Guidelines for acceptable use of Microsoft 365 Copilot and Copilot Chat

The term “Copilot” refers here to Microsoft 365 Copilot and Copilot Chat, specifically, the following tools: Microsoft 365 Copilot experiences embedded in Word, Excel, PowerPoint, Outlook, OneNote, Loop and Teams; and Copilot Chat (the chat experience in Microsoft 365).

Published: 2026-04-28

1. Introduction and intended audience

This guideline is jointly issued by the University’s Access to Information and Privacy Office (AIPO), Information Technology (IT), Information and Archives Management (IAM) and the Office of the Chief Risk Officer (OCRO), reflecting a co-ordinated University approach to responsible, privacy-protective and human rights-affirming use of Microsoft Copilot within the University’s Microsoft 365 tenant (Enterprise version).

These guidelines apply to everyone who uses University information while accessing Copilot. “University Information” refers to a broad range of information, regardless of format or medium, used to support University academic, research, administrative and other activities that is created, received or held by or on behalf of the University.

Given the rapid evolution of Copilot and of the University’s uses and needs, these guidelines may be reviewed and updated accordingly.

Other AI generative tools are not covered by this guideline and must not be used with University information unless specifically approved by the University.

2. How Copilot works in the University tenant

Copilot protects University information through enterprise data protection. This means that prompts, responses and content accessed by Copilot are all handled under Microsoft’s enterprise data protection safeguards.

Copilot respects the user’s permissions and does not use University information for its models. 

It operates strictly within the University’s Microsoft 365 tenant, drawing only on information the user has access to through their University Microsoft 365 account.

3. Applicable policies

4. Sustainable and responsible AI usage

The University is committed to the sustainable, responsible use of AI technologies, including Copilot.

Users must:

  • Use Copilot to support legitimate organizational or academic work.
  • Use Copilot purposefully and efficiently, avoiding unnecessary or repetitive prompts that don’t add value.
  • Prioritize concise prompts and targeted use cases that reduce excessive processing.
  • Apply Copilot where it meaningfully improves productivity, quality or accessibility, rather than as a default replacement for human judgment.

Responsible AI use includes being mindful of the environmental impact, operational costs and the broader University footprint of AI technologies, while maintaining a focus on accuracy, fairness and accountability.

5. Acceptable use of Copilot

You can use Copilot to:

  • Draft, summarize and transform internal University content (e.g., summarize meeting notes, produce first drafts of communications, refine writing tone, extract action items). 
  • Translate records that present little to no risk, such as routine one-on-one communications with colleagues or clients on low-risk and non-sensitive matters. In limited circumstances, such as a complaint process, it can also be used for sensitive information when: 
    • there is a clear, legitimate purpose 
    • informed consent has been obtained from the complainant 
    • applicable privacy and security requirements are followed (e.g. translating a complaint with the complainant’s consent)
  • Accelerate routine tasks (e.g., create agendas, convert notes into tasks, generate outlines) where human review is maintained. 
  • Analyze authorized-access data, while respecting information classification in accordance with Policy 117 — Information Classification and Handling.
  • Prepare learning or teaching aids with unrestricted material, ensuring no personal information of students or employees is disclosed without authority. 

You must not use Copilot to:

  • Collect, use, disclose or input personal information without legal authority and a legitimate University purpose. Users must apply the data minimization principle, limiting personal information to what is strictly necessary to perform authorized work and avoid inputting sensitive personal information (e.g., personal health information, HR or legal material, or any other information where disclosure could cause significant harm to an individual or the University). 

Any use involving personal information must comply with the Ontario Freedom of Information and Protection of Privacy Act (FIPPA) and other protection of privacy statutes and regulations that may apply to the University, and applicable University policies and procedures listed above.

  • Make decisions that affect individuals’ rights or interests without appropriate human review, documentation and due process. “Automation bias” (the tendency to rely on automated systems) must be mitigated. 
  • Translate the following types of content: 
    • Records (AlertUO, security protocols, mental health resources, etc.) that could pose a risk to the health or safety of individuals.
    • Content (promotion to prospective students, staff recruitment, media relations, website pages) that could harm the reputation of the University of Ottawa.
    • Texts on matters (labour relations, governance) that could be a potential source of litigation.
    • Content (e.g., reflecting non-inclusive language or unequal treatment between Anglophones and Francophones) that could be perceived as discriminatory.

