Generative AI Usage Policy

1. Introduction

This Policy sets out the obligations of the ComponentSource Group, regarding the use of generative artificial intelligence (“AI”) models, tools, and systems (collectively, “Generative AI”), and the rules, regulations, procedures, and principles that must be followed by the Company, its employees, agents, contractors, or other parties working on behalf of the Company, when using Generative AI.

2. Scope

  1. The terms “artificial intelligence” and “AI” are not currently defined in the areas of the law that generally apply to the use of Generative AI.
    1. AI has been defined as “technology enabling the programming or training of a device or software to –
      1. perceive environments through the use of data;
      2. interpret data using automated processing designed to approximate cognitive abilities;
      3. make recommendations, predictions or decisions; with a view to achieving a specific objective”.
    2. Generative AI has no separate legal definition at present; however, it can be broadly defined as a type of AI which creates text, images, audio, video, or programming code in response to prompts input by users. This is made possible by the use of large amounts of training data combined with un-supervised and semi-supervised algorithms which understand natural language.
  2. Generative AI is not yet directly regulated, but other legal areas including intellectual property law and data protection law intersect with it. Other issues arising in connection with Generative AI include risks relating to accuracy, bias, misinformation, disinformation, and discrimination.
  3. ComponentSource is committed not only to the letter and spirit of the relevant laws, but also to ensuring that Generative AI is used in a way which minimises the risks stated above. Generative AI must be used by employees, agents, contractors, or other parties working on behalf of the Company with care and due diligence at all times and in accordance with this Policy.
  4. The Company believes that the innovative use of Generative AI has the potential to be of great value to the Company and its customers. This Policy aims to ensure that Generative AI is used to its full potential while also minimising the potential for intentional or unintentional misuse, unlawful outcomes, unethical outcomes, potential bias, inaccuracy, IP infringement, and the misuse (unlawful or otherwise) of personal data.
  5. The Data Protection Manager ("DPM") and the CIO are responsible for administering this Policy and for developing and implementing any applicable related policies, procedures, and/or guidelines:
  6. All managers are responsible for ensuring that all employees, agents, contractors, or other parties working on behalf of the Company (“users”) comply with this Policy and, where applicable, must implement such practices, processes, controls, and training as are reasonably necessary to ensure such compliance.
  7. Any questions relating to this Policy or to the applicable laws, regulations, principles, or best practice should be referred to the DPM and/or the CIO.

3. Principles of Generative AI Application

  1. The following general principles should be kept in mind at all times when using Generative AI:
    1. Responsibility: Users of Generative AI tools are ultimately responsible for their use and for the outputs generated by such tools.
    2. Lawfulness: Generative AI should always be used in compliance with applicable laws including, but not limited to, data protection law (as further set out below in section 5 (Data Protection)) and intellectual property law (as further set out below in section 8 (Intellectual Property Rights)).
    3. Confidentiality and Privacy: Generative AI must always be used in a manner which protects and preserves the confidentiality and privacy of data, as further set out below in section 5 (Data Protection) and section 6 (Confidentiality).
    4. Impartiality: Where Generative AI is being used to generate outputs in which there is a risk of bias, appropriate steps must be taken to identify and mitigate such bias, as further set out below in section 10 (Identifying and Mitigating Bias in Outputs).
    5. Clarity and Transparency: The application and output of Generative AI should be clear and understandable by users and by customers and other recipients, as further set out below in section 11 (Transparency).

4. Evaluation & Approval of Generative AI Tools and Approved Tools

Any Generative AI tools approved for use within the Company are subject to the restrictions set out in this Policy, and subject to compliance with this Policy during use, the Generative AI tools listed therein may be used without further evaluation or approval by authorised users.

