Regulations on Input Prompts for Large Language Models to Prevent Disclosure of Confidential Data

Fourteenth Parliament of Singapore – Second Session for the Sitting on 9 January 2024

Question

Dr Tan Wu Meng asked the Minister for Communications and Information whether the Government has plans to develop in-house artificial intelligence capabilities to ensure that input prompts for large language models need not be processed by private firms not under the purview of the Government, or by cloud computing units located in foreign territories or under foreign jurisdiction or control. 

Mr Gerald Giam Yean Song asked the Minister for Communications and Information (a) when using large language models owned by private or foreign companies, how does the Government ensure that confidential data is not disclosed in the input prompts; (b) whether the Government has signed any non-disclosure agreements (NDAs) with these companies; (c) what are the companies that the Government has signed NDAs with; and (d) how does the Government monitor compliance with such NDAs by these companies.

Answer

Written answer by Mrs Josephine Teo, Minister for Communications and Information and Minister-in-charge of Smart Nation and Cybersecurity (for the Prime Minister)

Large language models (LLMs), such as those powering ChatGPT, have the potential to enhance the delivery of public services and the productivity of public officers. We adopt a risk-managed approach for LLMs, consistent with the existing public sector framework for the handling of classified information when using technologies such as internet-based applications and the commercial cloud.

Highly sensitive applications and data are not exposed to the Internet. Where use cases involve sensitive data, open-source models may be finetuned for use, but must be deployed on Government servers and computers.

For use cases involving less sensitive data, the AI models may be owned and managed by commercial and private companies. Our contracts with these companies are governed by service agreements which include clauses on data handling and security, such as the non-retention of data, and limitations on the use of data to train other products or models. Beyond contractual safeguards, the Government has also implemented technical measures to screen sensitive data, visual cues to remind users on data security practices, and governance measures to enforce compliance.

We continuously re-assess the adequacy of our measures as the technology evolves.