Microsoft offers several analytical and reporting functionalities with its Office 365 products. Microsoft Teams comes with “a new analytics and reporting experience” - in the words of Microsoft itself. This blog discusses one specific report in the Teams admin center: the user activity reports.
A Teams user activity report gives insight into the types of activities of individual end users. A Teams admin can find detailed information on each user about for example the time spent in videocalls and the number of chat messages posted in the Teams admin center. For each meeting, the admin can see the meeting start time and date, duration, number of participants, names of participants, device and system information for each participant, connectivity and network information, as well as ‘other’ data related to the quality of the connection.
The report provides insight in how you use Teams, and detailed information about your interactions in Teams.
You might be unhappy about the user activity report because:
Microsoft, can you start respecting Privacy by Default, please.
If you use Teams at work, ask who is the Teams admin. Inform with him/her if the analytics and reporting functionality is used. Reach out to your privacy officer or Data Protection Officer and inform about the Data Protection Impact Assessment (DPIA). The DPIA should provide you with the comfort that someone assessed privacy risks and took measures. Measures include changing the admin view on the data to only show pseudonymous data and implementing policies to prevent use of the analytics and reporting functionality for anything but for managing the application. If an organization finds some analytics to be necessary, the legal ground of the processing and the purposes must be clearly defined in transparent policy rules.
Yes. Next to the Microsoft Teams admin center, Teams activities are reported in the Microsoft 365 admin center. Microsoft Viva Insights combines for example detailed user activity insight of Teams, OneDrive and SharePoint. Microsoft MyAnalytics, Microsoft Delve, and Workplace Analytics (the latter now part of Viva Insights) offer additional analytical and reporting functionalities. Combined, these tools can negatively be used as an employee monitoring tool, to assess productivity, attendance, behavior and calculate hours worked.
Organizations that use Teams should at least select the pseudonymization option, create clear rules for the permitted use of the analytical reports, and perform a DPIA on the impact of combined analytical tools.
Apart from analytics and reporting, your organization should carefully consider the impact of the use of additional tooling such as the Connected Experiences, SMS for authentication, the risk of undue access by US government authorities, and more.
Organizations bear a responsibility to assess and control privacy risks when deploying Microsoft Teams
Privacy Company has pointed out that Microsoft should comply with the principle of privacy by default. Though Microsoft offers an option to present a pseudonymous view of the users in the Teams admin center, we believe this measure is not sufficient (see our most recent DPIA). Microsoft does not explain what the result is of the pseudonymization choice offered to admins: does this also have an impact on the raw Diagnostic Data held by Microsoft? Because Microsoft creates the Teams analytics and reports by default, Microsoft also factually determines this purpose of the data processing, and behaves as a joint controller. With the absence of privacy by default, and the lack of information on the pseudonymization choice, nor your organization, nor Microsoft can successfully invoke any legal ground for this processing.
Privacy Company continues to inspect the data processing activities by Microsoft. We contribute to worldwide improvements by handing over our findings as part of negotiations between Microsoft and the Dutch government. Our work is not limited to Microsoft: we also perform DPIAs on services from other big cloud providers, such as Zoom and Google. At Privacy Company, we are happy to help you assess the specific risks when you deploy tools from cloud providers.