General Policy
Digital & Information
GP/G1
Information Security
Information Security Manager, Senior IG&S Assurance Manager & Head of Information Governance and Security
Director of Digital and Information
16 October 2025
16 October 2025
16 October 2026
1

General Note

NHS Fife acknowledges and agrees with the importance of regular and timely review of policy statements and aims to review policies within the timescales set out. New policies will be subject to a review date of no more than 1 year from the date of the first issue.

Reviewed policies will have a review date set that is relevant to the content (advised by the author) but will be no longer than 3 years.

If a policy is past its review date, then the content will remain extant until such time as the policy review is complete and the new version published, or if national policy or legislative changes are made.

1.  INTRODUCTION

1.1 Artificial Intelligence (AI) broadly refers to any system that can demonstrate human intelligence capabilities like reasoning and learning. This could include visual perception, speech recognition or translation between languages.

1.2 This policy focuses only on Generative AI (Gen AI), which represents a more specific subfield of AI focused entirely on content creation such as text, images, music, audio, and videos. Examples of generative AI tools include web-based products such as Microsoft Copilot, Google Gemini and OpenAI’s ChatGPT.

1.3 This policy does not focus on bespoke AI technologies that may be developed to provide a particular clinical capability or business use. The adoption of such a platform would be subject to a robust assurance process, will be covered under a global AI framework (currently under IG&S development), and will be introduced as new business and assessed through existing NHS Fife digital and clinical governance and assurance processes.

1.4 Unlike other AI types that focus on analysis or classification, Generative AI models create content by recognising patterns and structures in training data obtained from the World Wide Web and other open-source available content. They use this understanding to generate results that enhance productivity by automating tasks like drafting emails, generating reports, and writing code.

1.5 The outputs from generative models are remarkably realistic and difficult to distinguish from content created by humans. They can augment human creativity by quickly producing abundant content variations from very little prompting.

2.  FUNCTION

2.1 The purpose of this policy is to set clear ethical and operational standards, ensuring responsible use and preventing harm or discrimination. It will help protect sensitive data and secure AI systems from cyber threats and unauthorised access, ensuring compliance with laws and industry standards. It will promote transparency in Gen AI operations and hold users accountable for their actions and the outcomes of Gen AI applications. It also provides a framework for educating employees about ethical and secure AI use, fostering a culture of responsibility.

2.2 Please note that this Gen AI policy is not exhaustive and may need periodic updates as technology advances, regulatory requirements change, and best practices in AI governance evolve. NHS Fife is committed to leading in responsible AI implementation to ensure the ethical and effective use of all AI technologies.

3.  LOCATION & SCOPE

3.1 This policy applies to all NHS Fife staff and is intended to maintain robust information security across the organisation.

In the interests of clarity, all references to ‘staff’ include:

  • all staff within NHS Fife
  • all volunteer staff directly engaged with NHS Fife operations
  • all 3rd party employees directly engaged in service provision or embedded with NHS Fife departments
  • all staff who are employed, engaged or partners within primary care settings (contracted to NHS Fife).

4.  RESPONSIBILITY

4.1  Responsibilities of the User

  • Ensuring ethical and lawful use of Gen AI systems.
  • Understanding Platform Limitations: Recognising that Gen AI platforms may produce incorrect or biased outputs and ensuring proper validation of all generated content.
  • Protecting data privacy and maintaining security protocols. The inputting of sensitive data, including personal, patient healthcare and business sensitive data, is strictly prohibited. Complying with all relevant Data Protection laws and organisational policies.
  • Staying informed about Gen AI best practices and reporting any issues.
  • Reporting Issues: Promptly reporting any security breaches, misuse, or contravention of NHS Fife policies via Datix and/or the IT Service Desk.
  • Following the InfoSec Note guidance for responsible use, released in July 2024.

4.2 Responsibilities of the Line Manager

  • Ensure that teams that use Gen AI do so in compliance with ethical guidelines, legal requirements, and organisational policies.
  • Provide necessary training and resources to their team members on ethical and secure use of Gen AI. AI training material is available through Turas, and the IG&S Professional Development Programme has a module dedicated to AI that is open for all to enrol.
  • Ensure staff are directed to the D&I Directorate, who are available for advice and guidance where required.

4.3 Responsibilities of The Information Governance & Security Department

  • Monitoring Gen AI systems and use for compliance with security standards and regulations.
  • Assessing, implementing and maintaining robust security protocols to protect systems from threats and vulnerabilities arising from using Gen AI.
  • Ensuring that personal and sensitive data processed by Gen AI systems is protected in accordance with organisation policies and data protection legislation, including DPA 2018 and UK GDPR.
  • Conducting and regularly reviewing risk assessments to identify and mitigate potential security vulnerabilities in AI systems.

4.4 Responsibilities of The Digital and Information Directorate

  • Overseeing the integration of Gen AI systems with existing digital infrastructure and ensuring seamless operation.
  • Continuously monitoring the performance and effectiveness of AI systems, making improvements as necessary.
  • Ensuring the quality, integrity, and accessibility of data used by Gen AI systems.
  • Restricting access to platforms where it identifies any elevated cyber, data protection or other risk that may impact NHS Fife.
  • New platforms for AI use are appearing almost daily. NHS Fife reserves the right to block access where there is an elevated cyber, data protection or other risk factor that could impact NHS Fife.

