AI Policy

Optime Generative AI Company Use Policy

This document was last updated on [08/01/2024].


  1. Definitions

    • GenAI Systems: Sophisticated AI models capable of understanding and generating human-like text utilize extensive training data and deep learning methods. While proficient in tasks like natural language processing, content creation, and question answering, their comprehension relies on statistical patterns rather than true comprehension.
    • API: Means Application Programming Interface.
    • BYOD: Means Application Programming Interface.
    • CISO: CISO Accordingly Optime’s ISMS
    • Company Data: The term "Company Data" encompasses a broad range of information outlined in this Policy, including but not limited to: all Company business information and Personal Data of employees, executives, contractors, consultants, Customers, consumers, and users, accessed, collected, used, processed, stored, shared, distributed, transferred, disclosed, destroyed, or disposed of by any Company systems. It also includes proprietary information and intellectual property such as source code, designs, product roadmaps, financial information, and Customer-related data, across various formats and mediums
    • Customer Data: Any and all data that the third parties who contract as Customers with the Company provide to the Company to use, store, transmit, or process.
    • Customer(s): Any unique contracting entity listed within an active order form with the Company, including all individuals acting on the entity’s behalf.
    • DPO: DPO accordingly Optime’s ISMS
    • GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
    • IP (Intellectual Property): This refers to any asset subject to intellectual property rights, including computer code, text, graphics, logos, images, audio, video, databases, inventions, designs, trademarks, and trade secrets, among others, protected under relevant jurisdictional laws.
    • IP Rights (Intellectual Property rights): This encompasses all forms of intellectual property rights, including patents, inventions, trademarks, trade names, domain names, know-how, trade secrets, copyrights, related rights, moral rights, proprietary rights, rights of publicity or privacy, and similar protections, whether registered or unregistered, existing or prospective, under the laws of any jurisdiction.
    • Personal Data: This refers to personal data as defined by the GDPR, which includes any information relating to an identified or identifiable natural person ('data subject'). An identifiable person is someone who can be directly or indirectly identified, such as by name, identification number, location data, or specific factors related to their identity. This definition also encompasses Personally Identifiable Information (PII) under U.S. laws.
    • SSO: Means Single Sign-On.
    • Team Member(s): All employees permanent, contract and temporary and those under a contract for services with the Company

  2. Purpose

    Generative AI (the “GenAI”) is a form of artificial intelligence that creates new content like text, images, or analysis by learning from existing data. Models like ChatGPT and Google’s Bard exemplify GenAI.
    At Optime, we prioritize the responsible and ethical use of GenAI as an assistant, not a substitute. Our policy addresses legal and ethical considerations and sets decision-making principles for its use in the workplace. The policy aims to guide Team Members in responsibly utilizing GenAI, leveraging its potential for positive impact while minimizing harm. We embrace new technologies with a commitment to responsible application and awareness of associated risks.

  3. Scope

    This Policy sets ethical guidelines and best practices for GenAI use at Optime, ensuring compliance with laws and regulations and protecting Team Members, suppliers, Customers, and the Company. It applies to all Team Members using or engaging with GenAI, encompassing language models, plugins, and data-enabled tools, even for remote work using personal devices.

