
Classified information, four questions, and tips

🎯 Learning goals

  • Understand that classified information and personal data are separate categories
  • Know to check your organization’s information classification policy, not just data protection rules
  • Leave with a practical checklist and the tools to correct common myths

Not all sensitive information is personal data. Classified information — in the sense of information your organization has marked as restricted or confidential for operational or security reasons — is a separate category.

Examples:

  • Internal government deliberations that haven’t been made public
  • Commercially sensitive procurement information
  • Security-related information (threat assessments, infrastructure vulnerabilities)
  • Information subject to professional secrecy (such as certain types of legal or medical advice within an organization)

GDPR doesn’t cover this type of information — but your organization’s own information security policies do, and so does general administrative law in many cases.

Your organization’s information classification policy determines what can go into which systems. Even if a given assistant is technically approved for personal data, it may not be approved for classified internal information — and these are different questions.

Before working with classified documents or sensitive internal information in an assistant, check:

  • What classification level has your organization assigned to this information?
  • What does your IT or information security policy say about using AI assistants with this classification?
  • Is the assistant you want to use deployed in an environment consistent with that classification?

When in doubt, treat the information as more sensitive rather than less, and ask.

Example: You’re drafting a report for your municipality that references an internal legal opinion marked “for official use only.” Whether you can include that in an assistant prompt depends on the classification of both the document and the assistant — not just one of them.

Before using an assistant with data you’re not certain about, run through these quickly:

  1. Is this assistant approved for this type of data? Check the security classification. If you’re unsure, ask your administrator.
  2. Am I sharing only what’s actually needed for this task? Think about whether you can accomplish the same result with less personal information.
  3. Is a human making the final decision here? If the AI’s output will directly result in a consequence for a person, make sure a human reviews and takes responsibility.
  4. Does this feel like a new use case? If the way you’re using the assistant differs meaningfully from its intended purpose, or involves sensitive categories of data at scale, flag it to your DPO before proceeding.

A few things you might hear from colleagues — and how to respond:

“If a human reviews the output, everything is fine legally.”

Mostly, yes — but the review has to be genuine. If someone is technically “in the loop” but in practice never changes or questions the AI’s output, regulators and courts may not treat that as meaningful human oversight. The human reviewer needs to actually understand what the AI recommended and be in a position to disagree.

“AI assistants are trained on what I type, so I should avoid personal data entirely.”

Intric, by default, does not use your prompts or data to train AI models. Your data stays yours. This is one of the key differences between a platform like Intric and a consumer AI product. That said, this doesn’t mean anything goes — data protection requirements apply regardless of training.

“A DPIA is a massive legal project — we can’t do one every time we use AI.”

A DPIA isn’t required for every use of AI. It’s triggered by specific circumstances (as described in the previous section). For many everyday uses of an assistant — drafting, summarizing, researching — no DPIA is needed. What matters is recognizing when the threshold is crossed.

“The AI Act and GDPR say the same thing, so I only need to think about one of them.”

They’re related but distinct. GDPR is about protecting personal data. The AI Act is about the safety and trustworthiness of AI systems. They often point in the same direction, but they have different requirements and different triggers. For AI Act obligations specific to your organization, see the AI Act course.


There is a lot of myth and uncertainty circulating about AI and data protection. When in doubt, go to your administrator or data protection officer, check your organization’s internal guidelines, or read primary sources — you’ll get a more accurate picture than from most online summaries.
