Tools and Considerations

AI tools vary widely in how they collect, store, and use data. Selecting an appropriate tool is therefore not just a technical decision, but a matter of privacy, security, academic integrity, and institutional responsibility. Using the wrong tool with the wrong type of data can expose sensitive information, create compliance risks, or lead to unintended misuse of AI‑generated outputs. CMU encourages all users to begin with the question “What kind of data am I working with?” and then choose tools that are approved and appropriate for that level of sensitivity. The guidance below is designed to help you make informed, responsible choices that balance innovation with care. 

| Data type | Definition | Examples | Permissible use in AI tools |
| --- | --- | --- | --- |
| Public/nonsensitive | Information that is intentionally made public or carries no reasonable expectation of privacy or confidentiality. Disclosure poses little to no risk to individuals or the university. | Published web content, publicly available reports, de-identified examples, general concepts. | May use consumer or enterprise tools such as Copilot, Gemini, ChatGPT or other generative AI apps. Review outputs for accuracy, bias, IP, and reputational impact. |
| Internal/protected | Information intended for use within CMU that is not public but does not rise to the level of regulated or legally protected data. Unauthorized disclosure could cause operational, reputational, or minor legal risk. | Draft memos, nonpublic course materials, internal FAQs, internal presentations. | Use enterprise-licensed Microsoft Copilot with stated data protections; avoid unapproved consumer tools. |
| Confidential/student- or employee-related | Information protected by institutional policy or law because it is linked to identifiable individuals or sensitive university operations. Unauthorized disclosure could cause harm to individuals or significant institutional risk. | FERPA-covered student records including assignment grades, advising notes, HR records, personnel evaluations. | |
| Regulated/restricted | Information subject to strict legal, regulatory, contractual, or ethical controls. Mishandling may result in severe legal, financial, or compliance consequences. | HIPAA health data, PCI payment data, CUI, export-controlled data, IRB-restricted research data. | Not permitted in generative AI tools unless CMU formally authorizes a compliant, secured environment. |