Generative AI @ UW–‍Madison: use & policies

Version 2, published January 2, 2024

This page outlines existing policies governing what you may and may not do when using generative artificial intelligence (AI) tools and services. These policies safeguard institutional data, which everyone in the university is legally and ethically obligated to protect. All university faculty, staff, students and affiliates must follow these policies.

Entering data into most non-enterprise generative AI tools or services is like posting that data on a public website. By design, these AI tools collect and store data from users as part of their learning process. Any data you enter into such a tool could become part of its training data, which it may then share with other users outside the university. For this reason, university faculty, staff, students and affiliates may enter institutional data into generative AI tools or services only when:

As with everything you do at the university, you must follow UW–‍Madison, UW System Administration (UWSA) and UW System Board of Regents policies when using generative AI tools and services. Read on for more about those policies and tips for using AI safely.

General policies relevant to AI use

Policy No. Policy Name What to Note
UW-523 Institutional Data
  • Definition of “institutional data”
  • Provisions related to protecting individual privacy, maintaining promised confidentiality, and ensuring appropriate access and use
  • Requirement for institutional data to be classified in accordance with applicable university data classification policy
UW-504 Data Classification
  • Explanation of the need to classify data as part of the university’s obligation to protect sensitive information
  • Data classifications
SYS1031 Data Classification and Protection
Regent Policy 25-3 Acceptable Use of Information Technology Resources
  • Prohibitions on using UW System IT resources to intentionally damage, disrupt, or expose IT resources or data to unauthorized access or harm

Prohibited use and relevant policies

Here are some examples of generative AI use that are not allowed under UW–‍Madison, UWSA and board of regents policies:

Prohibited Use Relevant Policy Explanation
You may not enter any sensitive, restricted or otherwise protected data into any generative AI tool or service.

This information includes, but is not limited to:

  • FERPA-protected information, such as:
    • Wiscard ID photos
    • University Directory Service data
    • Work produced by students to satisfy course requirements
    • Student names and grades
    • Student disability-related information
  • Health information protected by HIPPA
  • Information related to employees and their performance
  • Intellectual property not publicly available
  • Material under confidential review, including research papers and funding proposals
  • Information subject to export control
The university is obligated to protect sensitive information to comply with applicable state and federal privacy and security laws and regulations and with university, UW System and board of regents policies. Access to protected institutional data shall be authorized and managed to protect individual privacy, maintain promised confidentiality, and ensure appropriate access and use.
You may not upload any information from electronic files you are not authorized to access and use. No one but an authorized user of an electronic file may intentionally access that file.
You may not upload any data that could be used to help create or carry out malware, spam and phishing campaigns or other cyber scams. System IT resources may not be used to disseminate unauthorized email messages.
You may not upload aerial photographs or scaled drawings of UW–‍Madison areas or utilities-related data. Disclosure of certain facility, data, documents and graphics could compromise the safety and security of UW–‍Madison and its students, faculty, staff, visitors or physical infrastructure.
You may not use AI-generated code within institutional IT systems or services without having it reviewed by a human to verify it doesn’t have malicious elements. Use of malicious code in IT systems or services may threaten or increase the vulnerability of systems and the university data such systems store or transmit.
You may not direct AI tools or services to generate content that facilitates sexual harassment, stalking or sexual exploitation. UW-146 prohibits sexual harassment, stalking and sexual exploitation. Regent Policy 25-3 prohibits the use of System IT resources for harassment and stalking, as well as for storage, display, transmission, or intentional or solicited receipt of material that is or may reasonably be regarded as obscene, sexually explicit, or pornographic.
You may not use AI tools or services to generate content that helps others break federal, state or local laws; institutional policies, rules or guidelines; or licensing agreements or contracts. System IT resources may not be used to violate laws, policies or contracts.
You may not use AI tools or services to generate content that enables harassment, threats, defamation, hostile environments, stalking or illegal discrimination. UW-146 prohibits stalking. Regent Policy 25-3 prohibits the use of System IT resources to perpetrate harassment or stalking or to violate laws or policies.
You may not use AI tools or services to infringe copyright or other intellectual property rights. System IT resources may not be used to violate copyright or other intellectual property laws. Entering copyrighted material into a generative AI tool or service may effectively result in the creation of a digital copy, which is a copyright violation. Feeding copyrighted material into a generative AI tool or service could “train” the AI to output works that violate the intellectual property rights of the original creator. In addition, entering research results into a generative AI tool or service could constitute premature disclosure, compromising invention patentability.

In addition to violating UW policies, many of the above uses also violate generative AI providers’ policies and terms.

Incident reporting policies

Any member of the UW–‍Madison community who learns of a potential breach of data protection or confidentiality—including through the use of generative AI—must report the incident.

Trustworthy AI

For uses of generative AI that are not prohibited, UW–‍Madison faculty, staff, students and affiliates can help protect themselves and others by choosing tools and services that exhibit the National Institute of Standards and Technology’s (NIST’s) characteristics of trustworthy AI.

Additional AI resources

Get your questions answered

Questions about classifying data? Contact the relevant data steward.

General questions about AI use and policies? Contact Heather Johnston, IT policy writer & analyst, Office of Cybersecurity.