Data Retention, Access, & Privacy in Copilot and other Microsoft Tools

The following is a copy of a message sent on October 16, 2024, to all JMU employees.

Artificial intelligence (AI) is rapidly advancing and evolving, and the productivity and collaboration tools that many of us use daily are changing apace. In September, we shared information regarding Copilot with Data Protection, the new generative AI chat service provided to all faculty and staff through your campus Microsoft 365 account. Since then, Microsoft has introduced two significant updates in appearance and functionality of which I would like to make you aware:

• When you log into Copilot with your JMU credentials, data protections continue to apply to your session(s), but the icon indicating protection has changed. Formerly, the icon was a green shield, but Microsoft has now changed the icon to a black outline of a shield. An example, including login instructions, can be found on our Generative AI service page.

• Copilot chat session history is now saved for your convenience in recalling Copilot’s responses to your prompts. Each time you return to Copilot, you are shown a list of your recent sessions in chronological order. At your option, you may delete an individual stored session by clicking the ellipsis next to the item and choosing the “Delete” option, or you can delete your entire Copilot history at one time. The history feature cannot be disabled administratively. Data from Copilot interactions are stored in a manner that is not designed to be accessed by JMU technology staff.

Speaking of data, I would like to take this opportunity to discuss other Microsoft tools, including email, OneDrive, and Teams. IT is often asked whether our staff or others on campus may be reading messages or files stored within these tools. In short, the answer is no. Generally, if you abide by JMU Policy 1207 on Appropriate Use of Information Technology Resources, IT has no reason to access any of your data. There are limited exceptions, and I would like to clearly identify some notable ones:

• Your data may be accessed as required for legal discovery. JMU is sometimes involved in legal proceedings and is also subject to regulations including the Freedom of Information Act (FOIA). When a legal situation arises requiring access to your data, Information Technology works with the Office of University Counsel to collect and review this information according to established procedures.

• Your data may be accessed to perform maintenance or provide technical support. In cases where an individual contacts IT with an issue or question, data may be accessed while the requested support is being provided. This access ceases when the issue is resolved. Similarly, data may be accessed during system-wide maintenance or support operations, such as when troubleshooting email delivery, storage consumption, system inaccessibility, or other issues impacting many individuals at once. Again, the focus of IT staff in these situations is not your data; their focus is on determining the cause of an issue and resolving it.

• Your data may be accessed by automated tools for university data protection. Information Technology uses tools such as Spirion Sensitive Data Finder to ensure that sensitive information is not inadvertently stored in an area where such storage is not allowed. When these tools scan for sensitive data, they perform pattern matching to identify files where sensitive data may be located. IT then uses scan results to contact file owners and alert them to the presence and location of the data, but IT does not read or analyze the data itself.

Please know that IT takes its responsibilities to steward institutional data and protect your privacy seriously, and we strive to always bring you the latest information about our tools and services. You can learn more about JMU’s shared approach to data governance here, and should you ever have questions or want more information, you can always reach out to us through the IT Help Desk at (540)568-3555 or helpdesk@jmu.edu.

Robin Bryan, AVP for Information Technology/CIO