Generative AI and Use of College Data Policy

Generative Artificial Intelligence (“GenAI”) refers to an artificial intelligence technology that derives new versions of text, audio, or visual imagery from large bodies of data in response to user prompts. GenAI can be used in stand-alone applications, such as ChatGPT or Bard, or incorporated into other applications, such as Microsoft Bing or Microsoft Office Suite. The text based applications of GenAI are based on Large Language Models (LLM’s) and the landscape is continuously changing and rapidly advancing. Creating and maintaining policy around rapidly changing technology can be challenging. These policy guidelines should be considered minimum-level protections when using college information with GenAI. New policy guidelines may be introduced in response to new information. Questions regarding use of GenAI with college information can be directed to the Information Security Officer at security@lclark.edu.

For institutions such as Lewis & Clark, data security is a significant risk associated with the use of GenAI. The college has a number of policies intended to safeguard institutional data that faculty, staff, students, and affiliates must follow. For example, our Information Security Policy outlines data concerns to consider and our Data Custodianship and Access Policy outlines how to remain in compliance. Depending on the data at hand and your usage, other policies may also apply. Those considering the use of GenAI in their work should consider what data they are using and whether or not such data must be protected due to laws and regulations, such as federal research data requirements, FERPA, or college policy. Entering data into a GenAI tool or service is like posting that data on a public website. GenAI tools collect and store data from users as part of their learning process. Any data you enter into a GenAI tool may become part of its training data, which it may then share with other users. Because of that, personally identifiable, confidential, privileged or other protected or sensitive data or information shall not be entered into GenAI tools. Examples of such data and information can be found at the bottom of this policy.

When using these tools, we also ask that you consider some of the inherent weaknesses and known issues with GenAI. Some output is factually incorrect even if it looks otherwise. Because these tools are trained on public data from around the world, there are concerns about copyright infringement and ethical uses of that public data. As humans, we already exhibit bias and these models are known to amplify and include bias in the results. All of these factors indicate the output should not be fully trusted and should be reviewed before being used or shared.

Lewis & Clark does not have enterprise contracts or agreements with any GenAI tool or service provider. No GenAI tool has been identified that meets the college’s security, privacy, and compliance standards for handling anything besides public data. Therefore, employees may not enter college data that could be considered for only internal purposes, sensitive, or restricted into any GenAI tool or service. Only publicly available information that has no legal or other requirement for confidentiality, or falls outside of FERPA or research data requirements, may be used in GenAI tools and services. Questions about college data standards and security should be directed to the Information Security Officer at security@lclark.edu.

While we do not want to discourage the use of GenAI, it is important that we proceed with caution in all uses of college data. We should assume that any data put into a GenAI model becomes public.

Examples of personally identifiable, confidential, privileged or other protected or sensitive data or information include, but are not limited to:

Personally Identifiable Information (PII):

• Full names
• Social Security numbers
• Dates of birth
• Addresses
• Phone numbers
• Email addresses
• Student ID numbers
• Protected Health Information (PHI)

Medical records:

• Health insurance information
• Details of any medical treatments
• Psychological counseling records

Educational Records (as protected by FERPA):

• Grades
• Transcripts
• Class schedules
• Disciplinary records
• Student financial aid information, including federal tax information
• Any document that includes PII of students

Financial Information:

• Bank account numbers
• Credit card information
• Financial transaction records
• Tax return information

Confidential Employee Information:

• Employee records containing PII
• Payroll information
• Employment contracts
• Performance evaluations
• Background check results

Intellectual Property and Sensitive Research Data:

• Proprietary research data
• Unpublished research findings
• Intellectual property not yet protected by patents
• Confidential project proposals and reports

Legal and Compliance Data:

• Legal documents related to ongoing litigation
• Internal investigation reports
• Compliance audit reports
• Any information subject to attorney-client privilege

Sensitive Institutional Information:

• Strategic plans not yet public
• Security protocols and access codes
• Information about critical infrastructure
• Private budgetary data
• Agenda or sensitive meeting notes