get you a copy of the slidedeck so you’ll have something you can refer to.

Looking forward to seeing you there.

Registration: https://www1.gotomeeting.com/register/627540137  

11:45 AM EST - 11:55 AM EST Welcome and Sign-In
11:55 AM EST - 12:00 PM EST Speaker Introduction
12:00 PM EST - 1:00 PM EST Presentation


SharePoint Survey


SharePoint 2010 Branding Series – Part Two


2011-01-26-SP2010BrandingPart02-01a.pngAs promised at SharePoint Saturday EMEA, here is the second part of the branding series the rest will follow shortly.

In part one of the series we looked at what you need to get started so I will assume you have SharePoint Designer in whatever flavour suits youand a copy of Randy Drisgil’s Starter master page.

The assumption is that you will be using a publishing site although I will try and mention any of the differences when and where I know about them.

To enable the publishing features in a team site you have to enable the site collection feature called “SharePoint Server Publishing Infrastructure” and the site feature called “SharePoint Server Publishing”.

Remember to add http:// before the web address or you may hit the following problem

Firstly, start up SharePoint designer and connect to your chosen site, so in my example I am using the http://www.spsdemo.com/sites/weknownothing/ site and once we have connected we face the SharePoint Designer welcome screen which gives you an overview of the site with site information, permissions, customization, settings and subsites (if you have any).


On the left hand side you will see “Master Pages” which, if you click the pin (see below),


will open a small pane below the categories and display all the Master Pages and relevant page layouts, although it doesn’t show the masterpage browser so we will need to click anywhere else on that category (i.e. not the pin – this is just a good way to see the files).

The first thing you will notice is that we don’t have the Starter Master Page and we will need to upload the master page for it to appear in this list.

Now there are a few ways to do this,

a. Copy and paste the file from your computer into the masterpage browser inside SharePoint Designer

b. Click “import files” within the SharePoint Designer ribbon and browse for the file.

c. Go to Site “Site Actions” > “Site Settings” and click “Master Pages” or ”Master Pages and Page Layouts” which is under the “Galleries” section. You then need to click on documents in the ribbon and upload document.

Now the problem with methods a and b is that the masterpage doesn’t seem to appear in the list at least certainly not for me. Not only that but it is also unavailable in the browser unless it is checked in and published.

Therefore, my method for uploading is c. This allows you to select the content type, which for us is Publishing Master Page.

If you select the wrong content type the master page will not appear in SharePoint Designer under masterpages as I think SharePoint Designer uses the content type to group the, well, the content types2011-01-26-SP2010BrandingPart02-05.gif

What we need to do now is create a stylesheet and then link the style sheet to the masterpage and that will conclude part two of the series.

Create your stylesheet in the Style Library by navigating to All Files

Where you put the stylesheet isn’t that important as long as you can reference it in a logical way i.e. storing it in a subsite document library that may be permissioned for certain users, is not a good idea.

With this in mind and with the fact that I remember them being stored in Style Library in SharePoint 2007, I tend to stick to that location.

Unfortunately in SharePoint Designer, there is no easy way to get to the Style Library, so it will just be a case of browsing All Files to find it. Once you are inside Style Library you can click File in the ribbon and then CSS (this will allow you to rename the file).

Finally, we will open our masterpage and add the link to the stylesheet.


Now we have uploaded the files to the relevant areas, I will assume you know where they are when I refer to them. It is important to get your head around the structure of SharePoint and more importantly, the way SharePoint Designer 2010 structures the catagories on the left and has the All Files section at the bottom.

Open the masterpage (if you have publishing enabled it will ask you to check it out), switch to code view if it’s not there already and then navigate to line 74 and 75 which look like this;

 <!-- link to our custom css  -->
<SharePoint:CssRegistration name="/Style Library/sitename/style.css" After="corev4.css" runat="server"/>

You will now need to change the code to reflect the location of the css file you have created. You can then go ahead and save the file and we may as well check it in and publish it at this point.

 <!-- link to our custom css  -->
<SharePoint:CssRegistration name="/Style Library/engageinsharepoint-v1.css" After="corev4.css" runat="server"/>

That concludes the second part of the series and I apologise for the laboureous nature of this part. I promise in the next part we will start getting into the meaty part of editing the masterpage and CSS.

Download the two files in the following zip
Share Point Branding Series V1

Matthew Hughes

SharePoint 2010 Related List Pre-fill


If you need to track relational information in SharePoint 2010, this solution is 80% likely to make your life easier with little effort. It makes adding a child items under a parent smoother for the end user.

