Guidelines for the use of Microsoft Copilot Premium at SDU
The purpose of this guideline is to operationalize SDU's AI policy in connection with the use of Microsoft Copilot Premium.
The guideline establishes specific frameworks, prerequisites, and limitations for the use of Microsoft Copilot Premium. This aims to ensure responsible, lawful, and consistent use of Microsoft Copilot Premium across SDU.
This guideline applies to employees at SDU who have access to Microsoft Copilot Premium via SDU's Microsoft 365 environment.
The guideline exclusively applies to work-related use for SDU employees (administration, research, and teaching) who are logged in with their SDU account.
The guideline supplements SDU's AI policy and any process-specific guidelines and does not replace them.
The guideline does not regulate the product Microsoft Copilot Studio and its possibilities for the use of connectors.
The guideline does not regulate the creation or use of independent AI agents (agentic AI), which are covered by separate frameworks in SDU's AI policy and upcoming guidelines.
The guideline does not cover the use of or the possibility to develop other AI tools outside of Microsoft 365 (M365), use via private accounts, or the use of unauthorized/experimental AI services outside of SDU's approved platforms.
As the system owner, SDU IT (the department head for Development & Solutions) is responsible for making the guideline accessible, updating it, providing guidance, and developing any underlying instructions.
Management in the leadership chain where Copilot Premium is used is responsible for ensuring that employees are made aware of the guideline.
The employee is responsible for familiarizing themselves with and adhering to the guideline and any underlying instructions.
The employee is responsible for familiarizing themselves with and adhering to any process- or function-specific guidelines for the use of artificial intelligence in relevant main processes (e.g., recruitment processes, admissions, case processing).
Failure to comply with the guideline may result in restricted access to Copilot and, in extreme cases, may have employment-related consequences.
M365 Copilot with a premium license is an AI assistant integrated into the M365 environment and covered by SDU's data processing agreement with Microsoft.
The AI assistant is a functionality that follows the user throughout M365. The tool utilizes large language models (LLMs) and can, among other things, generate suggestions, summarize content, structure text, and assist in problem-solving.
Regardless of usage, Copilot in the premium version uses the data that the user already has access to within the M365 environment.
Copilot has access to all content that the employee can access via the M365 environment, such as SharePoint, Teams, and OneDrive – including shared files. This places significant demands on rights management and attention to the data exposed to the AI assistant.
Before using Copilot, the employee should therefore:
review their SharePoint, Teams sites, and OneDrive to ensure outdated data is deleted or moved, as outdated copies of documents may be included in responses.
ensure that private, confidential, or sensitive folders and files that Copilot must not access are deleted or moved to other appropriate storage services such as NextCloud and WorkZone, which Copilot cannot access.
review and adjust permissions and access to files to prevent inappropriate sharing.
ensure compliance with local guidelines for systems and main processes.
be aware of scenarios where laws may be violated, including general rules for copyright and licensing terms.
Access to and use of Microsoft Copilot Premium requires the following:
The employee is familiar with this guideline.
The employee has completed the mandatory online module “Responsible Use of AI at SDU” (awareness) in the use of Copilot.
The employee uses phishing-resistant multi-factor authentication (MFA), e.g., passkey or approved hardware token (YubiKey) on their SDU devices.
The employee has completed a general cleanup of documents for which the user is responsible in M365.
Microsoft Copilot Premium must be used as a support tool for work-related tasks, where usage complies with this guideline, SDU's AI policy, and applicable rules for data protection and information security.
Examples of use:
Drafting texts, e.g., emails, memos, presentations, and reports.
Improving language, rephrasing, and translating your own texts.
Summarizing and structuring existing documents.
Generating suggestions for meeting agendas, process descriptions, or communication drafts.
Supporting idea development and reflection in connection with planning, analysis, and dissemination.
Productivity support in administrative workflows.
Creating small agents in Copilot Chat that can be shared with other SDU employees who have the same license.
In research and teaching contexts:
Structuring and linguistically refining your own research drafts, abstracts, and applications.
Generating suggestions for teaching materials, e.g., slides, assignment formulations, or introductory texts.
Idea development and reflection in connection with research design, dissemination, or teaching planning.
Summarizing and providing an overview of existing texts, e.g., literature or teaching materials.
Usage must always be accompanied by a critical evaluation of the output and clear human accountability for the final result.
In certain situations, the use of Microsoft Copilot Premium may be permitted, but it requires special attention, heightened responsibility, and potentially managerial approval.
This is particularly relevant in the following cases:
Use in contexts where the output may be perceived as a basis for decisions, assessments, or recommendations with significant consequences.
Use in educational contexts where the application of Copilot is part of the evaluation and may influence the assessment of students' performance.
Use in connection with research data, e.g., particularly confidential or sensitive information or data governed by instructions via data processing agreements or collaboration agreements.
Use in peer reviews, assessments, or evaluations where Copilot must not replace professional judgment.
Use in the development of research articles for academic journals that have their own guidelines regarding the use of AI.
In these cases, the following must always be ensured:
Human oversight and professional evaluation of the output.
Documentation of how Copilot has been used.
The following uses of Microsoft Copilot Premium are not permitted:
Prohibited practices under the EU’s AI Regulation (AI Act) - including social scoring, manipulative behavior control, unlawful biometric identification, or other uses that violate fundamental rights.
Use in contexts identified as high-risk scenarios under the AI Act - such as access or admission assessments related to study admissions. If there is a specific case falling under a high-risk scenario under the AI Act, a separate dialogue must be initiated with SDU IT and SDU RIO for potential exemption.
Use for making or automating decisions directed at natural persons, e.g., in connection with hiring, admissions, grading, or case processing (administrative decisions).
Use where Copilot generates assessments, recommendations, or decision bases without subsequent human evaluation and accountability.
Use in violation of applicable laws, including GDPR, copyright, and SDU’s policies on information security and data protection.
Use that replaces professional judgment, research ethics, and/or violates applicable rules for examinations and academic integrity.
For questions regarding the use of Copilot, data protection, information security, or interpretation of this guideline, employees can always seek advice from the local GDPR and information security coordinator or alternatively contact:
SDU IT, Servicedesk for technical support and access matters.
SDU RIO, Legal Services, especially for research-related questions concerning the use of AI.
SDU IT, GRC for questions about information security, data classification, risk assessment, compliance, and interpretation of the AI policy.
Updated guidelines, FAQs, and contact information can be found on SDUnet.
The guideline must be read in conjunction with SDU's AI policy and other AI guidelines.
The guideline is updated as needed to ensure continued compliance with:
applicable legislation and regulations, including the EU's AI Regulation (AI Act).
changes in SDU's technological platforms and data processing agreements.
developments in the risk landscape and organizational needs.