This document outlines the internal policy for using ChatGPT, an AI language model developed by OpenAI. The purpose of this policy is to provide guidance on the responsible and secure use of ChatGPT within our organization while mitigating the risk of exposing sensitive information.
This policy applies to all employees who access and use ChatGPT for work-related purposes, including but not limited to communication, data analysis, document generation, and research.
Employees are permitted to use ChatGPT for work-related purposes, provided that they adhere to this internal policy and any other applicable guidelines and protocols.
To prevent the inadvertent disclosure of sensitive or confidential information, employees must:
4.1. Refrain from entering into ChatGPT, or discussing with it, any sensitive or confidential information, including but not limited to financial data, personal information, intellectual property, trade secrets, or strategic plans. Anything entered into a prompt leaves the organization's control once it is submitted.
4.2. Review any content generated by ChatGPT to ensure that it does not contain or imply sensitive information before sharing it with others, both internally and externally.
4.3. Immediately report any instances of accidental disclosure of sensitive information to the IT Security Department or designated supervisor.
To ensure that the content we share with ChatGPT is not used by OpenAI to further train their language models, employees must opt out of data usage for model training. Opting out limits only how OpenAI uses the data; it does not lessen the restrictions in section 4, which continue to apply to every prompt. Follow the steps below (from https://help.openai.com/en/articles/5722486-how-your-data-is-used-to-improve-model-performance):
5.3. Enter the Organization ID for your account. It can be found at https://beta.openai.com/account/org-settings.
5.5. Complete the CAPTCHA to submit the data opt-out form to OpenAI. A copy of the submitted form is also emailed to the address associated with your account.
All employees who use ChatGPT must receive training on this policy and related best practices. The IT Security Department or designated supervisor is responsible for providing the necessary training and support.
Violations of this policy may result in disciplinary action, up to and including termination of employment. The IT Security Department is responsible for monitoring compliance with this policy and investigating any reported violations.
This policy is subject to periodic review and update to ensure its continued relevance and effectiveness. Any changes will be communicated to all employees in a timely manner.
In the event of a ChatGPT-related security incident, employees should follow the organization's incident response plan, which includes:
9.2. Assisting with the investigation by providing relevant information and cooperating with the incident response team.
9.3. Complying with any remedial measures or recommendations provided by the incident response team.
10.1. Employees should avoid using ChatGPT for personal purposes during working hours or on company devices. Any personal use of ChatGPT must be limited to non-sensitive topics and must not involve the disclosure of company-related information.
11.1. Employees must ensure that any content generated by ChatGPT is accessible and inclusive, adhering to the organization's guidelines on diversity, equity, and inclusion. This includes avoiding biased language, stereotypes, or offensive content.
12.1. Employees should be aware that any content generated by ChatGPT may be subject to copyright laws and the intellectual property policies of the organization. Employees must properly attribute the source of the content, and when in doubt, consult the Legal Department for guidance.
13.1. Employees must use ChatGPT ethically and responsibly, avoiding the use of the AI for purposes that may harm others or breach the organization's code of conduct. This includes, but is not limited to, generating false or misleading information, harassment, or any other activities that may be considered unethical or illegal.
14.1. The IT Security Department, in collaboration with other relevant departments, shall conduct periodic audits and monitoring of ChatGPT usage within the organization to ensure compliance with this policy and identify any areas for improvement.
15.1. Any exceptions to this policy must be approved by the IT Security Department or other designated authority. Requests for exceptions should be submitted in writing, detailing the reasons for the exception and the potential risks associated with it.
16.1. Employees must exercise caution when integrating ChatGPT with third-party applications, tools, or platforms. An integration that forwards organizational data to ChatGPT is subject to the same restrictions as direct use under section 4. Ensure that the integration complies with the organization's security and privacy guidelines, as well as any applicable laws and regulations.
16.2. Employees must consult with the IT Security Department or designated supervisor before implementing any third-party integration involving ChatGPT, so that potential risks can be assessed and the security measures in place validated.
17.1. All data generated through ChatGPT usage, including input and output, must adhere to the organization's data retention and deletion policies. Employees must ensure that any content generated by ChatGPT is properly stored, archived, or deleted according to the applicable guidelines.
18.1. In the event of a system failure or data loss involving ChatGPT, employees should follow the organization's backup and disaster recovery procedures to restore normal operations as quickly as possible.
18.2. The IT Security Department is responsible for ensuring that appropriate backup and recovery mechanisms are in place and regularly tested for ChatGPT-related data and systems.
19.1. The organization must conduct periodic risk assessments for ChatGPT usage, including an evaluation of potential vulnerabilities, threats, and impacts on the organization's operations, reputation, and compliance.
19.2. Based on the risk assessment, the organization should implement appropriate security measures and controls to mitigate identified risks and ensure the secure and responsible use of ChatGPT.
20.1. Employees are encouraged to provide feedback on the effectiveness of this policy and suggest improvements to ensure its continued relevance and effectiveness. Feedback should be submitted to the IT Security Department or designated supervisor for review and potential implementation.
21.1. The IT Security Department is responsible for overseeing the implementation, enforcement, and ongoing management of this policy.
21.2. Department heads and supervisors are responsible for ensuring that employees within their respective departments are aware of and comply with this policy.
21.3. Employees are responsible for adhering to this policy and its guidelines, participating in relevant training, and reporting any policy violations or security incidents.
22.1. This policy should be read in conjunction with other relevant organizational policies and procedures, including but not limited to:
- Data Protection and Privacy Policy
- Acceptable Use Policy
- Security Incident Response Plan
- Intellectual Property Policy
- Code of Conduct
- Data Retention and Deletion Policy
- Backup and Disaster Recovery Policy