For most corporate custodians in 2026, the centre of working life is no longer email. It is a Teams channel, a Slack workspace, or a mix of both, with conversations, file shares, video calls and decisions taking place in threads rather than in inboxes. That has consequences for any matter where disclosure or investigation reaches into business communications.
Why collaboration data is hard
Several features of these platforms make them genuinely awkward to handle:
- Conversations don't fit the document model. A Slack channel or Teams chat is a continuous stream, not a self-contained document. Cutting it into reviewable units without losing context is a design choice.
- Edits and deletions are routine. Users can edit and delete messages, and platforms often retain only the latest version. The fact that a message was changed is itself evidentially relevant.
- Attachments and reactions add layers. Files, links, emojis, threaded replies and reactions all carry meaning that a flat export loses.
- Retention varies. Enterprise tenants may have retention policies, eDiscovery holds and exports built in; smaller tenants often do not.
The defensible approach
The defensible approach starts with the platform's own admin tooling rather than screenshots. Microsoft Purview eDiscovery (Premium) for Teams and Microsoft 365, and Slack's Discovery API for Enterprise Grid, are the documented routes for preserving, exporting and searching collaboration data with the metadata intact.
From there, the data needs to be normalised into something a review team can actually use. RSMF (Relativity Short Message Format) has become the de facto standard for loading chat data into Relativity in a way that preserves conversational structure. A useful Relativity overview is in their documentation on Short Message Format processing.
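To make the "reviewable units" design choice concrete, here is an added example (not part of the original article, and not the RSMF schema or any vendor's code). It slices a chat export into one unit per channel per UTC day, pulls the parent message into a unit when a thread reply would otherwise lose its context, and carries edit and deletion flags through. The field names and sample messages are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export; field names are hypothetical, not a vendor schema.
SAMPLE = [
    {"id": "m1", "channel": "deal-room", "ts": "2026-03-02T16:55:00+00:00",
     "user": "alice", "text": "Revised price attached", "parent": None,
     "edited": True, "deleted": False},
    {"id": "m2", "channel": "deal-room", "ts": "2026-03-02T17:10:00+00:00",
     "user": "bob", "text": "", "parent": None,
     "edited": False, "deleted": True},
    {"id": "m3", "channel": "deal-room", "ts": "2026-03-03T09:05:00+00:00",
     "user": "carol", "text": "Agreed, go ahead", "parent": "m1",
     "edited": False, "deleted": False},
]

def _when(event):
    """Parse the timestamp and normalise it to UTC."""
    return datetime.fromisoformat(event["ts"]).astimezone(timezone.utc)

def slice_into_units(events):
    """Group events into one review unit per channel per UTC day.

    A reply whose parent sits in another unit pulls in a copy of the parent,
    marked context=True. Edited/deleted flags are carried through, and a reply
    whose parent was not collected is marked parent_missing=True.
    """
    by_id = {e["id"]: e for e in events}
    units = defaultdict(dict)  # (channel, day) -> {message id: row}

    def row(e, context):
        missing = e["parent"] is not None and e["parent"] not in by_id
        return {**e, "context": context, "parent_missing": missing}

    for e in events:
        key = (e["channel"], _when(e).date().isoformat())
        units[key][e["id"]] = row(e, False)
        parent = by_id.get(e["parent"])
        if parent is not None:
            # setdefault keeps the real row if the parent is already in this unit
            units[key].setdefault(parent["id"], row(parent, True))
    return {k: sorted(rows.values(), key=_when) for k, rows in units.items()}

def changed_messages(units):
    """IDs of in-scope (non-context) messages that were edited or deleted."""
    return sorted(r["id"] for rows in units.values() for r in rows
                  if not r["context"] and (r["edited"] or r["deleted"]))
```

The `parent_missing` flag gives the review team a record of replies whose parent message fell outside the collection, rather than silently presenting them as standalone messages.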
What this means for scoping
Treating collaboration data as just another email source tends to produce one of two failure modes: missing relevant content because the platform was overlooked, or collecting whole workspaces and trying to deal with the volume in review. Neither is proportionate.
A better starting point is to identify, for each relevant custodian, which collaboration tools they actually used for the issues in the matter, then agree which channels, direct-message groups and date ranges are in scope. That conversation belongs in the DRD under PD 57AD or its equivalent in other regimes, not in the middle of review.
And then there's mobile
Personal mobile devices remain the messiest corner of all of this. WhatsApp business use, Signal-style ephemeral messages, and chats that live only on devices rather than in any central system all sit outside the platform-admin route entirely. Forensic extraction from the device, with a clear record of what was preserved and what could not be, is usually the only defensible option.
Bottom line
Collaboration data is no longer an edge case. Disclosure exercises that ignore it look incomplete; disclosure exercises that collect it carelessly look disproportionate. Building a sensible approach into scoping is the simplest way to keep both problems out of the case.
