1. Purpose
The purpose of this policy document is to provide a framework for the use of Generative Artificial Intelligence Large Language Models (GenAI) such as ChatGPT, Bard, Bing or other similar tools by council employees, contractors, developers, vendors, temporary staff, consultants or other third parties, hereinafter referred to as ‘users’.
This policy is designed to ensure that the use of GenAI is ethical, complies with all applicable laws, regulations and council policies, and complements the council’s existing information and security policies.
The pace of development and application of GenAI is such that this policy will be in a constant state of development. Please share your feedback, suggestions and experiences to enable us improve the policy and to ensure that it meets the needs of councils.
2. Use
This policy applies to all users with access to GenAI, whether through council-owned devices or BYOD (bring your own device) in pursuit of council activities.
Use of GenAI must be in a manner that promotes fairness and avoids bias to prevent discrimination and promote equal treatment, and be in such a way as to contribute positively to the council’s goals and values.
Users may use GenAI for work-related purposes subject to adherence to the following policy. This includes tasks such as generating text or content for reports, emails, presentations, images and customer service communications.
Particular attention should be given to Governance, Vendor practices, Copyright, Accuracy, Confidentiality, Disclosure and Integration with other tools.
2.1 Governance
Before accessing GenAI technology, users must first notify the council’s Information Governance Team of their intention to use, the reason for use, and the expected information to be input as well as the generated output and distribution of content.
2.2 Vendors
Any use of GenAI technology in pursuit of council activities should be done with full acknowledgement of the policies, practices, terms and conditions of developers/vendors.
2.2 Copyright
Users must adhere to copyright laws when utilising GenAI. It is prohibited to use GenAI to generate content that infringes upon the intellectual property rights of others, including but not limited to copyrighted material. If a user is unsure whether a particular use of GenAI constitutes copyright infringement, they should contact the legal advisor or Information Governance Team before using GenAI.
2.3 Accuracy
All information generated by GenAI must be reviewed and edited for accuracy prior to use. Users of GenAI are responsible for reviewing output, and are accountable for ensuring the accuracy of GenAI generated output before use/release. If a user has any doubt about the accuracy of information generated by GenAI, they should not use GenAI.
2.4 Confidentiality
Confidential and personal information must not be entered into an GENAI tool, as information may enter the public domain. Users must follow all applicable data privacy laws and organisational policies when using GenAI. If a user has any doubt about the confidentiality of information, they should not use GenAI.
2.5 Ethical Use
GenAI must be used ethically and in compliance with all applicable legislation, regulations and organisational policies. Users must not use GenAI to generate content that is discriminatory, offensive, or inappropriate. If there are any doubts about the appropriateness of using GenAI in a particular situation, users should consult with their supervisor or Information Governance Team.
2.6 Disclosure
Content produced via GenAI must be identified and disclosed as containing GenAI-generated information.
Footnote example:
Note: This document contains content generated by Artificial Intelligence (AI). AI generated content has been reviewed by the author for accuracy and edited/revised where necessary. The author takes responsibility for this content.
2.7 Integration with other tools
API and plugin tools enable access to GenAI and extended functionality for other services to improve automation and productivity outputs. Users should follow OpenAI’s Safety Best Practices:
- Adversarial testing
- Human in the loop (HITL)
- Prompt engineering
- “Know your customer” (KYC)
- Constrain user input and limit output tokens
- Allow users to report issues
- Understand and communicate limitations
- End-user IDs.
API and plugin tools must be rigorously tested for:
- Moderation – to ensure the model properly handles hate, discriminatory, threatening, etc. inputs appropriately.
- Factual responses – provide a ground of truth for the API and review responses accordingly.
3. Risks
Use of GenAI carry inherent risks. A comprehensive risk assessment should be conducted for any project or process where use of GenAI are proposed. The risk assessment should consider potential impacts including: legal compliance; bias and discrimination; security (including technical protections and security certifications); and data sovereignty and protection.
3.1 Legal compliance
Data entered into GenAI may enter the public domain. This can release non-public information and breach regulatory requirements, customer or vendor contracts, or compromise intellectual property. Any release of private/personal information without the authorisation of the information’s owner could result in a breach of relevant data protection laws. Use of GenAI to compile content may also infringe on regulations for the protection of intellectual property rights. Users should ensure that their use of any GenAI complies with all applicable laws and regulations and with council policies.
3.2 Bias and discrimination
GenAI may make use of and generate biased, discriminatory or offensive content. Users should use GenAI responsibly and ethically, in compliance with council policies and applicable laws and regulations.
3.3 Security
GenAI may store sensitive data and information, which could be at risk of being breached or hacked. The council must assess technical protections and security certification of GenAI before use. If a user has any doubt about the security of information input into GenAI, they should not use GenAI.
3.4 Data sovereignty and protection
While a GenAI platform may be hosted internationally, under data sovereignty rules information created or collected in the originating country will remain under jurisdiction of that country’s laws. The reverse also applies. If information is sourced from GenAI hosted overseas, the laws of the source country regarding its use and access may apply. GenAI service providers should be assessed for data sovereignty practice by any organisation wishing to use their GenAI.
4. Compliance
Any violations of this policy should be reported to the council’s Information Governance Team or senior management. Failure to comply with this policy may result in disciplinary action, in accordance with council’s Human Resources policies and procedures.
5. Review
This policy will be reviewed periodically and updated as necessary to ensure continued compliance with all applicable legislation, regulations and organisational policies.
6. Acknowledgment
By using GenAI, users acknowledge that they have read and understood these guidelines, including the risks associated with the use of GenAI.
This guidance has been prepared by ALGIM (Aotearoa – New Zealand) and Socitm (UK).
Please submit any comments, suggestions and experiences to: