What's safe vs risky.
Most AI mishaps in small businesses come down to one thing: someone put information into a tool that shouldn't have gone there. The good news is this is the easiest part of a policy to get right, because the rule fits on a sticky note. You sort your information into a few tiers, and everyone knows what's fine, what needs care, and what never leaves the building. Here's the scheme.
A simple three-tier scheme
Forget elaborate data-classification systems built for banks. For a small business, three tiers do the job, and people can actually remember them:
- Green: public. Information that's already out in the world or that you'd happily publish. Marketing copy, your website text, a general "how do I word this politely?" question, a public template. Safe to use freely in any approved tool. This is where most everyday AI use sits, and it's genuinely low-risk.
- Amber: internal. Information that's yours but not secret: a rough internal process, draft notes, an anonymised example, non-sensitive operational stuff. Fine to use in an approved, properly configured business tool, but not in a random free chatbot on someone's personal account. Strip out names and identifiers where you can.
- Red: confidential or personal. Customer personal details, health information, financial records, anything under a confidentiality clause or NDA, employee records, your own commercial secrets. This is the tier that gets businesses in trouble. It does not go into a public, consumer-grade tool, full stop. If there's a genuine need to use AI on this kind of data, it's a deliberate decision made with the right setup, not something a staff member does on a Tuesday afternoon.
That's the whole scheme. Three colours, one clear rule for each. We turn it into a one-page cheat-sheet in the playbook so it can live on the wall by the kettle.
Why the red tier matters so much
It's worth being concrete about why personal and confidential data is the line you don't cross with public tools. When you paste into a free consumer chatbot, you're often handing that text to a third party whose retention and training settings you haven't checked and can't control. For green and amber material that's a minor matter. For a client's medical history or a deal under NDA, it can be a privacy breach, a breach of contract, or both, and "the AI did it" is not a defence anyone will accept.
This is also exactly where your existing obligations bite hardest. The Privacy Act, your duty of confidentiality, and any professional rules all care a great deal about personal and sensitive information leaving your control. If you want to go deeper on this, our guide on whether your data is safe with AI walks through where it actually goes. The three-tier scheme isn't a new compliance burden, it's a plain-English way of respecting the duties you already have.
The failure modes to warn people about
A good policy doesn't just say what not to do, it names the traps so people recognise them. Three come up again and again:
- Confident but wrong answers. AI tools state things with total assurance, and they're sometimes flat wrong: a made-up figure, a misremembered rule, a fabricated reference. The fix isn't to stop using them, it's to keep a human checking anything that matters, which is the next lesson. For now, the warning is simple: confidence is not correctness.
- Quiet data leakage. The classic slip is pasting a whole client email, contract or spreadsheet into a tool to "just summarise this", red-tier data included, without thinking. It's rarely malicious, it's just convenient. The cheat-sheet and a quick team chat fix most of it.
- Shadow tools. People reaching for whatever app they saw on social media, on personal logins, with no settings checked. You can't govern what you don't know about. An approved-tools list, which we build next lesson, brings this into the open.
A quick gut-check anyone can use
When someone's unsure, give them one question to ask before they paste: "Would I be comfortable if this exact text turned up outside the business?" If the honest answer is no, it's red, and it stays out of public tools. That one habit, plus the three-tier cheat-sheet, prevents the large majority of the problems a small business is likely to hit. Simple, memorable, and it travels well to every member of your team.