Guideline
Ensure your use of AI complies with data privacy laws and institutional policies, safeguarding personal, academic, and research data.
Responsible use of AI requires a basic familiarity with how AI technologies manage and store data (see AI Literacy). It is important to understand the information security risks associated with their use, especially for AI tools that do not have FSU data agreements in place. Instructors should take all necessary precautions to safeguard protected data by limiting use of AI tools to those approved through the appropriate university channels (see Access to Tools and Applications).
Information Security Policy
FSU’s Information Security Policy outlines minimum standards for the protection of data and information technology resources.
Data Security Standard
FSU’s Data Security Standard classifies data by risk level (see examples) and can help instructors determine what can be shared using AI technologies, particularly those not managed by FSU.
Acceptable Technology Use
FSU’s Acceptable Use of Technology Policy prohibits use of third-party tools not approved by Procurement Services, Office of the General Counsel, and the Information Security and Privacy Office.

Beware of Training the Models
Before engaging with an AI tool, take precautions to ensure protected data is not used to train AI’s large language models (see AI Literacy). Tools that do not meet institutional policies for information security present significant data security risks and often retain the data shared with them (e.g., intellectual property, personal health information, personally identifiable information). Sharing information with AI tools not licensed by the university (or approved through the appropriate university channels) can lead to unintended violations of data privacy laws such as FERPA, GDPR, and HIPAA.

Data Retention Laws & AI-Generated Content
Bear in mind that data retention laws apply to AI-generated content. For example, AI-generated meeting transcripts and recordings may be subject to a public records request or formal legal proceeding. In addition, many AI tools store prompts, making those prompts subject to data retention laws. Microsoft Copilot for the Web, which is licensed and managed by the university, does not store prompts.
Report Information Security Incidents
AI use must safeguard data, respect intellectual property, and comply with institutional privacy policies. Report suspected information security incidents as outlined in the university’s Information Security Policy and Incident Response Standard.