  1. Purposes not evaluated and approved must not be undertaken for Company-related activities, on any Company-owned or Company-issued devices, or in conjunction with any software provided by the Company.
  2. When using Generative AI, users should ensure that they read, understand, and follow the terms of use (also known as terms and conditions), privacy policy, and any other terms or documentation relating to that Generative AI.
  3. When using Generative AI, users should be mindful of the data on which the Generative AI has been trained and what that data is being used to produce. Particular attention should be paid to the ownership of intellectual property rights subsisting in the training data, any confidential or proprietary information which may be included in the training data, and any personal data which may be included in the training data. Users should also consider any biases or inaccuracies that may be inherent in the training data, including how up to date that training data is. For further information on these issues, please refer to the following sections of this Policy:
    1. Section 5 (Data Protection);
    2. Section 6 (Confidentiality);
    3. Section 8 (Intellectual Property Rights);
    4. Section 9 (Identifying and Mitigating Bias in Outputs); and
    5. Section 10 (Verifying Accuracy of Outputs).
  4. In addition, users should ensure that they are aware of and in compliance with any other applicable laws, regulations, best practices, or similar, which apply to their given purpose for using Generative AI.

5. Data Protection

  1. Data protection laws consist of a range of legislation applying to data protection and privacy and include (but are not limited to) the EU GDPR, the UK GDPR, the UK Data Protection Act 2018 and Privacy and Electronic Communications Regulations 2003, and the California Consumer Privacy Act (CCPA).
  2. The terms “AI” “artificial intelligence” are not currently defined in data protection law; however, when personal data is used with AI, the law applies. It may apply at any stage, including development, deployment, and use. In some cases, the training data used for Generative AI may include personal data and/or a Generative AI tool may be subsequently used to process personal data.
  3. Parties using personal data may be “controllers”, “processors”, or “joint controllers”. When using personal data in conjunction with Generative AI, it is important to determine in which of these capacities you are acting, as different legal obligations may apply in each case.
  4. The UK  and EU GDPRs set out core principles with which any party handling personal data must comply. All personal data must be:
    1. processed lawfully, fairly, and in a transparent manner in relation to individuals (“data subjects”);
    2. collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes;
    3. adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
    4. accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
    5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required in order to safeguard the rights and freedoms of data subjects; and
    6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
  5. When using a Generative AI tool that has been trained with personal data and/or processing personal data using a Generative AI tool, users must first ensure that they read, understand, and follow the ComponentSource Data Protection Policy and the terms of use (or terms and conditions) and privacy policy for that Generative AI tool.
  6. The ComponentSource Data Protection Policy applies to all uses of personal data within, for, and on behalf of the Company. It sets out the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. When using personal data in conjunction with Generative AI, the procedures and principles set out in the Data Protection Policy must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.
  7. The following questions should be asked whenever Generative AI is used to process personal data. For full details, users must refer to the Company’s Data Protection Policy:
    1. What lawful basis will you be relying on for processing the personal data?
    2. Are you/we acting in the capacity of a controller, joint controller, or processor? (A developer training AI using personal data will likely be a controller. As a user of Generative AI developed by another party, you/we may be a controller, joint controller, or processor. If necessary you should consult with the DPM or the CIO for further assistance.
    3. Have you conducted a Data Protection Impact Assessment?
    4. How will individual data subjects be kept informed, and transparency ensured?
    5. How will security risks be mitigated?
    6. How will the processing be kept limited and relevant?
    7. How will you comply with requests made by individuals to exercise their legal rights (e.g., data subject access requests)?
    8. Will you be using Generative AI to make solely automated decisions which have legally or similarly significant effects?
  8. Users should ensure that they fully understand how the Generative AI tool uses data inputs before inputting any personal data. If the Generative AI adds input data to its training data and/or shares that data with third parties, Personal Data must not be used in conjunction with that Generative AI tool without the express written consent of persons from whom the personal data has been obtained (subject to the purposes for which the personal data was obtained which may permit such processing and sharing, and the information provided to data subjects).
  9. Where personal data also incorporates confidential information and/or proprietary information protected by intellectual property rights, the provisions of section 6 and section 8 of this Policy may also apply.
  10. Any questions regarding personal data or data protection law, including those relating to training data, inputs into a Generative AI tool, or in outputs produced by Generative AI should be referred to the DPM.

