HomeMy WebLinkAboutWORKSHOP re Al Policy and products DRAFTDocument Code No.: FAKE 123456
Title: Jefferson County Acceptable Use Policy
Page 1 of 9
JEFFERSON COUNTY ARTIFICIAL INTELLIGENCE DEVELOPMENT AND USAGE
POLICY
I. PURPOSE
The purpose of this policy is to establish guidelines for the ethical and responsible development,
deployment, and use of AI technologies in Jefferson County, ensuring they are in alignment with the
principles of transparency, fairness, accountability, and public trust.
II. POLICY STATEMENT
Jefferson County establishes this policy for use of generative AI systems which shall be created,
managed, and maintained in a manner consistent with current industry best practices and regulatory
compliance ……………………..
III. APPLICABILITY
This policy applies to all Jefferson County departments and agencies that develop, procure, or use AI
technologies.
IV. DEFINITIONS
a. Artificial Intelligence. The simulation of human intelligence processes by machines,
especially computer systems, using robust Datasets to enable problem solving.
b. Machine Learning. A branch of AI that enables computers to learn from experience
without being explicitly programmed.
c. Generative AI. An AI system capable of generating text, images, video, or other media in
response to prompts.
d. Non-generative AI. A branch of artificial intelligence that focuses on analyzing and
classifying existing data rather than creating new content.
e. Chatbot. A computer program that simulates human conversation through text or voice
interactions.
f. Data. Any digital representation of information, knowledge, facts, concepts, data
programs or instructions that are being prepared or have been prepared in a formalized
manner and are intended for use in a data network, data program, data services, or data
system.
g. Large Language Model. A class of AI deep learning models designed to process and
understand vast amounts of natural language data.
h. ChatGPT. Chat Generative Pre-Trained Transformer, a chatbot driven by a generative
AI/ML system developed by OpenAI and trained using their LLM.
i. Otter.ai. A speech-to-text transcription software that uses artificial intelligence to
convert spoken words into text.
j. County Approved Generative AI - Microsoft’s Enterprise Generative AI solution is the
only Generative AI solution allowed/approved for use by County “Users”.
Document Code No.: FAKE 123456
Title: Jefferson County Acceptable Use Policy
Page 2 of 9
V. GUIDING PRINCIPLES
In alignment with the Washington State Artificial Intelligence Task Force, Jefferson County's AI
development, deployment, and use of artificial intelligence systems shall be guided by the following
principles:
a. Retain appropriate human agency and oversight;
b. Be subject to internal and external security testing of systems before public release for
high-risk artificial intelligence systems;
c. Protect data privacy and security;
d. Promote appropriate transparency for consumers when they interact with artificial
intelligence systems or products created by artificial intelligence; and
e. Ensure accountability, considering oversight, impact assessment, auditability, and due
diligence mechanisms.
VI. AUTHORIZED USE
County personnel will only use Generative AI for approved business-related purposes from County
approved devices, using IT approved Generative AI software tools. Use of Generative AI software
requires approval by Jefferson County IT.
a. AI Review Committee: Establish an AI Review Committee with department representatives
who will be responsible for oversight and guidance on AI initiatives within the county.
b. Training and Awareness: Conduct regular training sessions for county employees involved in
AI projects to ensure adherence to this policy.
c. Public Engagement: Engage with the public through forums, surveys, and other channels to
gather input and feedback on AI projects.
d. Regular Policy Review: The AI Review Committee will review and update this AI policy
periodically to reflect technological advancements and evolving community needs.
VII. PRIVACY AND SECURITY
Employees must maintain the confidentiality of all information either provided to or obtained through
the use of Generative AI or any AI service. This includes protecting the privacy of employees, customers,
clients, and any other individuals or entities whose information will be accessed, processed, or discussed
through the use of Generative AI or AI services.
Employees must comply with all applicable information laws, regulation, and County policies and take
appropriate security measures to safeguard County Data when using AI.
Document Code No.: FAKE 123456
Title: Jefferson County Acceptable Use Policy
Page 3 of 9
Because of its limitations, Generative AI systems such as ChatGPT shall not be used interactively by the
public in a way as to represent Jefferson County, such as part of a Chatbot within a website or mobile
app.
The following information must never be submitted into any commercially available or County provided
Generative AI tool:
a. Financial Information. This includes credit card number, bank account number, PIN
numbers, and any other financial information.
b. Passwords or login credentials. Never give out passwords, login credentials, or other
authentication information.
c. Personally Identifiable Information (PII). This includes name, address, phone number, email
address, social security number, passport number, drives license number, and any other
information that can reasonably be used to identify an individual.
d. Medical information. This includes all Protected Health Information (PHI) and subject to
HIPAA such as medical history, medications, and any other personal health information.
e. Sensitive or confidential information. This includes any information that could be used or
disclosed to harm the County, staff, or residents such as information about political
affiliations, religious beliefs, membership in a protected class, criminal history, or
information related to County information system.
