Control 4.7: Copilot Feedback and Telemetry Data Governance
Control ID: 4.7
Pillar: Operations & Monitoring
Regulatory Reference: GLBA 501(b), SEC Reg S-P, State Privacy Laws, FFIEC IT Examination Handbook
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated
Objective
Establish governance controls for Copilot user feedback data (thumbs up/down, written feedback) and telemetry data (diagnostic data, usage signals) to address privacy implications, data collection scope, data residency requirements, and regulatory expectations for managing AI-generated behavioral data within financial services environments.
Why This Matters for FSI
Microsoft 365 Copilot collects two categories of data beyond the content it processes: feedback data provided voluntarily by users and telemetry data collected automatically about Copilot interactions. Both categories create governance obligations for financial institutions.
Feedback Data Concerns:
When a financial services employee provides feedback on a Copilot response (thumbs up/down, written comments), that feedback may inadvertently include or reference sensitive information. For example, a user might submit negative feedback stating "This summary missed the key point about the XYZ Corp merger", thereby creating a record that references MNPI about a pending transaction. The feedback submission can also carry the prompt and Copilot's response, or a screenshot, when users are permitted to attach content samples and screenshots, so the submission channel itself, not only the free-text comment, needs control. Under GLBA 501(b), the institution must protect customer information through appropriate safeguards, which extends to incidental data collection channels like AI feedback mechanisms.
Telemetry Data Concerns:
Diagnostic telemetry from Copilot interactions captures metadata about how users interact with AI features: which features they use, how often, error rates, performance metrics, and interaction patterns. Microsoft documents that diagnostic data, at either the Required or the Optional level, excludes file content and the text of prompts and responses; the behavioral patterns themselves may nonetheless be sensitive in a financial services context. Patterns of Copilot usage in specific applications at specific times could, in aggregate, reveal information about the institution's business activities.
SEC Reg S-P requires financial institutions to provide privacy notices and maintain safeguards for customer information. If Copilot telemetry or feedback data could be linked to customer interactions (e.g., a user provides feedback while processing a customer request), the privacy implications extend to customer data protection.
Disclaimer
This control is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. See full disclaimer.
Control Description
User Feedback Data Types
Copilot collects the following categories of user feedback:
| Feedback Type | Description | Privacy Risk Level |
|---|---|---|
| Thumbs Up/Down | Binary satisfaction rating on Copilot responses | Low -- no content included |
| Written Feedback | Free-text comments about Copilot responses | High -- may include sensitive content |
| Content Samples and Screenshots | Optional attachment of the prompt, the response, or a screen image to a feedback submission | High -- carries the actual content |
| Feature Feedback | Feedback on specific Copilot features | Low -- structured data |
| Report a Concern | User-reported issues with Copilot output | High -- may describe sensitive scenarios |
| In-product Surveys | Periodic satisfaction surveys within M365 apps | Medium -- may include contextual information |
Telemetry Data Categories
Microsoft 365 Copilot telemetry follows the M365 diagnostic data framework:
| Category | Description | Configuration |
|---|---|---|
| Required Diagnostic Data | Minimum data needed to keep the apps secure, up to date, and performing as expected; includes basic usage events, error data, and device/app identifiers | Collected at the "Required" level; Microsoft 365 Apps for enterprise clients can be set to "Neither", which Microsoft cautions limits its ability to detect and fix problems |
| Optional Diagnostic Data | Enhanced diagnostic data including feature usage details, performance telemetry, and error context | Disabled by setting the diagnostic data level policy to "Required" (Cloud Policy in the M365 Apps Admin Center, Group Policy, or Intune) |
| Connected Experiences Data | Data from features that connect to Microsoft cloud services | Configurable per category: experiences that analyze content, experiences that download online content, and optional connected experiences |
| Service-Generated Data | Logs generated by Microsoft during Copilot service operation | Managed by Microsoft per the Data Protection Addendum (DPA); not controllable from the client |
Feedback Data Controls in M365 Admin Center
Administrators can configure feedback collection settings:
| Setting | Location | FSI Recommendation |
|---|---|---|
| Allow users to submit feedback to Microsoft | M365 Admin Center > Settings > Org Settings > Organization Profile > Send feedback to Microsoft | Evaluate risk; consider disabling written feedback for regulated roles |
| Allow users to include log files and content samples | Same page | Disable -- content samples carry the prompt and the Copilot response |
| Allow users to include screenshots and attachments | Same page | Disable -- screenshots may capture sensitive data |
| Allow Microsoft to follow up on feedback submitted by users | Same page | Disable -- external contact about internal AI usage not appropriate |
| Allow users to receive and respond to in-product surveys | Same page | Configure per organizational policy |
Diagnostic Data Controls
| Setting | Location | FSI Recommendation |
|---|---|---|
| Diagnostic data level | M365 Apps Admin Center > Customization > Policy Management (Cloud Policy), policy "Configure the level of client software diagnostic data sent by Office to Microsoft"; also available via Group Policy and Intune | Set to "Required" (not "Optional") to minimize data collection |
| Connected experiences | M365 Apps Admin Center > Customization > Policy Management | Review each category; disable optional connected experiences. Do not disable experiences that analyze content where Copilot is licensed: Copilot in the Microsoft 365 apps is itself such an experience and stops working without them |
| Customer Experience Improvement Program | Legacy Office Group Policy setting (Privacy > Trust Center), not an M365 Admin Center org setting | Confirm it is disabled on clients where the policy still applies; on current Microsoft 365 Apps the diagnostic data level governs this collection |
Copilot Surface Coverage
| Surface | Feedback Mechanism | Client Telemetry Control |
|---|---|---|
| M365 Business Chat (browser) | Thumbs up/down, written feedback, optional content sample | Service-side telemetry; the Microsoft 365 Apps diagnostic data level policy does not govern the browser client |
| Teams Copilot | In-context feedback, meeting recap feedback | Client diagnostic data; verify whether the deployed Teams client version honors the Microsoft 365 Apps diagnostic data policy |
| Outlook Copilot | Draft feedback, summarization feedback | Required + Optional (configurable) in the desktop client; service-side in Outlook on the web |
| Word / Excel / PowerPoint | Feature-specific feedback | Required + Optional (configurable) in the desktop apps; service-side in the web apps |
| SharePoint Copilot | Page summarization feedback | Service-side telemetry; not governed by the client diagnostic data level |
| Copilot Pages | Content generation feedback | Service-side telemetry; not governed by the client diagnostic data level |
Governance Levels
Baseline
- Review and configure Copilot feedback settings in M365 Admin Center
- Disable log file and content sample inclusion in feedback submissions
- Disable screenshot and attachment inclusion in feedback submissions
- Disable Microsoft follow-up permissions for feedback
- Set diagnostic data level to "Required" (not "Optional") unless specific business justification exists
- Document the types of telemetry and feedback data collected by Copilot
- Include Copilot feedback and telemetry data in the institution's data inventory
Recommended
- Disable written (free-text) feedback for users in regulated roles (registered representatives, advisers, traders)
- Configure data residency settings to align with the institution's data sovereignty requirements
- Establish a privacy review process for any changes to feedback or telemetry collection settings
- Include Copilot feedback and telemetry in the institution's privacy impact assessment
- Review Microsoft's Data Processing Agreement (DPA) coverage of Copilot feedback and telemetry data
- Create employee guidance on what information should never be included in Copilot feedback
- Monitor for changes to Microsoft's data collection practices through Message Center updates
Regulated
- Conduct annual privacy impact assessment specifically for Copilot feedback and telemetry data
- Include Copilot data collection practices in the institution's privacy notice to employees
- Implement DLP policies that scan Copilot feedback channels for sensitive data patterns (if technically feasible)
- Document Copilot data collection in the institution's vendor data processing inventory
- Review and negotiate Copilot-specific terms in the Microsoft enterprise agreement where necessary
- Maintain records of all configuration changes to feedback and telemetry settings for 7 years
- Include Copilot telemetry governance in regulatory examination preparation materials
Setup & Configuration
Step 1: Configure Feedback Settings
Navigate to M365 Admin Center > Settings > Org Settings > Organization Profile > Send feedback to Microsoft (the same policies can be applied through the Cloud Policy service in the M365 Apps Admin Center):
- Review each feedback setting:
  - Allow users to submit feedback to Microsoft: Set per organizational policy
  - Allow users to include log files and content samples: Set to Off
  - Allow users to include screenshots and attachments: Set to Off
  - Allow Microsoft to follow up on feedback: Set to Off
  - Allow users to receive and respond to in-product surveys: Set per organizational policy
- Document configuration decisions with rationale
- Communicate feedback policy to employees
Step 2: Configure Diagnostic Data Settings
Navigate to M365 Apps Admin Center > Customization > Policy Management and edit (or create) a policy configuration for the target users (the Diagnostic Data Viewer is a separate Windows app for inspecting what a client has already sent; it does not set the level):
- Set the policy "Configure the level of client software diagnostic data sent by Office to Microsoft":
  - Required: minimum level (recommended for FSI)
  - Optional: do not select unless a specific business need is documented
- Configure via Intune if using device management:
  - Settings catalog > Microsoft Office 2016 (Office ADMX-backed settings) > Privacy > Trust Center > the same diagnostic data level setting
- For Group Policy environments:
  - User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Privacy > Trust Center
  - Configure "Configure the level of client software diagnostic data sent by Office to Microsoft" to "Required"
- Note that this policy applies to the Microsoft 365 desktop apps; browser-based Copilot surfaces send service-side telemetry that the client policy does not control
Step 3: Configure Connected Experiences
Navigate to M365 Apps Admin Center > Customization > Policy Management:
- Review connected experiences categories:
  - Experiences that analyze content: Evaluate each for FSI appropriateness, but keep the category enabled where Copilot is licensed; Copilot in Word, Excel, PowerPoint and Outlook is a content-analyzing connected experience and is unavailable when the category is disabled
  - Experiences that download online content: Evaluate data flow implications
  - Optional connected experiences: Disable unless specific business need
- Document which connected experiences are enabled and the business justification
Step 4: Document Data Flows
Create a data flow document for Copilot feedback and telemetry:
| Data Category | Collection Point | Storage Location | Retention Period | Access |
|---|---|---|---|---|
| Thumbs up/down | In-app feedback | Microsoft service | Per Microsoft DPA | Microsoft |
| Written feedback | In-app feedback | Microsoft service | Per Microsoft DPA | Microsoft |
| Required diagnostics | Automatic | Microsoft service | Per Microsoft DPA | Microsoft |
| Optional diagnostics | Automatic (if enabled) | Microsoft service | Per Microsoft DPA | Microsoft |
Step 5: Employee Communication
Develop and distribute employee communication covering:
- What feedback data Copilot collects and why
- What telemetry data is collected automatically
- What employees should never include in feedback (MNPI, client names, account numbers, trade details)
- How to opt out of optional data collection where available
- Where to report concerns about data collection
Financial Sector Considerations
Customer Information in Feedback: The most significant risk for financial institutions is the inadvertent inclusion of customer information in Copilot feedback. An employee frustrated with a Copilot response might write "It completely misunderstood the Smith account situation" -- creating a record that links a customer name to an account issue in Microsoft's feedback system. This could implicate GLBA and Reg S-P protections. Consider disabling written feedback for customer-facing roles.
MNPI in Feedback: Similarly, employees working on non-public transactions might reference deal details in feedback. "The summary was wrong about the ABC Corp acquisition price" creates a record of MNPI in an external system. This is a material concern for broker-dealers and investment banks.
Third-Party Data Sharing: Feedback data submitted to Microsoft constitutes data sharing with a third party. The institution's vendor management program should account for this data flow. Review whether the existing DPA adequately covers Copilot feedback data processing.
Regulatory Examination Scope: Examiners may ask about the institution's understanding of what data Copilot collects and sends to Microsoft. Having documented data flows, configuration decisions, and privacy impact assessments demonstrates governance maturity.
State Privacy Laws: Emerging state privacy laws (California, Virginia, Colorado, Connecticut, and others) may impose obligations regarding employee data collection and processing. Copilot telemetry may fall within the scope of these regulations depending on the specific data elements collected.
Data Residency: For institutions with data residency requirements, verify where Copilot feedback and telemetry data is processed and stored. Microsoft's data residency commitments for M365 may or may not extend to all categories of feedback and telemetry data.
Verification Criteria
| # | Verification Step | Expected Result |
|---|---|---|
| 1 | Review feedback settings in M365 Admin Center | Content samples disabled, screenshots disabled, Microsoft follow-up disabled |
| 2 | Verify diagnostic data level configuration on a managed client | Set to "Required" (not "Optional") by policy, not left to the user default |
| 3 | Confirm connected experiences settings | Optional connected experiences disabled; content-analyzing experiences remain enabled where Copilot is licensed |
| 4 | Review data flow documentation | Documented and current within past 12 months |
| 5 | Verify employee communication was distributed | Communication sent and acknowledged |
| 6 | Review privacy impact assessment coverage | Copilot feedback/telemetry included in PIA |
| 7 | Confirm DPA coverage of Copilot data | Microsoft DPA reviewed and coverage confirmed |
| 8 | Verify configuration change audit trail (Regulated) | Changes to feedback/telemetry settings are logged |
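The following PowerShell script is an added example for Setup Steps 2 and 3 and for verification criteria 2 and 3; it is not part of the framework and not a Microsoft tool. It reads the policy-backed registry values that the Microsoft 365 Apps privacy policies (Cloud Policy, Group Policy or Intune) write under the current user's hive on a Windows endpoint, decodes them, and reports PASS/FAIL against the FSI recommendations in this control. The privacy value names (`SendTelemetry`, `ControllerConnectedServicesEnabled`, `UserContentDisabled`) are the documented Office privacy policy values; the feedback key and its value names (`includescreenshot`, `includeemail`) are assumptions to confirm against your tenant's ADMX/Cloud Policy output before treating their results as findings.

```powershell
# Added example (not part of the FSI Copilot Governance Framework): audits the
# Microsoft 365 Apps privacy and feedback policy values on a managed Windows
# endpoint. Run it as the user being assessed, because the policies land under
# HKCU. The script only reads; it never changes a setting.

$PrivacyKey  = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'
# Assumption: the feedback policies write to this key with the value names used
# below. Confirm against your ADMX/Cloud Policy output before relying on them.
$FeedbackKey = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\feedback'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# One entry per check: the registry value, the values that satisfy the FSI
# recommendation, a decoder for the report, and the policy that remediates it.
$Checks = @(
    @{ Key=$PrivacyKey;  Name='SendTelemetry'; Ok=@(1,3)
       Meaning=@{1='Required';2='Optional';3='Neither'}
       Policy='Configure the level of client software diagnostic data sent by Office to Microsoft' }
    @{ Key=$PrivacyKey;  Name='ControllerConnectedServicesEnabled'; Ok=@(2)
       Meaning=@{1='Enabled';2='Disabled'}
       Policy='Allow the use of additional optional connected experiences in Office' }
    # Copilot in Word/Excel/PowerPoint/Outlook is itself a connected experience
    # that analyzes content, so this category must stay Enabled (1) for Copilot.
    @{ Key=$PrivacyKey;  Name='UserContentDisabled'; Ok=@(1)
       Meaning=@{1='Enabled';2='Disabled'}
       Policy='Allow the use of connected experiences in Office that analyze content' }
    @{ Key=$FeedbackKey; Name='includescreenshot'; Ok=@(0)
       Meaning=@{0='Off';1='On'}
       Policy='Allow users to include screenshots and attachments when they submit feedback (assumed value name)' }
    @{ Key=$FeedbackKey; Name='includeemail'; Ok=@(0)
       Meaning=@{0='Off';1='On'}
       Policy='Allow Microsoft to follow up on feedback submitted by users (assumed value name)' }
)

function Test-CopilotPrivacyBaseline {
    foreach ($c in $Checks) {
        $value = Get-PolicyValue -Path $c.Key -Name $c.Name
        if ($null -eq $value) {
            # Unset means the client default applies and the user can change it
            # under File > Account > Account Privacy: report it as unmanaged.
            $status  = 'FAIL (not set by policy)'
            $decoded = 'unmanaged'
        }
        else {
            $decoded = if ($c.Meaning.ContainsKey($value)) { $c.Meaning[$value] } else { "raw=$value" }
            $status  = if ($c.Ok -contains $value) { 'PASS' } else { 'FAIL' }
        }
        [pscustomobject]@{
            Setting = $c.Name
            Value   = $decoded
            Status  = $status
            Policy  = $c.Policy
        }
    }
}

Test-CopilotPrivacyBaseline | Format-Table -AutoSize
```

The output is one row per setting, so a FAIL row names the exact Cloud Policy or Group Policy setting to correct. Because the script inspects only the local HKCU policy hive, it tells you what reached this user on this device; cross-check against the policy configuration in the M365 Apps Admin Center to catch targeting gaps, and remember that browser-based Copilot surfaces are not covered by these client values at all.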
Additional Resources
- Microsoft 365 Copilot - Data, Privacy, and Security
- Diagnostic Data in Microsoft 365
- Microsoft Products and Services Data Protection Addendum (DPA)
- Microsoft Privacy Dashboard
- Connected Experiences in Microsoft 365
- GLBA Safeguards Rule
Related Controls: 4.5 Usage Analytics, 4.1 Admin Settings and Feature Management, 3.10 SEC Reg S-P Privacy, 1.10 Vendor Risk Management
FSI Copilot Governance Framework v1.2.1 - March 2026