Advice on using AI services at work

Last changed: 14 June 2024

AI (Artificial Intelligence) is a rapidly evolving technology and more and more AI-based services are appearing on the market. AI can be a useful tool for many tasks, but it needs to be used responsibly to minimise the risks it poses. To support you in using AI tools, SLU’s Legal Affairs Unit has compiled the following advice, which should be taken into account when using AI services in your work.

Sharing information with AI services

Many AI services learn from the information that users give them. This can lead, among other things, to non-compliance with legislation such as the General Data Protection Regulation and the Public Access to Information and Secrecy Act. You therefore need to be careful about the information you give when using AI services.

Individual words and expressions may appear harmless, but it may be possible to map SLU's future plans, strategies and decisions based on what you choose to search for. This information can then be shared with other users of the AI service. Therefore, keep the following in mind:

  • Do not enter sensitive personal data or data subject to confidentiality.

  • Do not enter internal code, source code, passwords or other internal information that is inappropriate to share openly.

  • Do not enter information that cannot be shared with anyone, as it may be disseminated by the AI service.

NB. Common personal data, such as name and address, may only be shared in an AI service with which SLU has a data processing agreement. If you want to use an AI service with which SLU does not have an agreement, the information you provide to the AI service must be completely anonymous. For example, you can replace names with Person 1 and Person 2.

Critically review the results of AI services

You must scrutinise and check the results provided by an AI service, as they may be incomplete or inaccurate. Keep in mind that you are responsible for the work you do, even if it is the output of an AI.

Be transparent about using AI services

SLU should be transparent about using AI services. This means sharing our experiences and stating when and how we have used the service in our work. Examples of how to do this:

  • If an AI service is part of a process where personal data is processed, data subjects must be informed.

  • If you use a text generated by an AI service, there should be information about this in connection with the text, for example by adding ‘AI-generated text. May contain errors.’

Same rules as for other digital services

AI services are usually provided by foreign companies in the form of cloud services. The same rules and legislation apply as for other digital services. Therefore, if SLU is going to acquire an AI service, the following must be considered, in addition to what is said above. This way, we can ensure that we comply with legislation as well as SLU policies and rules.

  • Assess whether the AI service you are looking at is the most appropriate for the purpose, i.e. what you want to achieve.

  • An information security classification, risk assessment and data protection impact assessment may need to be done for the service.

  • For example, even if you do not actively submit personal data to an AI service, it may store the user's IP address, which is personal data. Therefore, you need to take into account any transfers to third countries. This means that the company providing the AI service must be based in an EU/EEA country or be authorised by the EU.

  • Make sure that contracts and data processing agreements are in place for the service.