Using AI with HMC data

The following guidelines are offered to the HMC community to help with decisions about what AI can be used with what data.

Step 1. Understand data classification.

“P3 and P4 data can only be used in systems that are approved by the college.”

Data classification is the process of classifying data according to levels of confidentiality and the protection that it requires. The HMC Data Classification Standard breaks college data down into “P” (for “protection”) levels based on the consequences to the college of unauthorized access or modification of that data.

There are four protection levels specified in the standard, from “P4 – High” down to “P1 – Public”. The protection levels are heavily driven by the potential consequences to the college of unauthorized disclosure or modification. The higher the protection number, the more serious the consequences and the more stringent the protections. For example, P4 includes Social Security Numbers, P3 covers personnel records, P2 covers non-public emails that don’t contain P3 or P4 data, and P1 is essentially “public”.

There are more details about the data classification standard in the Questions and Answers section.

Step 2. Understand which AI is approved for which data.

“Only Google Workspace for Education, Microsoft 365 for Education and Workday can be used on P3 and P4 data.”

Table explaining the relationship between AI tools and HMC data protection levels. (Requires HMC Credentials)

Step 3. Understand the approval process.

“Make sure you know whether the AI you’re interested in is on the college approved list or not. If it is not, you cannot use it with P4 and P3 data but you can still use it with P2 data and P1 data.”

The college has an approval process for software purchases that includes contract review, cyber-security assessment, risk management and accessibility review.  When any given academic or administrative department is interested in purchasing a software application, several other departments/offices at the college carry out a review. The offices that perform this review work include the Office of Financial Affairs, Computing and Information Services, Risk Management and Legal Affairs, and Communications and Marketing.

The following are our current AI requirements for systems that may be used on P3 and P4 data:

  • A formal contract between the software vendor and the college must be signed by an authorized signer, in accordance with HMC’s contract procedures.
  • The vendor must not use HMC data to train its AI models.
  • The vendor’s employees must not review HMC data.
  • HMC must control whether data leaves the college “tenant”.
  • The vendor’s service must meet the college’s privacy, security and compliance requirements.
  • The vendor must agree to promptly destroy the tenant data at the end of the contract.