Version 1, published July 26, 2023
This page outlines existing policies governing what you may and may not do when using generative artificial intelligence (AI) tools and services. These policies safeguard institutional data, which everyone in the university is legally and ethically obligated to protect. All university faculty, staff, students and affiliates must follow these policies.
You may only enter publicly available information (classified as low risk) when you use generative AI tools and services. You may not enter internal, sensitive or restricted data into any generative AI tool or service.
Entering data into a generative AI tool or service is like posting that data on a public website. AI tools collect and store data from users as part of their learning process. Any data you enter into an AI tool becomes part of its training data, which it may then share with other users outside the university.
UW–Madison does not have enterprise contracts or agreements with any generative AI tool or service provider. No AI tool meets the university’s security, privacy and compliance standards for handling anything besides public data.
As with everything you do at the university, you must follow UW–Madison, UW System Administration (UWSA) and UW System Board of Regents policies when using generative AI tools and services. Read on for more about those policies and tips for using AI safely.
General policies relevant to AI use
|Policy No.||Policy Name||What to Note|
|SYS1031||Data Classification and Protection||
|Regent Policy 25-3||Acceptable Use of Information Technology Resources||
Prohibited use and relevant policies
Here are some examples of generative AI use that are not allowed under UW–Madison, UWSA and board of regents policies:
|Prohibited Use||Relevant Policy||Explanation|
|You may not enter any sensitive, restricted or otherwise protected data into any generative AI tool or service.
This information includes, but is not limited to:
||The university is obligated to protect sensitive information to comply with applicable state and federal privacy and security laws and regulations and with university, UW System and board of regents policies. Access to protected institutional data shall be authorized and managed to protect individual privacy, maintain promised confidentiality, and ensure appropriate access and use.|
|You may not upload any information from electronic files you are not authorized to access and use.||No one but an authorized user of an electronic file may intentionally access that file.|
|You may not upload any data that could be used to help create or carry out malware, spam and phishing campaigns or other cyber scams.||System IT resources may not be used to disseminate unauthorized email messages.|
|You may not upload aerial photographs or scaled drawings of UW–Madison areas or utilities-related data.||Disclosure of certain facility, data, documents and graphics could compromise the safety and security of UW–Madison and its students, faculty, staff, visitors or physical infrastructure.|
|You may not use AI-generated code within institutional IT systems or services without having it reviewed by a human to verify it doesn’t have malicious elements.||Use of malicious code in IT systems or services may threaten or increase the vulnerability of systems and the university data such systems store or transmit.|
|You may not direct AI tools or services to generate content that facilitates sexual harassment, stalking or sexual exploitation.||UW-146 prohibits sexual harassment, stalking and sexual exploitation. Regent Policy 25-3 prohibits the use of System IT resources for harassment and stalking, as well as for storage, display, transmission, or intentional or solicited receipt of material that is or may reasonably be regarded as obscene, sexually explicit, or pornographic.|
|You may not use AI tools or services to generate content that helps others break federal, state or local laws; institutional policies, rules or guidelines; or licensing agreements or contracts.||System IT resources may not be used to violate laws, policies or contracts.|
|You may not use AI tools or services to generate content that enables harassment, threats, defamation, hostile environments, stalking or illegal discrimination.||UW-146 prohibits stalking. Regent Policy 25-3 prohibits the use of System IT resources to perpetrate harassment or stalking or to violate laws or policies.|
|You may not use AI tools or services to infringe copyright or other intellectual property rights.||System IT resources may not be used to violate copyright or other intellectual property laws. Entering copyrighted material into a generative AI tool or service may effectively result in the creation of a digital copy, which is a copyright violation. Feeding copyrighted material into a generative AI tool or service could “train” the AI to output works that violate the intellectual property rights of the original creator. In addition, entering research results into a generative AI tool or service could constitute premature disclosure, compromising invention patentability.|
In addition to violating UW policies, many of the above uses also violate generative AI providers’ policies and terms.
Incident reporting policies
Any member of the UW–Madison community who learns of a potential breach of data protection or confidentiality—including through the use of generative AI—must report the incident.
- UW-509 Incident Reporting and Response
- SYS 1033 Incident Response
- UW-131 Reporting of HIPAA Incidents and Notifications in the Case of Breaches of Unsecured Protected Health Information
For uses of generative AI that are not prohibited, UW–Madison faculty, staff, students and affiliates can help protect themselves and others by choosing tools and services that exhibit the National Institute of Standards and Technology’s (NIST’s) characteristics of trustworthy AI.
Additional AI resources
- Exploring AI @ UW–Madison Webinar Series
- UW–Madison CISO Statement on Use of Generative AI
- Generative AI—Instructional Opportunities and Challenges
- Google Bard Terms of Service (references Google’s Terms of Service)
- GitHub Copilot Customer Agreement (references GitHub’s Terms of Service)
- Generative Artificial Intelligence and Copyright Law (Congressional Research Service)