Privacy

The privacy of others must be respected when interacting with AI. Members of the Georgetown community must ensure that personally identifiable information is only used with systems that have been evaluated and approved by the university, or when individuals have provided their consent (unless permitted by applicable law or through an approved university process, such as IRB review). Personally identifiable information is often subject to international, federal, or state regulations (e.g. GDPR, HIPAA, FERPA, etc.) that govern its use by Georgetown. In addition to the obligations above, users of AI should not use moderate or high-risk Georgetown data as defined by the Georgetown Data Classification Guidelines, without:

1. Careful consideration and understanding of the AI tool’s use of Georgetown data and the service provider’s stated rights to the data, including, but not limited to whether the service provider offers the option to opt-out of using customer’s data to train the AI; and
2. Prior review by Georgetown’s University Information Services or, for human subject research, Georgetown’s Institutional Review Board, when personal information that is classified as moderate or high-risk data is involved.  

Applicable University Policies:

• HIPAA (Health Insurance Portability and Accountability Act) Privacy and Security Policies
• Georgetown University Privacy Policy
• Georgetown University Information Security Policy
• Payment Card Industry Data Security Standards Policy (PCI-DSS)
• Policy on the Use, Collection, and Retention of Social Security Numbers at GU 
• Student Records Policy