VIII. RECORDS COMPLIANCE
Any product created by Generative AI or any AI service will meet the definition of a public record. These
records must be managed in compliance with RCW 42.56.
IX. STANDARDS
The architectural and technical standards associated with the enterprise use of AI shall be maintained by
IT.
X. PROCEDURES
a. Attribution
The use of Generative Al and the resulting product(s) will need to be attributed, referenced, and
cited in any electronic or paper material produced and published.
Attribution should include a description of the source application, how it was used, how the
material was edited, by whom, and the date. For example:
Document Code No.: FAKE 123456
Title: Jefferson County Acceptable Use Policy
Page 4 of 9
"Bing Chat for Enterprise Generative Ai was used to generate the charts and Data referenced
above. The content was reviewed and edited before being published by Sam Smith, DCA IT, on
06/1 5/2023."
b. Intellectual Property
Content produced by Generative Al systems will implicate intellectual property rights and will
include copyrighted material. Al systems will be "trained" using Data (text, images, etc.) that has
been sourced from the internet without regard for copyright or licensing terms. It is extremely
difficult to determine what content was used to train an Al system, and difficult to verify
whether Al-generated content is wholly original or only a slight stylization of existing
copyrighted material. Nevertheless, County employees are required to perform due diligence to
ensure that no copyrighted material is published by the County without proper attribution or
without obtaining proper rights.
c. Data Quality
Complex algorithms of Generative Al exponentially increase risk when incomplete or inaccurate
Data is involved. Al must be validated and regularly assessed to ensure completeness and
accuracy. Results from decisions, code, or research supported by Al models should consistently
align with those of a human subject matter expert.
All users have the responsibility to verify the accuracy of any information acquired through the
use of Generative Al before using that information in any final, published, or production
documents. If staff members are uncertain about the accuracy of the obtained information, they
should consult their supervisor or seek advice from a subject matter expert.
Users must independently verify any Al generated quotes or references. Do not assume that a
quote or reference is accurate, or real.
Verification will include cross-referencing sources included in the Al output, or independently
verifying dates, names and events in peer reviewed or authoritative published literature on the
internet or printed material.
d. Decision Making
County departments will utilize Generative Al to enhance efficiency and effectiveness.
Generative Al can be used for idea generation and as one source of information when
researching a topic. All Generative Al products must be human reviewed and edited before
usage in any final, published, or production documents. This is particularly important when the
content is Public facing. Employees are responsible for their use of Al and the application of Al
content/product in work tasks.
e. Equity and Inclusion
While Generative Al systems can reduce workloads, support capacity, and increase accessibility,
the generated content reflects the cultural, economic, and social biases of the source materials
used for training. The algorithms applied can be a source of bias as well. Applying principles
Document Code No.: FAKE 123456
Title: Jefferson County Acceptable Use Policy
Page 5 of 9
from the equity and empowerment lens, employees should thoroughly review any content
generated by Generative Al to ensure that any instances of bias, or potentially offensive or
harmful material, is changed or removed.
When it comes to the adoption of Generative Al, the County's goal is to eliminate digital
disparities and ensure that individuals who belong to a protected class and those impacted by
language or other accessibility barriers have equal access to and benefit from Jefferson County
programs, activities, benefits, and services. To uphold this commitment, Jefferson County
applies the equity and empowerment lens to address race, color, national origin, disability,
religion, age, sex/gender, sexual orientation, gender identity and expression, marital status,
veteran status, source of income, or any other basis prohibited by federal, state, or local law.
f. Final Requirements
Under no circumstances is a County employee authorized to engage in any activity that is illegal
under local, state, federal, or international law while utilizing County owned resources.
Employees are accountable for compliance with all Security Policies and are required to read
and understand them. Please note that employees' responsibilities for protecting County
information do not end at the termination of employment. These responsibilities continue until
the information is reclassified to be public.
XI. Consequences for Noncompliance
Departments must ensure compliance with this policy and are accountable for any AI systems deployed.
Violations of this policy will be grounds for disciplinary action, up to and including termination of
employment; and enforcement action which will include civil or criminal penalties.
XII. Appendix A: References
• 45 CFR Part 164 (HIPAA)
Chapter 42.56 RCW
• Chapter 9.73.030 RCW
XIII. Appendix B: Relevant Compliance Requirements
This section provides references to applicable key regulations and standards. This section does not
replace the authoritative source and is just a reference to assist with further research. Please use the
Compliance Standard and Section No. to further research the entirety of the regulation, framework or
standard from the authoritative source.
Compliance
Standard Section No. Description
HIPAA 45 CFR 164
Subpart C
Security Standards for the Protection of Electronic
Protected Health Information
Document Code No.: FAKE 123456
Title: Jefferson County Acceptable Use Policy
Page 6 of 9
45 CFR
164.316
Policies and procedures and documentation
requirements.
PCI DSS v3.2 12.3.5 Acceptable Uses of the Technology
NIST CSF Information Protection Processes and Procedures
NIST 800-536 AC-8 System Use Notification
Policies and Procedures
PL-4 Rules of Behavior
PS-6 Access Agreements