Empowering employees after the call: Enabling and securing Microsoft Teams meeting data retention at Microsoft

Microsoft Teams meetings help our globally distributed and digitally connected employees create meaningful hybrid work experiences. When those meetings are recorded and transcribed or their data becomes available to AI-powered digital assistants, their impact increases.

Although these features have proven to be incredibly useful to our employees and our wider organization, there are also concerns about how retaining Microsoft Teams meeting data might affect our security posture, records retention policy, and privacy. Just like any other company, we at Microsoft have to balance these varying aspects.

At Microsoft Digital, the company’s IT organization, we’re leading cross-disciplinary conversations to ensure we get it right.

{Learn how Microsoft creates self-service sensitivity labels in Microsoft 365. Discover getting the most out of generative AI at Microsoft with good governance.}

Policy considerations of Microsoft Teams meeting data retention

Our Microsoft Teams meeting data comes in the form of three main artifacts: recordings, transcriptions, and data that AI-powered Microsoft 365 Copilot and recap services can use to increase our general business intelligence.

We find meeting recordings and transcripts are helpful for many reasons, including helping us overcome accessibility issues related to fast-paced, real-time meetings or language differences—this is a powerful way to level the playing field for our employees. Our ability to share recordings and transcripts also supports greater knowledge transfer and asynchronous work, which is especially helpful for teams that operate across time zones.

Microsoft Teams Premium enables AI-generated notes, task lists, personalized timeline markers for video recaps, and auto-generated chapters for recordings. Within a meeting, the Microsoft 365 Copilot sidebar experience helps our late-joining employees catch up on what they’ve missed, provides intelligent prompts to review unresolved questions, summarizes key themes, and creates notes or action items.

The helpfulness of these tools is clear, but data-retention obligations introduce challenges that organizations like ours need to consider. First, producing and retaining this kind of data can be complex if it isn’t properly governed. Second, data-rich artifacts like video recordings occupy a lot of space, eating up cloud storage budgets.

“We tend to think of the recordings we make during meetings as an individual’s data, but they actually represent the company’s data,” says Rachael Heade, director of records compliance for Microsoft Corporate, External, and Legal Affairs (CELA). “We want to empower individuals, but we have to remember that retention and volume impacts of these artifacts on the company can be substantial.”

In light of these potential impacts, some organizations simply opt out of enabling Microsoft Teams meeting recordings.

Asking the right questions to assemble the proper guardrails

Our teams in Microsoft Digital and CELA, our legal division, are working to balance the benefits of Microsoft Teams meeting data retention with our compliance obligations to provide empowering experiences for our employees while keeping the company safe.

“Organizations are always concerned about centralized control over the retention and deletion of data artifacts,” Heade says. “You have excited employees who want to use this technology, so how do you set them up so they can use it confidently?”

Like many policy conversations, getting this right starts with our governance team in Microsoft Digital and our internal partners asking the employees from across the company who look after data governance the right questions:

• When should a meeting be recorded and when should it not?
• What kind of data gets stored?
• Who can initiate recording, and who can access it after the meeting?
• How long should we retain meeting data?
• Where does the data live while it’s retained?
• How can we control data capture and retention?
• What does this mean for eDiscovery management?

These questions help us think about the proper guardrails. Our IT perspective is only one part of the puzzle, so we’re actively consulting with CELA, corporate security, privacy, the Microsoft Teams product group, the company’s data custodians, and our business customers throughout this process.

“As an organization, this is about thinking through your tenant position and getting it to a reasonable state,” says David Johnson, tenant and compliance architect with Microsoft Digital.

Our conversations have brought up distinctions that any organization should consider as they build policy around Microsoft Teams meeting retention:

• The length of time a meeting’s data remains fresh, relevant, or useful
• The difference in retention value between operational and informational meetings, for example, weekly touchpoints versus project kick-offs or education sessions
• The different risks inherent in recordings compared to transcriptions
• Establishing default policies while allowing variability and flexibility when employees need it
• Long-term retention for functional artifacts like demos and trainings

From sharing perspectives to crafting policy

Our policies around Microsoft Teams meeting data retention continue to evolve, but we’ve already implemented some highly effective practices, policies, and controls. Every organization’s situation is unique, so it’s important that you speak to your legal professionals to craft your own policies. But our work should give you an idea of what’s possible through out-of-the-box features within Microsoft Teams.

The policies we’ve put in place represent a mix of technical defaults, meeting options, and empowering employees to make informed decisions about usefulness and privacy. They also build on the foundations of our work with sensitivity labeling, which is helping secure data across our tenant.

• Transcript attribution opt-out gives employees agency and reassures them that we honor their privacy.
• User notices alert employees when a recording or transcription starts, allowing them the opportunity to opt out, request that the meeting go unrecorded, or leave the call.
• Nuanced business guidance from CELA through an internal Recording Smart Use Statement document helps employees understand the implications of recording, when not to record, and when not to speak in a recorded call.
• Recommending that employees “tell and confirm” before recording empowers and supports our people to speak up when they don’t believe the meeting should be recorded or don’t feel comfortable.
• We didn’t wait for Compliance Recording: Although this choice would require that a user consent to recording before unmuting themselves, we decided that opt-outs and user notices provided sufficient agency to our employees.
• Meeting labels that limit who can record mean only the organizer or co-organizer can initiate recordings for meetings labeled “highly confidential.”
• Only meeting organizers can download meeting recordings tokeep the meeting data contained and restrict sharing.
• The default OneDrive and SharePoint meeting expiration is set to 90 days to ensure we minimize the risk of data leakage or cloud storage bloat.

These policies reflect three core tenets we use to inform our governance efforts: empower, trust, and verify.

“The bottom line is that we rely on our employees to be good stewards of the company,” Johnson says. “But because we’ve got a good governance model in place for Teams and good overall hygiene for our tenant, we’re well set up to deal with the evolution of the product and make these decisions.”

We can’t recommend that any organization follow our blueprint entirely, but asking some of the same questions as we have can help build a foundation. To start, read our blog post on how we create self-service sensitivity labels in Microsoft 365 and explore this Microsoft Learn guide on meeting retention policies in Microsoft Teams.

With a firm grasp of the technology and close collaboration with the right stakeholders, you can guide your own policy decisions and unlock the right set of features for your team.