If you use, have used, or think you might use generative AI such as OpenAI’s ChatGPT, Google’s Gemini, Meta’s Llama, Microsoft’s Copilot, or any other similar models, READ THIS!

The term “Artificial Intelligence” or “A.I.” is a broad term that encompasses many different types of technology. Generative AI, or foundation models, is one form of AI that is becoming more and more popular. As advanced technologies like these evolve and generative AI usage becomes more common, it is crucial that you and all members of the UVM community, including faculty, staff, and students, be aware of how your use of these models could intersect with university privacy and information security policies. You must also recognize that, if used incorrectly, these tools put you at risk of violating any number of state, federal, and international laws.

To protect yourself, to protect those who have trusted you and UVM with private, confidential, and sensitive information, and to protect the University, it is imperative that everyone recognize how the use of generative artificial intelligence intersects with university policy and with the law.

Here are some important guidelines to follow:

How can I properly use generative AI?

  1. Understand UVM Policies: Familiarize yourself with UVM's Information Security Policy and its Procedures, the Computer, Communication, and Network Technology Acceptable Use Policy, and the Privacy Policy. These documents outline the requirements for handling different types of data and the necessary precautions to protect it.
  2. Data Classification: Review UVM’s Data Classification Matrix (PDF) before copying and pasting or otherwise inputting Moderate Risk, High Risk, or Restricted data into a generative AI model. If you don’t want the data to be publicly available, don’t put it in one of these tools.
  3. Do Not Input Non-Public Protected Data (NPPD): Before inputting any data into a generative AI tool, ensure that the data you are entering IS NOT classified as NPPD. NPPD includes student education records regulated under FERPA, protected health information regulated under HIPAA, personal data regulated under DHHS, non-public information regulated under GLBA, personally identifiable information regulated under Vermont state law, and personal data regulated under GDPR. In addition, it includes any information that is confidential, sensitive, or proprietary. Some common examples are provided at the end of this Privacy Matters newsletter. A full list of what constitutes NPPD is in UVM’s Privacy Policy.
  4. Anonymize/Deidentify NPPD: If you have removed all identifiers and there is no way that the information can be used to reidentify an individual, risk is greatly reduced. However, it is important to note that anonymized or deidentified means more than just removing the person’s name. If the data can be used, either alone or in combination with publicly available data, to reidentify an individual, entering it is still a violation. HIPAA prescribes how to deidentify data in order for the data to be exempt from HIPAA requirements.
  5. Report Incidents: If you suspect any misuse or data breach involving generative AI, report it immediately to the Information Security Office (iso@uvm.edu). Even if you yourself entered the data and only later think that perhaps you shouldn’t have, report it. The sooner it’s reported, the sooner we can take steps to mitigate potential risks.
  6. Use Approved Platforms: If and when the university approves a platform (as of this writing, there is no approved institutional license for a generative AI tool), make sure you are only using the UVM version of that tool (e.g. do not download one from the Google store). UVM is continuing to evaluate tools and will update the community if an institution-wide solution that meets UVM’s security and privacy standards becomes available.

What are the risks if I do enter Non-Public Protected Data (NPPD) into a generative AI tool?

  1. Data Breaches: If the tool is compromised or if data is mishandled, there is a risk of a data breach. Personnel entering NPPD must always follow UVM's procedures for protecting non-public, protected university information.
  2. Unauthorized Access: Ensure that only authorized personnel have access to NPPD. There is a risk of unauthorized access to NPPD if proper security protocols are not followed.
  3. Regulatory Violations: Improper use of generative AI tools can result in violations of data privacy regulations, leading to legal and financial repercussions. Adhere to UVM's policies to avoid such violations.
  4. Misuse of Data: Always operate under the assumption that data could be exposed or misused, because NPPD entered into generative AI tools can be used for unintended purposes, potentially leading to privacy violations.

Always remember that if the data relates to a person, if it is otherwise confidential, proprietary, or sensitive, or if the data is protected under a sponsored research project, there is a really good chance that entering it into a generative AI tool is a violation of the law. If not the law, then likely a contract or a UVM policy. These tools are not secure, and the companies that run them make no guarantees of protecting the data. If you enter any type of NPPD into a generative AI model, you are basically sharing it with the world.

