Module 1 · Lesson 4 of 5
Data Privacy and Responsible Use
GuideHerd Academy
Why this matters more for professional services
Professional services firms handle sensitive information as a matter of course: client identities, legal strategy, financial details, health information, personnel records. The same information that makes your work valuable also makes data handling a serious responsibility.
Most consumer-facing AI tools were not designed with professional confidentiality obligations in mind. Some log conversations. Some use inputs to improve future models. The approved tools in your GuideHerd workflow have been selected with these concerns in mind — but the rules in this lesson apply regardless of which tool you are using.
Rule 1: Use only approved tools
Your firm has approved specific AI tools for specific workflows. Use those tools. Do not use consumer AI tools (free chatbots, browser extensions, personal subscriptions) for firm work involving client information, even for quick tasks.
The approval process for a tool includes evaluating its data handling practices, its terms of service, and whether it meets the firm's confidentiality requirements. Using an unapproved tool bypasses that evaluation.
If you are unsure whether a tool is approved: ask before using it. The cost of asking is low. The cost of a confidentiality breach is not.
Rule 2: Never paste secrets, credentials, or tokens
Do not paste the following into any AI tool under any circumstances:
- Passwords
- API keys or access tokens
- Database connection strings
- Private keys or certificates
- Two-factor authentication codes
- Login credentials of any kind
This applies even if you trust the tool and even if you are just "trying something." Credentials entered into a third-party system are credentials that have left your control.
Rule 3: Avoid sensitive client data unless the workflow is approved
Sensitive client data includes names combined with identifying details (matter number, case details, financial information), health information, personnel records, and anything covered by a confidentiality agreement or professional duty of confidentiality.
Before pasting client information into an AI tool, confirm that the workflow you are using has been approved for that type of data. When in doubt, redact or generalize before submitting.
Practical test: Would you be comfortable if your client saw exactly what you typed into the AI tool? If not, either redact it or use a different approach.
Rule 4: Redact unnecessary details
Most AI tasks do not require full identifying information to produce useful output. Before submitting a prompt that includes client details, remove anything that is not necessary for the task.
- Replace client names with descriptors ("the client," "the counterparty," "a mid-size manufacturer")
- Remove matter numbers unless they are needed for the task
- Remove specific dates that identify the matter when general timing is sufficient
- Remove financial figures when the task is about structure, not specific amounts
Redacting unnecessary details before submitting is a habit, not an extra step. It takes seconds and reduces the information footprint of your AI use.
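Rule 2 and Rule 4 can be enforced mechanically before a prompt ever leaves the firm. The script below is an added illustration, not GuideHerd code or part of any approved tool: it blocks a prompt outright if it matches any of the Rule 2 secret categories and otherwise applies the Rule 4 redactions (client names, matter numbers, specific dates, financial figures). The regular expressions, the placeholder tokens and the sample prompt are constructed for this example and are deliberately narrow.

```python
"""Pre-submission prompt check: block secrets (Rule 2), then redact identifiers (Rule 4)."""
import re

# Illustrative patterns for the Rule 2 categories. Constructed for this example;
# a production scanner would use a far larger, maintained rule set.
SECRET_PATTERNS = {
    "private key or certificate": re.compile(r"-----BEGIN (?:[A-Z ]*PRIVATE KEY|CERTIFICATE)-----"),
    "connection string": re.compile(r"\b\w+://[^/\s:]+:[^@\s]+@"),  # scheme://user:pass@host
    "api key or token": re.compile(r"\b(?:sk|ghp|xox[abp])[-_][A-Za-z0-9_-]{16,}\b"),
    "credential assignment": re.compile(
        r"\b(?:password|passwd|pwd|api[_-]?key|token|secret)\s*[:=]\s*\S+", re.I),
    "2fa code": re.compile(r"\b(?:code|otp|2fa)\D{0,10}\b\d{6}\b", re.I),
}

# Rule 4 redactions: matter numbers, specific dates, financial figures (placeholders are ours).
REDACTIONS = [
    (re.compile(r"\bMatter\s*(?:No\.?|#)?\s*\d{4,}\b", re.I), "[MATTER]"),
    (re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"), "[DATE]"),
    (re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d+)?"), "[AMOUNT]"),
]


def find_secrets(text):
    """Return the sorted names of Rule 2 categories found in text (empty list if clean)."""
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(text))


def redact(text, client_names=()):
    """Apply Rule 4: replace known client names with a descriptor, then strip identifiers."""
    for name in client_names:
        text = re.sub(re.escape(name), "the client", text)
    for pat, placeholder in REDACTIONS:
        text = pat.sub(placeholder, text)
    return text


def check_prompt(text, client_names=()):
    """Refuse any prompt containing a secret (Rule 2); otherwise return the redacted prompt."""
    hits = find_secrets(text)
    if hits:
        return {"allowed": False, "reasons": hits, "text": None}
    return {"allowed": True, "reasons": [], "text": redact(text, client_names)}


if __name__ == "__main__":
    # Constructed sample prompt: client name, matter number, amount and date all present.
    sample = "Summarize: Acme Corp, Matter No. 20481, paid $1,250,000 on 03/14/2024 to settle."
    print(check_prompt(sample, ["Acme Corp"]))
    print(check_prompt("Use this: postgres://app:Sup3rS3cret@db.internal:5432/prod"))
```

The redaction pass is a safety net for the habit described above, not a substitute for it: a pattern list only catches what it was written to catch, so the "would the client be comfortable seeing this" test still applies to whatever comes out.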
Rule 5: Treat AI output as draft material
AI output has not been verified. It should not be stored in a client file, sent to a client, or treated as the firm's work product until a qualified person has reviewed and approved it.
This matters for data handling because drafts that contain errors — including AI-fabricated details — can create a misleading record if they are stored or shared before review. Keep AI output clearly labeled as draft until it has been reviewed.
A note on model training
Some AI tools use conversation inputs to improve their future models. Most enterprise-grade tools offer a setting to disable this, and GuideHerd-approved tools are evaluated for this requirement. Even so, operate as though anything you type could be retained — because in some contexts, it can be. This is another reason to redact client details that are not necessary for the task.