FAQ Task force AI

AI may be used as support for preparatory, drafting and organisational activities: generic drafts, outlines, summaries, checklists, reformulations, language corrections, tables, communication templates and simplification of texts.

It must not, however, replace decisions, assessments, preliminary checks, office responsibilities or checks on data, documents and procedures. Any generated content must be checked before operational use.

An effective prompt is a clear and complete request. To build one, it is useful to follow a simple structure: role, context, task, format, constraints and verification.

The role serves to indicate the point of view or tone that the AI should adopt. For example: "Act as support for administrative drafting" or "Use a clear and institutional tone".

The context serves to briefly explain the situation, without including personal data or confidential information. For example: "I work in a university administrative office and need to prepare a general communication for users".

The task indicates precisely what you want to obtain. For example: "Prepare a draft email", "summarise the text", "create a checklist", "reformulate the paragraph".

The format specifies how the response should be returned. For example: "in the form of an email", "in a table", "as a bulleted list", "with a title and short paragraphs".

The constraints indicate the safeguards to be observed. For example: "Do not include personal data", "do not formulate definitive decisions", "do not invent regulatory references", "flag the aspects to be verified".

Verification serves to ask the AI to indicate which elements must be checked by the office before use. For example: "At the end, indicate the aspects that the competent office must verify before sending".

Example of a complete prompt:

"Act as support for administrative drafting. I work in a university office and need to prepare a general communication for users on [topic]. Prepare a draft email with a clear, concise and institutional tone. Do not include personal data, do not assume definitive decisions and do not invent regulatory references. At the end, indicate the aspects that the office will need to verify before sending."

Another example:

"Act as operational support. I need to build a general checklist to verify [type of activity/procedure]. Return the output as a bulleted list. Indicate only the elements that an operator should check, without replacing the competent office and without formulating definitive assessments."

It is possible to ask the AI to use a formal, administrative or institutional tone, but not to impersonate an official, a manager, an office or a real person. The content produced must always be verified before operational use.

Personal data, names, surnames, student or employee identification numbers, tax codes, IBANs, email addresses, telephone numbers, credentials, passwords, tokens, PINs, health data, data relating to minors, individual economic data, confidential documents, non-public internal information or references to sensitive procedures must not be included.

Where possible, the case should be described in general terms, using fictitious data or placeholders.

You may use AI on administrative documents only if they do not contain personal data, confidential information, preliminary/investigative content or elements that are not necessary for the request.

Before uploading or pasting a document, names, contact details, identification codes, economic data, banking data, protocol numbers, references to cases and any information that could make persons, procedures or specific situations recognisable must be removed or obscured.

Particular caution is required for internal documents, unpublished drafts, protocolled acts or meeting transcripts.

All identifying and unnecessary data must be removed: names, surnames, student or employee identification numbers, tax codes, emails, telephone numbers, addresses, economic data, banking data, references to cases, protocol numbers and information that allows a person to be identified indirectly.

Aggregated or genuinely anonymised data are preferable, but it is necessary to verify that the data subjects cannot be traced through combinations of variables, small groups, dates, roles or other details.

It is not prudent to upload a complete document containing personal data and ask the AI to anonymise it. Anonymisation must be carried out before using the tool.

Pseudonymisation reduces risk, but does not necessarily amount to anonymisation.

Initials, codes or abbreviations may still make a person recognisable if combined with role, office, course, date, case file or other information present in the text. Before using AI, it is necessary to verify that there is no concrete risk of re-identification.

Health data, data relating to minors, information on disability, invalidity or personal vulnerability, judicial, disciplinary, trade union, political, religious, biometric or individual economic data, or data relating to family members, must not be entered.

This information requires special protection and must be processed only through authorised tools, channels and persons.

No. Passwords, tokens, PINs, certificates, API keys, credentials or access codes must never be entered.

System logs or error messages may be used only after removing personal data, IP addresses, internal paths, user names, tokens and confidential technical information.

AI may help draft a request to IT support or understand a generic error message, but it must not be used to bypass blocks, permissions or security measures.

Yes, AI may help prepare drafts of emails, certified emails (PEC) and institutional communications, improving clarity, tone and structure.

Before sending, it is necessary to verify the content, recipients, attachments, references, deadlines, personal data, commitments made and consistency with the office's position.

AI must not send automatic replies without human oversight.

AI may support the preparation of drafts, outlines, checklists and language reviews of administrative acts, such as determinations, resolutions, opinions, preliminary/investigative sheets or formal communications.

However, it may not replace the preliminary investigation, the statement of reasons, verification of prerequisites, competence checks, regulatory references, amounts, budget coverage, annexes or office assessments.

The final text must be verified and validated by the competent persons.

Yes, AI may help organise notes and prepare draft minutes, agendas or action lists.

Before use, it is necessary to remove personal data, opinions attributable to individuals, confidential information and unnecessary content.

Decisions, responsibilities and actions extracted by the AI must be confirmed by the person taking the minutes or by the competent persons. Minutes that have already been approved must not be modified through AI without following the required procedures.

Yes, AI may help write, reorganise, simplify or make more accessible texts intended for the institutional website.

However, it must not autonomously decide what to publish, what to obscure or which publication obligations apply.

Before publication, it is necessary to verify correctness, currency, accessibility, institutional tone, links, regulatory references, personal data and consistency with official sources.

