Version: 1.0
Valid until: 2025-03-26
Classification: Low
Version Management
Version | Author(s) | Change(s) | Date approved
1.0 | Stefan van Aalst, Edward Robinson | Initiation document | 2024-03-26
Purpose & Background
anDREa B.V. (hereafter called anDREa) recognizes the potential of Artificial Intelligence (AI) and Large Language Models (LLMs) to improve efficiency, innovation, and decision-making across various business functions. This policy outlines the guidelines and principles for using AI/LLMs responsibly and ethically within the organisation.
This policy will be regularly reviewed and updated to reflect the evolving nature of AI/LLM technology and regulatory landscape.
Objectives
The objective of this document is:
- to ensure that anDREa employees are aware of these guidelines and principles for using AI/LLMs responsibly and ethically within the organisation.
Scope
- The use of AI/LLMs by anDREa employees in anDREa-related processes.
Support and Stimulation
anDREa actively supports and encourages its employees to explore and implement AI/LLM solutions in order to:
- Streamline processes: Automating repetitive tasks and improving operational efficiency.
- Enhance decision-making: Providing data-driven insights and supporting informed choices.
- Foster innovation: Identifying new opportunities and driving creative solutions.
Responsible Use
While promoting the use of AI/LLMs, anDREa prioritises responsible and ethical application, ensuring:
- Transparency: Users are aware of the capabilities and limitations of AI/LLMs.
- Fairness: AI/LLMs are used in a non-discriminatory manner, free from bias.
- Accountability: The organisation remains accountable for the actions and decisions influenced by AI/LLMs.
- Privacy: Personal data is only used by AI/LLMs specifically qualified for such purposes, adhering to ISO 27001 and GDPR requirements.
- Restriction: AI/LLMs should not process personal data unless explicitly authorised and qualified to do so.
- Security Impact Assessments: Each AI/LLM solution should undergo a Security Impact Assessment (SIA) to assess whether it adheres to this policy. Please contact the Security Officer to conduct an SIA on the AI/LLM. The Security Officer maintains a list of assessed solutions.
- Implementation: Security measures will be implemented to safeguard all data used by AI/LLMs, including personal information, aligned with the requirements of ISO 27001 Annex A: Control Objectives and Controls.
- Compliance: AI/LLMs will be used in accordance with applicable laws and regulations, including ISO 27001 and GDPR, specifically:
- GDPR Article 5: Principles relating to processing of personal data: https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e1807-1-1
- GDPR Article 6: Lawfulness of processing: https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e1888-1-1
- GDPR Article 24: Responsibility of the controller: https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e3043-1-1
Training and Awareness
anDREa will provide training and awareness programs for its employees to ensure they understand:
- The capabilities and limitations of AI/LLMs, including how to prompt them.
- The responsible use of AI/LLMs as per this policy.
- The importance of data security and privacy when using AI/LLMs, as outlined in ISO 27001:2017 A.7.2.2: Information security awareness, education and training.