Canvas is the exclusive LMS (Learning Management System) for the UH main campus.

AI Privacy & Data Security

AI as the New Digital Literacy

Generative AI is no longer an experiment; it is embedded into the digital infrastructure of higher education. Conversations that once centered almost entirely on academic integrity now focus on a more complex question:

How do we protect student privacy, institutional data, and intellectual property while using AI to enhance teaching and learning?

As faculty, you play a dual role:

Using AI responsibly in your own teaching, and
Modeling ethical, privacy-conscious practices for students.

This guide distills the latest guidance from higher-education associations, universities, and 2025 policy updates to help you make informed, secure decisions when integrating AI into coursework.

A strategic framework diagram titled 'Core Principles for 2026 and Beyond,' outlining six key guidelines for ethical and secure AI integration in higher education. The principles are displayed as cards: Privacy First: Never upload identifiable student data into non-enterprise AI systems. Transparency: Clearly communicate AI expectations to students. Data Governance: Use tools approved through institutional review and adhere to data classification standards. Equity: Ensure AI usage does not disadvantage learners with disabilities or limited tech access. Verification: Require human oversight of AI-generated content to validate accuracy. Intellectual Property (IP) Protection: Avoid sharing unpublished research or proprietary teaching materials with public models

1. The Ongoing Core Risks

A. The “Free Tool” Trap: Student Data Exposure

Most free AI tools rely on a “data-for-service” model. According to the University of Pittsburgh Center for Teaching and Learning, free chatbots are not FERPA-, HIPAA-, or GDPR-compliant, and user inputs may be reused for training or analysis.

Risk: Students who enter personal reflections, peer names, draft essays, or case information unintentionally release this data permanently into a public large language model (LLM).

Reality: These models can store, analyze, and learn from inputs submitted in free accounts—constituting a form of public disclosure.

B. Intellectual Property (IP) Leakage

The Harvard University Information Technology office warns that, by default, information submitted into external generative AI tools is not private and may be used to improve the model.

Risk: Uploading unpublished research, exam banks, grant proposals, or proprietary course materials into a public chatbot can jeopardize:

Patentability of research
Copyright over instructional materials
Confidentiality of sensitive departmental documents

2. Best Practices: How to Protect Your Classroom

A. Vetting and Tool Selection

Use Enterprise / University-Licensed Tools

Whenever available, use institutionally supported AI tools (e.g., Microsoft Copilot with Data Protection, institutionally vetted ChatGPT Enterprise, LMS-integrated AI).
Enterprise tools typically include:

Data encryption
No training on user inputs
FERPA-aligned contractual protections
Vendor accountability through procurement agreements

University of Houston Context: UHS faculty and staff have access to Microsoft 365 Copilot with commercial data protection when logged in with their UHS credentials. This ensures user data is not saved or used to train the models.

Follow “No-Go” Lists

Multiple institutions, such as Albany State University, explicitly prohibit entering confidential or student-identifying data into public AI tools.
Source: https://www.asurams.edu/docs/ai/AISafetyGuidelines.pdf

Rule of thumb:
If IT has not vetted it > assume it is insecure for student or institutional data.

University of Houston Context: UHS SAM 07.A.08 explicitly prohibits inputting Level 1 (Confidential/Mission Critical) or Level 2 (Protected) data into public AI tools. This includes student records (FERPA), health information (HIPAA), and critical research data.

B. Syllabus Statements and Transparency

Your syllabus is your first line of defense.

- Define "Open" vs. "Closed" Loops: Clearly state if students are allowed to use AI, and specifically which tools.
  - Open-use AI: students may use any AI with guardrails
  - Restricted AI: only approved tools
  - Closed-use AI: assignments that prohibit AI entirely
  - University of Houston Context: UH Downtown and UH Clear Lake have published specific syllabus decision trees and sample language ranging from "No AI Allowed" to "AI Encouraged with Attribution."
- Opt-Out Options: Following guidance from the Yale Poorvu Center, if you wish to use a non-university supported tool, providing an alternative assignment for students who are uncomfortable creating external accounts is a best practice to respect their privacy rights.

C. Practice Data Hygiene in AI Prompts

Teach students (and model yourself) how to “clean” data before submitting prompts:

Remove any personally identifiable information (PII): Strip names, IDs, addresses, specific locations, and health or financial details
Generalize context: Instead of "Write a critique of John Doe's performance in Bio 101," use "Write a critique of a hypothetical student's performance in an introductory biology course."

This protects student privacy and reduces institutional risk.

3. Teaching Students About AI Privacy

AI literacy is now inseparable from privacy literacy. Embedding even short activities into your course helps students enter a workforce where AI and data ethics are fundamental skills.

Assignment Idea 1: The Terms of Service Audit

Task: Students identify the “Data Use” section of a popular AI tool’s Terms of Service (e.g., Google Gemini, ChatGPT, Grammarly).
Discussion Question:

What rights does the company gain over your content?
Is your data used for training?
Can you delete your history?

Goal: Transform students from passive users into critical evaluators of technology.

Assignment Idea 2: The Privacy Stress-Test

Task: Have students attempt to prompt an AI for information about a public figure versus a private individual (themselves or a peer).

Goal: Explore how much scraped data may exist about individuals and discuss topics like:

The “Right to Be Forgotten”
Consent
Data persistence and model training

4. Security Checklist for Faculty

Before launching your course, conduct this quick 5-point review:

✔ Tool Check

Is this an enterprise/university-approved tool? (e.g., UHS Microsoft Copilot)
Note: Vet any new third-party tools with IT before assigning them

✔ Data Check

Am I (or my students) entering sensitive reflections, assignments, research data, or PII?

✔ Syllabus Check

Do I have a clear policy on AI use and data privacy? AI platforms and policies evolve rapidly.
Note: Faculty should revisit their syllabus language and tool choices each semester to ensure compliance with updated institutional guidelines.

✔ Alternative Path Check

Do I have a backup plan for students who decline to sign up for third-party tools?

✔ IP Check

Have I ensured that my research, exam banks, and original teaching materials are not uploaded to public models?

5. Emerging Trends in 2026 and Beyond

Increased enterprise integration (AI assistance embedded directly inside LMS, Microsoft 365, Google Workspace, and publisher tools)
More regulations about educational data and AI (state-level AI bills, federal FERPA modernization proposals, DOE guidance)
Campus-wide AI governance models (AI committees, tool-approval workflows, mandatory risk assessments)
Growing student expectations for AI literacy and data privacy
AI hallucination and misinformation safeguards (required verification steps for any AI-assigned work)
Ethical and equity implications of AI-driven personalization