Controlling the exposure of data with M365 copilot and Microsoft copilot in Queensland Government guideline

Document type: Guideline
Version: v1.0.0
Status: Current, Non-mandated
Owner: QGCDG
Effective: September 2024–current
Security classification: OFFICIAL-Public
Category: Digital capability

Purpose

This guideline provides information and advice for agencies to consider when implementing Microsoft 365 copilot and Microsoft copilot. The purpose of this guideline is to promote a common approach to evaluating, communicating, and managing risks and issues associated with the uncontrolled or unauthorised exposure of data with M365 copilot and Microsoft copilot in a Queensland Government context. The use of such generative Artificial intelligence products and services for Queensland Government is governed by the same responsibilities, obligations, and policies as the use of other digital products or services.

Audience

This document is intended for:

  • Senior executives
  • Chief Information Officers
  • Risk managers
  • Procurement officers.

Scope

This guideline sets out data control considerations for two generative artificial intelligence (AI) Microsoft products: Microsoft 365 (M365) copilot and Microsoft copilot.

The document is provided as guidance only and does not seek to create new regulation governing the use of M365 copilot or Microsoft copilot for the Queensland Government or to provide legal, ethical, or implementation advice on the use of any specific product or service.

Background

Microsoft 365 (M365) copilot is a general-purpose AI chatbot within the M365 environment and available in all M365 applications including Word, Excel, PowerPoint, Outlook, and others. M365 copilot uses data within the agency’s M365 tenant to answer user questions and perform tasks such as summarising, analysing, and evaluating documents, researching new ideas, or helping to structure work packages, projects, and proposals.

M365 copilot uses as input data from the user’s environment including conversation history, documents associated with the prompt, and other M365 data available to the user. Web grounding is an M365 copilot plugin that, when enabled, uses additional information from the web as input for M365 copilot to provide better responses to the user. Web grounding uses data in accordance with the access classification and permissions configured by the user and by the agency's information management and technology management services.

A similarly named but separate product is Microsoft copilot (formerly called Bing Chat and Bing Chat Enterprise). Microsoft copilot is a general-purpose AI chatbot that is available to users signed in using their organisation’s Entra ID account. It helps users find information, generate content, and increase productivity. It is available online, is embedded in Windows, and is integrated into the Edge web browser.

Microsoft copilot uses as input data from the user's conversation history and other metadata. Commercial Data Protection ensures user data is encrypted and dissociated from the user’s and tenant’s details and no copilot data is retained by Microsoft.

In the context of this document, the terms ‘data’ and ‘information’ are used interchangeably. Further, the uncontrolled or unauthorised exposure of data means ‘…the accidental or deliberate exposure of data into an uncontrolled or unauthorised environment, or to persons without a need-to-know.’ (Australian Cyber Security Centre).

Takeaways

For M365 copilot

  1. Agencies should assess and mitigate the risk of uncontrolled or unauthorised data exposure when enabling web grounding or any similar plugins within M365 copilot.
  2. It is recommended agencies consider disabling web grounding if it poses an unacceptable risk of accidental or deliberate exposure of data into an uncontrolled or unauthorised environment, or to persons without a need-to-know.
  3. When web grounding is enabled, M365 copilot may automatically generate a web search query using the data sources it has access to in the user’s environment. These may contain personal, protected, sensitive, or official information that has been misclassified by the user or the agency’s information manager.
  4. The contents of the query that M365 copilot generates are variable and cannot be anticipated by the copilot user. Agencies need to assess and mitigate the risk that these queries may contain personal, protected, sensitive, or official information.
  5. Data contained in the search query leaves the agency’s tenancy when the query is sent to Bing Search API and is then no longer subject to security and risk mitigation controls of the tenant. Data located outside the M365 service boundary, including data that is transferred using M365 copilot plugins or connectors is not covered by the Microsoft Data Protection Addendum.
  6. Agencies should consider the advice provided by the Office of the Victorian Information Commissioner to disable data connectors in platforms such as Power Platform and Dynamics 365 as it may lead to the exposure of personal information. For further information see Use of Microsoft 365 copilot in the Victorian public sector. Advice from the Office of the Information Commissioner (Qld) is that the disclosure of personal information or the transfer of personal information overseas may constitute a breach of the Information Privacy Act 2009.
  7. Data sources accessed by M365 copilot may contain personal, protected, sensitive, or official information that has been misclassified or not secured appropriately. This may lead to the uncontrolled or unauthorised exposure of data to other users or to other M365 copilot plugins within a tenancy.
  8. Risk mitigation should include sufficient controls to reduce the residual risk of uncontrolled or unauthorised exposure of data to an acceptable level and may include responsible user training and awareness programs, policies, monitoring, system configuration (including disabling web grounding), information management audit, data security, privacy and user training and awareness programs.

For Microsoft copilot

  1. Microsoft copilot may generate a web search query using the data sources it has access to. Depending on what a user has disclosed as part of the conversation with copilot, these data sources may contain personal, protected, sensitive, or official information that has been misclassified by the user or by the agency’s information manager.
  2. Data contained in the search query leaves the agency’s tenancy when the query is sent to Bing Search API and is then no longer subject to security and risk mitigation controls present in the tenant. Data sent to Bing Search API is not covered by the Microsoft Data Protection Addendum which sets Microsoft’s obligations toward data security.
  3. Agencies should assess and mitigate the risk of uncontrolled or unauthorised data exposure when enabling Microsoft copilot.
  4. Risk mitigation should include sufficient controls to reduce the residual risk of uncontrolled or unauthorised exposure of data to an acceptable level and may include policies, monitoring, system configuration (including disabling Microsoft copilot), an information management audit and user training and awareness programs.

