
Policy on the Use of Generative Artificial Intelligence (GenAI)
Corporate Lead Officer, Customer Contact, ICT & Digital
Published: 08/10/2025 Version 1.1
Purpose
The purpose of this policy document is to provide a framework for the safe and ethical use of Generative Artificial Intelligence, Machine Learning and AI Large Language Models (GenAI) by Ceredigion council employees and councillors. This includes tools such as CoPilot, Bard, Bing or ChatGPT, but many other tools are also becoming available and being embedded in other product sets.
This policy is designed to ensure that the use of GenAI is ethical, complies with all applicable laws, regulations and council policies, and complements the council’s existing information and security policies.
The pace of development and application of AI is such that this policy will require regular review. If in doubt, staff should consult with the Senior Information Risk Officer (SIRO) or the Data Protection Officer (DPO).
This policy should be read in conjunction with the Information Security Policy v6.2 or greater.
1 Scope
This policy applies to all employees, contractors, and third-party individuals who have access to GenAI technologies or are involved in using GenAI tools or platforms on behalf of Ceredigion County Council whether through council-owned devices or not.
2 Use
Users may use AI for work-related purposes subject to adherence to the following policy. This includes tasks such as generating text or content for reports, emails, presentations, images and customer service communications.
3 Governance
Before accessing GenAI technology, users must first notify the council’s Information Governance and ICT Team of their intention to use, the reason for use, and the expected information to be input as well as the generated output and distribution of content.
A Data Protection Impact Assessment (DPIA) MUST be completed at the start of the project.
The following governance issues should be considered.
Vendors
Any use of GenAI technology in pursuit of council activities should be done with full acknowledgement of the policies, practices, terms and conditions of developers/vendors.
Copyright
Users must adhere to copyright laws when utilising Generative Artificial Intelligence, Machine Learning and AI Large Language Models (GenAI). It is prohibited to use AI to generate content that infringes upon the intellectual property rights of others, including but not limited to copyrighted material.
If a user is unsure whether a particular use of GenAI constitutes copyright infringement, they should seek legal advice or contact the ICT Service Desk before using GenAI.
Accuracy
All information generated by GenAI must be reviewed and edited for accuracy prior to use. Users of GenAI are responsible for reviewing output and are accountable for ensuring the accuracy of GenAI-generated output before use/release.
Confidentiality
Confidential and personal information must not be used in prompts or data used to train any public AI tool. The use of AI in any business process which deals with personal information must follow UK GDPR and Data Protection Act 2018 as well as all organisational policies.
Any new use or change of processing must undertake a full Data Protection Impact Assessment (DPIA), review of privacy notices and consultation of the Data Protection Officer.
Ethical Use
Generative Artificial Intelligence, Machine Learning and AI Large Language Models (GenAI) must be used ethically and in compliance with all applicable legislation, regulations and organisational policies. Users must not use AI to generate content that is discriminatory, offensive, or inappropriate.
If there are any doubts about the appropriateness of using AI in a particular situation, users should consult the ICT Service Desk.
Disclosure
Content produced largely by Generative Artificial Intelligence must be identified and disclosed as such.
Content produced with some support from AI which has been fully reviewed and significantly modified may be attributed to the owner and does not need attribution.
This is an area which will see best practice evolve over time. If in doubt, disclose the use of AI and be transparent about how it was used.
Suggested footnote examples:
- This image was generated by Artificial Intelligence (AI).
- Artificial Intelligence (AI) supported the generation of this content. All AI content has been reviewed by the author and the author takes responsibility for this content.
Integration With Other Tools
API and plugin tools enable access to GenAI and extended functionality for other services to improve automation and productivity outputs. Users should follow industry best practice. For example, OpenAI’s Safety Best Practices:
- Adversarial testing
- Human in the loop (HITL)
- Prompt engineering
- “Know your customer” (KYC)
- Constrain user input and limit output tokens
- Allow users to report issues
- Understand and communicate limitations
- End-user IDs
API and plugin tools must be rigorously tested for:
- Moderation – to ensure the model appropriately handles hateful, discriminatory, threatening and similar inputs
- Factual responses – provide a ground truth for the API and review responses accordingly
Audit Logs
Appropriate logging and auditing mechanisms MUST be in place to capture activities related to generative AI/ML usage.
4 Risks
Uses of AI carry inherent risks. A comprehensive risk assessment must be conducted with the Data Protection and ICT team for any project or process where use of AI is proposed. The risk assessment should consider potential impacts including: legal compliance; bias and discrimination; security (including technical protections and security certifications); and data sovereignty and protection.
Legal Compliance
Data entered into AI may enter the public domain. This can release non-public information and breach regulatory requirements, customer or vendor contracts, or compromise intellectual property. Any release of private/personal information without the authorisation of the information’s owner could result in a breach of relevant data protection laws. Use of AI to compile content may also infringe on regulations for the protection of intellectual property rights.
Security
AI may store sensitive data and information, which could be at risk of being breached or hacked. The council must assess technical protections and security certification of AI before use.
Any suspected or confirmed security incidents related to generative AI/ML usage MUST be reported immediately to the DPO or SIRO.
Bias and Discrimination
GenAI may make use of and generate biased, discriminatory or offensive content. Users should use GenAI responsibly and ethically, in compliance with council policies and applicable laws and regulations.
Data Sovereignty and Protection
While an AI platform may be hosted internationally, under data sovereignty rules information created or collected in the originating country will remain under jurisdiction of that country’s laws. The reverse also applies. If information is sourced from AI hosted overseas, the laws of the source country regarding its use and access may apply. AI service providers should be assessed for data sovereignty practice prior to their use.
5 Compliance
Any violations of this policy should be reported to the council’s IT Service Desk or senior management. Failure to comply with this policy may result in disciplinary action, in accordance with the council’s policies and procedures.
6 Review
This policy will be reviewed annually by the SIRO and updated as necessary to ensure continued compliance with all applicable legislation, regulations and organisational policies.
The policy will be reported to Council on a 5-yearly basis or when significant changes are made.