Safe Prompting
A Data Hygiene Guide for Law Firms. What counts as confidential information, the regulatory framework under DPDP Act 2023 and UK GDPR, the anonymised prompt technique, and a firm AI use policy template.
A Data Hygiene Guide for Law Firms
Why This Matters
Every piece of text you submit to an AI tool is processed on someone else’s infrastructure. Unless your firm has signed a Data Processing Agreement (DPA) with the provider, that data may be used to improve the model — and is outside your control.
For a law firm, the risk is not abstract. Client names, commercial terms, medical records, financial figures, and litigation strategy are all ‘personal data’ or confidential information. Their disclosure — even to an AI system — may trigger legal, regulatory, and professional consequences.
What Counts as Confidential Information?
- Client names, addresses, and identifying details
- Counterparty names and deal terms
- Financial figures, valuations, and forecasts
- Medical or health information (special category data)
- Criminal records or allegations
- Internal strategy, without-prejudice communications, or legal advice
- Any document marked confidential or provided under a retainer
Rule of thumb: If you would not email it to a third party without your client’s consent, do not paste it into a public AI tool without a DPA in place.
The Regulatory Framework
India: DPDP Act 2023
The Digital Personal Data Protection Act 2023 introduces consent-based obligations for the processing of personal data. Key implications for law firms using AI tools:
- A Data Fiduciary (your firm) must obtain valid consent before processing personal data.
- Significant Data Fiduciaries face additional obligations including data protection impact assessments.
- Cross-border transfers of personal data are subject to central government notification.
- Using a third-party AI tool to process client personal data is a processing activity — the Act applies.
UK: UK GDPR and SRA Guidance
- Processing of personal data requires a lawful basis (Article 6 UK GDPR).
- Special category data (health, criminal records, etc.) requires an additional condition under Article 9.
- Using a consumer AI tool without a DPA in place is likely to breach the accountability principle.
- The SRA has confirmed that existing confidentiality obligations apply fully to AI use.
Public Tools vs. Enterprise Tools
| Tool Type | Data Use | DPA Available? | Safe for Client Data? |
|---|---|---|---|
| Free consumer tier (ChatGPT free, Gemini free) | May be used for training | No | No |
| Enterprise / API tier with DPA (ChatGPT Enterprise, Claude for Enterprise) | Not used for training | Yes | With caution |
| Self-hosted / on-premise model | Stays on your infrastructure | N/A | Yes (with governance) |
| Legal-specific tools (Harvey, Luminance, etc.) | Contractually controlled | Usually yes | Check your contract |
The Anonymised Prompt Technique
You can retain almost all the utility of AI while eliminating most of the data risk. The technique is to anonymise your prompt before submission.
Instead of:
“My client Sharma Technologies Ltd has a dispute with Redwood Logistics Pvt Ltd under a supply agreement dated 12 March 2023. The contract value is INR 4.2 crore…”
Use:
“My client (a mid-size manufacturing company) has a dispute with a logistics supplier under a fixed-term supply agreement. The contract is worth approximately INR 4 crore…”
The AI produces output of equivalent quality. No identifying information has left your system. You add the specifics when you review and finalise the document.
Firm AI Use Policy — Template Elements
A minimum firm AI policy should cover:
- Approved tools — a list of AI tools approved for use, distinguishing between general and client-data tasks.
- Prohibited inputs — a clear statement that client personal data, special category data, and commercially sensitive information may not be input into non-approved tools.
- Anonymisation requirement — a requirement to anonymise prompts involving client matters where possible.
- Verification obligation — a requirement that AI-generated legal research is verified before use.
- File notation — a requirement to record AI use in client files where it materially contributes to a work product.
- Training — annual training on data hygiene and approved tool use.
- Review cycle — the policy should be reviewed at least annually as the tool landscape evolves.
Data Hygiene Quick Checklist
Before submitting any prompt involving a client matter:
- I am using an approved AI tool for this task
- A DPA is in place with the AI provider (if using client data)
- I have anonymised the prompt to remove client-identifying information
- I have not included special-category data (health, criminal records) in the prompt
- I have not included commercially sensitive figures unless essential and the tool is approved
- I will review and own the output before it leaves the firm
Part of the AI Foundations for Lawyers series.