Similar to a search engine, people will submit questions to the chatbot. However, unlike a search engine that just returns links to more information, the AI chatbot can actually take the information submitted and provide a much more thorough response, in some cases actually doing all the requested work for you. Information submitted to the AI chatbot can range from a simple question to full datasets or published works.
This can tempt people to submit more information into a chatbot in order for it to do more accurate work for them. We must balance the utility of AI chatbot services with inherent risks to information security and privacy. Not only does a third-party (those running the chatbot) have a copy of the information that is submitted, but also the AI large language model may be further trained on that information. Data submitted may be used in future responses to others using the AI chatbot.
Procurement and Licensing
Any software or service where a third-party supplier has access to University information needs to be reviewed as an approved vendor and use case for security, privacy, legal, and risk. Before using AI chatbot services, review the data that will be submitted to the chatbot. High risk use cases (see below) must have contracts that include UC Appendix DS.
Available Services and Appropriate Data Use Cases
Below is a list of services and the appropriate data that can be used with them based on protection level. Using UCI contracted and supported services are always preferred. Duplicate copies of P4 data should never be made unless there is a very strong business reason for it, so by default it not acceptable for any of these services, however if you have a strong business reason contact securityrisk@uci.edu to discuss.
| AI Chatbot Service | Allowed Data Protection Level(s) |
| UCI ZotGPT Chat | P1, P2, P3 |
| UCI Microsoft Copilot | P1, P2, P3 |
| UCI Google Gemini | P1, P2 |
| OpenAI ChatGPT | P1 |
| Microsoft Copilot (Non-UCI) | P1 |
| Google Gemini (Non-UCI) | P1 |