5.  OPERATIONAL SYSTEM

5.1 Unacceptable Use

5.1.1 Certain uses of Gen AI are prohibited unless otherwise approved through existing NHS Assurance processes. Staff are to adhere to the following directives at all times:

  • Do not enter any health data or sensitive information about individuals into any Gen AI system. ‘Sensitive information’ includes medical, personal, financial, political affiliations, racial or ethnic origins, religious beliefs, gender, sexual orientation, disability status, or any other content that may be considered sensitive. Particular to the NHS and the Healthcare environment, personal sensitive data can be defined as:
    • Name, address, full post code, date of birth.
    • Community health index (CHI) number.
    • Staff Payroll Number.
    • Any other contact information that may allow them to be identified, for example, a phone number or email address.
    • A photograph, video or audio tape or other image that identifies an individual.
    • Anything else that may be used to identify them directly or indirectly, for example, rare diseases, drug treatments or statistical analyses within a small population.
    • Information relating to vulnerable persons’ health (e.g. child protection cases).
    • Any information about an individual (i.e. anything clinical or non-clinical) that would cause distress, inconvenience or embarrassment.
    • Information that, if disclosed without authorisation, is likely to result in undermining confidence in the service.
  • Engaging in political lobbying activities is prohibited. Lobbying is defined as any action intended to influence a government, government official, or government entity for any purpose.
  • Do not enter business sensitive information, company intellectual property, confidential information, or personal data about any individual working in NHS Fife.
  • Using a Gen AI system to obtain legal advice is prohibited. This includes, but is not limited to, creating policies for internal use or for distribution to third parties.
  • The use of third-party Gen AI software functions such as meeting assistants, calendar managers and email managers is prohibited.
  • Do not input or use any copyrighted material or other intellectual property without proper clearance or permission from the information owner.
  • Do not use your NHS email to sign up for 3rd party platforms. Certain functions of Copilot are available through M365 and will automatically use your credentials, but for all other platforms (examples include ChatGPT, Google Gemini and Grok) this is a personal choice, and NHS does not mandate anyone using AI platforms. Therefore, nhs.scot credentials are not to be used.
  • Do not misrepresent AI-generated content as entirely human-generated without proper disclosure.

Any concerns regarding misuse of AI should be reported to the employee’s line manager in the first instance. This may be investigated in line with the NHS Scotland workforce policies investigation process. If there is a potential conduct issue this may progress in line with NHS Scotland’s conduct policy.

5.2  Acceptable Use

5.2.1 The following is considered to be acceptable and safe use of Gen AI platforms:

  • Employees can utilise Gen AI to enhance their productivity and efficiency in the workplace. Gen AI can assist with a variety of tasks, including conducting research, preparing emails, and writing report templates. By leveraging Gen AI’s capabilities, employees can streamline their workflows, ensure accuracy in their communications, and access valuable information quickly and effectively. However, this is to be limited to benign information and to providing outline structure or templates, as per the direction in paragraph 5.1.
  • When using Gen AI for research, employees should ensure that the information gathered is from reputable sources and is relevant to their work. Gen AI can help summarise complex data, generate insights, and provide references, making it easier for employees to stay informed and make well-supported decisions. Gen AI output is always to be validated by a human. AI models may produce inaccurate or unpredictable outputs, risking errors in any given process assisted by an AI response. Cross-check the information provided by Gen AI to maintain the integrity and reliability of the work produced. Ensure there is always a “Human” validation step and that there is not excessive reliance on AI platforms that could lead to skill fade or poor operational practices.
  • In preparing emails and writing reports, employees can use Gen AI to draft content, suggest improvements, and ensure clarity and professionalism in their communications. Gen AI can assist in organising thoughts, structuring documents, and refining language, which helps in presenting ideas more effectively.
  • Employees should review and personalise the content generated by Gen AI to align with their unique voice and the specific requirements of their tasks.

5.3 Compliance Monitoring

5.3.1 NHS Fife’s Digital and Information Directorate monitors web activity carried out on NHS Fife systems. Any data entered or any responses that can be copied from Gen AI platforms can be monitored by the D&I department and may be subject to investigation should any contravention of policy be identified. Users should be aware that the information processed by NHS Fife may be subject to a request under the Freedom of Information Scotland Act (FOISA) 2002.

5.4 Risk Management

5.4.1 NHS Fife Staff shall respect the confidentiality and privacy of individuals whose records they access; to observe any restrictions that apply to sensitive data; and to abide by legislation, policies, procedures, and guidelines with respect to access, use or disclosure of information.

5.4.2 The unauthorised disclosure of NHS Fife data, outwith that required by an employee’s job responsibilities, is expressly forbidden. Additionally, the access or use of any NHS Fife data for one’s own personal gain or profit, or to satisfy one’s personal curiosity or that of others, is forbidden.

5.4.3 It is the responsibility of the Line Manager to ensure this policy is deployed within their area of responsibility.

5.4.4 The Health & Social Care Partnership (H&SCP) and the Integrated Joint Board (IJB) will continue to monitor the efficacy of the existing H&SCP Risk Management Strategy and NHS Fife Risk Management strategy 23/26, and review these to ensure they comply with any changes made to the partnership arrangements and to accommodate the requirements associated with developments in Health & Social Care Integration.

5.5 Training and Awareness

5.5.1 All employees have the responsibility to complete mandatory training on TURAS in Information Governance and Safe Information Handling. These training sessions will equip them to use Generative AI responsibly.

5.6 Review and Improvement

The use of all AI by NHS Fife is under constant review. This Gen AI policy is not exhaustive and will need periodic updates as technology advances, regulatory requirements change, and best practices in AI governance evolve.

6.  RELATED DOCUMENTS

7.  REFERENCES