About Related Lists

SharePoint 2010’s related lists enables parent-child relationships between lists.

For example, I have a list of donors, and for each donor I have multiple contributions.

John Smith has made two contributions, a scholarship and cars:


The Problem

I want to add a new contribution for John. I click Add New Item under John’s contributions above. A new contribution form appears, but John’s name is not pre-filled.


I have to pick John manually before adding the new contribution.


This fix will pre-fill John’s name. More generally, it pre-fills the lookup to the proper parent item when adding a child. It does not require Designer or custom code, just JavaScript and the JQuery library.

Familiar with Related Lists?

If not, check out this overview from SharePoint 911. To move forward, you must have: 1.) a parent list, 2.) at least one child list, 3.) related list web part(s) on the parent list’s display form.

Applying the Fix

First, download SharePoint 2010 Related List pre-fill and JQuery. Place these files in a library on your farm. End users must have read access to the scripts.

Go to any view in the parent list - in this case, Donors. Select List Tools / List on the ribbon, then click the pencil icon (edit list forms) and select Default Display Form.



The display form for Donors appears in Edit mode. Under Insert in the ribbon, click Web Part. Select the Content Editor Web Part.



Click into the Content Editor Web Part to get a cursor, then in the ribbon choose to edit the HTML source.


Paste this code, replacing PATHTOJQUERY and PATHTOJS with the appropriate directories:

Save the page.


Go to any view in the child list - in this case, Contributions.


Select List Tools / List in the ribbon, then click the pencil icon (Edit List Forms) and select Default New Form.


Follow the same instructions to add a content editor web part and paste the following code. Replace PATHTOJQUERY and PATHTOJS with the appropriate directories. Replace NAME OF LOOKUP FIELD with the lookup field in the child that refers to the parent - in this case, Donor.

Save the page.

That’s it!

The Result

Now, when a user views a Donor record and adds a new contribution, the donor field pre-fills.

More generally, on your site, the parent-child relationship is smoother.

Clicking add new under Contributions (a related list in Donors)…


… pre-fills the related donor automatically.


Another Way

Laura from SharePoint 911 blogged about a similar method using a data view web part.

SURVEY RESULTS - SharePoint 2010 Adoption Eclipses SharePoint 2007


Earlier this month, EndUserSharePoint.com and Global 360 conducted the latest update to their survey “How are businesses using SharePoint?” The first survey in August 2010 collected 886 responses, and this latest update captured 830 responses. The goal of the survey was to:

  • Determine the breadth and depth of SharePoint usage in the market today vs. August 2010
  • Understand how companies are driving value out of their implementations, and
  • Identify challenges related to their investment.

We were certainly surprised at the changes revealed in SharePoint over the past six months, including:

SharePoint 2010 Adoption Surges in Past 6 Months. The survey revealed that SharePoint 2010 deployments increased from 8% in Aug-10 to 44% in Jan-11. Not only was the growth of SharePoint 2010 deployments impressive, but they outpaced the SharePoint 2007 deployments noted by 43% of survey participants – down from 81% who took the August 2010 survey. The January survey also revealed that the Middle East leads SharePoint 2010 deployments with 3:7 ratio of 2007 to 2010 deployments. North America lags the world with a 2:1 ratio of 2007 to 2010.


SharePoint is solidifying position as mission-critical part of IT and business. As SharePoint is deployed across more organizations, 33% of companies say over half the documents in SharePoint are considered mission-critical, up from 27% in Aug-10. With its growing presence in the enterprise, we expect that this growth was attributed to SharePoint capturing more content that would have been previously slated for other enterprise content management solutions. Additionally, as businesses are increasing using SharePoint for workflow and process management, mission-critical content can now be put in motion across the business. Nearly 6 in 10 survey respondents are using or plan to use workflow/BPM applications with their SharePoint platform.


“SharePoint as a Development Platform” is still frustrating users. As Microsoft and its partners continue to promote SharePoint as an application development platform, users are not necessarily finding it easier to use. Even though SharePoint 2010 adoption increased dramatically in the past 6 months, the #1 challenge survey participants noted in both the Aug-10 and Jan-11 surveys was “development time and effort to build business applications”. The challenge of development time and effort also points to reasoning behind the #2 challenge revealed in the Jan-11 update, “end user training / adoption”. If end users are not finding applications that suit their needs, they are less likely to use or readily adopt SharePoint – certainly one of the challenges expressed in an earlier EUSP article, “SharePoint’s Inconvenient Truth”.

