ALL ACADEMICS, STAFF, AND STUDENTS (Including UC San Diego Health)
Data Protection and ChatGPT
With the emergence of ChatGPT, many members of our community are racing to explore its use in the academic, research, and administrative mission of the university. I would like to provide some guidance on its appropriate use through the lens of university policy and risk mitigation. At present, assume that no personal, confidential or otherwise sensitive information may be used with ChatGPT.
Licensing Agreements
University of California (UC) policy requires that all software licensing agreements with suppliers (and other entities), particularly those that will host UC data as part of its services, require the supplier to comply with a variety of data security and privacy practices. These include, but are not limited to, the protection of all UC data against loss, unauthorized access and use, and the indemnification of UC and compliance with all software-related UC insurance requirements. The data security and privacy provisions contained in these agreements are a critical part of UC’s ongoing efforts to ensure the protection of the data and information related to its operations and the personal information of its staff, faculty and students.
However, there is currently no agreement with OpenAI, the developer of ChatGPT, or its licensees that would provide these types of protections with regard to ChatGPT or OpenAI’s programming interface. Consequently, the use of ChatGPT at this time could expose the individual user and UC to the potential loss and/or abuse of highly sensitive data and information. This issue is currently under analysis, and we are working with the UC Office of the President on it. We hope to see this addressed in the near future.
ChatGPT Use
Do not use ChatGPT with protected information such as student information, health information, confidential financial information, personnel conduct data such as performance reviews, etc. In general, any data classified by UC as Protection Level 3 or 4 should not be used. A guide with many examples of P3 and P4 data is listed below in the References section. Please note that OpenAI states that how it uses or does not use your information differs between its API services and the consumer ChatGPT interface.
Please be advised that in the absence of a UC agreement covering UC’s (including its staff, faculty and students) use of ChatGPT, your use of ChatGPT constitutes personal use, and obligates you, as an individual, to assume responsibility for compliance with the terms and conditions set forth in OpenAI’s own Terms of Use.
For further guidance on using ChatGPT please review the references listed below that address OpenAI’s own recommendations and policies on educational use, research and streaming of ChatGPT, and privacy, among others.
Prohibited Use
Please also note that OpenAI explicitly forbids the use of ChatGPT and their other products for certain categories of activity. This list of items can be found in their usage policy document.
Further guidance on ChatGPT will be forthcoming as soon as it is available.
Thank you,
Michael Corn
Chief Information Security Officer
UC San Diego