Guidelines for the use of AI

KTH's guidelines and recommendations regarding the use of AI.

Guidance aimed at helping you use AI in a responsible and regular manner and follow KTH's ethical principles.

Introduction

The purpose of this guidance is to clarify the responsibilities, regulations and ethical principles that govern the access of information within KTH. To make the information available means that information is made accessible for further use, sharing or processing. The guidance is aimed at coworkers who handle or distribute information and use AI tools.

Background and challenge

As AI tools and technological advances change the work environment, the risk of inadvertent sharing of sensitive information increases. In addition to potential interpretation problems in contract application and ambiguities around liability, ethical pitfalls can arise, for example when AI-generated data contains bias or lacks transparency. Particularly sensitive types of information such as personal data, research data, technical system descriptions, as well as internal strategies and collaboration data need careful handling. Incorrect handling here can lead to legal sanctions and damaged trust.

Governing principles

Before making information accessible, three principles should be considered: responsibility, laws and agreements, and ethics. These ensure consistent handling of all types of information – from research data and organisational compilations to technical system descriptions. By applying the principles, the work of making informed decisions about the scope, method, and recipients of information can be facilitated. At the same time, individuals are protected, the credibility of the organisation is preserved, and responsible information use is promoted.

Responsibility

The function or role that is formally responsible for information determines how the information may be used and shared. This applies to all information at KTH, such as personnel registers, memoranda, data coming from third parties and system configurations, and includes decisions about input into AI tools, publication on external platforms or internal dissemination. If in doubt about responsibilities, guidance must be sought from the immediate manager, lawyer or other responsible function before any sharing takes place. Extra care should be taken where many different functions are involved in different steps.

Laws and agreements

Completed self-produced documents are in principle considered public documents, but not automatically free to distribute.

There are several regulatory frameworks that can limit how information can be used and shared:

  • General Data Protection Regulation (GDPR) regulates the handling of personal data and sets requirements for legal basis, security and transparency.

  • Public Access to Information and Secrecy Act (OSL) indicates which documents are public and which are confidential.

  • Swedish Archives Act (arkivlagen) controls the preservation and disposal of documents.

  • Export control may limit sharing of technical data or research results.

In addition to laws, information management is regulated through agreements with external parties, for example:

  • Collaboration agreements that may contain confidentiality clauses or restrictions on publication.

  • Personal data processing agreements that specify how personal data may be processed in third-party systems.

To ensure compliance, agreements and terms should be checked, especially when multiple parties and legal systems are involved.
The IT department's system inventory provides an overview of approved platforms and associated guidelines.

Ethics

Anyone who makes information available is responsible for following KTH's ethical policy (can be downloaded from the page Core values at KTH), good research practice and the state's core values. Ethical considerations are particularly important for AI-generated or AI-analysed information, as systems may contain bias or opacity in sources.

Guidelines for ethical handling:

  • Consider that AI systems may have built-in or political biases; test and validate the results to identify and address bias.
  • Document data sources and processes for traceable transparency, including indicating when AI has been used.
  • Keep humans in the loop when generating or reviewing content.
  • Minimize data collection and protect privacy when handling personal data.
  • Consider the environmental impact of AI use and whether trust in KTH may be affected.

Recommendation

Before information is shared, responsibilities, regulations and agreements should be verified, and ethical consequences assessed. In case of uncertainty about data, agreements, laws or responsibilities, guidance should be sought from KTH's lawyers, the Data Protection Officer (DPO), the IT department or the Security Department. In addition, risks with how third parties can use the information should be considered – for example, whether the data can be used for tracking, compiling KTH's routines or directed against the interests of the organisation or employees. To avoid mistakes, internal documents should not be copied into external AI services.

Summary

The central principles of these guidelines are the responsibility principle, the legal and contractual principle, and the ethical principle. By consistently establishing responsibility, following applicable regulations, considering ethical aspects, and seeking authorised guidance in cases of uncertainty, each employee contributes to maintaining KTH's credibility and security when handling information.