Skip to main content

Data Privacy

UCF Data Privacy and Security Guidelines

There is no single “AI Policy” at UCF. Instead, several existing policies apply to the use of AI. Below are some guidelines and reminders about those existing policies.

  1. UCF’s contracted AI platform is Microsoft Copilot for web (or its corresponding mobile app). Users of this platform, when signed in with a UCF NID under the “work or school” account type, are offered enterprise data protection. This means neither the query nor the AI output are communicated back to Microsoft, and neither of them train the model. That said, it is recommended best practice to de-identify queries, uploads, and pastes to any AI platform, even when using the protected Copilot. UCF users looking to pay for advanced and embedded Copilot functionality should begin with a consultation with IT. All UCF faculty, staff, and students already have access to the protected Copilot for web when logged in with their NID.
  2. Existing UCF policies on data privacy and security continue to apply to AI and emerging technology tools.
  3. Sensitive materials include markers of identification such as Network IDs (NIDs), employee numbers, social security numbers, grades in class and other FERPA-protected materials, HIPAA-protected materials, export-controlled materials, sensitive or federally-protected research data, and intellectual property associated with UCF. Pending copyright and patent materials should not be made public via AI tools, nor is it always safe to use AI to assist with grant writing. See UCF Policy 4-0008.
  4. All software purchases by departments, faculty, and staff must be vetted by IT before the purchase is made, if the software is to have access to sensitive UCF data. This includes subscriptions to AI tools with access to sensitive UCF data, whether paid by procurement or expense card. First, check whether the planned software has already been vetted here. If it is not found on the list, the next step is to complete a security review with IT. See UCF Policy 4-014.
  5. Uploading or pasting materials to a public AI model should be considered the same as making the materials public on the Internet or social media. For this reason, you should not only avoid uploading or pasting UCF sensitive data, but also avoid uploading or pasting sensitive data owned by third parties, such as copyrighted material, patents, research data, etc. PDFs obtained through the UCF Libraries are copyrighted and should not be uploaded.
  6. Some advanced AI products are able to perform complex tasks because they access the organization’s software, hardware, and tools. Per IT rules, such external tools may be denied access if they have not undergone security review.