Boise State University has a number of policies that safeguard institutional data, which university faculty, staff, students, and affiliates must follow. Those using generative AI in their work should consider what data they are using and whether or not such data usage is prohibited by university policy or otherwise generally cautioned against.
Boise State University supports the responsible use of AI tools and has approved the education editions of the following: Zoom AI Companion, Google Gemini (Education edition only), Gemini for Google Workspace, and OpenAI ChatGPT (Education edition only). These tools have been vetted to meet the University’s standards for security, privacy, compliance, and legal requirements. If you wish to use other AI tools, they must first be submitted for review through the appropriate University processes, including Procurement, SARB, and legal review, and receive approval in accordance with those procedures. To ensure the safety and integrity of University data and systems, please avoid using unapproved AI tools on the University’s network, devices, or with your Boise State credentials (your Boise State username and password).
Even if your use is authorized, you should not enter personally identifiable information, confidential, sensitive, private, or restricted data into any generative AI tool or service.
As with everything you do at the university, you must follow Idaho State Board of Education and University policies when using generative AI tools and services.
It is recommended that faculty and staff complete the self-paced Boise State University AI Training prior to using any university-endorsed AI tool.
General Policies Relevant to AI Use
Policy No. | Policy Name | What to Note |
---|---|---|
8000 | Information Technology Resource Use | Prohibitions on using university IT resources to intentionally damage, disrupt, or expose IT resources or data to unauthorized access or harm. |
8060 | Information Privacy and Data Security | Explanation of the need to classify data as part of the university’s obligation to protect sensitive information Data classifications Requirement for all information to be kept in a manner consistent with appropriate controls, and standards commensurate with its data classification and the protections outlined in UWSA 1031.B, Information Security: Data Protection Standard |
Prohibited Use and Relevant Policies
Prohibited Use | Explanation | Relevant Policy |
---|---|---|
Unless you have specific authorization and the data has been properly de-identified, you may not enter any sensitive, restricted, or otherwise protected data into any generative AI tool or service. This information includes, but is not limited to: 1. FERPA-protected information, such as: – Bronco card ID photos – University non-directory data such as student ID numbers – Work produced by students to satisfy course requirements – Student names and grades – Student disability-related information 2. Health information protected by HIPAA 3. Information related to employees and their performance 4. Intellectual property not publicly available 5. Material under confidential review, including research papers and funding proposals 6. Information subject to export control | The university is obligated to protect sensitive information to comply with applicable state and federal privacy and security laws and regulations and with university and Idaho State Board of Education policies. Access to protected institutional data must be authorized and managed to protect individual privacy, maintain promised confidentiality, and ensure appropriate access and use. | University Policy 1090 (Intellectual Property) University Policy 1150 (HIPAA Hybrid Entity Designation) University Policy 2080 (Equal Access for Students with Disabilities) University Policy 5120 (Export Control and Controlled Data) University Policy 7530 (Employee Files) University Policy 8000 (Information Technology Resource Use) University Policy 8060 (Information Privacy and Data Security) |
You may not upload any data that could be used to help create or carry out malware, spam and phishing campaigns or other cyber scams. | System IT resources may not be used to disseminate unauthorized email messages. | University Policy 8000 (Information Technology Resource Use) |
You may not direct AI tools or services to generate or enable content that facilitates sexual harassment, stalking or sexual exploitation or that enables harassment, threats, defamation, hostile environments, stalking or illegal discrimination. | University policy 1060 prohibits discrimination or harassment on the basis of protected class. University Policy 1065 prohibits sexual harassment, stalking, dating violence, and domestic violence. University Policy 1075 prohibits discrimination on the basis of disability. | University Policy 1060 (Non-discrimination and Anti-harassment) University Policy 1065 (Sexual Harassment, Sexual Misconduct, Dating Violence, Domestic Violence, and Stalking) University Policy 1075 (Non-discrimination on the Basis of Disability) |
