MCI's response to PQ on Regulations on Input Prompts for Large Language Models
Parliament Sitting on 9 January 2024
QUESTION FOR WRITTEN ANSWER
26. Mr Gerald Giam Yean Song: To ask the Minister for Communications and Information (a) when using large language models owned by private or foreign companies, how does the Government ensure that confidential data is not disclosed in the input prompts; (b) whether the Government has signed any non-disclosure agreements (NDAs) with these companies; (c) what are the companies that the Government has signed NDAs with; and (d) how does the Government monitor compliance with such NDAs by these companies.
27. Dr Tan Wu Meng: To ask the Minister for Communications and Information whether the Government has plans to develop in-house artificial intelligence capabilities to ensure that input prompts for large language models need not be processed by private firms not under the purview of the Government, or by cloud computing units located in foreign territories or under foreign jurisdiction or control.
Answer:
Large language models (LLMs), such as those powering ChatGPT, have the potential to enhance the delivery of public services and the productivity of public officers. We adopt a risk-managed approach for LLMs, consistent with the existing public sector framework for the handling of classified information when using technologies such as internet-based applications and the commercial cloud.
Highly sensitive applications and data are not exposed to the Internet. Where use cases involve sensitive data, open-source models may be fine-tuned for use but must be deployed on Government servers and computers.
For use cases involving less sensitive data, the AI models may be owned and managed by commercial and private companies. Our contracts with these companies are governed by service agreements which include clauses on data handling and security, such as the non-retention of data, and limitations on the use of data to train other products or models. Beyond contractual safeguards, the Government has also implemented technical measures to screen sensitive data, visual cues to remind users of data security practices, and governance measures to enforce compliance.
We continuously re-assess the adequacy of our measures as the technology evolves.