Considerations

Uncontrolled data exposure risk in M365 copilot

M365 copilot uses data from the user’s conversation history, documents associated with the prompt, and other M365 data available to the user. These data sources may contain personal, protected, sensitive, or official information that has been misclassified by the agency.

Enabling web grounding presents a risk of uncontrolled data exposure outside an agency’s tenancy. When web grounding is enabled in M365 copilot, a web search query may be generated to improve the quality of the response. The query uses as input the user’s prompt, conversation history, and other related data and documents accessible through M365. The search query may include information the agency deems as personal, protected, sensitive or official. The search query is then passed to the Bing Search API and leaves the tenant’s boundary.

According to Microsoft advice, the following information is not included in the search query sent to the Bing Search API:

  • the user’s original prompt
  • entire Microsoft 365 files (e.g. emails or documents)
  • any identifying information based on the user’s Entra ID (e.g. username, domain, or tenant ID).

Other potential sources of uncontrolled or unauthorised exposure of data are any M365 plugins or connectors, including connectors to Microsoft Power Platform Services and Dataverse. These connectors may be the source of misclassified personal, sensitive, protected or official information used for web grounding. Agencies should consider the advice provided by the Office of the Victorian Information Commissioner on data sharing with Microsoft in platforms such as Power Platform and Dynamics 365. For further information see Use of Microsoft 365 copilot in the Victorian public sector.

Advice from the Office of the Information Commissioner (Qld) is that disclosure of personal information or the transfer of personal information overseas may constitute a breach of the Information Privacy Act 2009.

Agencies should satisfy themselves that the operation of M365 copilot including the use of web grounding and other plugins does not pose the risk of uncontrolled or unauthorised exposure of data.

Summary of risks

Potential for uncontrolled or unauthorised exposure of information that has been misclassified or not secured appropriately to M365 copilot users: Depending on what the user discloses in the conversation history, the M365 documents accessible to the user, additional information from the Microsoft Graph, and the user’s or organisation’s semantic index, M365 copilot may access personal, protected, sensitive, or official information.

Potential for uncontrolled or unauthorised exposure of data from an agency’s tenant when web grounding is enabled: The contents of the query that copilot generates are variable and cannot be anticipated by the user. Agencies need to assure themselves that queries do not contain personal, protected, sensitive, or official information.

Potential for breach of the Information Privacy Act 2009: search queries generated when web grounding is enabled and sent to the Bing Search API may constitute a breach of the Information Privacy Act 2009 if personal information is disclosed, used, or transferred overseas.

Outside Service Boundary: Bing Search API is outside the M365 service boundary and is therefore not subject to the tenant’s security and risk mitigation controls. Data shared with the Bing Search API is not covered by the Microsoft Data Protection Addendum which sets Microsoft’s obligations toward data security.

Recommended action

The risk of uncontrolled or unauthorised exposure of data increases if the agency has not implemented robust M365 user access controls and user awareness and training to prevent uncontrolled or unauthorised access to data in the agency’s information environment.

Agencies should consider and mitigate the risk of enabling web grounding for M365 copilot and any other plugins that could potentially lead to the uncontrolled or unauthorised exposure of data outside the agency’s tenancy.

Risk mitigation should include sufficient controls to reduce the residual risk of uncontrolled or unauthorised exposure of data to an acceptable level and may include training in the responsible use of AI, policies, monitoring, system configuration (including disabling web grounding), information management audit, data security, privacy, data quality management, and change management programs.

Agencies should assess and mitigate the risk of data exposure when enabling connections to Dataverse, Microsoft Graph, and other Microsoft platforms such as Power Platform and Dynamics 365 as per advice from the Office of the Victorian Information Commissioner.

It is recommended that an agency should disable web grounding if it poses an unacceptable risk of the accidental or deliberate exposure of data into an uncontrolled or unauthorised environment, or to persons without a need-to-know.

Resources

National framework for the assurance of artificial intelligence in government: A joint approach to safe and responsible AI by the Australian, state and territory governments (Department of Finance).

Uncontrolled data exposure risk for Microsoft copilot

Microsoft copilot, including when used with commercial data protection, may generate a web search query to improve the quality of its responses. The web search query uses information from the user's conversation history, relevant context, and other metadata including IP address, browser location services, and browser cookies before it is passed to the Bing Search API.

Summary of risks

  • Potential for uncontrolled or unauthorised exposure of data from the agency’s tenant: web search queries may contain unclassified data that includes personal, protected, sensitive, or official information. Such information might be included in the user prompt or accessed automatically by copilot from an open webpage or PDF file in Edge.
  • Potential for breach of Information Privacy Act 2009: Web search queries that include personal information may constitute a breach of the Information Privacy Act 2009 if the personal information is disclosed, used, or transferred overseas.
  • Outside service boundary: While web search queries are disassociated from the user ID and tenant ID, web search queries may still include personal, protected, sensitive, or official data depending on what a user may have included in the prompts. Data shared with the Bing Search API is not covered by the Microsoft Data Protection Addendum.

Recommended action

Assess and mitigate data exposure risks when enabling Microsoft copilot with Commercial Data Protection. Risk mitigation should include sufficient controls to reduce the residual risk of uncontrolled or unauthorised exposure of data to an acceptable level and may include communications to improve user awareness, training in the responsible use of AI, policies, and monitoring.