Direct answer
Privacy determines whether you should collect, use, retain, or share data for a stated purpose. Security protects that data and the system from unauthorized access or change. Consent makes a person's informed choice clear where consent is the appropriate basis for the activity. A threat model identifies valuable assets, possible actors, attack paths, consequences, and controls. You need all four before exposing a workflow to real users.
Do not begin with “Which security product should I buy?” Begin with a data-flow diagram and a purpose statement. If the workflow does not need a CNIC number, private document, exact address, or full conversation history, the safest design is not to collect it.
This lesson is engineering guidance, not a claim that a checklist satisfies every Pakistani or international law. For real personal, financial, employment, education, or health data, obtain qualified legal and security review for your organization, sector, users, vendors, and hosting locations.
Map the data before the threats
For each field, document:
- what it is and whether it is personal, sensitive, confidential, or public;
- why the workflow needs it;
- who provides it and what notice they see;
- where it travels and which vendors process it;
- who may read, change, export, or delete it;
- how long it remains in input, state, logs, backups, and indexes;
- how correction, access, deletion, and incident requests are handled;
- what happens if the field is missing.
Minimize at every boundary. A support summarizer may need an order ID and issue category but not a complete payment credential. A portfolio demo can use synthetic records. A trace can store an opaque user ID and input-length bucket instead of the raw message.
Read current provider data controls rather than relying on a social-media summary. OpenAI's current API data guide distinguishes abuse-monitoring logs from application state and explains available controls. The fact that API data is not used for training by default does not mean no data is stored, no vendor processes it, or that your own application may keep it indefinitely.
Worked build: a customer-support summarizer
A home-appliance seller wants a tool that summarizes support tickets and suggests the correct team. Tickets may contain names, phone numbers, addresses, order IDs, product serials, and free-text complaints. The tool should not need complete payment details, passwords, or identity documents.
Draw the flow:
customer form -> application API -> redaction/validation -> model provider
-> encrypted job state
-> restricted support dashboard
-> short-retention operational logs
At the form, explain the purpose, what not to submit, whether AI assists the process, the human escalation route, and the relevant privacy contact. A single pre-ticked “I agree to everything” box is not meaningful design. Separate optional uses, such as using a message to improve the service, from the necessary processing of the support request.
Redact common secrets before model or log processing. This small Python example is deliberately limited; production detection needs tests, domain patterns, and review:
import re
PATTERNS = {
"email": re.compile(r"\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b", re.I),
"phone": re.compile(r"(?<!\d)(?:\+?92|0)?3\d{9}(?!\d)"),
"card_like": re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)"),
}
def redact(text: str) -> str:
for label, pattern in PATTERNS.items():
text = pattern.sub(f"[REDACTED_{label.upper()}]", text)
return text
print(redact("Call 03001234567 or email person@example.com"))
Regex can miss alternate formats and can over-redact legitimate numbers. It is one layer, not a guarantee. Prevent prohibited fields in the UI, validate on the server, minimize the prompt, restrict logs, and let staff correct the summary against the original authorized ticket.
Build the threat model
List assets: customer records, source documents, API keys, tool permissions, approval state, logs, model outputs, and organizational reputation. Then list actors: ordinary user, careless employee, malicious user, compromised account, former contractor, vulnerable dependency, and an external service outage. Avoid assuming the only attacker is a stranger.
For each data flow, ask:
- Can someone spoof identity or role?
- Can someone tamper with input, state, retrieved documents, or tool output?
- Can a person deny an action because audit evidence is missing?
- Can sensitive information be disclosed through output, citations, logs, or error messages?
- Can traffic or loops deny service or exhaust the budget?
- Can a low-privilege user trigger a higher-privilege tool?
One threat entry might read:
| Threat | Path | Impact | Prevent | Detect | Respond |
|---|---|---|---|---|---|
| Prompt injection in ticket | Free text tells model to expose other tickets | Cross-user data leak | Tenant-scoped retrieval, no broad search tool, output filtering | blocked-tool and canary tests | disable tool, investigate trace, rotate affected access |
Assign an owner and residual risk. “Use AI safety” is not a control. “The server filters retrieval by authenticated tenant before any result reaches the model” is testable.
