Skip to main content

Responsible Use of AI Tools in Line with Koç University Policies

The following principles apply to all members of the Koç University community:

Transparency: The use of AI tools must be clearly acknowledged in any text, presentation, or publication.
Ethical Responsibility: Users are personally responsible for the accuracy, academic validity, legal compliance, and ethical implications of content generated by AI systems.
Privacy and Security: Sensitive, personal, or identifiable information must never be entered into AI systems.
Academic Integrity: Contributions made through AI must be properly attributed, and any use that may compromise the learning process should be strictly avoided.

You can access more detailed information and institutional guidelines through the links below:

For any questions or further assistance, please contact the IT Directorate.

Data Security

Koç University considers data security, personal data privacy, and the protection of institutional information assets as fundamental priorities in the development and use of AI systems.
This article outlines the information security, data privacy, and legal compliance obligations related to the use of AI systems across all academic, administrative, and research processes.

Data Security Principles and Guidelines

1. General Security Standards

All data used in AI systems must be processed in accordance with Law No. 6698 on the Protection of Personal Data (KVKK), the University's Information Security Policy, Data Classification Policy, and other relevant regulations.

Data processing activities must always adhere to the principles of purpose limitation, data minimization, accuracy, timeliness, and limited retention periods.

2. Technical and Administrative Security Measures

To ensure data security, the following technical and administrative measures should be implemented to the extent possible:

  • Data anonymization and pseudonymization (use of masked data),

  • Data encryption, secure data transmission, and maintenance of log records,

  • Authorized user access and identity authentication processes,

  • Penetration testing, network firewalls, and monitoring systems,

  • Tracking and reporting of data security incidents.

3. Institutional Infrastructure and System Security

Under no circumstances should personal data or confidential/top secret institutional data be entered into external or unapproved AI systems.

Only University-approved Secure AI Systems by the IT Directorate should be used.

4. Use and Restrictions on Personal Data

Sensitive personal data (such as health information, ethnic origin, political opinions, etc.) must not be processed using external AI tools.

The processing of confidential or top secret institutional data is only permitted within approved systems and when predefined conditions are met (such as legal basis under KVKK, informed consent, or ethics committee approval).

5. Data Transfers to Third Parties

Any personal data may only be shared with third parties based on a legal basis and clear notification. When required, explicit consent must also be obtained.
All data transfer activities must be secured through appropriate data processing agreements.

6. Notification and Consent Procedures

In research or practice-based activities, data subjects must be clearly and understandably informed, and an informed consent process must be implemented.
Individuals must be given the right to withdraw their consent at any time, and these processes should be structured to be easily accessible.

7. Information Classification and Access Control

All institutional information assets must be classified. Confidential and top secret information should only be accessible to authorized staff and must not be input into AI systems.

8. Preventing Improper Use

The following types of data must not, under any circumstances, be used with publicly accessible AI systems:

  • Personal health data

  • Information classified as confidential or top secret under institutional data policies

  • Student grades, health records, personnel files, exam contents, strategic documents, etc.

In processes such as human resources or academic evaluation, final decisions must not be delegated to AI systems; meaningful human oversight must always be maintained.

9. Compliance Monitoring and Incident Reporting

Any suspected violations of information security must be immediately reported to: bilgiguvenligi@ku.edu.tr
Where necessary, disciplinary proceedings may be initiated.

Additional Considerations

1. AI System Approval Process

Before any new AI system is deployed, it must undergo a risk-based assessment conducted by the Information Technologies Directorate (ITD) and the AI Governance Committee. The system’s technical, ethical, and legal compliance must be verified.

2. Accountability

All users are directly responsible for the development, use, and accuracy of the outputs produced by AI systems.
Accountability mechanisms such as audit trails, log records, and defined roles must be maintained and followed.

3. Training and Awareness

Koç University provides regular training and awareness programs on data security, information privacy, and ethical use of AI systems for all stakeholders.
Participation in these programs is mandatory for specific roles.

4. Sanctions and Misconduct

Violations of the policies outlined here may result in legal and administrative consequences under applicable regulations.

The following violations, in particular, are subject to serious disciplinary action:

  • Unauthorized sharing or processing of data

  • Entering personal data into external AI systems

  • Use of data in violation of ethical principles or without explicit consent

  • Generation of uncontrolled content that compromises data security

In cases of severe violations, appropriate legal, administrative, and disciplinary processes will be carried out in accordance with:

  • Law No. 6698 on the Protection of Personal Data (KVKK)

  • Law No. 5846 on Intellectual and Artistic Works (FSEK)

  • Koç University’s relevant disciplinary regulations

In such cases, the Koç University Personnel Disciplinary Regulation will be applied. Where necessary, actions may include suspension from duty, disciplinary investigation, or referral to legal authorities.

Contact and Support

Subject

Contact Email

Reporting a Data Security Incident

bilgiguvenligi@ku.edu.tr

Approval for AI System Usage

bt@ku.edu.tr

Ethical and Governance Inquiries

ai-governance@ku.edu.tr

Disclaimer

The licensed software and services provided to Koç University employees for the use of artificial intelligence (AI) tools are made available under a pilot program. Within this scope:

  • The availability and features of these tools depend on the current technological infrastructure, licensing policies, and terms of use set by the respective service providers.

  • Quotas, functionalities, usage limits, and access periods may be updated by the service providers or the University at any time.

Accordingly, Koç University makes no guarantees regarding the continuity, availability, or performance of these tools and accepts no liability in this regard.

Additionally, during the use of these AI tools:

  • Users are legally and institutionally responsible for ensuring compliance with data security, personal data protection, copyright, and information confidentiality principles.

  • Under no circumstances may Koç University staff, students, or affiliates upload University-owned sensitive, confidential, or top secret data (e.g., research data, student information, strategic documents) to any AI tool using personal accounts (e.g., @gmail.com). Any breach of this rule will be considered the sole responsibility of the user. In the event of any data leakage, loss, or unauthorized access resulting from such use, the individual will bear all legal, administrative, and criminal liability. The user is deemed to have accepted full responsibility for any consequences and agrees to compensate the University for any damages incurred.

In all cases, the primary responsibility lies with the user. Koç University shall not be held liable for any legal, administrative, or disciplinary consequences arising from the use of these tools.

By using the tools, users are deemed to have accepted the above conditions and are expected to exercise due diligence accordingly.


Related Content

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.