AI may help write general communications, instructions, FAQs or explanations of procedures addressed to students.

However, individual career data, student identification numbers, exams, credits (CFU), ISEE, economic data, personal cases or information attributable to individual students must not be entered.

Responses on concrete cases must be verified by the competent office.

AI may help write general communications to staff or prepare templates and drafts.

However, it must not process individual data on absences, illnesses, leave, shifts, evaluations, performance or personal situations.

It may not formulate judgments, prepare individual assessments, assign shifts automatically or make decisions that affect employees.

Yes, AI may help create formulas, structure tables, suggest checks, write macros or design automations.

However, files containing personal data, names, student or employee identification numbers, economic data or confidential information must not be uploaded. It is preferable to use fictitious examples or column structures without real data.

Every formula, macro or code generated by AI must be tested on copies and verified before use on official data.

AI may help prepare general checklists or draft communications, but it must not receive invoices, payment orders, PagoPA notices, reimbursement requests or real accounting data with beneficiaries, IBANs, tax codes, individual amounts or identifying references.

It may not replace administrative-accounting checks or decide payments, liquidations, reimbursements or recoveries.

AI may help write drafts, checklists, neutral comparative tables, descriptions, requests for clarification or tender specification outlines.

However, it must not choose suppliers, evaluate bids, assign scores, decide requirements, establish reliability or replace the RUP, committees and competent offices.

Before using it, it is necessary to remove data of economic operators, identifiable bids, confidential amounts, non-essential CIG/CUP codes and non-anonymised tender documents.

AI may help guide research or suggest aspects to verify, but it is not an official source.

Rules, circulars, regulations, deadlines, internal procedures and references must be checked against official sources, updated documents or with the competent contacts.

If the AI cites a source that cannot be found or verified, that source must not be used.

No. AI must not make decisions, assign scores, formulate judgments, create rankings, evaluate candidates, students, employees, bids, complaints or applications.

At most, it may help prepare blank templates, checklists, outlines or general reminders.

Administrative decisions must remain human, reasoned, documented and verifiable.

AI may help prepare general drafts, checklists or verification outlines.

However, it must not decide acceptances, refusals, redactions, privacy compliance matters, DPIAs, data breaches or responses to the exercise of data subjects' rights.

Assessments must be carried out by the competent contacts. Real requests, documents or personal data must not be entered unless authorised and necessary.

Particular caution is required for disciplinary proceedings, litigation, whistleblowing, reports, audits, conflicts of interest and non-compliance.

Personal data, identifying facts, strategies, assessments, evidence, confidential reports or documents relating to the concrete case must not be uploaded.

AI may possibly assist with abstract templates or general checklists, but management must remain with the competent persons.

AI may support the creation of draft graphics, alternative texts, scripts or generic multimedia content.

Images, faces, voices or videos of real people must not be used without authorisation. Avatars or synthetic content that may be misleading should be avoided.

Before publication, it is necessary to verify rights, authorisations, accessibility, personal data and consistency with institutional communication.

AI may help translate drafts, notices or general texts, but the translation must be verified by competent staff, especially if the document has official value.

Real certificates or personal documents must not be uploaded.

AI must not complete certificates or attestations relating to real people; it may support only blank templates, general instructions or anonymised texts.

Responsibility for the operational use of the output remains with the operator and the competent office, according to internal roles and procedures.

AI may produce errors, omissions or plausible but unverified content. For this reason, every result must be checked, corrected and validated before being sent, published or included in a procedure.

It is not correct to justify an error by attributing it to the tool.

In case of doubt, it is preferable not to proceed independently and not to enter data, documents or confidential information.

Support should be requested when the case concerns personal data, internal documents, decisions about persons, payments, rankings, litigation, disciplinary proceedings, reports, health data, data relating to minors or other sensitive information.

For clarification, it is possible to contact the persons indicated by the University or use the contacts made available in the dedicated section.

The use of AI agents, plugins, connectors, APIs or tools capable of accessing documents, emails, calendars, databases or applications requires particular caution and must take place only if authorised, configured according to the principle of least privilege and subject to effective human supervision. Before activation, the purposes, data processed, permissions granted, traceability of operations, possibility of interrupting the action and risks to security, confidentiality and administrative correctness must be verified. Agents must not perform automatic actions with external effects or modify official data without control and confirmation by the competent operator.

Yes, AI may help write scripts and code, but the output must be considered a technical proposal to be verified. The code must not be run on official data, real archives, production systems or shared folders without review, testing on a copy, backup, validation and authorisation by the competent structure. Credentials, API keys, internal paths, unsanitised logs or confidential technical information must not be entered.

The use of AI must be transparent and traceable, especially when the result feeds into administrative, documentary or institutional activities. It is not necessary to declare every merely linguistic or preparatory use, but the user must be able to explain, if requested, for what purpose the tool was used, what data were entered, what safeguards were adopted and what human control was carried out on the output.

Before using AI, a minimum check must be applied to the following aspects:

a) what is the purpose;

b) what data are necessary;

c) are the data public or confidential;

d) are personal or special categories of data present;

e) can I use fictitious or anonymised data;

f) can the output affect persons or procedures;

g) who must verify it before use.

If even one answer highlights a significant risk, it is necessary to reduce the data entered, use an abstract case or request support from the AI Task Force.