Data Use and Protection


The following guidance outlines how to use data safely with AI tools at KU. It covers appropriate data use with public third-party AI tools, the role of Microsoft Copilot as the university’s primary enterprise AI platform, and how other AI tools may be accessed through approved sources or procurement channels.

Public, third-party AI tools: Operate outside KU’s enterprise environment and do not include institutional privacy or security protections. Treat any information entered into these tools as public.

Enterprise-approved AI tools: Provided or authorized by the University and include additional contractual, privacy, and security safeguards designed to protect university data.

⚠️ Do Not Share Sensitive, Confidential, or Restricted Data in Public, Third-Party AI Tools

University data entered into public, third-party AI tools (including tools you sign up for on your own) is not protected by the University. Sharing information in these tools should be treated as comparable to sharing it publicly.


Many public generative AI tools store user inputs and may use them to improve their systems. As a result, information you share may be retained, reviewed, or incorporated into future model training, including sensitive, confidential, or restricted data.


For guidance on data types and appropriate use, see the University’s Data Classification Policy.


To protect university data and privacy, only information classified as Public should be entered into public, third-party AI tools unless you are using an enterprise-approved, protected environment.

Public Third-Party AI
Public / Non-Sensitive
Internal / Business Sensitive
Confidential / Highly Sensitive
Restricted / Regulated

*Public data is generally safe to use with public AI tools. However, using large datasets, combining multiple sources, or adding extra context can introduce new privacy, security, or ethical risks. Before sharing data, review the tool's terms of use and think carefully about how the data might be stored or reused. When in doubt, treat the data cautiously and use approved and trusted tools.


Enterprise-approved AI

Enterprise-approved AI tools at KU and how they may be used with university data are described below.

 

Microsoft Copilot is approved for use with university data classified as public, sensitive, and confidential when:

- the user is signed in with a @ku.edu account, and
- Enterprise Data Protection is active (indicated by the shield icon).

Use of Copilot with restricted data requires prior consultation with departmental Technology Support Staff and may be subject to additional review or approval to ensure compliance with university data classification, security, and regulatory requirements.

See the Approved AI tools page for additional options at KU.

Microsoft Copilot is approved for use with university data classified as public, sensitive, and confidential when:

- the user is signed in with a @kumc.edu account, and
- Enterprise Data Protection is active (indicated by the shield icon).

KUMC Copilot operates within a HIPAA-aligned enterprise Microsoft 365 environment and leverages enhanced technical, legal, and security controls in place through shared Microsoft 365 services with the University of Kansas Health System. When Enterprise Data Protection is active, Copilot may be used for routine, minimum-necessary handling of restricted data in routine Microsoft Office workflows.

HIPAA-compliant AI tools may be available through the KUMC Office of Research Informatics, including approved Databricks and Azure OpenAI environments, to support research or operational use cases involving regulated data, higher volumes, or more advanced processing than is appropriate within standard Microsoft Office workflows.


⚠️ Advanced Use and High-Risk Data

Advanced or sustained AI use involving regulated or highly restricted data, particularly processing at scale, requires consultation with University information security and research support offices.


Do not enter Controlled Unclassified Information (CUI) into Microsoft Copilot or other AI tools unless an explicitly approved, compliant secure environment has been authorized.


For questions or unclear situations, contact ai_taskforce@ku.edu before proceeding.