On Monday, January 31st, Mark Miller and Derek Weeks will be presenting many of the results from the 2011 survey and comparing them with the 2010 survey results. The presentation was already scheduled as an online recap of the 2010 survey presentation they gave at SharePoint Saturday Boston in September 2010. To register for Monday’s webinar comparing the 2010 and 2011 SharePoint survey results, you can register on the SharePoint Saturday Boston site here.

Anyone can download a free paper detailing the 2010 survey responses here (no registration required). On the same page, you can also register to receive a copy of the 2011 report. If you are one of the 1700+ who participated in the 2010 or 2011 surveys, you will automatically be sent a copy of the updated 2011 paper when it is published (target: February 7th).

In this session, Derek Weeks and Mark Miller will do a broad analysis of the SharePoint market. They will also compare some of the surprising deltas between the Aug-10 and Jan-11 survey responses. For example, did you know that SP2010 deployments have increased 5x in the past 6 months?

The presentation includes a drill down on SharePoint in the real world using the following survey findings:

  • Adoption of SharePoint
  • Widespread Deployment
  • Using SharePoint for Portals, WorkFlow, and Process Management
  • Mission-Critical Processes and SharePoint Documents
  • Challenges with SharePoint Implementations
  • Exposing Legacy or Other Application Data to SharePoint
  • Conclusions and Recommendations

Those attending the session will receive a color printed copy of the survey and will receive updates every six months as the data is refreshed.

SharePoint 2010 Branding Series – Part One


Straight from SharePoint Saturday EMEA here is the branding series which compliments my session and gives a step by step guide to the work I was doing during the session.

The design I have is something I created a short while ago for the Samworth Enterprise Academy Website which, I must say, isn’t brilliant but I have always maintained I am a developer more then a designer.

Samworth Enterprise Academy Website

So that’s the design now how do we get it into SharePoint?

What you will need

For this series we will be using Randy Drisgill’s (@drisgill) Starter Master Page which you can find on codeplex.

My last plug for Randy will be the book available from Amazon which will probably make my series of posts look amateur. You can find the book here.

Of course you will also need SharePoint Designer in either 32-bit or 64-bit and I think with that we are good to go.

The site I will be working on will be available shortly and I will make each masterpage available in each post and at the end of the series.

Check back over the next few days for the next part of the series or follow me on twitter (@mattmoo2) and you will see when it’s posted.

Matthew Hughes

Mike Oryszak and Jeff Willinger on Improved Social Features



In this latest installment of the video series The One Thing You Need to Know About SharePoint 2010, I spoke with SharePoint MVP and Principal Consultant at Intellinet Mike Oryszak, following the SharePoint Saturday Virginia Beach event, about rich user profiles. His comments were in alignment with the feedback from Jeff Willinger, Director of Social Computing at RightPoint, when we talked at SharePoint Saturday Boston about the much improved social experience in SharePoint 2010.

As both experts point out, at the center of the social computing experience in SharePoint 2010 is the rich user profile, which is an update to the My Sites — but is much more closely aligned to the search experience, and drives much of the social features in the platform. As Jeff states, SP2010 is much more social with its tagging, comments and ratings, ease of sharing documents and end user status, and to search for and find expertise. He refers to the My Sites as a "poor man’s Facebook for the enterprise" (which seems to contradict all the licensing pricing I’ve seen), which means it is a personal information hub for the enterprise user.

Mike expands on this idea by describing it as an aggregated profile that users can utilize to find each other and their content, but also which can be utilized by complex business processes, such as approval workflows, to power business logic within tools and services in SharePoint. In the past, this information was split up across several locations, but with SP2010, its all in one place.

Here are some additional resources for My Sites and social computing in SharePoint 2010:

SharePoint and Personally Identifiable Information (PII) – Part II


2011-01-21-SPAndPersonallyIdentifiableInfo-01.pngSeveral months ago I wrote an article on SharePoint, Data Security and Personally Identifiable Information that talked about PII and Data Security and why it is important that you be aware of these things as a SharePoint Administrator. In this article I have taken a bit deeper dive specifically into the realm of PII since it is my belief that this area will become more and more of an issue as aspects of SharePoint 2010 are implemented. This will be especially true in the area of compliance and I think it will become more evident as the efforts to put better laws in place to protect our personal privacy are put in place at a federal level.

As someone that has supported implementations for SharePoint’s largest customer, the US Federal Government, working around the issues brought on by the collection, management, retention and removal of PII has become almost a daily event for me over the last several years. For most SharePoint Administrators supporting implementations at private or publically held organizations this probably isn’t the case……………………yet.

