ChatGPT security guidance

May 4, 2023
Dewight Kramer
Chief Information Security Officer
Information Technology Solutions
May 4, 2023

With the emergence of ChatGPT, many members of our community are racing to explore its use in the academic, research, and administrative mission of the University. The Information Security Office wants to provide guidance on its appropriate use through university policy and risk mitigation.

At present, any use of ChatGPT should be with the assumption that no personal, confidential, or otherwise sensitive information may be used with it.

Licensing Agreements

University of California (UC) policy requires that all software licensing agreements with suppliers (and other entities), particularly those that will host UC data as part of its services, require the supplier to follow a variety of data security and privacy practices. These include the protection of all UC data against loss, unauthorized access and use, the indemnification of UC, and compliance with all software-related UC insurance requirements. The data security and privacy provisions contained in these agreements are a critical part of UC’s ongoing efforts to ensure the protection of the data and information related to its operations and the personal information of its staff, faculty, and students.

However, there is currently no agreement with OpenAI, the developer of ChatGPT, or its licensees that would provide these types of protections with regard to ChatGPT or OpenAI’s programming interface.  Consequently, the use of ChatGPT at this time could expose the individual user and UC to the potential loss and/or abuse of highly sensitive data and information. This issue is currently under analysis with the UC Office of the President, with whom we work closely.  We hope to see this addressed in the near future.

ChatGPT Use

Do not use ChatGPT with protected information such as student information, health information, confidential financial information, personnel conduct data such as performance reviews, etc. In general, any data classified by UC as Protection Level 3 or 4 should not be used. Please note that OpenAI states that how it uses or does not use your information is different when using its API services from the consumer ChatGPT interface. 

 

Please be advised that in the absence of a UC agreement covering UC’s (including its staff, faculty, and students) use of ChatGPT, your use of ChatGPT constitutes personal use and obligates you, as an individual, to assume responsibility for compliance with the terms and conditions in OpenAI’s own Terms of Use.

Prohibited Use

Please also note that OpenAI explicitly forbids the use of ChatGPT and their other products for certain categories of activity. This list of items can be found in their usage policy document.

Further guidance on ChatGPT and similar artificial intelligence (AI) will be forthcoming as soon as it is available.