Limitation
M365 Copilot is a multi-functional tool that can be used for a variety of tasks. Given its wide range of functions, it can also be used to process personal data as part of its operations.
It is not possible to conclude on a general basis that the tool can be used in accordance with data protection regulations. Although certain tasks performed by M365 Copilot do not in principle require the processing of personal data, such processing will almost always occur due to the tool’s inherent characteristics.
In this final report, we have chosen to focus on a few basic topics. First, we explain what M365 Copilot is and how it works. We then provide a general description of how we understand M365 Copilot in light of data protection regulations, together with a review of key terms and factors to be aware of. We also look at the basic prerequisites for using M365 Copilot, including the need for ‘getting your house in order’. These assessments are also relevant for other AI tools. Finally, we highlight the importance of data protection impact assessments (DPIAs) and what to be aware of if you are considering using M365 Copilot.
NTNU tested M365 Copilot on three use cases: ‘beginning an official study’, ‘minutes function’ and ‘case management via e-mail’.
Read more about the use cases in NTNU's report, pages 43-51 (in Norwegian only).
These use cases were chosen because they may also be relevant for other public sector organisations. In this final report, we have taken NTNU’s use cases as a starting point, but we have made use case C a little more specific in order to have a clear and distinct purpose. This example does not necessarily reflect NTNU’s actual work process, but is used for the sake of illustration. It is important to note that each use case may involve several types of processing of personal data.
Three use cases
Use case A: | A researcher uses M365 Copilot to collect information (data collection) before the official study can start. The researcher has access to information from the internet, previous documents they have written themselves or documents they have access to (but written by others). M365 Copilot can help the researcher to get an overview of relevant data material in order to make necessary assessments in line with the instructions for the study, get help with the actual writing (drafting) and proofreading/improving the language. |
Use case B: | An employee is assigned responsibility for ensuring that agreement on something is reached in an internal meeting between two or more parties. They call a digital Teams meeting, or a physical meeting where Teams actively listens to the meeting. The meeting is recorded and transcribed. M365 Copilot uses the transcript, the calendar invitation information, and ‘nearby documents’ to summarise the meeting. |
Use case C: | An employee is going to assess whether an application for admission to a master’s programme submitted by email is complete (i.e. contains all the required information) and respond to the application by either confirming that the application is complete or requesting more information. |