Empowering employees after the call: Enabling and securing Microsoft Teams meeting data retention at Microsoft

Dec 7, 2023   |  

A cross-disciplinary team is helping us put policies in place to retain Microsoft Teams meeting data like meetings and transcriptions safely and effectively.

Copilot for Microsoft 365 Deployment and Adoption Guide

Read our step-by-step guide on deploying Copilot for Microsoft 365 at your company. It’s based on our experience deploying it here at Microsoft:

Microsoft Teams meetings help our globally distributed and digitally connected employees create meaningful hybrid work experiences. When those meetings are recorded and transcribed or their data becomes available to AI-powered digital assistants, their impact increases.

Although these features have proven to be incredibly useful to our employees and our wider organization, there are also concerns about how retaining Microsoft Teams meeting data might affect our security posture, records retention policy, and privacy. Just like any other company, we at Microsoft have to balance these varying aspects.

At Microsoft Digital (MSD), the Microsoft IT organization, we’re leading cross-disciplinary conversations to ensure we get it right.

[Learn how Microsoft creates self-service sensitivity labels in Microsoft 365. Discover getting the most out of generative AI at Microsoft with good governance.]

Policy considerations of Microsoft Teams meeting data retention

Our Microsoft Teams meeting data comes in the form of three main artifacts: recordings, transcriptions, and data that AI-powered Microsoft 365 Copilot and recap services can use to increase our general business intelligence.

The three key artifacts of Microsoft Teams meeting data retention: recordings, transcriptions, and the data used by AI-powered tools.
Our Microsoft Teams meeting data retention efforts focus on three key artifacts: recordings, transcriptions, and the data used by AI-powered tools.

We find meeting recordings and transcripts are helpful for many reasons, including helping us overcome accessibility issues related to fast-paced, real-time meetings or language differences—this is a powerful way to level the playing field for our employees. Our ability to share recordings and transcripts also supports greater knowledge transfer and asynchronous work, which is especially helpful for teams that operate across time zones.

We tend to think of the recordings we make during meetings as an individual’s data, but they actually represent the company’s data. We want to empower individuals, but we have to remember that retention and volume impacts of these artifacts on the company can be substantial.

—Rachael Heade, director of records compliance, Microsoft Corporate, External, and Legal Affairs

Heade and Johnson pose for pictures assembled into a collage.
Rachael Heade from CELA and David Johnson from Microsoft Digital are part of a collaborative team thinking through how we govern Microsoft Teams data and artifacts.

Microsoft Teams Premium enables AI-generated notes, task lists, personalized timeline markers for video recaps, and auto-generated chapters for recordings. Within a meeting, the Microsoft 365 Copilot sidebar experience helps our late-joining employees catch up on what they’ve missed, provides intelligent prompts to review unresolved questions, summarizes key themes, and creates notes or action items.

The helpfulness of these tools is clear, but data-retention obligations introduce challenges that organizations like ours need to consider. First, producing and retaining this kind of data can be complex if it isn’t properly governed. Second, data-rich artifacts like video recordings occupy a lot of space, eating up cloud storage budgets.

“We tend to think of the recordings we make during meetings as an individual’s data, but they actually represent the company’s data,” says Rachael Heade, director of records compliance for Microsoft Corporate, External, and Legal Affairs (CELA). “We want to empower individuals, but we have to remember that retention and volume impacts of these artifacts on the company can be substantial.”

In light of these potential impacts, some organizations simply opt out of enabling Microsoft Teams meeting recordings.

Asking the right questions to assemble the proper guardrails

Our teams in MSD, our IT group, and CELA, our legal division, are working to balance the benefits of Microsoft Teams meeting data retention with our compliance obligations to provide empowering experiences for our employees while keeping the company safe.

“Organizations are always concerned about centralized control over the retention and deletion of data artifacts,” Heade says. “You have excited employees who want to use this technology, so how do you set them up so they can use it confidently?”

As an organization, this is about thinking through your tenant position and getting it to a reasonable state.

—David Johnson, tenant and compliance architect, MSD

Like many policy conversations, getting this right starts with our governance team in MSD and our internal partners asking the employees from across the company who look after data governance the right questions:

  • When should a meeting be recorded and when should it not?
  • What kind of data gets stored?
  • Who can initiate recording, and who can access it after the meeting?
  • How long should we retain meeting data?
  • Where does the data live while it’s retained?
  • How can we control data capture and retention?
  • What does this mean for eDiscovery management?

