MyAnalytics privacy guide
MyAnalytics is best thought of as a “fitness tracker for the workplace.” By using data generated from everyday work in Office 365, MyAnalytics helps people understand how they spend their limited time and who they spend it with, and then presents intelligent tips on how to work smarter.
This page answers key questions on how MyAnalytics processes information in a manner that protects employee privacy and supports compliance with local regulations such as the General Data Protection Regulation (GDPR).
Summary of key points
MyAnalytics is not designed to enable employee evaluation, tracking, or monitoring.
MyAnalytics provides insights to individuals through a personalized dashboard, a weekly email digest, an Outlook Add-in, and nudges in Outlook. MyAnalytics has no mechanism or option that allows anyone but the user to access the personalized information that is displayed through these surfaces, unless that person purposefully and independently shares that information.
MyAnalytics does not give employees access to new personally-identifiable information on other coworkers.
MyAnalytics converts data into insights by performing calculations on information that people generate just by going about their work day. The majority of the data that employees see in MyAnalytics is simply an aggregation of information to which they already have access, but that they wouldn’t be able to quickly perform calculations on without some support.
MyAnalytics data is processed and stored in the employee’s Exchange Online mailbox.
MyAnalytics processes data from two sources: Exchange Online email and calendar data, and Skype for Business Online chat and call signals. MyAnalytics stores and processes this data inside each employee’s Exchange Online mailbox.
MyAnalytics supports General Data Protection Regulation (GDPR) compliance.
Microsoft has designed MyAnalytics to support customers’ needs to comply with GDPR requirements.
MyAnalytics can be configured so that individuals must purposefully opt in.
By default, any time a MyAnalytics license is assigned to a person, that person is automatically opted in. However, administrators can configure MyAnalytics to be "default off," so that people can choose for themselves whether to opt in after the license has been assigned to them.
MyAnalytics and Delve are separate applications with no interdependencies.
MyAnalytics and Delve are both first-party Microsoft Graph applications and have no overlap. These applications can be managed and licensed separately, without settings from one impacting the settings of the other.
MyAnalytics reminds people that their data is private and secure.
Three days after a MyAnalytics license is assigned to a person, that person receives a welcome email that clearly lays out how MyAnalytics works, with a reminder that all of their data is private. The other MyAnalytics user interfaces, such as the weekly email digest and personal dashboard, reinforce this message.
How MyAnalytics works
MyAnalytics presents insights through four different surfaces: a personalized dashboard, a weekly email digest, an Outlook Add-in, and nudges in Outlook.
MyAnalytics provides insights by using two types of data:
Mailbox data: Email, calendar, and Skype for Business Online chat or call activity that people generate by using Office 365, such as time spent in meetings and emails sent to a specific person.
Incremental data: data that would otherwise be unavailable to the employee but is presented in an aggregated form that is designed to protect individual privacy.
Mailbox data represents information that people already have access to simply by going about their job, such as sending emails, arranging meetings, or chatting with coworkers. MyAnalytics processes and displays this information in new ways that make it actionable.
For example, MyAnalytics provides views that allow people to quickly understand how much time they spend in meetings and in email every day, who they collaborate with the most, who they are losing touch with, and to whom they have made commitments and requests.
People can take action on this information. For example, they might decide that they spend too much time in meetings and adopt a personal goal of running more efficient meetings.
These insights are derived from data that is already available to people in their Exchange Online mailbox and Skype for Business Online chat or call history. MyAnalytics simply applies some basic calculations and rules to make that data more actionable. Mailbox data is stored directly in each employee's Exchange Online mailbox.
For example, if people want to determine which colleagues sent them the most email over the past week, they could technically do so without MyAnalytics by manually counting emails from coworkers in their inbox. Similarly, people could determine their coworkers’ average response time to the emails that they send by using timestamp information readily available in their mailbox. MyAnalytics saves people the trouble of having to perform these tedious calculations.
In a few cases, MyAnalytics provides people with de-identified information on other people that would not have otherwise been available to them. Both are described in the following table.
|Insight|Description|
|---|---|
|Company averages (displayed in the personal dashboard)|For Meeting hours, Email hours, Focus hours, and After hours metrics, MyAnalytics shows people how they compare with the company average. To protect the privacy of others, this metric does not show if the user’s organization has fewer than five people. It is available only in aggregated form; there is no “drill-down” to see other individuals’ data. To calculate these averages, de-identified metadata from individual user profiles is extracted to a transient store within the Office 365 environment, where it is then processed to produce an average calculation before being distributed to each employee’s mailbox. No personally-identifiable information is extracted or transferred, and the process abides by the same compliance policies as Office 365 overall. Note that data from unlicensed employees (for example, Exchange Online mailboxes that do not have a MyAnalytics license assigned to them) also contributes to company average calculations, although companies can choose to exclude them and process data only for licensed employees (see next section for more details).|
|Email read rates (displayed in the Outlook Add-in)|For emails that a person sends to five or more people, MyAnalytics tracks the percentage of recipients who opened the message. In order to preserve privacy, if the message is sent to fewer than five people, MyAnalytics does not track read rates. In addition, MyAnalytics does not show read rates of 0% or 100%, as that would allow people to make definitive conclusions about individual coworker actions. Instead, the read rate renders as “Low” or “High.” This metric is calculated based on the “read” flag in Exchange Online. For some people, messages may be flagged as “read” when they open a message in the Outlook preview pane; for others, they may need to double-click to open the message to mark it as “read.” People can control this setting in the Outlook settings panel. To display these signals in the sender’s mailbox, the “read” flag is copied to a transient store within the Office 365 environment, and then delivered to the sender’s mailbox. All data in the transient store is deleted after 14 days.|
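The two disclosure rules in the table above (a minimum group size of five, and masking of 0% and 100% read rates) are shown here in Python as an added example, not MyAnalytics code. The function names, the mapping of 0% to “Low” and 100% to “High”, and the whole-percent display are assumptions.

```python
from typing import Optional, Sequence

MIN_GROUP = 5  # threshold the page gives for both company averages and read rates


def read_rate_display(recipients: int, opened: int) -> Optional[str]:
    """Return what the sender would see, or None when nothing is tracked."""
    if recipients < 0 or not 0 <= opened <= recipients:
        raise ValueError("opened must be between 0 and recipients")
    if recipients < MIN_GROUP:
        return None  # fewer than five recipients: read rate is not tracked
    if opened == 0:
        return "Low"   # assumption: 0% is the case rendered as "Low"
    if opened == recipients:
        return "High"  # assumption: 100% is the case rendered as "High"
    pct = round(100 * opened / recipients)
    # Rounding must not reintroduce the endpoints that were just masked:
    # 999 of 1000 opened would otherwise round to "100%".
    return f"{min(max(pct, 1), 99)}%"


def company_average(hours_by_person: Sequence[float]) -> Optional[float]:
    """Average a de-identified list of per-person hours, or None if too few people."""
    if len(hours_by_person) < MIN_GROUP:
        return None  # a small group would let a reader infer individual values
    return round(sum(hours_by_person) / len(hours_by_person), 1)


if __name__ == "__main__":
    # Constructed sample inputs, not real data.
    for recipients, opened in [(4, 2), (5, 0), (5, 5), (10, 4), (1000, 999)]:
        print(recipients, opened, read_rate_display(recipients, opened))
    print(company_average([10, 12, 8, 9]))
    print(company_average([10, 12, 8, 9, 11]))
```
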
MyAnalytics provides flexible and configurable controls that are designed to enable organizations and their members to address varying legal and policy needs regarding privacy and use of employee data. When enabling MyAnalytics for the organization, admins can make the following choices:
- Determine which people have access to MyAnalytics. Admins can determine which people can access and use MyAnalytics by issuing licenses to only those people who should have access.
- Determine default opt-in settings. Admins can configure MyAnalytics to be "default off", meaning that licensed employees must individually opt in to MyAnalytics in order to contribute to incremental data and have access to their dashboard and Outlook Add-in. Alternatively, MyAnalytics can be configured to be "default on", meaning that licensed employees automatically contribute to incremental data and have access to their dashboard and Outlook Add-in, but can subsequently opt out through the Settings menu.
- Determine which employees in sensitive roles should be excluded from incremental data. Some organizations may have employees in sensitive roles who should never contribute to incremental data. To support this, MyAnalytics provides admins with the ability to mark such employees as “excluded.” Excluded users cannot opt in to contribute to incremental data. However, the MyAnalytics experience will still be available to such users provided that they are licensed.
Note that if default settings are used, the following applies:
- All employees in your organization contribute to incremental data whether or not they have been issued MyAnalytics licenses.
- MyAnalytics is automatically enabled for employees after a license is assigned to them. If, instead, you want licensed employees to have the choice to opt in, you must change the default settings.
How employees can opt in and opt out
End users can opt in or opt out of MyAnalytics via the Feature Settings menu in Office 365.
MyAnalytics vs. Workplace Analytics, Delve, and the Microsoft Graph
The following section describes the differences between these Microsoft products:
MyAnalytics vs. Workplace Analytics
MyAnalytics is an individual productivity tool, whereas Workplace Analytics enables organizations to view aggregated, de-identified collaboration data of employees. The applications are purchased and licensed separately. If an employee opts out of MyAnalytics, this does not impact the opt-in status for Workplace Analytics (and vice versa).
MyAnalytics vs. Delve
MyAnalytics and Delve are both first-party applications based on the Microsoft Graph, and are independent applications with different use cases. Delve uses intelligence to help employees discover relevant content and people across their organization. Each application is licensed separately and settings from one do not impact the settings of the other.
There may be some confusion about this, because MyAnalytics used to be called “Delve Analytics” but was rebranded in fall 2016. The MyAnalytics personal dashboard still shows up in the Delve user interface. However, MyAnalytics will eventually be decoupled from Delve and have its own unique URL.
Administrators and individuals can disable Delve content-discovery functionality without impacting access to MyAnalytics, and vice versa. The personal dashboard and all other MyAnalytics surfaces will remain functional. Learn more about Delve administration.
MyAnalytics and Delve are first-party applications built on the Microsoft Graph. The Microsoft Graph consists of a set of REST-based API calls that allow developers to interact with the Microsoft technologies that a given organization uses. In order to use these API calls, developers must have specific permissions to access any data they request. Administrators control both the deployment of any Microsoft Graph application and permissions to access these applications.
The Microsoft Graph cannot be turned on or off globally through the Office 365 Admin Center, but administrators can achieve this effect by blocking employees’ ability to install third-party apps or by restricting developer access permissions. Learn more about Microsoft Graph.
Employee experience of MyAnalytics
Dashboard and Outlook Add-in
Within one to three days of the assignment of a MyAnalytics license to an employee (either as part of an overall E5 license or as an add-on license), the user’s MyAnalytics personal dashboard and Outlook Add-in become available.
To notify employees that their dashboard and Outlook Add-in have been enabled, MyAnalytics delivers a Welcome email within three days of license assignment. The email introduces people to the application and contains a reminder that MyAnalytics is private and personal.
Weekly digest email
The week after the welcome email is delivered, users begin to receive the weekly digest email.
As is the case with the full Office 365 suite, MyAnalytics helps support compliance with GDPR requirements. Microsoft helps data controllers meet the following obligations for MyAnalytics:
Secure and protect personal data of data subjects.
All MyAnalytics data is stored in the employees’ Exchange Online mailbox. MyAnalytics appends computed metrics such as “Meeting hours” to the mailbox. Thus, MyAnalytics meets this obligation by virtue of Exchange Online also meeting the obligation:
- Microsoft will not mine customer data in Exchange Online for advertising
- Microsoft will not voluntarily disclose Exchange Online customer data to law enforcement agencies
- Microsoft will meet all requirements related to encryption of Exchange Online data and implement controls to reduce security risks and help ensure business continuity, as laid out by ISO 27001 and 27018
Notify data subjects in the event that a breach is detected. Microsoft will notify customer privacy contacts within 72 hours of Microsoft becoming aware of a breach by using Office 365 incident response standard operating procedures.
Honor data subject requests (DSRs) to export, delete, or restrict processing personal data. Microsoft supports your need to honor data subject requests in the following ways:
- Data export requests: submit data export requests via the Microsoft Service Trust Portal. Separately, people can also take screenshots of their MyAnalytics dashboards.
- Request to restrict processing: use PowerShell to opt employees out of MyAnalytics.
- Delete employee data: sign in to Azure Active Directory admin center and then remove the employee's data through the User Management Portal.
Learn more about GDPR compliance.