Security and compliance for data usage

Microsoft Viva Glint helps organizations measure employee engagement and experiences so they can take action to improve them. Grounded in our approach to employee engagement, Glint offers a flexible surveying approach so organizations can gain a greater understanding of key experiences that shape an employee's journey and the resulting impact on individual and business outcomes.

With Viva Glint, organizations capture invaluable employee feedback and transform those insights into actions. Feedback and action-taking are brought directly into the flow of work. Managers and their teams are empowered to take joint ownership and drive meaningful actions and habits that support happiness, success, and wellbeing at work.

This resource explains how Viva Glint provides the customer admin with controls to manage personal data and implements protections within Viva Glint to maintain employee privacy. These controls and protections support customer compliance with regulations such as the European Union General Data Protection Regulation (GDPR). This document is specific to Viva Glint and provides a technical overview of how data and privacy are protected.

Understand the fundamentals of Viva Glint privacy

This section discusses concepts that provide a framework for understanding how Viva Glint approaches data protection.

Data entity

Contemporary privacy regulations, such as the GDPR, outline roles and responsibilities in thinking about data protection and privacy. These concepts help illustrate the respective responsibilities of the customer, Microsoft, and employees when it comes to processing and managing sensitive data.

The concepts of data controller, data processor, and data subject originate in European privacy law. These concepts provide a useful framework for thinking about data protection when using Viva Glint, regardless of where your organization is located.

This image shows the central position of the data controller, between the data subject and the data processor (Microsoft):

Screenshot that displays the data entity of Viva Glint.

Data controller

The data controller is a party that determines the purposes and means of processing a data subject's personal data.

When using Viva Glint, your organization is the data controller because your organization determines if, how, and why Viva Glint processes any personal data.

As the data controller, your organization:

  • Determined the scope of data to analyze and the purpose and objectives of the analysis.
  • Works with your organization's legal, privacy, and human resources teams for the following tasks:
    • Determining whether you should obtain consent from users in your organization.
    • Determining what information is provided to users about how your organization processes their personal data in Viva Glint.
    • Accounting for local considerations (for example, obtaining approval from local works councils, if applicable).
  • Uses Viva Glint privacy controls to direct which data is analyzed, how data appears in results, and who has access to both raw data and the results of analysis.
  • Reviews and is familiar with this document and other Viva Glint privacy documentation provided by Microsoft.

Data processor

The data processor is a party that processes personal data on behalf of the data controller. When your organization uses Viva Glint, Microsoft is the data processor.

As a data processor, Microsoft will:

  • Process personal data in accordance with your organization's instructions as directed through your settings configuration within Viva Glint
  • Through your use of Viva Glint, process all data provided to Microsoft (including personal data) according to the same general privacy and security terms in the Product Terms
  • As part of Microsoft's commitments under Product Terms and Microsoft Products and Services Data Protection Addendum (DPA), abide by the Standard Contractual Clauses and remain certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments that these frameworks entail legitimizing transfers of personal data from the EU and Switzerland to the U.S, though Microsoft doesn't rely on the EU-U.S. Privacy Shield Framework as a legal basis for transfers of personal data in light of the judgment of the Court of Justice of the EU in Case C-311/18
  • Contractually commit to abide by applicable provisions of applicable regulations such as the GDPR or California Privacy Rights Act (CPRA).
  • Provide Viva Glint features that help organizations meet their data controller obligations and honor data subject rights under the GDPR, including the rights of exclusion from processing, access, erasure, and transparency regarding methods of processing
  • Implement technical and organizational security measures to protect the confidentiality of your organization's (and employees') data in Viva Glint

In addition, Microsoft doesn't use customer data or personal data for advertising, nor does it volunteer to provide such data to law enforcement.

Data subject

A data subject is a person who can be identified through personal data. In the context of Viva Glint, the data subject is an employee or other user in your organization whose personal information is being processed. Personal data is any information that directly or indirectly identifies a person (the data subject).

Note

In most cases in the Glint product and documentation, we refer to a Data Subject simply as a "user," a "person," an "individual," or an "employee."

Understand which data gets processed

Viva Glint provides the customer with tools to manage the data Viva Glint processes and who has access to that data. Glint also gives customers the ability to receive and respond to Data Subject Rights requests from employees. Customers control what employee personal data they import to Viva Glint. Glint can then combine this customer-imported data with survey responses to provide extra insights. GDPR "sensitive data" has specific considerations that customers should assess in coordination with their HR, privacy, and legal teams.

Tip

Customers should upload the minimum and least sensitive data necessary to achieve their goals. It is the customer's responsibility to assess their privacy and compliance obligations and to determine whether Glint is suitable.

Manage who has access to survey feedback

The customer admin can assign user roles with varying levels of access to view survey feedback results. The admin also controls who can see the data and at what level of detail.

Viva Glint reporting, like other products that work with sensitive data (for example, HR systems), isn't meant for the general workforce. Its users are expected to have training in how to handle sensitive information. Topics might include your organization's HR policies, your organization's employee privacy policy and how to handle and store sensitive data.

Viva Glint admins may create the following types of User Roles:

  • Managers: These users might need to see the rollup for their teams and perhaps, one attribute. They often don't have the team size to see results by demographic analysis and lack the authority to act on them.

  • Senior managers: Due to their organizations' size, they might need to see data for various cohorts. They might need to see organizational demographics such as location, tenure, and job family as those are areas within their authority to act. Special category data, such as ethnicity, is often not provided to these users.

  • Human Resources Business Partners (HRBPs) with the ability to see divisions or even organization-wide, and the internal ability to see employee-level data. These users might need access to all attributes.

Read why Viva Glint collects employee attributes and how they're used in reporting.

Some countries require employers to consult with employee representatives or seek approval from a works council before deploying certain information technology services in the workplace.

More resources