  4. Principles of GenAI Use

    1. 4.1. Responsible Use: Team Members are required to use GenAI responsibly, avoiding harm, privacy breaches, and malicious actions. Usage should promote fairness, prevent bias and discrimination, and align with the Company’s values. GenAI may be utilized for work-related tasks such as generating content for reports, emails, presentations, images, and Customer service, provided that Policy guidelines are followed.
    2. 4.2. Ethical Use: GenAI must be used ethically, complying with laws and organizational policies. Team Members should not create discriminatory, offensive, or inappropriate content. If there are any uncertainties about the appropriateness of using GenAI in a particular situation, Team Members should consult with their supervisor or Information Governance Team.
    3. 4.3. Compliance with Laws and Regulations: GenAI must comply with all applicable laws, including data protection, privacy, and IP laws.
    4. 4.4. Transparency and Accountability: GenAI must comply with all applicable laws, including data protection, privacy, and IP laws.
    5. 4.5. Data Privacy and Security: Adhere to the Company’s data privacy and security policies when using GenAI. Anonymize and securely store any Personal Data or sensitive data used. At Optime we use these Anonymization methodologies:
      1. Removal of Identifiable Data: All identifiable data, such as names, addresses, phone numbers, and email addresses, will be removed before sending the data to generative AI platforms.
      2. Substitution with Fictitious Data: Identifiable data will be replaced with fictitious or randomly generated data. For example, real names will be replaced with generic names like "Person" or "Customer".
      3. Data Obfuscation: Data will be slightly altered to hide the individual's identity while preserving its utility. For example, dates or locations may be slightly modified.
      4. Tokenization: Identifiable data will be replaced with unique tokens that are not directly related to the original information. This will allow the data to remain useful for analysis while protecting the individual's identity.
      5. Generalization: The granularity of data will be reduced to make it less specific. For example, exact ages will be converted to age ranges, and specific addresses will be converted to broader location levels.
      6. Sensitive Data Suppression: Sensitive data that is not necessary for analysis or text generation will be completely removed.
      7. Data Masking: Portions of the original data will be hidden while preserving its general format. For example, the last digits of a credit card number will be masked.
      It is the responsibility of each employee handling data to ensure that these anonymization methodologies are followed before sending data to generative AI platforms. The data compliance and privacy team will oversee compliance with these guidelines and provide additional guidance as needed.
    6. 4.6. Bias and Fairness: Mitigate biases in GenAI to ensure fairness and inclusivity, avoiding discrimination.
    7. 4.7. Human-GenAI Collaboration: Use judgement when interpreting and acting on GenAI-generated recommendations. GenAI is a tool to augment human decision-making, not replace it.
    8. 4.8. Training and Education: Team Members must receive appropriate training for responsible GenAI use and stay informed about advancements and ethical concerns. All managers will be trained on the proper use of GenAI in the workplace. All Team Members using GenAI for work must attend training before doing so. For inquiries, contact isms@optimeconsulting.com.
    9. 4.9. Third-Party Services: When utilizing third-party GenAI services or platforms, Team Members must ensure providers adhere to the same ethical standards and legal requirements outlined in this Policy.
    10. 4.10. Governance: Before accessing GenAI technology, Team Members must notify the Information Governance Team of their intent, reasons, input information, generated output, and content distribution.
    11. 4.11. Vendors: Any use of GenAI technology for work activities should acknowledge the policies, practices, terms, and conditions of developers/vendors.
    12. 4.12. Copyright: Team Members must adhere to copyright laws when using GenAI. Using GenAI to generate content that infringes on others’ IP rights, including copyrighted material, is prohibited. If unsure, contact the legal advisor or Information Governance Team.
    13. 4.13. Accuracy: All GenAI-generated information must be reviewed and edited for accuracy before use. Team Members are responsible for reviewing and ensuring accuracy. If in doubt, refrain from using GenAI.
    14. 4.14. Confidentiality: Confidential information and Personal Data must not be entered into a GenAI Tool to avoid potential exposure. Follow data privacy laws and organizational policies. If uncertain, avoid using GenAI.
    15. 4.15. Disclosure: Content produced via GenAI must be identified and disclosed as GenAI-generated.

    EXAMPLE FOOTNOTE

    This document contains content generated by Generative Artificial Intelligence (GenAI). GenAI-generated content has been reviewed by the company for accuracy. The company takes responsibility for this content.

