Data, Privacy, and Confidentiality

Learning Goal

Classify information by sensitivity, decide what should not be shared with an AI system, and redesign the task so useful work can continue with less exposure.

Interactive Lab

The data boundary test

0/5

Scenario

A public office teammate wants to paste inbox messages into an AI tool to summarize service themes and suggest process improvements. The task sounds ordinary. The data is not.

For each message, choose the handling action and the risk signals. Then write the sanitized summary and safer prompt you would actually use.

Summarize these public-service inbox messages by theme and suggest three process improvements. Include examples and identify urgent cases.

Use as-isNo sensitive or unnecessary detail is present for the task.

Redact firstRemove direct identifiers such as names, emails, case IDs, or exact records.

Generalize/abstract firstReplace specifics with categories while preserving the useful theme.

Approved process firstStop and use an approved office route before putting this information into AI.

Message 1

My benefits renewal link does not work. My case number is A-104928 and my email is maya.rivera@example.org.

What would you do before using this message?

Use as-isRedact firstGeneralize/abstract firstApproved process first

What risk signals do you see?

Direct identifierCase or record detailInternal or office-sensitive detailUrgency or deadline cueSensitive service contextPrivacy concern

Message 2

The lobby check-in kiosk is confusing. It asked me to scan the same document twice.

What would you do before using this message?

Use as-isRedact firstGeneralize/abstract firstApproved process first

What risk signals do you see?

Direct identifierCase or record detailInternal or office-sensitive detailUrgency or deadline cueSensitive service contextPrivacy concern

Message 3

The disability accommodation form is not compatible with my screen reader, and my hearing is Friday.

What would you do before using this message?

Use as-isRedact firstGeneralize/abstract firstApproved process first

What risk signals do you see?

Direct identifierCase or record detailInternal or office-sensitive detailUrgency or deadline cueSensitive service contextPrivacy concern

Message 4

The public-records request portal times out when I upload exhibit PDF files for request PRR-22017.

What would you do before using this message?

Use as-isRedact firstGeneralize/abstract firstApproved process first

What risk signals do you see?

Direct identifierCase or record detailInternal or office-sensitive detailUrgency or deadline cueSensitive service contextPrivacy concern

Message 5

Please add a note to my housing case: I am staying at a confidential shelter after a safety incident and cannot receive mail at my old address.

What would you do before using this message?

Use as-isRedact firstGeneralize/abstract firstApproved process first

What risk signals do you see?

Direct identifierCase or record detailInternal or office-sensitive detailUrgency or deadline cueSensitive service contextPrivacy concern

Create a sanitized summary that preserves useful public-service themes but removes unnecessary exposure.Write at least 88 characters. Use at least 14 words.Write a safer prompt for the AI tool.Write at least 72 characters. Use at least 11 words.Judgment Challenge: separate theme summary from case follow-up.Role: you are preparing a morning briefing for the office director. The director wants useful process themes, not a case review, but the inbox includes people who may need urgent help.

Before You Act

Choose at least two considerations that should shape the boundary between AI-assisted theme analysis and approved case follow-up.

Which details are actually needed for theme analysis?Which messages are really case follow-up, not feedback?Which deadlines or hearings could be harmed by delay?Is this tool approved for this kind of office data?Who owns urgent or sensitive follow-up after the summary?

Decide what can safely be summarized by AI and what must stay in an approved office process because it involves a person, record, deadline, accommodation, housing, or safety issue.Write at least 104 characters. Use at least 19 words.

What your answer shows so far

0/5 usable checks

This section shows what the page can detect in your answer so far. At least 3 checks are needed before the review opens. You may manually mark one missed check when your answer is defensible. This still does not verify correctness, policy compliance, or role authorization.

0/5 checked by you

• Removes direct identifiers and case specificsThe summary task does not require emails, case numbers, request IDs, confidential locations, or safety details.
• Preserves useful public-service themesMinimization should not erase the public-service purpose of the task.
• Separates urgent follow-up from theme analysisSome cases need routing or follow-up, not just aggregation into themes.
• Tells AI not to infer sensitive factsA safer prompt sets boundaries on what the model should not infer.
• Keeps approval or policy uncertainty visibleThe learner should not assume every tool is approved for every data exposure.

Before reveal

• Choose a handling action for every message
• Flag risk signals for every message
• Write a sanitized public-service summary
• Write a safer prompt
• Show at least 3 review checks, including up to one learner-marked override
• Choose at least two Before You Act considerations
• Complete the Judgment Challenge

Reveal boundary review

Productive Struggle

The trap is that the task sounds routine: “summarize the public office inbox.” But the inbox messages mix ordinary service-improvement feedback with direct identifiers, case or record details, urgency cues, and sensitive benefits, accessibility, public-records, housing, or safety context.

The learner should experience that data risk is not always obvious from the task label.

Debrief

Useful AI work often starts by reducing exposure. The goal is not always to avoid AI entirely. The goal is to decide what information the task actually requires and remove what the task does not need.

Strong answers should notice:

• direct identifiers
• case numbers, request IDs, or other record references
• office-sensitive or policy-sensitive details
• urgency or deadline signals
• possible sensitive service context
• whether the AI tool and organizational policy allow the use
• what can be safely summarized and what requires an approved route

Self-Check Rubric

• Emerging: notices obvious personal identifiers but misses indirect or office-sensitive details.
• Developing: redacts direct identifiers and flags at least one non-obvious service or record sensitivity.
• Proficient: creates a useful sanitized version while preserving the public-service purpose.
• Advanced: separates theme analysis from cases that need approved follow-up or escalation, and defends what should stay out of the AI tool.

Transfer Principle

Before using AI, ask what data is being exposed, whether the tool is approved for that exposure, and whether the task can be redesigned with less sensitive input.

Grounding

This module aligns with privacy risk management, data minimization, and organization-specific approval boundaries.

• NIST Privacy Framework
• NIST AI RMF

Source note: these references support privacy-risk thinking and data-boundary questions. They do not replace an organization’s data classification rules, contracts, security review, or legal obligations.