That’s right, I said “yet”.

As the federal government comes to realize, more and more, that the way our personal information is handled is important to us as citizens and consumers, and as the web becomes even more of the way we handle our day to day lives (paying bills, making online purchases, having health related information made available across networks to doctors across the country and around the world, etc….) the more likely it is that our elected representatives will get off their collective butts and address an issue that they have all but ignored.

Who is collecting what information about you, where are they storing it, how long are they storing it for, who are they sharing it with, how are they securing it, and what processes are in place to both prevent a security breach of the system storing your personal information and what are they going to do if a breach of that system occurs?

That’s a pretty long list of things to address and not something to be undertaken lightly. In this article we are going to talk about what PII is, the “concept” of PII, where you might find instances or examples of PII in your SharePoint implementation, and what steps you can take to mitigate or manage that information.

What is Personally Identifiable Information or PII?

The United States Office of Management and Budget defines PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual.”1

Let’s consider a couple of examples that I have seen over time that in most environments wouldn’t be considered an issue but when used in a Federal Government SharePoint implementation are sure to cause administrators a considerable amount of heartburn.

  • In MOSS 2007 one of the things that excited a number of groups in my end user community was the ability to easily associate a photograph with someone’s profile. That functionality seems innocent enough until you take the description above by OMB and apply those guidelines. By combining a name with an image you have crossed the line of what constitutes PII.
  • In SPS 2003, MOSS 2007 and SP 2010 the contacts list by default includes a field for home phone number. Again, you wouldn’t normally think of this as an issue but when you combine the home phone number with a name or home address you have once again crossed the line into the land of PII.

The Concept of PII

It’s very important to realize that the concept of privacy and its relation to the law is somewhat illusive. Nowhere in the United States Constitution or the Bill of Rights does the word “privacy” appear. There have been numerous court rulings, international agreements, executive orders and laws that form the basis of what we consider to be our right to privacy. In addition to forming the basis of our right to privacy those executive orders and laws were also created to address concerns regarding the protection of personal information held by the federal government. It’s extremely important to realize that these laws deal specifically with federal government entities and do not have any authority over the collection, use and storage of personal information by other public and private entities.

The two most important and broadly scoped of those laws are the Privacy Act of 1974 and the Computer Matching and Privacy Act. The Privacy Act was an extension of the Freedom of Information Act (FOIA) of 1966. The Privacy Act was adopted to protect personal information stored in federal databases as well as to provide individuals with certain rights over the information stored in those databases. Some of the highlights of the Privacy Act include:

  • Covers the vast majority of personal records systems maintained by the federal government.
  • Was developed to specifically address problems posed by electronic record keeping technologies being introduced.
  • Provides individuals with the right to access and challenge contents of records related to them.
  • Requires that content may only be exposed with the individual’s consent or for purposes announced in advance.
  • Requires that federal agencies publish an annual list of systems maintained by the agency that contain personal information.

The Computer Matching and Privacy Act of 1988 was an amendment to the Privacy Act and specifically addressed the sharing of personal information between agencies for the purpose of determining eligibility for federal benefits programs, recouping payments or recovering debts under those programs.

In addition to these two initial acts there are a large number of more narrowly scoped laws in place that are applicable to privacy and data protection. These laws generally fall into one of two categories: the status of information held by the federal government and the treatment of sensitive personal information held by sources outside the federal government. Some examples of each would include:

  • National Education Statistics Act – amended provisions for the National Center for Educational Statistics and the National Assessment of Educational Progress which dramatically revised confidentiality and dissemination practices in place at both Centers.
  • Tax Reform Act – put changes in place that limit disclosure of returns and returns information, makes information contained in a tax return confidential, and identifies specific procedures for the disclosure of information, authorizes users that suffer an unauthorized disclosure to bring civil action for damages and costs related to the disclosure.
  • The Fair Credit Reporting Act – provides regulation of the personal information and financial information used by the various credit reporting agencies.
  • Video Privacy Protection Act of 1988 – provides that the disclosure of video rental records containing PII is against the federal criminal code (with certain exceptions), authorizing any person wronged by the release of PII associated with a video rental record to bring a civil action and requires the destruction of PII records within a specific period of time.