6. Confidentiality

  1. “Confidential information” is defined by the Company as any information designated by ComponentSource as confidential, and any other information as follows:
    1. any and all confidential or proprietary information relating to:
      1. the Company’s business, customers, clients, or suppliers;
      2. the Company’s operations, processes, product information, trade secrets, know-how, or technical information; and
    2. further information, data, analysis, or findings derived from such Confidential Information.
  2. The definition of confidential information set out above will also apply to qualifying information of that nature which is received from third parties and designated as confidential (for example, confidential information which is subject to a non-disclosure agreement, which may also incorporate further restrictions on the use of such information).
  3. The definition of confidential Information set out above will apply whether or not the confidential information is of a commercially (or other) sensitive nature, and in whatever tangible or intangible form the confidential information exists or is communicated.
  4. When using any confidential information in conjunction with a Generative AI tool, users must adhere to any specific policies or the terms of any specific contracts (e.g., non-disclosure agreements) which apply to that confidential information. If any such policy or contract prohibits the use of the confidential information in such a manner, it must not be used in conjunction with Generative AI.
  5. Users should ensure that they fully understand how the Generative AI tool uses data inputs before inputting any confidential information. If the Generative AI tool adds input data to its training data and/or shares that data with third parties, confidential information must not be used in conjunction with that Generative AI tool without the consent of the party from whom the confidential information has been obtained.
  6. Where confidential information also incorporates personal data and/or proprietary information protected by intellectual property rights, the provisions of section 5 and section 8 of this Policy may also apply.
  7. Any questions regarding confidential information, whether in relation to training data, inputs into a Generative AI tool, or in outputs produced by Generative AI should be referred to the DPM and/or the CIO.

7. Security

  1. The following ComponentSource policies apply to users of Generative AI for Company-related activities, on any Company-owned or Company-issued devices, or in conjunction with any software provided by the Company. When using Generative AI tools, the procedures and principles set out in these policies must be followed at all times:
    1. Cyber Security Policy;
    2. Data Protection Policy.
  2. As set out above in section 4 of this Policy, Generative AI tools must be evaluated and approved before use.
  3. As set out above in section 5, the use of personal data in conjunction with Generative AI must take place only in accordance with the principles and requirements of section 5, the Company’s Data Protection Policy, and applicable data protection law.
  4. As set out above in section 6, the use of confidential information in conjunction with Generative AI must take place only in accordance with the principles and requirements of section 6 and only where (and to the extent) permitted by applicable policies and contracts.
  5. Users that are not authorised to use Generative AI for Company-related activities, on any Company-owned or Company-issued devices, or in conjunction with any software provided by the Company must not be given access to those tools by authorised users [without prior written approval from the Data Protection Officer, whether those users are employees of the Company, agents, contractors, or other parties working on behalf of the Company.
  6. The following security-related information should not be input into any Generative AI for any purpose:
  7. Any questions regarding security should be referred to the Data Protection Officer and/or the IT Department.