You must continue to seek support from Language Services for translations related to official University communications.

  • Circumvent confidentiality requirements or security controls (e.g., uploading content from University legal counsel related to legal advice or other solicitor-client privileged content that could result in unauthorized disclosure). 

6. Human oversight and quality assurance

Review Copilot outputs before use, as Copilot can make mistakes. Always verify the facts, references, numbers and logic Copilot provides. Avoid automation bias and remember that users are accountable for any outputs they rely on or share. 

You should also cite and verify all sources, confirming that any references provided by Copilot are authentic and complete, and you should keep records of your validation steps for important work.

7. Content standards for prompts and outputs

Avoid including sensitive details in prompts unless doing so is strictly necessary and authorized. For example, don’t enter personally identifiable information when a situation can be described in a general or de-identified manner. This helps reduce privacy risks and aligns with responsible information handling expectations. 

Write prompts in neutral, unbiased language. Avoid wording that could lead Copilot to generate outputs reflecting stereotypes or discriminatory assumptions. If biased or inappropriate output appears, re-prompt using more neutral language and document any corrections made when the output will be used for significant or high-impact purposes.

Respect copyright and third-party content restrictions when working with Copilot. This includes, but is not limited to, peer review material, student work and library resources (print, digital, electronic, audiovisual, and other resources, whether under licence or not).

Some licences of library resources restrict or prohibit use as inputs to AI systems. Before inputting library resources or other copyrighted content or prompts to Copilot, verify that you have the right to access and reproduce the content or prompt.

Don’t prompt Copilot to reproduce copyrighted or paywalled material verbatim beyond what is legally permitted (e.g., providing an accessible version of a document for persons with print disabilities, on request). Although Microsoft provides certain copyright-related safeguards within Copilot, users must still exercise care and ensure compliance with licensing and copyright rules.

8. Use‑case‑specific guidance

8.1 Use of Copilot in meetings

Be cautious when using Copilot during meetings and minimize the use of recording or transcription features. Don’t record Microsoft Teams meetings when personal information, health information, sensitive HR or student matters, or any topic that may fall under solicitor-client privilege or relate to anticipated litigation involving the University is being discussed. 

Never have Copilot record or transcribe privileged communications unless an approved exception is in place (e.g. for accommodation for disability purposes) or legal counsel has provided prior approval following a risk assessment. 

Recording or transcription may be appropriate in limited situations, such as training sessions where no personal information is discussed. In these cases, clearly notify all participants before recording or transcription begins. As well, ensure you have proper authorization and a legitimate reason for capturing any personal information, and verify that your retention practices align with the University's retention requirements.

When transcripts or AI generated summaries are kept, they become University records. You must therefore manage these materials under the appropriate classification, retention and access rules. Delete them when they are no longer required, in accordance with Procedure 20-4 – Disposition of Information.

8.2 Use of generative media features (images, video and visual content)

8.2.1 Images and visual content generation

You can only use Copilot features that generate images, diagrams, charts, or other visual content for legitimate University purposes and only with information you are authorized to use.

When using Copilot to generate images or visuals:

  • Ensure that no personal information, sensitive content or confidential University information is included in prompts unless explicitly authorized.
  • Use generated visuals primarily for conceptual, illustrative or draft purposes, such as presentations, learning materials using unrestricted content or internal communications.
  • Review all generated visuals for accuracy, appropriateness, bias and alignment with University values before sharing or publishing.
  • Avoid using Copilot-generated images in a way that could mislead recipients regarding authenticity, authorship or factual representation.
  • Avoid presenting Copilot-generated images as factual evidence, official records or authoritative representations without appropriate human validation and contextual explanation.

8.2.2 Video generation and multimedia outputs

Where Copilot features support video or multimedia generation (including scripted content, storyboards, or summaries):

  • Use such features only for low risk, non-sensitive content, such as training concepts, internal briefings or draft communications.
  • Don’t generate or distribute multimedia content that includes personal information, student data, HR information, legal discussions or other restricted material unless you have clear authority and an approved purpose.
  • Disclose the use of AI-assisted generation clearly when the audience could reasonably assume the content was entirely human produced.

8.3 Use of Copilot agents

Creators are responsible for the design of shared Copilot agents, and users are accountable for how agent outputs are used.

8.3.1 Creation of Copilot agents

Users can only create Copilot agents when this capability is enabled by the University and only for clearly defined, legitimate University purposes.

When creating Copilot agents, you should:

  • Ensure they align with approved administrative, operational or support activities.
  • Only use them as a disability accommodation measure where appropriate and reasonable.
  • Not use them to replace human decision-making where outcomes could affect individuals’ rights, services, employment, academic standing or legal obligations.
  • Prevent situations where an agent might independently initiate actions, generate decisions or operate without meaningful human review, unless you have explicit approval.
  • Specify the agent’s intended purpose, scope and limitations.
  • Avoid embedding personal information, sensitive data, credentials, confidential material or proprietary instructions in agent prompts or configurations.
  • Ensure the agent only accesses information the creator is authorized to access and that access is appropriate for the intended use.

8.3.2 Sharing Copilot agents

You can share Copilot agents only where there is a legitimate business need.

When sharing an agent:

  • Share only with individuals authorized to access the information the agent may reference.
  • Confirm authorization with the data owner before sharing an agent that uses a restricted-access knowledge source.
  • Ensure that sharing does not result in broad or unintended access to University information.
  • Communicate the agent’s intended use limitations and any known risks or assumptions clearly.
  • Understand that agents using enterprise data (SharePoint, OneDrive, etc.) can only be accessed by users with an M365 Copilot add-on licence.

8.3.3 Using shared Copilot agents

When using Copilot agents created by others, you must:

  • Understand the agent’s stated purpose and limitations before relying on its outputs.
  • Validate outputs for accuracy, appropriateness and context prior to use or dissemination.
  • Avoid using shared agents for purposes beyond those originally intended or communicated.

Using a shared agent does not reduce your accountability. You remain responsible for decisions, actions and communications informed by agent outputs.

9. Security and information handling expectations

Only share documents with those who need to know. Copilot inherits user access rights, so it brings up what recipients can already access. Even when Copilot draws from sources that are individually classified at a lower level of confidentiality, the combined (aggregated) output can reveal confidential information. 

Thus, treat any Copilot output according to the highest sensitivity level of the information it contains (including where aggregation increases sensitivity) and handle, store and share in accordance with Policy 117.

Only use your University of Ottawa Microsoft 365 account in the University tenant. Don’t copy University information into personal or external AI tools or personal cloud accounts.

10. Retention and records management

Copilot conversations and outputs are retained for 90 days. Chats and prompts are considered transitory working material and should only be kept for as long as needed to complete the task at hand. If you want to save prompts or outputs, do so in a separate University-approved repository, such as your personal OneDrive repository. 

If a Copilot output (e.g., a summary, draft or analysis) is used to inform decisions, becomes part of official correspondence or has ongoing value, save it in the appropriate University repository in accordance with Policy 23 — Policy on Information Management. Apply the correct classification and disposition schedule, and avoid storing important records only within a chat.

All Copilot outputs, including Copilot chats, are subject to access to information requests under FIPPA.

11. Transparency with students, colleagues and partners

Where appropriate, you must disclose that Copilot was used in drafting or analysis, especially for formal communications or documents that will be archived. Complete a human review and apply any corrections before sharing.

Don’t misrepresent AI-generated content as solely human authored when it would be misleading or contrary to academic or administrative integrity norms. 

12. Reporting a privacy breach

If you know or suspect that personal information has been inappropriately collected, used, disclosed, lost or accessed during the use of Copilot, you must:

  1. Contain the incident immediately, if possible (stop sharing, revoke access, secure files).
  2. Report it at once to your immediate supervisor.
  3. Complete a Privacy Breach Report Form to report a privacy breach, whether confirmed or suspected, to the Access to Information and Privacy Office. You must answer three preliminary questions to enter your information in the appropriate boxes.

Privacy breaches are handled in accordance with the University’s Privacy Breach Response Protocol (Procedure 20-8).

13. Training and awareness

You must complete the required Copilot training modules before using the tool with University information.