164. Data Privacy and Policy
By the end you'll be able to:
- Identify which data categories cannot enter a consumer-tier AI tool.
- Apply HIPAA, FERPA, and PII handling rules to AI drafting sessions.
- Draft a one-page organizational AI policy covering approved tools and prohibited inputs.
- Disclose AI use to funders that require it.
Every prompt you send to a hosted AI tool is a data transfer, and in grant work that data often includes information you do not own outright. Beneficiary stories, partner financials, draft budgets, unpublished evaluation data, and personally identifiable information about staff and clients all show up in grant drafting sessions. In this lesson you build the privacy and policy discipline that keeps those transfers defensible.
You will work through the categories that change the rules. Protected health information under HIPAA, student records under FERPA, personally identifiable information in federal applications, and confidential data covered by NDAs with partners or funders all require either a Business Associate Agreement, a contracted enterprise environment with zero-retention terms, or removal from the prompt entirely. Free consumer-tier AI tools, by default, retain inputs for training, which means a copied-and-pasted client narrative becomes part of a model you no longer control.
The output of this lesson is a one-page organizational policy you can adapt. It names the approved tools, the prohibited inputs, the redaction protocol for sensitive content, the disclosure standard for AI-assisted work (which several federal agencies and major foundations now require), and the escalation path when a staffer is unsure. With that policy in place, your team can move fast on AI without exposing the organization to a data breach or a funder compliance finding.
Common mistakes
These are the traps learners hit most often on this topic. Knowing them in advance is half the fix.
Pasting client stories into consumer-tier tools.
Free-tier tools typically retain inputs for training. A client story pasted there is now part of a model you no longer control.
Treating disclosure as optional.
Several federal agencies and large foundations now require AI use disclosure. Failing to disclose is a compliance issue, not a style preference.
Practice problems
Try each on paper first.
- Problem 1: Draft three lines of an organizational AI policy covering approved tools, prohibited inputs, and disclosure.
  Solution:
  Approved tools: the organization's enterprise Claude or ChatGPT environment with zero-retention terms in the executed contract.
  Prohibited inputs: client names, dates of birth, medical conditions, education records, or any PHI or FERPA-covered data, in any tool, at any time.
  Disclosure: every proposal package notes whether AI was used in drafting and which sections were AI-assisted, in the format the funder requires or, if no format is specified, in the cover letter.
Practice quiz
- Question 1: Which input is most likely to create a privacy or compliance violation when pasted into a free consumer-tier AI tool?
- Question 2: What kind of contractual arrangement is typically required before PHI can be processed in a hosted AI tool?
- Reflection 3: In one or two sentences, explain why several federal agencies and major foundations now ask whether AI was used in a proposal.
Lesson 164 recap
Data privacy in AI-assisted grant work is about tool selection, input redaction, contractual safeguards, and disclosure. A one-page policy keeps the team aligned.
Coming next: Lesson 165 — Bonus AI Spotlight
Next, the bonus spotlight integrates the entire week into a single operating workflow you can run on Monday morning.