AI Governance

DRAFT — pending legal review. MyEdMentor uses AI to assist educators in authoring learning content. This page describes how that processing is governed. AI output is always a draft for human review, never an autonomous decision about a person.

Pseudonymisation before processing

Before any text is sent to an AI provider, a server-side step replaces identifiable personal data with stable placeholders. The default patterns cover email addresses, phone numbers, UK National Insurance numbers, card-like numbers and postcodes. Patterns are deliberately high-precision; free-text name detection is not attempted (it is low-precision and risks both leakage and corruption), so callers are expected to pseudonymise known identity fields before composing a prompt.

Metadata-only logging

Each AI call records provider, model, purpose, input/output sizes and token counts, and whether redaction was applied — and nothing else. The prompt, the response, and any personal data are never stored in the processing log, which is append-only.

Provider controls

Approved provider/model/purpose combinations are configurable, so a model can be restricted from a given processing purpose. The provider register is reviewable by administrators.

Human oversight

Generated content moves through explicit review stages (AI-generated → human-reviewed → moderator-reviewed → approved or rejected) recorded in an append-only provenance trail. Publication is a deliberate human action attributed to the approver. An in-product notice informs users when a feature is AI-assisted and that output should be verified before reliance — see Academic Integrity.

Subprocessors & transfers

AI providers are listed in the subprocessor register. Some are US-based; appropriate transfer safeguards apply (DRAFT — to be confirmed with legal). Institutions remain the Controller for the decision to use AI-assisted features.