AI yes, data leak no: 7 rules on how employees can use AI in their day-to-day work - and what they must not use it for


March 30, 2026 | Heinz W. Süess

AI has long since arrived in teams - whether you like it or not. Employees use chatbots, translators and text generators to write, research or formulate emails faster. The question is no longer whether AI is being used, but how - without compromising data protection and confidentiality (Team, 2026b).

Instead of banning shadow AI (which rarely works in practice), you need clear rules: Where AI is welcome, where it is taboo - and what applies in the gray area (AI Employee Usage Policy Template, 2026).

Rule 1: No real person and case data in generic AI tools

Principle: Anything that makes a real person identifiable does not belong in generic, publicly accessible AI chats (Inquira Health, 2025).

These include in particular:

  • Name, address, telephone number, e-mail
  • Date of birth, AHV number, personnel number
  • Health data, diagnoses, treatment plans, HR cases, wages (Avinci, n.d.).

If employees type such content into free or freely available AI tools, you risk violating the GDPR, professional secrecy and internal guidelines (Inquira Health, 2025).

Rule 2: Anonymization is mandatory, not optional

If AI is to help with real cases (e.g. formulations, communication concepts), the following applies: first anonymize, then copy into the AI (Avinci, 2026).

This means:

  • Neutralize names and locations ("Employee A", "Patient B").
  • Obscure concrete figures and internal company information when they are not necessary.
  • Keep the context as general as possible (Inquira Health, 2025).

This reduces the risk that real people or organizations can be reconstructed from the entries (Avinci, 2026).
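One way to apply "first anonymize, then copy" mechanically, shown as an added example that is not part of the original article: a pre-submission scrubber that replaces the identifiers listed in Rule 1 and then checks that nothing slipped through. The patterns, the `people` lookup and the sample note are constructed assumptions, not a complete PII detector.

```python
import re
import string

# Constructed, simplified patterns for identifiers named in Rule 1 (AHV first).
PATTERNS = [
    ("AHV-NO", re.compile(r"\b756\.\d{4}\.\d{4}\.\d{2}\b")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("PHONE", re.compile(r"(?<![\d.])(?:\+41|0041|0)\s?\d{2}(?:\s?\d{2,3}){3}(?!\d)")),
    ("DATE", re.compile(r"\b\d{1,2}\.\d{1,2}\.\d{4}\b")),
]


def pseudonymize(text, people):
    """Scrub text; people is {full name: role} from the case file (assumption)."""
    for label, pattern in PATTERNS:  # patterns first, so names inside e-mails go too
        text = pattern.sub(f"[{label}]", text)
    mapping = {}  # alias -> real name; stays inside the organization
    for letter, (name, role) in zip(string.ascii_uppercase, people.items()):
        alias = f"{role} {letter}"
        mapping[alias] = name
        for variant in (name, name.split()[-1]):  # full name, then bare surname
            text = re.sub(rf"\b{re.escape(variant)}\b", alias, text, flags=re.I)
    return text, mapping


def residual_findings(text, people):
    """Fail-closed check: list anything identifying that is still in the text."""
    findings = [label for label, pattern in PATTERNS if pattern.search(text)]
    for name in people:
        for part in name.split():
            if re.search(rf"\b{re.escape(part)}\b", text, flags=re.I):
                findings.append(f"NAME:{part}")
    return findings


# Constructed sample case note; every value is invented.
SAMPLE = (
    "Anna Keller (born 12.03.1985, AHV 756.1234.5678.97) asked HR on "
    "+41 44 123 45 67 about her leave. Contact: anna.keller@example.ch. "
    "Her manager Marco Rossi confirmed; Keller returns in May."
)
PEOPLE = {"Anna Keller": "Employee", "Marco Rossi": "Employee"}

if __name__ == "__main__":
    scrubbed, _ = pseudonymize(SAMPLE, PEOPLE)
    print(scrubbed)
    print(residual_findings(scrubbed, PEOPLE) or "no residual identifiers found")
```

Pattern matching only removes direct identifiers; rare job titles, small teams or unusual diagnoses can still point to a person, so the third bullet (keep the context general) remains a manual review step.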

Rule 3: Only approved AI tools for productive work

Not every fancy AI link from the Internet is suitable for day-to-day business (Amati, 2025).

Therefore define:

  • A whitelist: Which AI tools are officially permitted (e.g. certain chatbots, translators, typing assistants with EU/CH hosting or clear contracts) (Inquira Health, 2025)?
  • A blacklist: Which tools are expressly taboo (e.g. free consumer services without clear data protection regulations) (AI Employee Usage Policy Template, 2026)?

Communicate the list visibly (intranet, onboarding, training) so that employees do not resort to shadow solutions out of uncertainty (Verduyn, 2025).

Rule 4: Do not upload confidential documents - not even "only for summarizing"

Many AI tools today can "read" and summarize PDFs, presentations or Excel files. Practical - but dangerous when it comes to confidential content (Team, 2026b).

Off-limits are, for example:

  • Employment contracts, HR dossiers, minutes of staff appraisals
  • Medical reports, laboratory findings, care plans
  • Strategy papers, budget documents, internal risk analyses (Inquira Health, 2025).

If you want to analyze such documents, you need internal or contractually secured AI solutions (e.g. on-premise or in the protected corporate tenant) (Amati, 2025).

Rule 5: AI results are suggestions, not decisions

AI outputs are always drafts, never final decisions (Be Careful What You Tell Your AI Chatbot | Stanford HAI, 2025).

In concrete terms, this means:

  • Employees check content for accuracy, bias and tonality.
  • Decisions with legal or reputational consequences (e.g. dismissals, diagnoses, treatment decisions) are never made solely on the basis of AI outputs (Inquira Health, 2025).
  • Where necessary, it is documented how AI was used in the decision-making process (Team, 2026b).

Responsibility thus remains clearly with humans - and not with an opaque model (Heer, 2024).

Rule 6: Transparency towards affected parties

If AI is used directly in processes that are felt by those affected (e.g. application screening, chatbots on the website), they need transparency (Inquira Health, 2025).

This means:

  • Disclose that AI is in use.
  • Briefly explain why (e.g. pre-selection, answering standard questions).
  • Show how data subjects can exercise their rights (information, rectification, objection) (Inquira Health, 2025).

Especially in the HR and healthcare context, loss of trust is more difficult to repair than technical problems (Inquira Health, 2025).

Rule 7: Training and reporting culture instead of apportioning blame

The best policy is useless if no one understands it - or if employees hide mistakes out of fear (Verduyn, 2025).

Therefore:

  • Short, practical training courses with real examples from HR and healthcare.
  • A clear point of contact for questions ("May I use tool X for case Y?") (AI Employee Usage Policy Template, 2026).
  • A culture in which AI mistakes can be reported early without the immediate threat of sanctions (Amati, 2025).

In this way, you learn as an organization - and reduce the risk of small incidents turning into major scandals (Heer, 2024).

Conclusion: Demystify AI - and use it consciously

AI will not disappear. Your employees will use it - with or without official permission. With clear rules, you can turn shadow AI into a controlled productivity lever: AI yes, data leak no (Be Careful What You Tell Your AI Chatbot | Stanford HAI, 2025).

Sources:

Clarke, D. (2025, October 23). Data Privacy in Business: Why the Chatbot Era Needs Responsible AI Governance. Truyo. https://truyo.com/data-privacy-in-business-why-the-chatbot-era-needs-responsible-ai-governance/

Team, S. P. (2026b, March 27). EU AI Act Playbook: How to Operationalize AI Compliance in 90 Days. https://secureprivacy.ai/. https://secureprivacy.ai/blog/ai-chatbot-data-governance-rag

Avinci. (2026, February 28). How do I integrate AI tools into HR systems in compliance with data protection regulations? https://www.avinci.ai/en/blog/how-do-i-integrate-ai-tools-into-hr-systems-in-compliance-with-data-protection-regulations-b1147

Amati, S. (2025, October 10). Using AI in your company, safeguarding data protection: Expert Council for Swiss SMEs. AXA Switzerland. https://www.axa.ch/en/unternehmenskunden/blog/security-and-legal/ai-data-protection-companies.html

AI employee usage policy template. (2026). https://optro.ai/resources/ebook/ai-employee-usage-policy-template

Verduyn, M. (2025, October 21). AI Policy Template: What To Include and Why (Plus Free Template). AIHR. https://www.aihr.com/blog/ai-policy-template/

Inquira Health. (2025, March 31). GDPR and HIPAA Compliance in Healthcare AI: What IT Leaders Must Know. Inquira Health. https://www.inquira.health/en/blog/gdpr-and-hipaa-compliance-in-healthcare-ai-what-it-leaders-must-know

Be careful what you tell your AI chatbot | Stanford HAI. (2025, October 15). https://hai.stanford.edu/news/be-careful-what-you-tell-your-ai-chatbot

Heer, A. (2024, May 15). Well-thought-out AI governance enables companies to better position themselves. Swisscom B2B Mag. https://www.swisscom.ch/en/b2bmag/data-driven-technologies/ai-governance-interview-morand/
