Institutional Data and AI Guidance
Guidelines for the Use of Generative Artificial Intelligence (AI) Systems with Institutional Data
Effective Date:
02/28/2024
Title of Standard:
Institutional Data and AI Guidelines
General Statement:
East Carolina University recognizes that generative AI holds the promise of introducing advancements in the areas of research, development, and education. Generative AI is a type of AI that creates new content based on learned patterns from datasets retained by user input. Several well-known generative AI tools are Open AI’s ChatGPT and DALL-E, Microsoft’s Bing Chat and Copilot, and Google’s Bard. East Carolina University encourages exploration of these products or services, but individuals must remain cognizant of data being provided to these tools and abide by copyright laws, compliance regulations, as well as ECU’s Faculty Manual Academic Integrity Regulation, Employee Code of Conduct, and Student Code of Conduct.
Type of Institutional Data Approved for Use:
For “Level 1-Public” data, any generative AI products or services are allowed.
For levels 2, 3, and 4, protected institutional data (see reference chart below), only Generative AI products or services listed on the Sensitive Data Storage and Transmission website are approved. Use of protected data with other generative AI products or services could violate federal, state, and/or University regulations such as HIPAA and FERPA.
| ECU Classification Level | Permission |
|---|---|
| Level 1- Public | Use of publicly available generative AI products or services allowed. |
| Level 2- Internal Level 3- Confidential/Sensitive Level 4 Highly Restricted | Only generative AI products or services listed on the Sensitive Data Storage and Transmission website are allowed. Each generative AI product or service listed on the website will clarify its compatibility with various data levels. |
Best Practices for Faculty, Staff, and Students:
- ECU Passphrases must never be used with generative AI products or services that are not integrated with ECU’s single sign-on service.
- Most generative AI products or services should be considered public facing. Never share any sensitive, personal, or institutional data except that classified as “Level 1-Public.”
- Review and be familiar with ECU’s data classification standards: https://datagovernance.ecu.edu/ecu-data-classification/
- Faculty, staff, and students who work with institutional data must be aware of HIPAA, FERPA, GDPR, GLBA, and other federal, state, or university regulations.
- Generative AI is emerging as a prominent driver of phishing scams. These phishing threats are now more personalized and highly effective. ITCS Information Security Best Practices must be followed and any suspicious messages reported to phish@ecu.edu.
Teaching and Research:
Faculty must refer to the Office of Faculty Excellence’s Teaching and Research in the Age of Artificial Intelligence website’s Providing Guidance for Your Students on the use of AI for teaching. If faculty have questions about the website or wish to submit materials for it, please contact the Office of Faculty Excellence at ofe@ecu.edu.
Faculty must also refer to the ECU Libraries website’s Generative AI in the Classroom & Research: Research Best Practices on the use of AI for research.
Student Use:
Students must refer to their course’s syllabus and assignment instructions for guidance on the use of generative AI in coursework and assignments.
Acceptable Use & Ethics:
The use of generative AI products or services must comply with legal statutes and regulations and ethical standards. While using generative AI products or services, faculty, staff, and students must respect the privacy of individuals, review data for potential biases, and avoid discriminatory content and copyrighted material.
Approved Generative AI Products or Services Vendors:
As with any technology related products or services, acquisition of generative AI products or services must comply with the Software and Data Collection Services Acquisition Regulation. Vendors of any generative AI product or service who are approved to process ECU’s Level 2, 3, or 4 data must adhere to security industry best practices to safeguard and protect any data, documents, files, and other materials received from the university during the performance of any contractual obligation from disclosure, loss, destruction, or erasure. This includes all laws, ordinances, codes, rules, regulations, and licensing requirements that are applicable to the conduct of its business, including those of federal, state, and local agencies having jurisdiction and/or authority. The adherence to security industry best practices, laws, ordinances, codes, rules, regulations, and licensing requirements to safeguard and protect any data must also apply to the generative AI models trained with university data to prevent unauthorized access.
Termination of a vendor agreement must adhere to any applicable contracts.
Exceptions or Procurement of Generative AI Products or Services:
No exceptions to these guidelines will be approved until a contract is in place with the generative AI parent company.
Any procurement of a generative AI product or service must go through the Technology Purchase Process
Roles and Responsibilities:
All faculty, staff, and students are required to follow the Institutional Data and AI guidelines.
References:
- ECU Data Classification
- ECU Employee Code of Conduct
- ECU Faculty Manual
- Generative AI in the Classroom & Research
- Information Security Best Practices
- Licensed ECU Software Downloads, Apps, and Services website
- Sensitive Data Storage and Transmission
- Software and Data Collection Services Acquisition Regulation.
- Student Conduct Process
- Teaching and Research in the Age of Artificial Intelligence
- Technology Purchase Process