1. Introduction
This policy encompasses the use of all AI technologies, with a particular focus on Limited Memory AI technologies, such as Generative AI, given that Generative AI represents the predominant form of AI currently in use. Some examples of common tasks that Generative AI may assist users with, include creating or editing:
• Emails and letters
• Sales and advertising materials
• Spreadsheet calculations
• Document or information sorting
• Coding development or debugging
• Blog posts, reports, and other publications
• Outlines or summaries of information
• Policies and job descriptions
• Memoranda and similar documents
There can be risks in using this technology, including uncertainty about ownership of the AI-created content and security and privacy concerns with inputting proprietary or confidential information about an employee, client, operations, etc. when interacting with the AI technology. Additionally, the accuracy of the content created by these technologies cannot be relied upon, as the information may be outdated, protected, misleading or fabricated. This policy is provided in support of County Administrative Policy 9-2 Information Technology Use and Security Policy.
2. Roles and Responsibilities
Administrative Policy 9-2: Information Technology Use and Security Policy describes roles and responsibilities related to technology use and security, which are also relevant to this policy, but below are additional responsibilities related to artificial intelligence (AI).
A. User Responsibilities
Users are all workforce members (employees or any other individual performing work on behalf of, or with approval of Local Agencies) authorized to access Local Agency IT resources and are responsible for:
1. Reviewing this policy to ensure that they understand the risks of using AI tools and how to use them in a safe, secure, and compliant manner; and
2. Using artificial intelligence in accordance with this policy.
B. Local Agency Department Head/General Manager
Local Agency Department Head/General Manager and/or Designee are responsible for:
1. Enforcing this Policy manual within their Local Agency;
2. Ensuring all Users of Local Agency IT resources and data are made aware of this policy and that compliance is mandatory;
3. Ensuring all Users receive education regarding their responsibilities before using artificial intelligence;
4. Determining how Artificial Intelligence (AI) should be utilized by Users within their Local Agency and establishing supplemental artificial intelligence policies, standards, procedures, or guidelines as needed for their business
purposes, provided they are not less restrictive than County policies. Prior to final approval, Local Agency Department Head/General Manager and/or Designee are responsible for:
a. Providing supplements to Human Resources for review;
b. Providing notice to employee organizations regarding any proposed
supplements; and
c. Providing supplements to Local Agency’s Local Information Service
Provider to review for consistency with County/Local Agency IT security
policies;
5. Provide training in support of established procedures and guidelines; and
6. Obtaining a signed acknowledgment from Users that they have had an opportunity to read, and will comply with, this Policy manual before using artificial intelligence.
3. Limited Use
Due to the inherent risks of this new and evolving tool, and the need to comply with this policy and other County Administrative Policies, including but not limited to 9-2 Information Technology Use and Security, use of AI technology while performing work for the County of Sonoma must be limited. For example, no County confidential, restricted, personal, proprietary, or protected data of any kind, including data that is not owned by the County, may be shared (copied, typed, interfaced, etc.) with these platforms without performing a due diligence and compliance review as described below, which includes a review by County Counsel, as it would be a violation of County Administrative Policy 9-2 Information Technology Use and Security and, depending on the information, it may violate state and/or federal law. This includes installing AI technologies on County owned and managed systems. One of the key features of AI is its ability to memorize and learn from the information and data that is shared with it so, when AI has access to County data, even self-contained AI technologies that run on County owned and managed systems, it may share the sensitive data that was used to train it with others.
The use of transcription or other tools that have access to phone calls, video conferences, or other recorded conversations shall not be used without guidance from County Counsel. Use of these tools may violate attorney-client privilege,
California State law regarding the recording of two-party conversations (which is a crime), or other regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) or Criminal Justice Information Systems (CJIS). If these services are not used properly then the individual using the technologies could violate the law, which could result in the individual being fined or imprisoned. For all of these reasons these technologies are discouraged although, for certain use cases, they may be appropriate when implemented with guidance from County Counsel.
