Data privacy and retention

Generative AI systems touch **prompts, retrieved documents, logs, embeddings (OpenAI embeddings guide), and tool outputs**. Each layer can persist personal data longer or wider than users expect. Privacy review in week five of a pilot forces rework or shutdown.

Legal and privacy teams need plain-language answers: what is collected, where it is stored, who can access it, how long it is kept, and whether providers train on customer content. Engineering implements those answers in architecture, not in footnotes.

Sensible pilots proceed when **data classification (Microsoft Copilot data protection), minimisation, and retention schedules** are documented before indexing. Blocking everything blocks learning; indexing everything blocks compliance.

Not every document belongs in a **vector index (Azure vector search) or general copilot. Separate public, internal, and restricted** corpora with different access controls, retention, and model routes.

HR files, customer PII, health information, and legal privilege material often require exclusion, redaction, or dedicated indexes with stricter IAM. Default deny beats default include.

Classification must match source system ACLs. If SharePoint (Azure RAG concepts) denies a user the file, RAG (Azure RAG concepts) must not surface it. Pilots that ignore ACLs create audit findings at scale.

Champions often push for "just add one more folder." Council should require classification label and owner signature per new source.

Users paste names, employee IDs, customer account numbers, and medical details into chat despite training. Assume prompts contain sensitive data unless proven otherwise.

Minimisation means redacting or blocking patterns before model send where policy requires. Detectors are imperfect; combine automated redaction with user warnings and refusal for high-risk workflows.

Structured workflows should collect identifiers in forms with explicit purpose, not free-text chat, when possible. Forms enable validation and audit.

Tool calls can leak PII into logs and third-party systems. Scrub tool arguments in logs and restrict tool scopes to least privilege.

Decide explicitly whether you store full prompts, model outputs, hashes only, or redacted excerpts. Each choice affects debugging, eval replay, and legal discovery.

Align retention with DPAs, employment law, and sector rules. Some providers offer zero-retention or no-training options for eligible tiers. Document what you purchased vs what you assume.

Shorter retention reduces risk but limits incident investigation. Typical pattern: 30 to 90 days for redacted conversation logs in production, longer for aggregated metrics only.

User-facing privacy notices must match actual retention. If logs exist for security, say so plainly.

Vector indexes store **embeddings (OpenAI embeddings guide) derived from source documents**. Even when raw text is not stored in the index, embeddings can enable reconstruction or inference in some threat models. Treat indexes as sensitive assets.

Re-index when documents change classification or are deleted. Stale chunks in an index are a retention violation if source deletion should remove access.

Separate indexes by classification and region. Do not mix ANZ HR policies with EU customer data in one searchable pool without legal review.

Backup and disaster recovery copies inherit the same retention and access rules as primary indexes.

Data residency commitments often drive cloud anchor choice. Document which regions host models, search, logs, and backups. User travel and remote work can complicate jurisdiction assumptions.

Cross-border transfer requires legal mechanism: standard contractual clauses, adequacy decisions, or binding corporate rules. Engineering cannot resolve this alone.

Failover to another region for availability may violate residency if not disclosed. Gateway failover rules need legal review, not only SRE review.

Australian organisations often require APAC regions with clear subprocessors list. Publish region map in security evidence pack (review pack guide).

Vendor questionnaires ask whether customer content is used to train foundation models. Answers vary by product tier, configuration, and date. Version your answers when providers update terms.

Maintain a **subprocessor (production readiness conversation) list**: model providers, embedding services, safety APIs, observability (AI SDK telemetry) vendors, and log storage. Procurement and privacy rely on the same register.

Enterprise agreements may add contractual terms beyond public policies. Track which workloads are covered by which agreement.

When switching models via gateway, subprocessors change. Treat model promotion as a privacy change requiring review if data handling differs.

A bank pilots HR policy Q&A for 2,000 staff. Corpus excludes individual case files and performance reviews. Only published policies with effective dates enter the index.

Users receive notice that questions may be logged in redacted form for 90 days. PII redaction (Azure Content Safety) runs on outbound prompts. Escalation to HR advisers for personal cases is mandatory when questions include individual identifiers.

Legal accepts pilot because citations tie to approved documents and restricted data never entered the index. Scale requires quarterly ACL (Azure RAG concepts) sync and privacy impact assessment update.

Lesson: narrow corpus and clear escalation beat broad "ask anything HR" scope.

A telco builds **CRM (AI SDK agents) research assist** for account managers. Customer names and account numbers appear in tool responses. Logs scrub arguments; only internal user IDs correlate sessions.

Customer PII never enters the general copilot index. CRM (AI SDK agents) tool reads live with OAuth scoped to the user’s accounts. Outputs stay inside CRM UI, not emailed externally by default.

Retention on CRM (AI SDK agents) tool audit logs follows customer record policy, often seven years. Chat ephemeral layer retains 30 days redacted.

Privacy sign-off requires DPIA referencing both CRM (AI SDK agents) DPA (Microsoft Copilot data protection) and model provider DPA.

Who may read conversation logs, index contents, and eval datasets? Restrict to break-glass roles with MFA (OWASP LLM Top 10) and audit trail.

Support staff debugging production need redacted views by default. Full prompt access requires ticket and manager approval.

Champions and sponsors should not browse employee chats casually. Programmes lose trust quickly when measurement feels like surveillance.

Align access model with existing SIEM (AI SDK telemetry) and ticketing roles rather than inventing parallel admin groups.

Privacy intersects safety when outputs expose third-party personal data or confidential material from retrieved documents. Content safety (Azure Content Safety) filters reduce harm but do not replace access control.

Configure safety thresholds with legal for regulated industries. Log safety scores without storing blocked harmful content verbatim when possible.

Incident response for privacy breach via model output mirrors traditional data breach playbooks: contain, notify, preserve evidence, remediate index or prompt path.

Azure Content Safety (overview) and similar services are subprocessors with their own data handling terms—see the Azure Content Safety.

Security and privacy reviews ask for data-flow diagrams, retention schedules, **subprocessor (production readiness conversation) lists, and sample redacted logs**. Prepare these once and version per release.

Answer questionnaires with specific configuration facts: region, retention days, training opt-out status, encryption modes. Avoid generic "we use Azure" responses.

Link controls to demo patterns in vendor documentation (Azure AI Foundry documentation) as reference implementations, not proof your production config is compliant.

When auditors visit, show deletion job success metrics and ACL (Azure RAG concepts) sync lag dashboards, not only policy PDFs.

Pilots may use synthetic or anonymised data and smaller cohorts, but should still implement classification, ACL (Azure RAG concepts)-aware retrieval, and documented retention. "Pilot" is not an excuse for production customer PII in dev tenants.

Production bar adds tested deletion, legal hold integration, DPIA (Microsoft Copilot data protection) or PIA on file, user notice, and quarterly access reviews.

Graduating pilot to production triggers privacy change assessment if scope, region, or data classes expand.

stop rules (NIST AI RMF) from scoping guide apply: if privacy blockers cannot close in two weeks, pause rather than bypass.