What Data You Can and Can't Use
The most common AI governance failure in biotech is not malicious misuse — it's well-intentioned employees using protected data in ways they shouldn't, because no one told them clearly what's protected and what isn't.
The data classification question has a relatively simple answer. The governance failure is usually that the answer has never been written down clearly and communicated to the people doing the work.
The four data tiers
Tier 1 — Public. Information that is publicly available and not subject to confidentiality obligations. Examples: scientific literature, publicly available regulatory guidance, ClinicalTrials.gov data, published FDA review packages. Can be used with any AI tool without restrictions.
Tier 2 — Internal. Proprietary business information that is confidential but not regulated. Examples: internal strategy documents, financial projections, organizational structure, meeting minutes. Can be used with AI tools that have appropriate data processing agreements in place — typically your approved enterprise AI platform. Cannot be used with consumer AI tools (personal accounts on public AI services) because input data may be used for training.
Tier 3 — Confidential regulated. Proprietary scientific data that may be subject to export controls, trade secret protections, or regulatory data package confidentiality. Examples: unpublished clinical data, proprietary compound structures and SAR data, manufacturing process details. Requires case-by-case evaluation before AI use; the default is your approved internal deployment.
Tier 4 — Protected personal data. Patient data, employee data, any data subject to HIPAA, GDPR, or equivalent privacy regulations. HIPAA applies to any individually identifiable health information. Using patient data in AI tools requires a HIPAA-compliant Business Associate Agreement (BAA) with the AI provider and explicit governance review. The default answer is no AI use without explicit approval.
The practical rule
If you're unsure which tier your data falls into, ask before using AI on it. The governance process should make asking easy and answering fast — not a bureaucratic obstacle, but a quick clarification that protects you and the organization.