Would you like to share detailed information on how you use Microsoft Teams? Oh… chances are you are doing so already!
Microsoft offers several analytical and reporting functionalities with its Office 365 products. Microsoft Teams comes with “a new analytics and reporting experience” - in the words of Microsoft itself. This blog discusses one specific report in the Teams admin center: the user activity reports.
A Teams user activity report gives insight into the types of activities of individual end users. A Teams admin can find detailed information on each user about for example the time spent in videocalls and the number of chat messages posted in the Teams admin center. For each meeting, the admin can see the meeting start time and date, duration, number of participants, names of participants, device and system information for each participant, connectivity and network information, as well as ‘other’ data related to the quality of the connection.
The report provides insight in how you use Teams, and detailed information about your interactions in Teams.
You might be unhappy about the user activity report because:
- You were unaware that Microsoft saves all this data on how you use Teams. And that Microsoft presents your activity data to the Teams admin(s) who can view it as trends, sort users by their activity, and drill down into the finest detail in the Teams admin center.
- It makes you wonder which colleague(s) has/have access to the user activity reports. And what (s)he does with this information. If you’re working for a fairly large or formalized organization, the Teams admin probably sits in the IT-department with well-established policies which ensure that the admin center is used for managing the application. And for nothing else. However, in many organizations, roles might not be strictly divided. It could be your colleague or manager ‘who does IT on the side’, who has access to the reports with your activities in great detail.
- Knowing that your activities in Teams can be monitored, can create a chilling effect on your use of Teams. This can infringe on your privacy rights, and impede your exercise of related fundamental rights such as the freedom to send and receive information.
- Microsoft turns all analytic views on by default. So, if no one paid attention when your organization implemented Teams, this is happening. Now. The data goes back to the last 90 days.
Microsoft, can you start respecting Privacy by Default, please.
What can you do?
If you use Teams at work, ask who is the Teams admin. Inform with him/her if the analytics and reporting functionality is used. Reach out to your privacy officer or Data Protection Officer and inform about the Data Protection Impact Assessment (DPIA). The DPIA should provide you with the comfort that someone assessed privacy risks and took measures. Measures include changing the admin view on the data to only show pseudonymous data and implementing policies to prevent use of the analytics and reporting functionality for anything but for managing the application. If an organization finds some analytics to be necessary, the legal ground of the processing and the purposes must be clearly defined in transparent policy rules.
Are there more considerations?
Yes. Next to the Microsoft Teams admin center, Teams activities are reported in the Microsoft 365 admin center. Microsoft Viva Insights combines for example detailed user activity insight of Teams, OneDrive and SharePoint. Microsoft MyAnalytics, Microsoft Delve, and Workplace Analytics (the latter now part of Viva Insights) offer additional analytical and reporting functionalities. Combined, these tools can negatively be used as an employee monitoring tool, to assess productivity, attendance, behavior and calculate hours worked.
What can your organization do?
Organizations that use Teams should at least select the pseudonymization option, create clear rules for the permitted use of the analytical reports, and perform a DPIA on the impact of combined analytical tools.
Apart from analytics and reporting, your organization should carefully consider the impact of the use of additional tooling such as the Connected Experiences, SMS for authentication, the risk of undue access by US government authorities, and more.
Organizations bear a responsibility to assess and control privacy risks when deploying Microsoft Teams
What does Privacy Company do?
Privacy Company has pointed out that Microsoft should comply with the principle of privacy by default. Though Microsoft offers an option to present a pseudonymous view of the users in the Teams admin center, we believe this measure is not sufficient (see our most recent DPIA). Microsoft does not explain what the result is of the pseudonymization choice offered to admins: does this also have an impact on the raw Diagnostic Data held by Microsoft? Because Microsoft creates the Teams analytics and reports by default, Microsoft also factually determines this purpose of the data processing, and behaves as a joint controller. With the absence of privacy by default, and the lack of information on the pseudonymization choice, nor your organization, nor Microsoft can successfully invoke any legal ground for this processing.
Privacy Company continues to inspect the data processing activities by Microsoft. We contribute to worldwide improvements by handing over our findings as part of negotiations between Microsoft and the Dutch government. Our work is not limited to Microsoft: we also perform DPIAs on services from other big cloud providers, such as Zoom and Google. At Privacy Company, we are happy to help you assess the specific risks when you deploy tools from cloud providers.