8. Intellectual Property Rights

  1. In the context of this Policy, the term “intellectual property rights” means patents, rights to inventions, copyright and related rights, trade marks, business names, domain names, rights in get-up and trade dress, goodwill and the right to passing off actions, design rights, database rights, rights subsisting in software, rights to use confidential information and the right to protect the same, and any and all other intellectual property rights, whether registered or unregistered, including applications and the right to apply for (and be granted) renewals or extensions of, and rights to claim priority from, any such rights and any and all equivalent rights or other forms of protection subsisting now or in the future anywhere in the world.
  2. Generative AI tools may be used to create a wide range of works in which intellectual property rights subsist. Similarly, its training data may incorporate many different kinds of works protected by intellectual property rights and, in particular, copyright.
  3. Generative AI that is trained on pre-existing training data will generate outputs based on that data as processed by its internal algorithms. Generative AI which has been trained on data that is protected by intellectual property rights (e.g., copyright, which subsists in works such as text, images, photographs, and sound recordings) may produce outputs that incorporate that training data or elements of it to a greater or lesser degree. It is therefore important to be aware of the training data used, of the status of intellectual property ownership in the content of that training data, and the existence and terms of the licences granted to use it.
  4. Generative AI often does not provide references for materials in its training data in outputs. Users should remain aware of this at all times when using Generative AI tools and should not assume that the training data used has been correctly licensed unless such licenses are documented and available. During the evaluation and approval process for new Generative AI tools the training data will be evaluated, but users should nevertheless exercise due diligence.
  5. Outputs produced by Generative AI must, where applicable, be reviewed and checked by the user for compliance with any and all applicable licences. If it is not clear that the training data is correctly licenced or that the output does not infringe the intellectual property rights of a third party, the output must be modified to make it non-infringing or deleted, as appropriate.
  6. In the event that it is not clear that the training data is correctly licenced or that the output does not infringe the intellectual property rights of a third party, and the output has been used further (e.g., distributed to other parties or integrated into other work), appropriate action must be taken to amend the output to make it non-infringing or to remove, delete, or recall the output and to inform any party to whom it has been distributed.
  7. The ownership of intellectual property rights in the outputs produced by Generative AI may vary from one Generative AI tool to another and users must ensure that they read, understand, and follow the terms of use (or terms and conditions) and any other documentation relating to a particular Generative AI tool. In cases where the user of a particular Generative AI tool does own the rights in the work, the Company shall be the owner of all works generated by employees and shall require contractors to assign or licence ownership, as applicable, in the terms of the contract between the Company and each contractor.
  8. If the terms of use (or terms and conditions) of a particular Generative AI stipulate that any particular labelling, acknowledgement, or reference be applied to the output, users must ensure that those requirements are followed.
  9. Users should ensure that they fully understand how the Generative AI uses data inputs before inputting any information or content that is protected by intellectual property rights. If the Generative AI adds input data to its training data and/or shares that data with third parties, such information or content must not be used in conjunction with that Generative AI unless it is clearly licenced for such use.
  10. Any questions regarding the ownership of intellectual property rights, whether in training data, inputs into a Generative AI tool, or in outputs produced by Generative AI should be referred to the Data Protection Officer.

9. Identifying and Mitigating Bias in Outputs

  1. Generative AI that is trained on pre-existing training data will generate outputs based on that data as processed by its internal algorithms. As a result, biases present in the training data could also be present in outputs produced by that Generative AI.
  2. Generative AI often does not provide references for materials in its training data in outputs. Users should remain aware of this at all times when using Generative AI tools and should never assume that an output is unbiased or free of discrimination.
  3. Outputs produced by Generative AI tools must, where applicable, be reviewed and fact-checked before further use by the user using reliable and up-to-date alternative sources as would be used when carrying out similar tasks without the use of Generative AI. In the event that biases or other inaccuracies are present, outputs must be amended and corrected as appropriate.

10. Verifying Accuracy of Outputs

  1. Generative AI that is trained on pre-existing training data will generate outputs based on that data as processed by its internal algorithms. As a result, inaccuracies present in the training data could also be present in outputs produced by that Generative AI. For example, the training data could be accurate only up to a certain point in time.
  2. Generative AI often does not provide references for materials in its training data in outputs. Users should remain aware of this at all times when using Generative AI and should never assume that an output is correct.
  3. Outputs produced by Generative AI must, where applicable, be reviewed and fact-checked by the user using reliable and up-to-date alternative sources as would be used when carrying out similar tasks without the use of Generative AI. In the event that inaccuracies are present, outputs must be amended and corrected as appropriate.

11. Transparency

  1. All content created using Generative AI tools must be labelled as such.

12. Training

  1. All users using Generative AI shall receive training on the application of this Policy and the safe, responsible, and lawful use of Generative AI.

13. Reporting Misuse or Concerns and Referring Questions

  1. Any misuse of Generative AI (suspected or actual; intentional or accidental), other concerns relating to its use, or questions relating to topics including, but not limited to those covered by this Policy should be referred to one or more of the following, as appropriate:
    1. the DPM
    2. the CIO
    3. the CEO

14. Implementation of Policy

This Policy shall be deemed effective as of 1st November 2024. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.