Only approved tools can be used for data that is private, sensitive or restricted (includes PHI/PII, financial, etc. -- basically anything not public). Approval is by a committee including me, our VP for compliance and our VP for security. In general, to be approved a tool must:
Secure our data...