These questions help us think about the proper guardrails. Our IT perspective is only one part of the puzzle, so we’re actively consulting with CELA, corporate security, privacy, the Microsoft Teams product group, the company’s data custodians, and our business customers throughout this process.

“As an organization, this is about thinking through your tenant position and getting it to a reasonable state,” says David Johnson, tenant and compliance architect with MSD.

Our conversations have brought up distinctions that any organization should consider as they build policy around Microsoft Teams meeting retention:

  • The length of time a meeting’s data remains fresh, relevant, or useful
  • The difference in retention value between operational and informational meetings, for example, weekly touchpoints versus project kick-offs or education sessions
  • The different risks inherent in recordings compared to transcriptions
  • Establishing default policies while allowing variability and flexibility when employees need it
  • Long-term retention for functional artifacts like demos and trainings

From sharing perspectives to crafting policy

Our policies around Microsoft Teams meeting data retention continue to evolve, but we’ve already implemented some highly effective practices, policies, and controls. Every organization’s situation is unique, so it’s important that you speak to your legal professionals to craft your own policies. But our work should give you an idea of what’s possible through out-of-the-box features within Microsoft Teams.

The bottom line is that we rely on our employees to be good stewards of the company. But because we’ve got a good governance model in place for Teams and good overall hygiene for our tenant, we’re well set up to deal with the evolution of the product and make these decisions.

—David Johnson, tenant and compliance architect, MSD

The policies we’ve put in place represent a mix of technical defaults, meeting options, and empowering employees to make informed decisions about usefulness and privacy. They also build on the foundations of our work with sensitivity labeling, which is helping secure data across our tenant.

  • Transcript attribution opt-out gives employees agency and reassures them that we honor their privacy.
  • User notices alert employees when a recording or transcription starts, allowing them the opportunity to opt out, request that the meeting go unrecorded, or leave the call.
  • Nuanced business guidance from CELA through an internal Recording Smart Use Statement document helps employees understand the implications of recording, when not to record, and when not to speak in a recorded call.
  • Recommending that employees “tell and confirm” before recording empowers and supports our people to speak up when they don’t believe the meeting should be recorded or don’t feel comfortable.
  • We didn’t wait for compliance recording: Although this choice would require that a user consent to recording before unmuting themselves, we decided that opt-outs and user notices provided sufficient agency to our employees.
  • Meeting labels that limit who can record mean only the organizer or co-organizer can initiate recordings for meetings labeled “highly confidential.”
  • Only meeting organizers can download meeting recordings to keep the meeting data contained and restrict sharing.
  • The default OneDrive and SharePoint meeting expiration is set to 90 days to ensure we minimize the risk of data leakage or cloud storage bloat.

These policies reflect three core tenets we use to inform our governance efforts: empower, trust, and verify.

“The bottom line is that we rely on our employees to be good stewards of the company,” Johnson says. “But because we’ve got a good governance model in place for Teams and good overall hygiene for our tenant, we’re well set up to deal with the evolution of the product and make these decisions.”

We can’t recommend that any organization follow our blueprint entirely, but asking some of the same questions as we have can help build a foundation. To start, read our blog post on how we create self-service sensitivity labels in Microsoft 365 and explore this Microsoft Learn guide on meeting retention policies in Microsoft Teams.

With a firm grasp of the technology and close collaboration with the right stakeholders, you can guide your own policy decisions and unlock the right set of features for your team.

Key Takeaways
Here are some tips for approaching meeting data retention at your company:

  • Face the fear and get comfortable with being uncomfortable: First, establish your concerns, then work toward optimizing your policy compliance.
  • Consider how to support your company’s compliance obligations while allowing your employee population to take advantage of the product, and let those things live together side-by-side.
  • Connecting with your legal team is essential because they’re the experts on assessing complex compliance questions.
  • Investigate meeting labels and what policies you might want to apply to meetings based on sensitivity and other attributes.

Try it out
See how Microsoft Teams Premium can help you manage your data retention.

Related links

We'd like to hear from you!
Want more information? Email us and include a link to this story and we’ll get back to you.

Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

Tags: , , , , , ,