Procurement and Use Matrices Based on the Classifcation of the Data
Below are guidelines regarding the purchasing and use of AI applications based on the classification of the data being used. These matrices determine the type of AI platform that can be used (public or private) and what actions are needed. For example, if you want to use Level 2 data, which is data that is not regulatory or highly confidential, but is still private to UT Health Science Center, it can only be used in a private AI environment unless it has been vetted by ITS executive review and approved for use.
The AI platorm purchased or used must conform to the security control requirements for the data classification level or the data used, like any other system. If a technology review is required, here is where you can start the process in TechConnect.
Definitions:
-
- Public AI – Public AI refers to any kind of publicly available artificial intelligence algorithm that trains on a wide set of data, typically pulled from users or customers. ChatGPT is an example of public AI.
- Private AI – Private AI refers to the practice of training algorithms on data specific to one user or organization and is used only in that organization.
- Executive Review – The executive leadership of ITS
- Technology Review – ITS has a Technology Review Team (TRT) that reviews purchasing requests for any resource for compatibility with our network and security concerns.
Procurement
Data Classification | AI Type (Public or Private) | Executive Review | Technology Review | Further Actions |
Level 3 (highest) | Private | No | Yes | |
Public | Yes | As Directed | Executive review will determine the type and scope of any review(s) required | |
Level 2 | Private | No | No | |
Public | Yes | As Directed | Executive review will determine the type and scope of any review(s) required | |
Level 1 | Private | No | No | |
Public | No | No |
Using an AI Application
Data Classification | AI Type (Public or Private) | Can it bu used? |
Level 3 (highest) | Private | Yes |
Public | No, unless vetted by Executive Review | |
Level 2 | Private | Yes |
Public | No, unless vetted by Executive Review | |
Level 1 | Private | Yes |
Public | Yes |