Sunday, June 29, 2025

Privacy and Artificial Intelligence - Checklist for 3.4: Employees and Internal Teams

Checklist for 3.4: Employees and Internal Teams

Objective

  1. Uphold responsible, ethical, and privacy-conscious use of AI tools in daily work, ensuring compliance with organizational policies and legal requirements (Privacy Commissioner for Personal Data [PCPD], 2025a; Ezzell, 2023).
      Related to Part 2 Sub-Point: 2.1 Privacy and Security by Design; 2.10 Regulatory Compliance and Adaptive Governance.

Key Actions

  1. Use only approved AI tools and follow organizational guidelines for permissible use.
      Example: Refer to internal policies specifying which generative AI tools are allowed and for what purposes (PCPD, 2025a; PCPD, 2025b).
      Related to Part 2 Sub-Point: 2.2 Data Minimization and Robust Access Controls.

  2. Protect sensitive data by accessing AI tools only on authorized devices and using strong credentials.
      Example: Use work devices and maintain stringent security settings as outlined in organizational policy (PCPD, 2025a).
      Related to Part 2 Sub-Point: 2.2 Data Minimization and Robust Access Controls.

  3. Promptly report AI incidents, such as data breaches or abnormal outputs, according to the organization’s incident response plan.
      Example: Notify the designated team if unauthorized input of personal data or potential legal breaches occur (PCPD, 2025a).
      Related to Part 2 Sub-Point: 2.7 Continuous Monitoring, Auditing, and Incident Response.

  4. Participate in regular training on responsible and effective AI use, including privacy, ethics, and security best practices.
      Example: Attend workshops, review practical tips, and understand the capabilities and limitations of AI tools (Ezzell, 2023; PCPD, 2025a).
      Related to Part 2 Sub-Point: 2.9 Cross-Functional Collaboration and Training.

  5. Maintain transparency by disclosing when AI tools are used and verifying AI-generated outputs for accuracy and compliance.
      Example: Label AI-generated content and check outputs for bias or intellectual property issues (PCPD, 2025a; Ezzell, 2023).
      Related to Part 2 Sub-Point: 2.3 Transparency and Explainability.

Metrics for Success

  1. Achieve 100% participation in mandatory AI privacy and security training sessions annually (PCPD, 2025a).
      Related to Part 2 Sub-Point: 2.9 Cross-Functional Collaboration and Training.

  2. Reduce the number of AI-related incidents reported by employees by 30% year-over-year (PCPD, 2025a).
      Related to Part 2 Sub-Point: 2.7 Continuous Monitoring, Auditing, and Incident Response.

  3. Maintain full compliance with internal AI use policies as verified by periodic audits (Ezzell, 2023).
      Related to Part 2 Sub-Point: 2.10 Regulatory Compliance and Adaptive Governance.

Common Pitfalls to Avoid

  1. Using unauthorized AI tools or inputting sensitive data into unapproved platforms (PCPD, 2025a; GDPR Local, 2025).
      Related to Part 2 Sub-Point: 2.2 Data Minimization and Robust Access Controls.

  2. Failing to report incidents or suspicious AI tool behavior in a timely manner (PCPD, 2025a).
      Related to Part 2 Sub-Point: 2.7 Continuous Monitoring, Auditing, and Incident Response.

  3. Ignoring updates to internal AI policies or neglecting required training (Ezzell, 2023; PCPD, 2025a).
      Related to Part 2 Sub-Point: 2.9 Cross-Functional Collaboration and Training.

References
Ezzell, A. (2023). Generative AI for organizational use: Internal policy checklist. Future of Privacy Forum. https://fpf.org/wp-content/uploads/2023/07/Generative-AI-Checklist.pdf

GDPR Local. (2025, January 20). How AI GDPR will shape privacy trends in 2025. https://gdprlocal.com/ga/how-ai-gdpr-will-shape-privacy-trends-in-2025/

PCPD. (2025a, April 15). Checklist on guidelines for the use of generative AI by employees. Privacy Commissioner’s Office. https://www.pcpd.org.hk/english/news_events/media_statements/press_20250331.html

PCPD. (2025b, May 14). Fostering AI security: The new checklist on guidelines for the use of generative AI by employees. Privacy Commissioner’s Office. https://www.pcpd.org.hk/english/news_events/newspaper/newspaper_20250514.html

Privacy Engineering Program, Carnegie Mellon University. (2024, April 24). What are the best practices for managing AI and privacy in the workplace? https://privacy-engineering-cmu.github.io/2024-04-24-Question-1-What-are-the-best-practices-for-managing-AI-and-privacy-in-the-workplace/