AI tools are known for generating content that is not accurate or in some cases, the content is completely made up. This is referred to as AI hallucinations. For this reason, all AI generated content must be reviewed for accuracy. AI tools may also generate content that is the same or closely similar to content owned by others, including content that has a copyright, patent, or trademark. If any AI generated content is known to be or later discovered to owned by others, then immediately cease using the content and report the discovery to County Counsel for review.
Reliable sources for fact checking include official documents and statements, academic journals and publications, encyclopedia, and reference books (this does not include Wikipedia, or similar user-data driven websites), and government websites. Best practices for verifying data include but are not limited to checking multiple sources, critical thinking and context, peer-expert consultation, and checking for citations and references.
AI technology shall not be used for obtaining legal or other professional advice otherwise requiring licensure. AI technology shall not be used to create work product that requires a professional license or certificate e.g., legal, medical, engineering, surveying, etc. AI technology shall not be used as a replacement for required County Counsel review, or any review and certification by any other licensed professionals. Improper use of AI may constitute unlicensed practice of professional trades (e.g., unlicensed practice of law, unlicensed surveying, etc.), which is a crime.
4. Bias and Discrimination
AI technologies may produce biased or discriminatory results, so AI shall not be used for any type of decision-making activities that may exclude options from otherwise being considered.
Some activities that AI shall not be used for include, but are not limited to: Reviewing, narrowing down, or selecting potential new employees, employees for promotions, proposals submitted by potential vendors responding to request for proposals (RFP), decisions about health care, benefits, or any other type of activity that might exclude an option from otherwise being considered.
AI should only be used in a similar manner to a Google or Bing search, as part of an information gathering activity or to fine tune verbiage for a letter, email, or other document, where the final decision on how to proceed is left up to a human being.
Follow all applicable laws, regulations, and County policies when using AI.
5. Ethical Use
Each employee is responsible for using AI tools in a manner that ensures the security of sensitive information and aligns with County policies including, but not limited to, Sonoma County Administrative Policy 9-2 Information Technology Use and Security, Equal Employment Opportunity Policy, and Civil Service Rules. These technologies shall not be used to create content that is inappropriate, malicious, discriminatory, or otherwise harmful to others or the County.
Employees shall also comply with all data privacy and security standards such as those found in HIPAA, CJIS, the Internal Revenue Service (IRS), and the California Consumer Privacy Act (CCPA) to protect Personally Identifiable Information (PII), Protected Health Information (PHI), or any sensitive data in AI prompts. Employees must also treat AI prompts as if they were publicly visible online to anyone, and treat AI prompts, data inputs, and outputs as if they are subject to the California Public Records Act.
6. Transparency
The use of AI systems should be explainable to those who use and are affected by their use. To ensure transparency when using this technology, indicate when AI significantly contributed to a work product. When considering types of contributions, use the following guide as a template for citations:
1. Whole Document Example: [AI Assistance: This document was generated with the assistance of an Artificial Intelligence language model, OpenAI GPT-4, 2023.]
2. Whole Document Example: [Artificial Intelligence contributed to the development of this document using Google Bard, 2023.]
3. Specific Citation Example: OpenAI. (2023). ChatGPT (Mar 14 version) [Large language model]
4. In text example for specific information: (OpenAI, 2023)
7. AI Due Diligence and Compliance Review
Given the high risks associated with using AI, all AI technologies must be reviewed for security and compliance before they are implemented in order to ensure data protection, legal compliance, and adherence to County policies, covering the following key areas:
1. Data Access and Protection:
• Identification of the types of data AI technologies will access; and
• Assurance that data will be adequately protected against unauthorized access.
2. Vendor Data Usage:
• Clarification on the vendor's intentions with the County's data, including:
i. Utilization for AI platform training purposes; and
ii. Potential sale or use of insights derived from County data.
3. Legal and Regulatory Compliance:
• Evaluation of AI deployment against existing laws, regulations, and County policies to prevent legal violations.
4. Security Assessment:
• Completion of a security review by the County Information Security Officer to identify and mitigate potential vulnerabilities.
5. Contractual and Legal Safeguards:
• Review by County Counsel of all contracts or terms of use to ensure they contain adequate legal protections for the use and confidentiality of County data.
This comprehensive due diligence process is designed to safeguard both the County’s interests and users of AI technologies.
Back to top