You may not use AI tools or services to generate content that helps others break federal, state or local laws; institutional policies, rules or guidelines; or licensing agreements or contracts. | System IT resources may not be used to violate laws, policies or contracts. | University Policy 8000 (Information Technology Resource Use) |
You may not use AI tools or services to infringe copyright or other intellectual property rights. | System IT resources may not be used to violate copyright or other intellectual property laws. Entering copyrighted material into a generative AI tool or service may effectively result in the creation of a digital copy, which is a copyright violation. Feeding copyrighted material into a generative AI tool or service could “train” the AI to output works that violate the intellectual property rights of the original creator. In addition, entering research results into a generative AI tool or service could constitute premature disclosure, compromising invention patentability. | University Policy 1130 (Use of Copyrighted Works) University Policy 1090 (Intellectual Property) University Policy 8000 (Information Technology Resource Use) |
You may not use AI tools to engage in illegal activity in violation of federal, state, or local law, including but not limited to Idaho Code § 67-6628A (Electioneering Communications – Use of Synthetic Media), Idaho Code § 18-6606 (Disclosing Explicit Synthetic Media), and Idaho Code § 18-1507C (Visual Representations of the Sexual Abuse of Children). | System IT resources may not be used to violate laws such as distributing certain deepfakes (realistic AI-generated videos or audio) without consent if it causes harm or is used for fraud; deceptively representing through synthetic media a political candidate’s action or speech in an electioneering communication; and using generative AI to produce, distribute, receive, or possess visual depictions of a child engaging in explicit sexual conduct. | University Policy 1065 (Sexual Harassment, Sexual Misconduct, Dating Violence, Domestic Violence, and Stalking) University Policy 7030 (Reporting Waste and Violations of Law, Regulation, or University Policy) University Policy 7070 (Employee Political Activity) University Policy 8000 (Information Technology Resource Use) |
Students may not present the work or ideas produced from the use of generative AI as their own without specific and proper acknowledgment and/or citation. | Failure to properly acknowledge and/or cite work or ideas produced through generative AI is considered plagiarism under the Student Code of Conduct and students found responsible may be sanctioned up to and including expulsion from the university. | University Policy 2020 (Student Code of Conduct) |
In addition to violating university policies, many of the above uses also violate generative AI providers’ policies and terms.
Incident Reporting Policies
Any member of the university community who learns of a potential breach of data protection or confidentiality—including through the use of generative AI—must report the incident.
- University Policy 2020 (Student Code of Conduct) – Suspected plagiarism for failing to properly acknowledge or cite works or ideas produced through the use of generative AI may be reported through the Student Conduct Report form.
- University Policy 2250 (Student Privacy and Release of Information) – Suspected FERPA violations should be reported to the Office of Institutional Compliance and Ethics at complianceandethics@268297.com or (208) 426-1258. Reports may also be made through the university’s Compliance Reporting Hotline.
- University Policy 7030 (Reporting Waste and Violations of Law, Regulation, or University Policy) – Employees may report, in good faith, any violation of law, regulation, or university policy without fear of adverse action or reprisal using the reporting guidelines outlined in University Policy 7030.
- University Policy 8060 (Information Privacy and Data Security Policy) – Suspected security breaches as defined in University Policy 8060 should be reported to the Help Desk at (208) 426-4357. The Information Technology Incident Response Procedure must also also be followed.
Trustworthy AI
For uses of generative AI that are not prohibited, university faculty, staff, students, and affiliates can help protect themselves and others by choosing tools and services that exhibit the National Institute of Standards and Technology’s (NIST’s) characteristics of trustworthy AI.
Additional AI Resources
- Artificial Intelligence in Education – AI in Education
- Chat GPT Terms of Use
- Google Gemini Terms of Service (references Google’s Terms of Service)
- Generative Artificial Intelligence and Copyright Law (Congressional Research Service)