6-3003: Artificial Intelligence (AI)

Purpose

This policy establishes a comprehensive governance structure to ensure that artificial intelligence (AI) systems are developed, deployed, and managed responsibly by the County of Sacramento (County). It aims to maximize the benefits of AI systems that are utilized for the benefit of the community while safeguarding against potential harm, with a focus on privacy, transparency, accountability, equity, and security.

Authority

Duties of the Chief Information Officer, Sacramento County Code 2.20.030.

Scope

This policy applies to all County departments and users who may be purchasing, configuring, developing, operating, maintaining, or decommissioning Sacramento County’s AI systems or leveraging AI systems to provide services to Sacramento County.

Definitions

Artificial Intelligence: A machine-based system that can make predictions, recommendations, summarizations, or decisions influencing real or virtual environments.
Algorithm: A series of logical steps to turn inputs into outputs.
AI System: Any system, software, sensor, or process that automatically generates outputs, including predictions, recommendations, summarizations, or decisions, to augment or assist in human decision-making.
Deep Learning: A subset of machine learning, which is essentially a neural network with three or more layers.
Generative AI (GenAI): A subset of AI that focuses on creating new content. This can include text, audio or video generated in response to a prompt or input data.
Machine Learning: A set of techniques that can be used to train AI algorithms to improve performance on a task based off data. •
User: Includes any employee (permanent or temporary), contractor, consultant, vendor, volunteer, student or other person who uses County resources.

Policy

County encourages the adoption of AI innovation while protecting sensitive County information and constituents’ privacy. AI tools may be incorporated into a user’s work where it can be beneficial for making services better, more equitable, and more efficient. Users are required to verify Al-generated content to ensure quality, accuracy, and compliance with County guidelines and policies.

Users are solely responsible for ensuring the quality, accuracy, and regulatory compliance of all AI generated content utilized in the scope of employment. The County will regularly monitor and evaluate approved AI products to ensure they meet security and risk management criteria.

Public Facing Services

When AI systems are used to provide a public facing service, the purpose, scope, and functionality of such AI system must be clearly communicated to the public. Members of the public must be afforded the opportunity to opt out of interacting with an AI tool upon request.

Data Privacy and Security

Each user is responsible for using generative AI tools in a manner that ensures the security of sensitive information and aligns with County policies. Users are required to comply with all data privacy and security standards to protect Personally Identifiable Information (PII), Protected Health Information (PHI), or any sensitive data in generative AI prompts. Users must treat AI prompts as if they were publicly visible online to anyone, and must treat all AI prompts, data inputs, and outputs as if they are subject to the Freedom of Information Act and Public Records Act.

Data privacy and security standards include but are not limited to:

Health Insurance Portability and Accountability Act (HIPAA)
Criminal Justice Information Systems (CJIS)
Internal Revenue Service (IRS)
California Consumer Privacy Act (CCPA)

Use of County Email Address

When creating accounts with AI providers, County users must use their official County email address for security and accountability.

Prohibited Uses

Certain AI systems are prohibited due to the sensitive nature of information processed and potential risks they pose. These prohibitions are in place to protect individuals and society from harm and to ensure ethical standards are upheld.

Only AI systems that align with human values, County values, and social good are permitted for use. AI systems used by County staff must not perpetuate biases or discrimination.

Reporting Requirements

The following uses of AI systems cause harm, are prohibited, and must be reported immediately to a supervisor and the Information Security Office:

The use of AI systems or tools to fully automate decisions without any human intervention or oversight to correct any errors or flaws.
The use of AI systems or tools to target individuals and negatively manipulate their behaviors.
The use of AI systems or tools for any illegal, harmful, or malicious activities. This includes activities that perpetuate unlawful bias, automate unlawful discrimination, and produce other harmful outcomes.
The use of AI systems or tools to enter internal, sensitive, personally identifiable information (PII) or restricted data into any AI tool or service that has not been vetted for safety and security by the Department of Technology (DTech).

Procurement of AI Systems

When purchasing, configuring, developing, operating, or maintaining AI systems, the County of Sacramento will:

Uphold and comply fully with this policy
Obtain technical documentation about AI systems using the AI Fact Sheet or create equivalent documentation if internally developing the AI system. The Finance Department and Purchasing Office or appropriate purchasing authority is responsible for requiring vendors to complete the AI Fact Sheet.
Require contractors to comply with the County of Sacramento’s Artificial Intelligence (AI) Policy.
In the event of an incident involving the use of an AI system, the County of Sacramento Incident Response Plan will be initiated.
The Chief Information Security Officer (CISO) is responsible for overseeing the security practices of AI systems used by or on behalf of Sacramento County departments.

Decommissioning of AI Systems

When an AI system is no longer needed, it must be decommissioned in a manner that ensures data security. All data stored within the AI system, including backups, must be securely erased using methods that comply with the County’s data destruction standards. If the data qualifies as an official record, it must be retained according to the department's record retention policy.

Exceptions

Departments requesting an exception to this policy must follow the Information Technology Risk Acceptance Process. Requests can be submitted using the Risk Acceptance Request form.