Classification of PII

PII is generally classified by an organization’s senior leadership and/or legal counsel and usually results in two groupings: Moderately Sensitive PII and Highly Sensitive PII. Once the classifications have been set information considered to be of a personal nature is grouped under each classification. For example the legal counsel of an organization may decide that a portion of the information they collect from their employees is “less” sensitive than another subset so they might break their information set up as follows:

  • Moderately Sensitive PII
    • Name – first and last or first initial and last name
    • Home address
    • Home phone number
    • Cell phone number
    • Date of birth
    • E-mail address or addresses
  • Highly Sensitive PII
    • Social Security Numbers or individual Tax IDs
    • Bank or checking account information
    • Credit card information (PCI) (number, CCV, expiration date etc….)
    • Debit card information (number, PIN)
    • Previous names (maiden, aliases, mother’s maiden name)
    • Physical characteristics (eye color, height, weight, scars, tattoos)
    • Passport number
    • Digital or electronic copies of a personal handwritten signature
    • Drivers license number
    • Protected Health Information (PHI) – HIPPA related information

Both of these types of personal information must be protected by implementing measures that address storage, transmission, retention and destruction of these information types.

We’ll get to that in just a minute.

For now we’ll cut to the chase and talk about PII and SharePoint in the same context. (I bet you never thought we would get to this did you?)

Where Would I Find PII in my SharePoint Farm?

If you look at the two lists above the answer to at least a portion of this questions should be very obvious. Almost all of the information in the list of Moderately Sensitive PII is part of the default content type for the SharePoint Contacts list. The only item not there is date of birth and I have seen administrators that added that so that teams could easily schedule birthday parties.

The contents of the second list, Highly Sensitive PII, would not be normally found as part of a list or content type. However, take into consideration what your organization or customer may be using SharePoint for and that could very well change. Also keep in mind that PII wouldn’t necessarily be stored as a column in a list or library (although it could be). It is almost a certainty that one of the items listed in either of the lists above will be found in a document in your SharePoint farm. Some areas that this would be likely in:

Human Resources – does your customer or organization use SharePoint for HR purposes? If so this is a location that would be highly susceptible to having PII stored somewhere.

  • Emergency Contact Information – home address and phone number as well as the name(s) of people close to you as an emergency contact.
  • Resumes – contact information (email addresses, home addresses, phone numbers etc…), or educational history. However, of more concern might be something like salary history if it was included in someone’s resume.
  • Direct Deposit information – although normally used by accounting (you’ll see it there also) almost all HR offices will keep copies of this information which includes not only your checking account number, but routing information, contact information and if you elected to have it on your check, your social security number.
  • Performance evaluations – salary history, disciplinary actions (if any), possible bonus information, job responsibilities.
  • Benefits – this is a highly sensitive area because it could include medical insurance information, names and social security numbers of your family members, 401k or retirement information and contact information again. Health Insurance Portability and Accountability Act (HIPAA) – applies to protected health information (related to treatment, payment and operations activities).
  • Personnel records – depending on the guidelines in place at your customer or organization you may find that employee personnel records not only include contact information (name, address and phone number) but social security numbers as well.

Accounting – almost anything connected to financials is going to be considered to be at least moderately sensitive PII. Salary and billing rates, bank account information (from direct deposit), or any corporate credit cards you may hold (account numbers, authorization names, contact information). There are also a several high profile laws that may fall under accounting that would address issues pertaining to PII (among other things):

  • Sarbanes-Oxley (SOX) – applies to accounting information stored electronically in spreadsheets.
  • Payment Card Industry Data Security Standard (PCI) – applies to credit and debit card information stored, processed or accessed in an Information System (IS), in this case it could be your SharePoint farm.
  • Gramm Leach Bliley Act (GLBA) – applies to financial information commonly stored in customer databases and spreadsheets.

In House Travel – storing travel profiles in SharePoint? Then you may see things like passport numbers, credit card information, upcoming travel dates and destinations, or frequent flyer program information.

Legal – it’s LEGAL! Storing contracts, leases, ongoing lawsuits, depositions? Any of those things would likely be considered highly sensitive by corporate counsel.

Contracts – some of the organizations I’ve worked with manage all the documentation associated with a contract competition in SharePoint. Almost all of that information would be considered highly sensitive as a great deal of it is company proprietary or of a personal nature; resumes, billing rates, salaries, contact information, etc….

Obviously this is a short list of where you might find PII in your SharePoint farm. If you take a few minutes to give it some thought you can probably come up with some others. One other thing that you may have noticed is that in addition to PII you see several instances that could be considered compliance related (as in being compliant with a legal statute or law) or related to data security. I think that over time you will find that all 3 (PII, compliance and data security) are closely tied together.