Core controls
Identity and authorization: authenticate users and authorize each object and tool call server-side. Apply least privilege. Separate production roles and remove access promptly.
Secrets: keep API keys and credentials in environment-specific secret storage, never browsers, prompts, repositories, or logs. Rotate and monitor them.
Data protection: encrypt transport, use appropriate storage encryption, limit exports, back up only what is needed, and test deletion across primary stores, caches, indexes, and backups according to policy.
Model boundaries: treat user input, retrieved text, websites, and tool output as untrusted data. Do not let document text redefine system permissions. Constrain tool schemas, validate arguments, and require approval for consequential writes.
Output controls: show uncertainty and sources, moderate where appropriate, prevent secrets from rendering, and keep a human in the loop for high-stakes use.
Operations: log access and security-relevant events with redaction, monitor anomalies and spend, rate-limit abuse, maintain an incident plan, and rehearse revoking a tool or key.
OpenAI's safety guidance recommends moderation, adversarial testing, and human oversight. Platform role-based access controls can help manage provider-side permissions, but your application still needs its own user and object authorization.
Consent and user control
Write notices in plain language and at the moment of collection. State the purpose, required and optional data, whether a third-party AI service processes it, important limitations, retention or deletion route, and human contact. Do not promise perfect confidentiality or accuracy.
Consent is not a substitute for safe design. A user cannot meaningfully consent to an undisclosed secondary use or an insecure public database. Make withdrawal or preference changes practical where relevant, and ensure the workflow still has an appropriate path for required service requests. Keep evidence of the notice/version shown without collecting excessive behavioural history.
Failure cases to test
- An API key is bundled into frontend JavaScript.
- A citation reveals the title of another client's confidential file.
- A prompt asks the model to decide authorization from a user-supplied role.
- Raw tickets and phone numbers enter debug logs.
- Deleted files remain searchable in a vector index or cache.
- A retrieved document contains instructions to call an external tool.
- A staff account retains production access after role change.
- An approval link can be reused by another person or after the payload changes.
- A privacy notice says “for support” while data is reused for marketing or portfolio screenshots.
- A redaction rule removes obvious phone numbers but misses spaced or international formats.
🇵🇰 Pakistan Angle
Pakistani users commonly share sensitive material through WhatsApp screenshots, voice notes, CNIC images, bank-transfer receipts, and courier labels because it feels convenient. Your interface should explicitly say what not to upload and offer a safer minimum-data route. Do not use real customer or student records in a public portfolio demo; synthetic Pakistani-context records prove the workflow without exposing anyone.
Provide notices in language the intended user can understand, including Urdu or Roman Urdu where appropriate, while preserving an authoritative policy version. Consider shared phones, cyber-cafe sessions, and family-accessed devices: do not leave sensitive results in URLs, browser history, or long-lived local storage. Plan for account recovery without asking users to send secrets in chat. For compliance claims, cross-border processing, biometrics, payments, children, health, or employment data, seek current local professional advice rather than copying a foreign template.
Hands-on deliverable
Create a privacy and threat-model pack for your capstone:
- a purpose statement and data inventory;
- a data-flow diagram covering vendors, state, logs, indexes, and deletion;
- a field-level minimization and retention table;
- a plain-language collection notice and optional-consent separation;
- at least ten threats with asset, actor, path, impact, preventive control, detection, response, owner, and residual risk;
- tests for authorization bypass, prompt injection, log leakage, deletion, key exposure, and changed approvals;
- an incident first-hour checklist and a contact/escalation role;
- synthetic data suitable for a public demo.
Completion rubric
- Every collected field has a necessary purpose, access rule, and retention decision.
- Secrets and authorization decisions remain server-side.
- Retrieval, tools, logs, caches, and backups are included in the data flow.
- Threats have specific preventive, detective, and response controls with owners.
- Retrieved and user-provided content cannot grant itself permission.
- Consent or notice is clear, specific, and separated from optional secondary use.
- Deletion and access revocation are tested rather than assumed.
- Public evidence uses synthetic or explicitly authorized data.
Key takeaway: The safest AI workflow is the one that collects less, grants less, exposes less, and can clearly show how every remaining risk is prevented, detected, and handled.