Knowledge Base

Table of Contents

• 1. Purpose and Scope
  
• 2. Core Technical Concepts
  
  • 2.1 Device Ownership vs Data Ownership
    
  • 2.2 How AI Tools Handle Data
    
  • 2.3 Shadow IT
    
• 3. IT-Managed Resources
  
  • 3.1 When to Contact IT
    
  • 3.2 Evaluation and Approval
    
  • 3.3 Exception Requests
    
• 4. Data Protection Essentials
  
  • 4.1 Never Share with Public AI Tools
    
  • 4.2 Compliance Requirements
    
  • 4.3 Safe Usage Examples
    
• 5. Incident Reporting
  
• 6. Getting Help
  
• 7. Policy Maintenance
  

1. Purpose and Scope

This document provides technical guidance for using generative AI tools on The Master's University (TMU) IT infrastructure. IT Services & Security maintains this policy to help faculty and staff use AI safely while protecting institutional data and systems.

What this policy covers: Technical requirements for AI tools on TMU-managed devices, networks, and accounts. Data protection requirements when using AI tools for TMU work.

What this policy does not cover: Ethical usage in coursework, academic integrity, or pedagogical decisions. These topics are addressed by department-specific policies and the broader TMU academic AI policy. Students and faculty should defer to their department's guidance for classroom and research ethics.

Related policies: This policy operates alongside existing TMU data security, acceptable use, and privacy policies. When questions arise about overlapping topics or matters requiring broader governance decisions, IT Services & Security will work with TMU executive leadership to address these concerns.

2. Core Technical Concepts

Understanding these concepts helps you make informed decisions about AI tool usage:

2.1 Device Ownership vs Data Ownership

Device ownership: TMU manages devices, email accounts, and network access. On TMU-owned endpoints, IT maintains administrative controls and software configurations.

Data ownership: TMU data belongs to the institution regardless of which device or AI tool accesses it. Using a personal laptop or personal AI subscription does not change data protection obligations when handling TMU information.

Key principle: If you're doing TMU work or handling TMU data, these guidelines apply whether you're using a TMU device or personal equipment.

2.2 How AI Tools Handle Data

Public AI tools store your inputs. Consumer services like free ChatGPT, Claude, or Gemini accounts permanently retain what you submit. This data may be used to train models or accessed by the company. Once entered, it cannot be fully retracted.

Enterprise tools provide stronger protections. Business agreements with AI vendors can include data processing agreements, opt-out from training, and enhanced security controls. These tools are appropriate for sensitive workflows.

TMU liability: When TMU data is exposed through AI tools, the institution faces regulatory consequences under FERPA, HIPAA, GDPR, or CCPA—regardless of whether the incident occurred on TMU or personal devices. IT Services & Security handles breach response and regulatory reporting.

2.3 Shadow IT

Shadow IT refers to tools deployed without IT awareness. While often implemented to solve immediate problems, unsanctioned tools create risk when they process TMU data or connect to TMU systems.

Why IT needs visibility: When tools cause security incidents, compliance violations, or data breaches, IT responds to regulatory agencies, manages notifications, and handles remediation. Early collaboration prevents problems and enables safer AI adoption.

3. IT-Managed Resources

IT manages TMU devices, @masters.edu email accounts, and network infrastructure. These resources require IT notification or approval for AI tool deployment.

3.1 When to Contact IT

Contact IT Services & Security before:

• Installing AI software on TMU-owned computers
  
• Signing up for AI services using @masters.edu email addresses
  
• Purchasing AI tools with TMU funds intended for deployment on TMU endpoints or networks
  
• Enabling AI features in existing software that connect to TMU systems
  

Why: IT maintains administrative controls on TMU endpoints to prevent security conflicts. Early notification during procurement prevents purchasing tools that cannot be deployed. AI services using @masters.edu credentials can access institutional data and require evaluation.

3.2 Evaluation and Approval

IT evaluates AI tools based on security, privacy, compliance, and technical integration requirements. Most requests are processed within 2-3 business days.

IT Administrative Authority: IT Services & Security reserves the authority to administratively review and block unsanctioned applications, including tools such as DeepSeek or other services that pose security, compliance, or data protection concerns. Evaluation criteria include NIST cybersecurity framework guidance, industry best practices, vendor security posture, data handling policies, and compliance with applicable regulations. Applications may be blocked pending review or permanently restricted based on risk assessment. Users requiring blocked tools must submit exception requests with appropriate risk mitigation and senior leadership approval.

3.3 Exception Requests

If you need a tool that IT cannot approve for general use, submit an exception request to GenAI@masters.edu with:

• Business justification and specific use case
  
• Description of data that will be processed
  
• Risk mitigation measures (e.g., data anonymization, isolated environment)
  
• Risk owner identification (department head or senior leader)
  

IT Services & Security will evaluate the request and work with appropriate TMU leadership to determine approval. Approved exceptions include documented conditions, time limitations, and ongoing oversight requirements.

4. Data Protection Essentials

These rules apply to all TMU data regardless of device or AI tool used. This is not an exhaustive data classification—for detailed guidance, consult TMU's data security policy or contact IT.

4.1 Never Share with Public AI Tools

• Student records, grades, or personally identifiable student information
  
• Social Security Numbers, student ID numbers, or government-issued IDs
  
• Medical information, financial records, or donor data
  
• Employee personnel files or sensitive HR information
  
• Confidential institutional documents, strategic plans, or legal materials
  

4.2 Compliance Requirements

TMU must comply with FERPA (student records), HIPAA (health information), GDPR (European residents), and CCPA (California residents). Mishandling data through AI tools can result in regulatory violations, significant fines, and institutional liability.

If unsure: Contact IT Services & Security (servicedesk@masters.edu) before entering potentially sensitive data into AI tools.

4.3 Safe Usage Examples

Public AI tools can be used for:

• General research using publicly available information
  
• Writing assistance for non-confidential communications
  
• Brainstorming and ideation without confidential details
  
• Educational content creation with hypothetical examples
  
• Code generation for non-proprietary projects
  
• Grammar and style checking for general documents
  

Key principle: If the information could identify individuals, affect privacy, or harm TMU if exposed, do not enter it into public AI tools. When in doubt, ask IT.

5. Incident Reporting

If you accidentally share sensitive data with an AI tool, discover an unauthorized tool deployment, or encounter unexpected AI behavior, contact IT Services & Security immediately.

No-fault reporting: Accidental incidents reported promptly will not result in disciplinary action. Early reporting enables faster response and reduces institutional risk.

6. Getting Help

General Questions

Exception Requests and Risk Assessment

Resources

President's Guidance on AI

President Abner Chou's Guide on AI Usage at TMU

Helpful reading for understanding TMU's institutional perspective on artificial intelligence and its role in Christian higher education.

7. Policy Maintenance

IT Services & Security maintains this policy and reviews it annually or more frequently as technology, regulations, or institutional needs evolve. For matters requiring broader governance decisions or campus-wide policy changes, IT works with TMU executive leadership and relevant steering committees.

Feedback: Submit suggestions to servicedesk@masters.edu