AI Policy
Introduction
This policy outlines our approach to artificial intelligence (AI) systems used on our website, in compliance with the European Union's AI Act and AIMS (AI Model Safety) requirements. We are committed to responsible AI use that respects user privacy, promotes transparency, and ensures safety.
Scope
This policy applies to all AI technologies, systems, and applications deployed on our website, including but not limited to:
• Automated content generation
• User data analysis
• Personalization features
• Customer service chatbots
• Recommendation systems
• Decision-making algorithms
Compliance with Regulations and Standards
ISO 42001 Alignment and ISO 27001 Integration
Our organization has achieved ISO 27001 certification for our Information Security Management System (ISMS). Building on this foundation, we are working toward alignment with ISO 42001:2023 for our Artificial Intelligence Management System. This approach allows us to:
• Leverage Existing ISMS: Extend our established information security practices to AI governance.
• Risk-Based Approach: Apply our existing risk management framework to AI-specific risks.
• Progressive Implementation: Adopt ISO 42001 principles within our certified ISO 27001 framework.
• Integrated Controls: Ensure AI systems comply with information security requirements while addressing AI-specific considerations.
• Continuous Improvement: Apply the PDCA (Plan-Do-Check-Act) methodology from our ISMS to AI governance.
As we progress toward fuller ISO 42001 alignment, we commit to:
• Risk-Based Approach: Systematically identifying, assessing, and managing AI-related risks.
• Accountability: Clearly defining roles, responsibilities, and decision-making structures for AI governance.
• Transparency: Documenting AI processes, decisions, and outcomes in a clear, accessible manner.
• Continuous Improvement: Regularly evaluating and enhancing our AI management processes.
• Stakeholder Engagement: Involving relevant parties in AI governance decisions.
• Ethical Considerations: Integrating ethical principles into AI development and deployment.
EU AI Act Compliance
Risk Classification
Our AI systems have been assessed according to the EU AI Act's risk classification system:
• Unacceptable Risk: We do not deploy any AI systems that pose unacceptable risks to users.
• High-Risk: Any high-risk AI applications are subject to the stringent requirements outlined below.
• Limited Risk: We ensure appropriate transparency measures.
• Minimal Risk: We maintain responsible AI practices even for minimal-risk applications.
For High-Risk AI Systems
When deploying high-risk AI systems, we commit to:
• Risk Management: Implementing comprehensive risk assessment and mitigation measures throughout the system lifecycle.
• Data Governance: Ensuring data quality, relevance, and representativeness in training, validation, and testing datasets.
• Technical Documentation: Maintaining detailed documentation about the system's functioning, capabilities, and limitations.
• Record-Keeping: Maintaining logs to enable monitoring and tracing of system operations.
• Transparency: Providing clear information to users about the nature, purpose, and limitations of our AI systems.
• Human Oversight: Ensuring appropriate human oversight and intervention capabilities.
• Accuracy and Robustness: Ensuring systems meet appropriate levels of accuracy, robustness, and cybersecurity.
AI Model Safety (AIMS) and ISO 42001 Alignment
Safety Practices
• Model Evaluation: Regular testing of AI models against established safety benchmarks.
• Red Team Testing: Proactive identification and mitigation of potential harms.
• Continuous Monitoring: Regular assessment of AI system performance and impacts.
Transparency
• System Documentation: Clear documentation of AI capabilities, limitations, and intended uses.
• User Notification: Explicit disclosure when users are interacting with AI systems.
• Decision Explanation: Where feasible, providing explanations for AI-driven decisions that impact users.
Data and Privacy Protection
• Data Minimization: Collecting only the data necessary for system function.
• Privacy by Design: Implementing privacy-enhancing technologies from the earliest stages of development.
• User Control: Providing users with meaningful control over their data and AI interactions.
User Rights
Users interacting with our AI systems have the right to:
• Know when they are interacting with an AI system
• Understand how their data is being used
• Contest automated decisions that significantly affect them
• Opt out of AI-based profiling where appropriate
• Request human intervention for significant decisions
• Access clear explanations about how AI systems work
Governance and Accountability
• Designated Responsibility: Clear assignment of responsibility for AI compliance.
• Impact Assessments: Regular assessments of AI systems' impacts on users and society.
• Incident Response: Procedures for addressing issues, biases, or harms that arise.
• Regular Audits: Periodic independent audits of AI systems for compliance and ethics.
• ISO 42001 Alignment Journey: Working toward alignment with ISO 42001 by:
  • Leveraging our existing ISO 27001 ISMS framework
  • Integrating AI governance into our established management systems
  • Conducting a gap analysis between current practices and ISO 42001 requirements
  • Developing and implementing a phased approach to full alignment
  • Building on our information security expertise for AI risk management
Prohibited Practices
We do not engage in:
• Manipulative Techniques: Using AI to exploit vulnerabilities or manipulate user behavior
• Scoring Systems: Social scoring of individuals without transparency and a legitimate purpose
• Unwarranted Surveillance: Applying AI for surveillance beyond what is necessary and proportionate
• Discriminatory Systems: Deploying AI that discriminates based on protected characteristics
Updates and Amendments
This policy will be reviewed and updated regularly to reflect:
• Changes in relevant legislation and regulations (including the EU AI Act)
• Updates to ISO 42001 and other applicable standards
• Advancements in AI technology
• Feedback from users and stakeholders
• Emerging best practices in responsible AI
• Findings from internal audits and management reviews
• Results from our ISO 27001 certification and our alignment efforts with ISO 42001