AI & Data Protection
2 Simple Rules
"What am I allowed to do with AI?" is a simple question with a complex answer... the landscape of AI tools is constantly evolving, so even the most comprehensive guide is out of date by tomorrow. That is why it is important for staff to understand the principles those decisions are based on.
Here are the two simple rules for keeping data safe:
This page will guide you through each rule and explain what you need to consider when using AI, as well as demonstrate some of the capabilities it offers. All the graphics and videos on this page were generated using AI tools.
1. Know your data
WeST classifies its data into four categories: Public, Internal, Confidential, and Highly Confidential.
Most files and email will not have any obvious label to tell you its classification. But it is implied by the nature, source, and content of the data.
The majority of our work in WeST will be using Internal or Confidential data. The most sensitive data we work with is Highly Confidential. We also work with large quantities of Public data which includes anything created by WeST for release (e.g. school newsletters) as well as anything anyone else has made publicly available on the internet.
Click the image above if you would like a 2 minute breakdown of our Data Classifications, created by an AI.
2. Know your tools
The higher the data classification, the greater the risk, and therefore the fewer AI tools it is appropriate to use. In WeST, we have Enterprise-level Data Protection Agreements with companies like Microsoft and Google for Education, that allow sensitive data to be input into specific AI tools safely. Outside of those Agreements, it is essential we do not breach Data Protection by inputting and pupil or staff data.
Be especially wary of any free online tools you use. Remember: if a tool is free to use, then they are making money from your data and inputs.
| Data Classification | Can I use AI with this data? | Approved AI Tools | Mandatory Safeguards* |
|---|---|---|---|
| Public | ? Yes | Microsoft 365 Copilot, Google Gemini, NotebookLM, ChatGPT, Claude... Any tool that meets WeST's basic AI requirements (see below) |
Always verify quality and accuracy before releasing or making decisions based on AI generated content. |
| Internal | ? Yes (with care) | Microsoft 365 Copilot, Google Gemini, NotebookLM | As above, and must be logged-in to the platform with your School/WeST account, not a personal or guest account. |
| Confidential | ?? Limited | Microsoft 365 Copilot | All of the above, and must be used with Work M365 Copilot only (via Chat, or using Copilot hosted within apps like Work and Excel). |
| Highly Confidential | ?? Very limited | Microsoft 365 Copilot | All of the above, but with particular thoughtfulness and care. |
*Want to know why these Safeguards are in place? Click here.
| Data Classification | Safeguard | Reason |
| Internal | Users must be logged-in to the platform with your WeST account, not a personal or guest account. | This helps to ensure that work-material and your personal usage are kept separate, and one can be deleted without losing the other. This is basic, healthy work/personal separation. |
| Confidential | Must be used with Work M365 Copilot only (via Chat, or using Copilot hosted within apps like Work and Excel). | With any sensitive information, the more copies there are and the more often it is copied into other platforms and services, the greater risk there is of accidental release. Copilot is built-in to our infrastructure, and so can work with data within our tenancy without any need to export it elsewhere. |
| Highly Confidential | Must be used with Work M365 Copilot only (via Chat, or using Copilot hosted within apps like Work and Excel). | AI tools can surface, summarise, and recombine information in unexpected ways, increasing the risk of unintended disclosure. Use of Highly Confidential data is therefore restricted to Copilot. |
Summary
If you are making lesson plans and resources, or trying to get a summary of a long DfE publication, or working with any other Public data, it's absolutely fine to use whichever AI tool you are most comfortable with, and best suits your needs.
It is when you want to work with any pupil or staff data, even if it is only names, that it immediately becomes essential to only use tools we have Data Protection Agreements for. Many software platforms and tools have AI built into them; every platform we use in WeST must have a Data Protection Impact Assessment (DPIA) completed to ensure it uses our data safely. So if an AI tool is provided for you by WeST/your school (e.g. Copilot), that will have a DPIA in place to ensure it uses data safely.
No pupil, staff, or other Confidential or Highly Confidential data should ever be input into a tool that does not have a DPIA.
Basic AI Tool Requirements
For all work purposes, WeST expects AI tools to be legal and appropriate for business use. Mainstream tools like Copilot, ChatGPT, etc., easily meet all of these criteria.
All AI tools used for any work purposes in WeST must fulfil all the following criteria:
- Provide information detailing how personal data is collected, used, and protected when using their services, and
- Allow use of the tool for business purposes, or otherwise do not restrict services to personal use only, and
- Disclose (at least in general terms) what kind of data the model was trained on, and if any special datasets (like copyrighted books, medical data, etc.) were included, and
- State explicitly whether the user’s input is used to train the AI model.