Reason for Policy
Safeguard personal, private, and sensitive data and information stored, processed, or used at the College.
Prevent unauthorized access, disclosure or misuse of data and information.
Ensure the responsible and ethical use of information when using AI tools, services, and systems.
College Roles Affected by Policy
All employees who use data stored, processed, or utilized by the College with AI tools, services or systems.
This policy does not cover academic or personal use of AI, except when it involves internal, confidential, or restricted College data. Academic use of Artificial Intelligence is included in the Artificial Intelligence Institutional Statement that covers four overarching principles for academic coursework.
Use of Data with AI Tools
All use of AI tools, services, and systems must be in accordance with the Data Classifications and Protection Requirements Policy and the Information Security Plan.
CCS does not have data protection agreements in place with most AI vendors; therefore, use of these tools is restricted to Public Data as defined in the above policies.
As the College incorporates AI tools and services into its approved systems and services list, Information Technology Services will maintain a summary list of AI systems and the approved level of information access for each. Use of any systems not on this list will be restricted to public data only by default.
Any exceptions to this policy must be approved by the appropriate Vice-President, who will coordinate with ITS, College leadership, and/or other appropriate parties.
AI tools can produce inaccurate, incomplete, or biased results. Any results derived from AI must be vetted by an appropriately skilled human to ensure accuracy, appropriateness and relevancy. Any computer code generated by AI must be reviewed and tested by an appropriately skilled human prior to production use. An appropriately skilled human is one that has the knowledge and practical experience to develop and understand the code in question, including logic, applicable business practices, security concerns, and edge cases/testing.
As a best practice, always use the least amount of internal, confidential or restricted data as possible with any system, and anonymize data to the extent possible. Any suspected information exposure, compromise or abuse must be reported to the employee’s supervisor, appropriate data owner/custodian (as listed in the Information Security Plan), and Information Technology Service immediately.