Understanding Your Data Security Responsibilities
Sensitive data refers to any information that can identify individuals or is considered confidential, restricted, or proprietary. This includes (but is not limited to) electronic Protected Health Information (PHI), Personally Identifiable Information (PII), Individually Identifiable Health Information (IIHI), student information protected by FERPA, proprietary or non-public data such as employee records, intellectual property, copyrighted content, financial and accounting information, business and operational strategies, research results/data, and Confidential/Restricted data as defined by the Emory Disk Encryption Policy. All such information is collectively referred to as “Sensitive Information.” Sensitive Information may, and in most cases will, be protected by institutional, legal, and regulatory standards, including contractual obligations to third parties such as Data Use Agreements, that must be upheld throughout the data and AI lifecycle.
Public-facing AI platforms (e.g., consumer versions of ChatGPT, Microsoft Copilot, or Google Gemini) often collect and retain user inputs to train their models. Use of these public-facing AI platforms creates risks of inadvertent disclosure of Sensitive Information. To protect Sensitive Information, always use Emory-approved AI tools. Emory-approved AI tools provide secure, internal AI platforms like Microsoft Copilot, Qualified Health & Doximity GPT, allowing advanced model use without sharing data externally.
Best Practices
AI tools that have not gone through Emory’s EASAT review process may not be suitable for handling Sensitive Information such as Confidential or Restricted data (refer to the Emory Disk Encryption Policy). This applies to entering Sensitive Information into consumer-facing AI tools or deploying applications that process Sensitive Information without proper institutional approval.
Users should consult the Emory EASAT website for the current list of approved tools, tool descriptions, and scope of use. Even when working with publicly available or de-identified data, AI usage restrictions, along with any contractual or other legal obligations, must be followed.
All data may only be used in accordance with applicable policies, laws, and regulations. Only Emory-approved, secure AI technologies (EASAT) may be used when inputting or analyzing Sensitive Information such as Confidential and Restricted data, as defined by the Emory Disk Encryption Policy.
If Sensitive Information is inadvertently shared with a non-approved AI tool, the incident should be reported immediately to the Office of Information Security and the Office of Compliance for risk mitigation, assessment, and remediation.
When using AI to assist with sensitive academic writing, such as letters of recommendation for faculty promotions or academic appointments, users must not enter personally identifiable information into public systems. If AI is used to assist with drafting, individuals should use aliases (e.g., “John Doe”) in place of real names and remove all identifying details. Any further drafting should occur within secure environments (e.g., EASAT-approved tools) and follow institutional policies related to academic communication, confidentiality, and FERPA compliance.
Before inputting copyrighted or licensed materials, such as journal content, proprietary datasets, or third-party documentation, into any AI system, including EASAT, users must confirm that the intended use is legally permitted. Access to content through Emory’s institutional subscriptions does not automatically authorize AI-based processing. In particular, many license agreements explicitly prohibit inference-based use, such as summarization, question-answering, or semantic analysis.
Some commercial and academic content providers prohibit any automated analysis. Therefore, users must not upload entire PDFs of third-party licensed content or other proprietary files into generative AI tools, even for seemingly minor tasks such as paraphrasing or summarization, unless explicit permission has been granted.
To avoid potential violations, assess whether the use qualifies under fair use or other exclusions or privileges, falls within Emory’s institutional license agreements, or is otherwise authorized. If there is any uncertainty regarding usage rights, employees should consult the Office of General Counsel, Emory Communications and Marketing, or Emory Healthcare Marketing.
Unauthorized use or alteration of Emory trademarks, including logos, is strictly prohibited. For comprehensive instructions, please refer to the Emory Logo Use Standards.
Select and limit AI tool inputs to the smallest amount of data necessary to fulfill the intended purpose. Remove unnecessary identifiers, redundant variables, or extraneous records before processing. Examples of data minimization include:
- Using aggregated or de-identified data when individual details are unnecessary (including ensuring protected health information is de-identified in accordance with HIPAA standards)
- Restricting datasets to relevant time periods or cohorts
- Excluding variables unrelated to analysis objectives
Follow established data minimization guidelines (e.g., the California Consumer Privacy Act, CCPA) or HIPAA’s de-identification requirements. When in doubt, collaborate with the Office of Chief Data and Analytics Officer, Office of Information Technology, Office of General Counsel, or Office of Compliance to determine the appropriate data scope.
If you are interested in getting EASAT approval for an AI tool, please first review the EASAT website to determine whether other approved tools might meet your needs, because approval can take time (especially for sensitive data). For information on the EASAT submission process, please consult the EASAT website.