WHEN AI OVERSHARES
The hidden personal data problem
Work-approved AI tools have quickly embedded themselves into day-to-day working life. From drafting emails to summarising documents, they are increasingly seen as just another tech tool. But beneath the surface, a new type of data protection risk is quietly emerging – one that employers may not even realise they are creating.
Employees are not just using these tools for work tasks. In practice, many are turning to AI assistants for a whole range of “life admin” questions: drafting difficult messages, exploring workplace dilemmas, sense-checking personal correspondence, or even asking for advice on health issues. In doing so, they may input significant amounts of personal data – their own and, often, that of others.
The result? Employers, as controllers of these enterprise AI tools, may be processing far more personal data than they ever intended – and of a far more sensitive and unpredictable nature.
This creates an unusual challenge. Unlike traditional data flows, this processing is not centrally designed or even particularly visible. It is driven by ad hoc employee prompts, often informal and unstructured. That means personal data may be:
- Uploaded without any formal business purpose;
- Related to third parties (colleagues, managers, family members or clients) who have no idea their data is being shared; and
- Potentially sensitive or special category data embedded within wider queries.
For employers, this raises immediate questions about transparency and fairness. Privacy notices are unlikely to contemplate this kind of personal use of AI tools. Yet, strictly speaking, the organisation may still be responsible for the processing taking place within systems it provides.
There is also a clear data subject access request (DSAR) angle. If AI tools are retaining prompts or generating outputs that include personal data, those records may fall within the scope of a data subject access request. Employers could find themselves needing to locate and assess a new category of material – conversational, context-dependent, and often difficult to interpret in isolation.
More challenging still, some prompts may contain candid or speculative commentary about individuals, shared in the expectation that it is a “private” interaction with a tool. When disclosed in response to a DSAR, this could create employee relations issues or even disputes about accuracy and fairness.
So what should employers be doing now?
First, governance needs to catch up with reality. Accept that employees will use AI tools in ways that blur personal and professional boundaries, and design policies accordingly. Blanket prohibitions are unlikely to be effective; clear guidance and guardrails are more realistic.
Second, consider whether technical controls are appropriate. This might include limiting data retention, restricting certain types of input, or using tools that minimise storage of prompts altogether.
Third, update training and communications. Employees should understand that:
- Inputs into work systems are not private in a legal sense;
- Personal data about others should only be shared where appropriate; and
- AI tools are not a confidential advice channel.
Finally, review DSAR processes to ensure they can capture and assess AI-generated content. This includes thinking carefully about how searches are conducted, how context is reconstructed, and how exemptions may apply where appropriate.
The key takeaway is simple: AI tools are not just processing business data – they are capturing snippets of human behaviour. And those snippets can be far more personal than employers expect.
Need support?
We can help you review AI governance, update your policies, and adapt your DSAR processes to reflect emerging risks. Get in touch to discuss how to stay ahead of the curve.