About the project
The main purpose of the project was to investigate whether and how a large public organisation like NTNU could use M365 Copilot.
About NTNU
NTNU is an international university based in Trondheim with campuses in Gjøvik and Ålesund. The university’s main profile is in science and technology, and it offers a variety of programmes of professional study. Its academic breadth includes the humanities, social sciences, economics, medicine, health sciences, educational science, architecture, entrepreneurship and the arts. NTNU has 9,000 staff members and 43,000 students.
It is important to note that Microsoft uses the term ‘Copilot’ in various ways and several services operate under that name. This project is specifically about M365 Copilot, which integrates AI into existing Microsoft 365 services.
NTNU examined a number of different problems relating to the use of AI tools in the public sector. A key challenge was whether M365 Copilot can be used without personal data being processed in conflict with the GDPR. Another question was whether people would accept that their data could be used in contexts other than those for which they were originally collected. In addition, there are several ethical and organisational challenges related to the use of generative AI tools in general. NTNU also wanted to investigate risks associated with incorrect decisions as a result of, for example, discrimination and so-called ‘hallucination’.
NTNU also wanted to develop a toolbox with guidelines, frameworks and DPIAs that could be used by other public and private organisations. The goal was to make it easier to assess whether and, if relevant, how generative AI tools such as M365 Copilot can be implemented in the public sector in a responsible manner. NTNU also wanted to look at how suppliers could be influenced to consider data protection by design and by default early in the development process, with the aim of preventing privacy issues from becoming an afterthought towards the end of the procurement process.
Objective of the sandbox project
The scope of NTNU’s project was broad and covered more topics than just data protection. It was therefore important for the Norwegian Data Protection Authority to narrow down the scope of our involvement and assistance. The main objective has been to explore and clarify what data protection regulations require for NTNU and other public organisations to use tools such as M365 Copilot in a responsible and legal manner.
To do this, it has been necessary to look at:
- What M365 Copilot actually is and how it works, as well as generative large language models in general.
- How M365 Copilot can be understood in light of the data protection regulations at a high level.
- What prerequisites must be in place, including ‘getting your own house in order’.
- Whether one or more DPIAs are required, and what is particularly relevant to consider in light of M365 Copilot.
- Application of the Norwegian e-mail regulation.
Processing of special categories of personal data, cloud services in general, the transfer of personal data to third countries, and Microsoft’s role under the GDPR were outside the scope of the project.
Relationship to NTNU’s own findings report
NTNU published its findings report on 17 June 2024 in order to share its experience of M365 Copilot with other organisations. The report presents eight main findings that address not only data protection, but also ethical, legal, technical, and organisational issues.
The findings report may support and inspire both public and private organisations in their planning and assessment of generative AI tools, as well as contribute to the development of risk mitigation measures. In particular, we emphasise:
- NTNU’s toolbox, which provides information about what generative AI is and how to use it in a smart, safe and secure way.
- NTNU’s AI journey, with suggestions for an AI strategy, assessments per service and tips on procurement (NTNU’s findings report, pages 29–36).
- NTNU’s proposal for guidelines for generative AI.
We recommend that NTNU’s findings report be read in addition to this final report, which is intended to supplement the NTNU report in selected areas.
NTNU’s toolbox contains a data protection impact assessment (DPIA). NTNU chose to make an ‘overall’ assessment of M365 Copilot in the operational phase, where they looked at the technology as a whole. NTNU has not considered specific processing operations in light of specific purposes. This means that the work does not meet the requirements for what a DPIA must contain pursuant to Article 35 GDPR. However, the work provides information about NTNU’s experience of M365 Copilot and how the tool works in general, which can be useful if a DPIA is to be prepared.