The AI Task Force is diligently working on providing more resources and information related to the use of generative AI. As resources are available, the Task Force will communicate those across campus.

The privacy and security risks are but one piece of the puzzle, but by following these guidelines, we can use generative AI responsibly while ensuring compliance with the law and with the privacy and information security provisions in UVM's contractual agreements and policies. Thank you for your attention to this important matter.

For any questions or concerns, please contact the Office of Compliance and Privacy Services or the Information Security Office. If your question relates to sponsored research or research data, you may also contact the Office of Research Integrity.


Examples of NPPD

While it’s not possible to provide an exhaustive list, here are some common examples of NPPD that you might come across in your day-to-day work:

  1. Confidential Information:
    • Institutional Information: This could include login credentials, maps of facilities where high-risk areas are located (server rooms/closets, cash).
    • Contracts/Agreements: contracts, proprietary software programs, and agreements that are marked as confidential.
    • CUI (Controlled Unclassified Information): this is generally information provided by a federal agency for research purposes. The federal agency is supposed to mark CUI, so if you are working with it, the federal agency should be letting you know before they provide it to you.
  2. FERPA:
    • Grades, Coursework, and Transcripts: This includes grades from individual courses, papers, tests, overall GPA, and official transcripts.
    • Class Schedules: Information about the courses a student is enrolled in, including times and locations.
    • Student Financial Information: This encompasses financial aid records, scholarship applications, and any financial transactions related to the student. Depending on the specific information, this may also be regulated under GLBA.
    • Disciplinary Records and Conduct Files: Records of any disciplinary actions taken against a student or records related to student conduct.
    • Student Health and Counseling Records: This includes records from student health services and counseling centers. In some cases, these records may also be governed by other privacy laws such as HIPAA.
    • Family Information: Information about a student's family, such as contact details and emergency contacts.
    • Internship and Employment Records: Records related to internships and employment that are dependent on the student's status, such as Federal Work-Study positions.
    • Class Lists and Attendance Records: Lists of students enrolled in classes and records of their attendance.
  3. HIPAA:
    • Human Subjects Data: This includes patient protected health information obtained from a covered entity such as a hospital or physician practice that is used for research.
    • Clinical Trials Data: This includes any information gathered during clinical trials that identifies or could identify participants.
    • Patient Records: This includes medical records from a covered component and any personally identifiable information obtained for training/education or research purposes or under a Business Associate Agreement. NOTE: if the data is medical (physical or mental) or related to patient care, it is protected under a regulation even if it’s not HIPAA.
    • Health Insurance Information: This includes any health-related (physical or mental) information obtained as part of UVM’s self-insurance program.
  4. DHHS:
    • Human Subjects Data (not including protected health information): Any information gathered from human subjects during the conduct of a research study.
  5. GLBA:
    • Student Financial Data: This includes information provided to the university for student loans, scholarships, and tuition grants. It includes student and parent tax return information and all information provided under the Free Application for Federal Student Aid (FAFSA).
  6. International & State Law:
    • Any data that can be tied back to an individual that is not already public, if not covered under one of the above laws, is likely going to be covered under one of these.
    • If the individual is from a country that has a privacy law or from a US state that has a privacy law, the following information is going to be covered:
      • The individual’s name (first and last name, or last name and first initial) in combination with:
        • Financial information such as bank account and credit card numbers.
        • Social Security Numbers.
        • Passport and immigration documents.
        • Health information.
        • Student information.
        • Demographics such as date of birth, address, phone number, or email address, unless this is publicly available.
    • When it comes to international and state law, it’s important to realize that, while there are some common elements, they are all slightly different. Rather than try to parse it all out, think of it this way: if you are working with data that is not publicly available and/or if the information can be tied to an individual, do not cut and paste it or enter it into AI unless it has been deidentified first or unless you’ve confirmed that this is an allowable disclosure under UVM’s Privacy Policy, Information Security Policy, or applicable contract or agreement.