  5. Guidelines for GenAI Use

    1. 5.1. Required Actions:
      1. Before using any GenAI Tool for any Company business, opt out of allowing GenAI Tools to use data for training their models.
      2. Consult the Company’s policies to classify data intended for GenAI use and ensure it is not too sensitive to share.
      3. Carefully review GenAI-generated material for accuracy, completeness, and protection of third-party rights and Company Data.
    2. 5.2. Approved GenAI for Corporate Use:
      1. Approved GenAI for Company is OpenAI API, ChatGPT and Copilot.
      2. The use of GenAI not approved by Optime list is strictly prohibited.
      3. Submit a request to IT Procurement for using new GenAI not allowed by the Company, following provided instructions.
      4. The Company shall evaluate the security of any GenAI Tool before allowing the use of it, including security features, terms of service, and privacy policy. Check the reputation of the GenAI Tool developer and any third-party services used by it and report concerns to the IT Procurement team.
    3. 5.3. How You May Use GenAI:
      1. Comply with this Policy, other internal policies, rules, and confidentiality obligations in employment documentation.
      2. Use legally obtained data with GenAI Tools and obtain necessary permissions.
      3. Use only non-confidential, non-highly confidential, or non-restricted data, as per Company policies.
      4. Use vendor integrations or products featuring GenAI approved by the Legal and Security teams.
      5. Report security incidents or suspected breaches to isms@optimeconsulting.com.
    4. 5.4. Rules for Acceptable Use Must Be Followed:
      1. Sign up for GenAI System using a corporate account and the Company’s corporate SSO (if available).
      2. Use GenAI solely for work-related purposes aligned with respective tasks.
      3. Consider GenAI outputs as preliminary and verify for accuracy and potential bias before publication or decision-making.
      4. Exercise caution as anything entered into a GenAI Generator may become publicly accessible.
      5. Use only drafts of source code during interaction with GenAI (applicable for ChatGPT).
      6. Review and edit any public-facing creatives generated by GenAI prior to publication to protect copyright.
      7. Use only drafts of documents without identifying Company Group information during interaction with GenAI.
      8. Disable chat history and training in GenAI System (applicable for ChatGPT).
      9. Obtain approval from the manager and Security Team before training GenAI on Team Member data.
      10. Report any potential data breaches, unauthorized access, or suspicious activities to the Security Team at isms@optimeconsulting.com.
      11. Apply standard security practices for all Company and Customer Data, including strong passwords, up-to-date software, and data retention and disposal procedures.
    5. 5.5. Prohibited GenAI Use:
      1. Do not use personal accounts with GenAI Tools for Company-related purposes.
      2. Do not use Customer Data with GenAI Tools.
      3. Do not use any Company Data classified as confidential, highly confidential, or restricted (as defined in our policies).
      4. Do not use GenAI Tools for Company-related purposes without opting out of letting them use data you feed to train their models.
    6. 5.6. Restrictions on GenAI Tools Usage
      At all times, each Team Member must:
      1. Avoid sharing non-public information with GenAI, including confidential and sensitive corporate information, Personal Data, Company IP, and regulatory protected information.
      2. Consider the sensitivity of information before uploading it to GenAI Tools and consult managers if unsure.
      3. Ensure compliance with Optime’s ISMS and other data protection laws by refraining from entering Personal Data or protected/confidential information into GenAI Tools or search engines powered by GenAI.
      4. Avoid using ‘Browse with Bing’ and third-party plugins for GenAI Tools.
      5. Refrain from using GenAI Tools for unethical, illegal, or malicious activities that may harm the Company, its Group, Customers, Team Members, or third parties.
      6. Avoid installing unauthorized third-party GenAI-based browser plugins for video call voice transcripts, even with ChatGPT.
      7. Not use code that has already been committed to corporate repositories (GitLab, GitHub) for interaction with GenAI (applicable for ChatGPT).
      8. Not share access to GenAI Tools.

      The Company reserves the right to monitor and audit GenAI Tool usage by Team Members to ensure strict compliance with this Policy and investigate concerns regarding inappropriate use. This includes verifying the use of approved GenAI Tools, their correct usage, and proper data access and storage.

  6. Enforcement

    The CISO, DPO and Security Team will ensure compliance with this Policy through various methods, including business tool reports and internal/external audits. Any exceptions must be pre-approved by the CISO, DPO and General Counsel, or their designees. Violation of this Policy may result in disciplinary action, up to termination of employment or legal action if warranted.

  7. Change to this privacy notice

    This policy is effective from 08/01/2024
    Any changes we may make to this policy will be posted on this page. If changes are significant, we may notify you by email or clearly indicate on our home page that the policy has been updated.