edtechagent.ai
Creating a Policy for LLM Input in Schools: Balancing Innovation and Data Protection

At a Glance

Large Language Models (LLMs) like ChatGPT place new demands on schools regarding data protection. Unlike traditional cloud services, input to an LLM can potentially be trained on and reused. Schools therefore need clear guidelines on what information may be entered into these tools, especially to protect student data and comply with GDPR.

Why Do Schools Need a Specific LLM Policy?

The Difference from Traditional Cloud Services

Traditional cloud services offer detailed settings for who can see and share documents. LLMs function differently:

  • Training Data: Many providers reserve the right to use input for model training.
  • Logging: Conversations are often saved for development and troubleshooting.
  • Traceability Issues: Information entered can be difficult to control or retrieve once processed.

GDPR and Legal Requirements

Schools must ensure that all AI usage complies with GDPR:

  • Article 5: Principles regarding processing of personal data (lawfulness, purpose limitation, data minimization).
  • Article 28: Requirements for data processors and agreements with LLM providers.
  • Article 35: Data Protection Impact Assessment (DPIA) is required for AI systems that may entail high risks for individuals.

Guidelines for Different Roles

School Leadership and Administration

Risk Analysis and GDPR Compliance: According to GDPR Article 35, you must conduct a Data Protection Impact Assessment (DPIA) for LLM usage that may pose a high risk to individuals. Ensure that the school's Data Protection Officer (DPO) is involved in the assessment.

Provider Selection: According to GDPR Article 28, schools may only use data processors that offer sufficient guarantees. Prioritize LLM providers that offer:

  • Robust data processing agreements with clear instructions.
  • The option to opt-out of data training.
  • Technical and organizational security measures.
  • EU-based solutions whenever possible.

Clear Communication: Draft a clear policy that is communicated to all staff and students.

Teachers

Absolute Ban on Personal Data: Never input:

  • Student names, personal ID numbers, or class designations.
  • Student essays or exam answers containing identifying information.
  • Personal data regarding colleagues or guardians.

Safe Use Cases:

  • Lesson planning without personal data.
  • Generating practice assignments and feedback templates.
  • Idea generation for teaching.

Anonymization: If student material is to be used, it must be fully anonymized so that no individual student can be identified.

Students

Awareness: Educate students on the importance of protecting personal data online.

Safe Use Cases:

  • Brainstorming and idea generation.
  • Language support and translation.
  • Improving writing skills.

Prohibited Input: No personal information about themselves or others.

The Difference Between Planning and Student Assignments

Lesson Planning

A lesson plan without personal data can be used relatively safely to:

  • Get feedback on teaching methods.
  • Generate supplementary material.
  • Gain new pedagogical ideas.

Student Assignments

Student assignments often contain personal data, both explicit and implicit:

  • Writing style that can identify the student.
  • Personal experiences and opinions.
  • Names and class details.

General Rule: Avoid inputting student assignments unless specific agreements and technical solutions guarantee data protection.

Implementation in Practice

Step 1: Pilot Project

Start with limited projects to test the policy and tools.

Step 2: Training

Regular professional development for all staff regarding AI usage and data protection.

Step 3: Technical Solutions

Investigate LLM solutions that can run locally or offer strong data protection guarantees.

Step 4: Continuous Evaluation

The policy must be regularly reviewed based on new technology and changing regulations.

Practical Tips for Teachers

  1. Read the School's Policy: Ensure you understand what applies to AI usage.
  2. Ask if Unsure: Contact the IT manager or Data Protection Officer.
  3. Focus on Processes: Use LLMs for teaching development rather than student data management.
  4. Share Experiences: Communicate with colleagues about safe use cases.
  5. Prioritize Anonymization: Learn effective anonymization methods.

Conclusion

By implementing a thoughtful policy for LLM input, schools can leverage the potential of AI while protecting the privacy of students and teachers. Balancing innovation and data protection requires continuous attention and adaptation as technology evolves.