AI Policy
Template

This policy establishes guidelines for the responsible use of artificial intelligence (AI) tools and systems within [Organisation Name]. It aims to maximise the benefits of AI while managing risks related to data protection, quality, and compliance.

This policy applies to all employees, contractors, and third parties who use AI tools in the course of their work for [Organisation Name]. It covers both organisation-approved AI tools and personal use of AI tools for work purposes.

Only the following AI tools are approved for use with [Organisation Name] data: • [Tool 1 — e.g., ChatGPT Enterprise] • [Tool 2 — e.g., Microsoft Copilot] • [Tool 3 — e.g., Claude for Business] Tools not on this list must be assessed and approved by [role/department] before use.

To request approval for a new AI tool, submit a request to [role/department] including: the tool name, intended use case, data types involved, and the vendor's data processing terms.

Personal data (names, email addresses, phone numbers, national insurance numbers, financial information) must NOT be entered into any AI tool unless: a) The tool is on the approved list AND b) The tool's data processing terms are GDPR-compliant AND c) A Data Protection Impact Assessment has been completed

Trade secrets, financial projections, client lists, proprietary code, and internal strategy documents must not be shared with public AI tools. Use enterprise-tier tools with appropriate data agreements.

Review the AI tool's data retention policy. Do not assume data entered is deleted after your session. Where possible, use tools that offer session-based data handling.

All AI-generated content, analysis, and recommendations must be reviewed by a human before being used in client deliverables, public communications, or decision-making. AI is a tool to assist, not replace, professional judgement.

AI tools may generate plausible but incorrect information ("hallucinations"). Verify all facts, statistics, citations, and claims generated by AI before use.

Where appropriate, disclose to stakeholders (clients, partners, regulators) that AI tools were used in producing work product. Follow industry-specific disclosure requirements.

Use organisation-managed accounts for AI tools, not personal accounts. Enable multi-factor authentication where available. Do not share AI tool credentials.

Do not include passwords, API keys, access tokens, or other security credentials in AI prompts. Assume anything you type into a public AI tool could become public.

Do not use AI tools in ways that could discriminate against individuals based on protected characteristics (age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, sexual orientation) under the Equality Act 2010.

Do not misrepresent AI-generated work as solely human-created when this would be misleading. Do not use AI to deceive or manipulate.

Follow this policy. Report any concerns or breaches to [role/department]. Use AI tools responsibly and exercise professional judgement.

Ensure team members are aware of this policy. Monitor AI tool usage within your team. Escalate concerns to [role/department].

Maintain the approved tools list. Conduct DPIAs for new AI tools. Handle policy breaches and data incidents. Review and update this policy annually.

[Organisation Name] reserves the right to monitor the use of AI tools on company devices and networks to ensure compliance with this policy.

Breaches of this policy will be handled in accordance with [Organisation Name]'s disciplinary procedure. Serious breaches, particularly those involving personal data, may constitute gross misconduct.