Addressing PII in your Organization

Time for the $64,000 question, how do I handle PII in my organization? The short answer is, tread lightly and write well. The longer, more complicated answer is, make sure that when you write your governance plan you address the issues of PII and compliance clearly and completely. My personal opinion is that it is crucial that you keep your governance plan as short as possible while covering as many of the bases as possible. If you fail to do this and end up with a governance plan that is 30 pages long there is a good chance that nobody will ever read it, much less know it and adhere to it.

I think you would be much better served by creating a separate policy to address issues surrounding PII, compliance and data security and referencing that policy from your governance plan. How that policy is structured and what it actually contains is obviously up to you, but a few areas I feel it is imperative to address:

  • Education and awareness are keys in any effort to manage and maintain PII in your SharePoint farm. If your end users and administrators don’t know and understand what PII is, what pieces of information constitute PII, and why it is important to know where PII exists and who put it there then they won’t ever make the effort to follow any guidelines you put in place.
  • There should be a process or procedure in place to identify areas within your SharePoint farm where PII or sensitive information/data exists. This might be something as simple as a checkbox in a list used to track new site creation requests that asks “Will this site be used to store, manage or maintain any kind of PII related information?”
  • Implement a process or procedure that identifies and tracks the criteria that must be met before a SharePoint site, or applications within your SharePoint farm, that will contain PII or sensitive data may be created as well as the identity of the approval authority for that request.
  • Implementation of a process or procedure that tracks the individuals responsible for the management of SharePoint sites, or applications within your SharePoint farm, that contains PII or sensitive information.
  • Tracking who has access to sites, applications, lists or libraries where PII related information is stored is essential. This should also be combined with the auditing and logging of those areas where PII is stored or maintained.
  • Set retention policies for PII related information or data. Bearing in mind that this is mandated for certain kinds of PII by various laws (for example The Video Privacy Protection Act of 1988 mentioned above) you should have a procedure in place that not only addresses how long PII related information is retained but what happens when that retention period is reached.
  • Address data encryption - where possible encrypt any PII sent out side of your organizations corporate network. The encryption of data at rest or in transmission is quickly becoming a requirement of the numerous laws, regulations, contractual requirements and industry standards that govern data security. Additionally, when you consider it is more than likely that you have a large number of users that are “mobile” via laptop, tablet or smartphone when you encrypt data sent outside the network, both in transit and in storage, the likelihood of a privacy breach will be reduced significantly.
  • Consider establishing a process or procedure that manages how access is granted, removed and access requests are tracked. It is critical that you know how and when users are added and removed, who added or removed a user, and what was the business justification for granting a user access to a specific resource. In the event of a privacy or data breach this information will be a key in identifying who had access to the compromised resource.
  • Consider establishing a process or procedure for the periodic review and assessment of the information stored in your SharePoint farm paying particular attention to those sites where privacy information was NOT previously stored. There are a number of 3rd party tools that do this automatically.


The following list of resources will provide you with links to 3rd party tools specific to SharePoint for doing compliance scans of your farm content and links to websites that while not necessarily SharePoint specific will provide you with a wealth of knowledge regarding privacy, PII and data security.

Information Shield - United States Privacy Laws
Information Shield - International Privacy Laws
LawBrain - US Privacy Law
TechPolicy.com - Data Privacy Law: The Basics
NYMITY - Privacy Breach Analysis
InformationWeek - States’ Rights Come to Security Forefront

Links to the following applications are not intended as endorsements of those applications

HiSoft - Compliance Sheriff for Microsoft SharePoint Server 2007/2010
AvePoint - Compliance Products
CipherPoint - SP Enterprise


Do you remember when I said that “For most SharePoint Administrators supporting implementations at private or publically held organizations this probably isn’t the case……………………yet.”?

The main reason I said that is there is a growing momentum for the regulation of online data and privacy. With continued stories about the never ending issues surrounding privacy and Facebook and/or Google in the news, what seems like daily, our elected representatives are finally waking up and may look at doing something about the problem. There are currently at least 3 congressional initiatives regarding legislation to address privacy concerns. The one very large problem is that within the United States there are probably too many privacy laws so there is no single overarching law that addresses concerns at the state and federal level.

Eventually we, as a country, will get there. It’s just a question of when and who will be driving the bus. If rumors are to be believed the entity that ends up with oversight of online privacy and data security may well be the Federal Trade Commission (FTC).

Regardless it’s better to be ahead of the curve than behind it!