AI Policy

Purpose

This policy establishes guidelines for using artificial intelligence (AI) technologies within our organisation. We aim to use AI technologies ethically, legally, and responsibly, in alignment with our ethical standards, legal requirements, and operational security measures. By providing these guidelines, we seek to leverage the benefits of AI while mitigating associated risks and fostering a secure and trustworthy environment for all stakeholders.

Scope 

This policy applies to all personnel (directors, employees, agents, affiliates, consultants, and contractors),  customers, and strategic third-parties who access company information. It encompasses all AI technologies and applications used within our organisation, ensuring their use is consistent with our standards and regulatory obligations.

Guidance

To create this policy, we sought guidance from the following documents:

  • European Union’s Artificial Intelligence Act;
  • ISO/IEC 38507:2022 Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organisations;
  • ISO/IEC 23894:2023 Information technology — Artificial intelligence — Guidance on risk management;
  • ISO/IEC TR 24368:2022 Information technology — Artificial intelligence — Overview of ethical and societal concerns;
  • ISO/IEC TR 24027:2021 Information technology — Artificial intelligence (AI) — Bias in AI systems and AI aided decision making; and
  • King IV Report on Corporate Governance for South Africa.

Terminology

  • AI tools (Artificial Intelligence tools) refer to software and applications that use generative AI technologies to perform various tasks, including content creation, data analysis, and decision support.
  • AI products refer to the AIMs solution and the Enneagram Well.
  • Company information means information about us, our personnel, prospects, customers, or other stakeholders. It includes personal information and our proprietary information and intellectual property. The information can take any form: physical, electronic, or otherwise.
  • Generative AI means AI capable of producing or creating new text, images, audio videos, data, or code that resembles human-generated content.
  • Personal information refers to any information relating to an identified or identifiable natural person (or juristic person in some jurisdictions) and includes data that can directly or indirectly identify an individual.

Principles

Our organisation commits to abiding by the following principles when using generative AI:

  • Lawfulness. We commit to complying with all applicable laws governing the use of AI.
  • Transparency and explainability. We commit to using AI transparently and explainably.
  • Accountability. We take responsibility for the outcomes of using AI systems and remain accountable for any adverse consequences within our control.
  • Data protection. We’ll protect the privacy and security of personal information used in AI systems in line with our Privacy Policy and Information Security Policy.
  • Fairness. We’ll work hard to ensure that our use of AI does not discriminate against individuals or groups, especially the marginalised and vulnerable.
  • Safety. We’ll prioritise the safety of individuals and take steps to avoid creating harm through AI.
  • Human-in-the-loop. We’ll check AI-generated content for mistakes, missing or inaccurate information, and violating someone else’s rights. We’re in charge of all AI content as if we made it ourselves. We’ll let our stakeholders know where we sourced the AI-generative content if needs be.

Compliance and legal considerations

We will comply with all applicable laws and regulations governing AI use, including data protection laws. Compliance measures will include

  • adherence to data protection laws, ensuring lawful, fair, and transparent processing of personal information;
  • compliance with industry-specific AI regulations and guidelines in sectors such as healthcare; and
  • ensuring cross-border data transfers comply with relevant laws, obtaining necessary consents, and implementing appropriate safeguards.

Guidelines for using AI 

Personnel must follow these guidelines when using generative AI:

Before using generative AI

  • You must use accounts created with our organisation’s credentials to do your job using AI. In other words, you may not use personal accounts with AI tools for work-related tasks.
  • Only use vendor integrations or products with AI that the IT team has given the green light to.
  • If you use generative AI tools to work, you must opt out of letting them learn from the data you feed them.

Acceptable use of AI 

  • We will use AI tools exclusively for tasks that further our objectives. We will use these tools to enhance decision-making, automate routine tasks, and provide valuable insights. 
  • We will ensure that AI tools complement human judgment.
  • We will use AI for acceptable business purposes including, but not limited to, content creation, document review, data analysis, customer support, and product development.
  • We will establish and maintain an authorisation process for all AI technology access and use.
  • We will take best efforts to ensure transparency in AI operations by maintaining comprehensive documentation of AI systems, regularly communicating with stakeholders about AI use, and implementing audit trails to track AI tool usage.
  • We will make sure that the AI tools used do not infringe on any intellectual property rights.
  • We will ensure that all the data used by AI tools is handled in accordance with our privacy and security policies. This includes
  • data minimisation;
  • anonymisation of personal data;
  • implementation of strong encryption measures, and
  • establishment of clear data retention policies.

Prohibited use of AI 

  • We will not upload or share confidential, proprietary, sensitive, or personal information with AI tools without proper authorisation. 
  • We will not allow unauthorised access to sensitive data, permit data leakage through AI tools, or share sensitive data with third parties without explicit permission and appropriate safeguards. To enforce these prohibitions, we will 
  • implement robust access control mechanisms; 
  • conduct regular security assessments and audits; and 
  • maintain strict data handling protocols to protect all forms of sensitive information within the organisation.
  • We will not use AI to impersonate others, create or distribute deepfake content, generate false identities, or produce misleading content that deceives others about its origin, authenticity, or intent. To prevent such misuse of our AI tools, we will implement safeguards to ensure AI tools are not used for creating deceptive content, impersonating users of our AI products for fraudulent purposes, or engaging in any activities that could mislead or deceive others regarding the nature or source of AI-generated material.
  • We will not use or develop AI tools that generate harmful or inappropriate material, including content that is offensive, discriminatory, or otherwise harmful to individuals or groups. To enforce these prohibitions, we will establish and adhere to clear guidelines that prevent the creation and dissemination of such offensive content through our AI systems.

Governance and oversight 

Our board is the governance and oversight structure to ensure compliance with this policy and to address any issues related to the use of generative AI.

Implementation

  1. We will review and update this policy annually or as needed.
  2. All personnel must be trained on this policy during onboarding and at least annually.

Monitoring and compliance

All personnel must comply with this policy and any related policies, guidelines and procedures. Failure to comply may result in disciplinary action, including termination of employment or contract.

We will conduct regular reviews and audits to ensure compliance with our AI Acceptable Use Policy. This will include scheduled audits, ongoing tracking of AI tool use, and the documentation of any findings or necessary corrective actions to address potential misuse or policy violations.

Review and update

This policy will be reviewed and updated regularly to remain relevant and practical.

Questions

Please contact your team leader if you have any questions about this policy.