Blog

Navigating productivity and privacy: A deep dive into Viva Insights governance

8 min read
Header_blogpost_A deep dive into Viva Insights governance
8 min read

Microsoft Viva Insights is a productivity tool within the Viva suite. Viva Insights allows you to gain visibility into your everyday workplace activities such as communication behaviors and collaboration patterns. The insights from this tool helps you to streamline your decision-making process and in turn, improve business performance. 

As discussed in our earlier introductory article, Microsoft Viva Insights uses data driven features to help you work more effectively without being overloaded. Features are available to individuals, managers and leaders at all levels to view metrics for themselves, their team and the organisation.  Access to team and organisation features is one of the key governance controls you will need to consider and is managed through roles and discussed in the manage access section of this article. 

Governing Viva Insights 

Viva Insights builds on Exchange Online and as such inherits the compliance features and settings from the configuration for Exchange, particularly as regards to data retention. Plus, as with any tool which has a Microsoft Teams app, the Microsoft Teams admin centre is used to control access to Viva Insights app in Teams. 

A specific governance concern with Viva Insights, even more than the other Viva tools is privacy of personally identifiable data. It is vital to consider the app specific controls and information visibility when designing your Viva Insights deployment.   

One of the key privacy configuration options is to decide if users will need to choose to opt-in to Viva Insights or be opted-in by default and able to choose to opt-out. This privacy setting can be configured at tenant level or user level using PowerShell. 

Microsoft has published guidance on privacy in respect of both personal insights and advanced insights including organisation (manager & leader) insights. This guidance gives more details on how Viva Insights processes data, including how this meets international personal data regulations. 

Data Location 

As stated earlier, Viva Insights primarily builds on Exchange Online. Viva Insights personal insights are processed and stored in the same geography as the user’s mailbox. This means that in a multi-geo tenant, each user’s personal insights respect the mailbox location.   

Manager, Leader and Advanced Insights data location is determined by the default location of the tenant, not the individual users. This does not mean it is held and processed within the same location but that the country determines the location.  As a tenant admin, you should look up the data location region on Microsoft Learn based on your tenant location. For example, a tenant based in the UK has manager, leader & advanced insights data held & processed within the EU region, as do tenants based in Germany, Saudi Arabia and the Seychelles.  For tenants based in the USA, Viva Insights leader, manager and advanced insights data is held & processed in the American region data centres, along with tenants from North & South America and the Caribbean. 

You can check your geography for Microsoft 365 Services in the Microsoft 365 Admin Center by selecting Settings > Org Setting > Organisation profile > Data location.

Viva_Insights_Governance_Intext_Image

App Specific Controls 

Viva Insights features are enabled via licences and also have additional configuration options available for personal, premium personal, manager/leader and advanced insights. From a governance perspective they key thing to look at is privacy options which can be set using PowerShell or via the advanced Viva Insights web app (https://analysis.insights.viva.office.com/).   

Viva insights seeded functionality (without the Viva Insights or Viva Suite license) is enabled by default when a user is assigned a license that includes Viva Insights component and premium features by assigning Viva Insights or Viva Suite license. Turning on Viva Insights also opts the user into data collection for leader/manager and advanced insights, unless the privacy default or user setting has been set to require users to opt-in.   

To be able to see Viva Insights manager & leader insights, a user needs a Viva Insights or Viva Suite license and to manage a team larger than the minimum size.  By default, this is a team of 10 Viva Insights licensed users though that number can be increased, if required.  The team size includes the manager and all employees who report directly or indirectly to the manager. The reporting link is determined by default from Microsoft Entra ID user profile based on the Manager field, unless additional data is supplied via the csv upload. 

Microsoft 365 Compliance, Security, Privacy and Access Controls 

Manage Access 

As with all tools and applications in Microsoft 365, the user must first be a licensed user in Azure AD to use a product before they can gain access. In the case of Viva Insights the licences needed are Exchange Online and, where premium experiences are deployed, the Viva Insights or Viva Suite license. 

Access to the manager & leader content is controlled with the combination of licences, organisational data and licences. Details on each role in Viva Insights and working with organisational data are also available.

Data Life Cycle Management 

Microsoft Purview Data Lifecycle Management is used to control retention and deletion of content stored in Microsoft 365. Viva Insights derives it data from Exchange Online data. Retention policies can be applied to an Exchange mailbox to control the default retention for all content in the mailbox and retention labels can be used to set item specific retention controls.   

The principles of retention in Microsoft 365 are used to determine if the system will retain an item when multiple retention settings are in force.  You can also use this flowchart to determine when an item will be retained or permanently deleted. 

Whilst this deletes the data from Exchange, Viva Insights also holds the collaboration data it collects separately.  On set up, Viva Insights collects 13 months worth of data.  Over time with weekly refreshes this increases to 27 months of data being held, at which point older data is deleted as newer data is collected.  

Data Loss Prevention 

Data loss prevention (DLP) features in Microsoft Purview are designed to control accidental or malicious oversharing of sensitive information. A DLP policy sets out customisable rules as to the circumstances in which sharing actions should be tracked or blocked. Working with Viva Insights does not involve DLP as all downloadable reports have personal data removed. However you may wish to consider your position on reports exported from the system to protect business sensitive information and take steps to protect those, for example by the use of a sensitivity label. 

Information Protection 

Microsoft 365 Information Protection solutions are also known as Sensitivity Labels which can take advantage of both Sensitive Information Types and Trainable Classifiers in Microsoft Purview.  Sensitivity Labels can be used to control features in Microsoft 365 Groups/Microsoft Teams teams/SharePoint Sites as well as providing content marking & encryption for documents, data, meetings and emails.   

Where sensitivity labels are applied to emails and meetings they do not impact on the collection of information into Viva Insights. 

Data Discovery 

Microsoft 365 includes three data discovery tools, Content Search and eDiscovery (Standard) and eDiscovery (Premium). All of the discovery tools can be used to search for content stored in Exchange Online.  As such there are no additional governance considerations for Viva Insights in relation to the discovery of data. 

Next Steps 

The next steps with governance decisions for Viva Insights are to consider which of those features are included in our licences. There are a number of tools which can be used for this, however the official source of information is the security & compliance licensing guidance

Consider the items discussed in this article and the administration and configuration article, what controls you want to place on your users in relation to Viva Insights. You should start by reviewing the existing configuration for Exchange Online. The review should also consider what frailties there are in your current configuration and if now is a good time to review those. Secondly, consider changes you need to make with regard to the introduction of Viva Insights.  

In circumstances where Microsoft Purview does not provide all the control and options which you require, feel free to look at Rencore Governance. The governance tool centralizes all Microsoft 365 service data – including Viva Insights – into one place and automates policy and lifecycle processes for complete governance and data understanding. 

 

Subscribe to our newsletter