Appendix A: Sample corporate policy for the use of generative artificial intelligence (version one)
Use of generative Artificial Intelligence (AI) large language models including ChatGPT
1. Purpose
The purpose of this policy document is to provide a framework for the use of Generative Artificial Intelligence Large Language Models (GenAI) such as ChatGPT, Bard, Bing or other similar tools by council employees, contractors, developers, vendors, temporary staff, consultants or other third parties, hereinafter referred to as ‘users’.
This policy is designed to ensure that the use of GenAI is ethical, complies with all applicable laws, regulations and council policies, and complements the council’s existing information and security policies.
The pace of development and application of GenAI is such that this policy will be in a constant state of development. Please share your feedback, suggestions and experiences to enable us to improve the policy and to ensure that it continues to meet the needs of councils.
2. Use
This policy applies to all users with access to GenAI, whether through council-owned devices or BYOD (bring your own device) in pursuit of council activities.
Use of GenAI must be in a manner that promotes fairness and avoids bias to prevent discrimination and promote equal treatment, and be in such a way as to contribute positively to the council’s goals and values.
Users may use GenAI for work-related purposes subject to adherence to the following policy. This includes tasks such as generating text or content for reports, emails, presentations, images and customer service communications.
Particular attention should be given to Governance, Vendor practices, Copyright, Accuracy, Confidentiality, Disclosure and Integration with other tools.
Governance
Before accessing GenAI technology, users must first notify the council’s Information Governance Team of their intention to use, the reason for use, and the expected information to be input as well as the generated output and distribution of content.
Vendors
Any use of GenAI technology in pursuit of council activities should be done with full acknowledgement of the policies, practices, terms and conditions of developers/vendors.
Copyright
Users must adhere to copyright laws when utilising GenAI. It is prohibited to use GenAI to generate content that infringes upon the intellectual property rights of others, including but not limited to copyrighted material. If a user is unsure whether a particular use of GenAI constitutes copyright infringement, they should contact the legal advisor or Information Governance Team before using GenAI.
Accuracy
All information generated by GenAI must be reviewed and edited for accuracy prior to use. Users of GenAI are responsible for reviewing output, and are accountable for ensuring the accuracy of GenAI generated output before use/release. If a user has any doubt about the accuracy of information generated by GenAI, they should not use GenAI.
Confidentiality
Confidential and personal information must not be entered into a GenAI tool, as information may enter the public domain. Users must follow all applicable data privacy laws and organisational policies when using GenAI. If a user has any doubt about the confidentiality of information, they should not use GenAI.
Ethical use
GenAI must be used ethically and in compliance with all applicable legislation, regulations and organisational policies. Users must not use GenAI to generate content that is discriminatory, offensive, or inappropriate. If there are any doubts about the appropriateness of using GenAI in a particular situation, users should consult with their supervisor or Information Governance Team.
Disclosure
Content produced via GenAI must be identified and disclosed as containing GenAI-generated information.
Footnote example: Note: This document contains content generated by Artificial Intelligence (AI). AI generated content has been reviewed by the author for accuracy and edited/revised where necessary. The author takes responsibility for this content.
Integration with other tools
API and plugin tools enable access to GenAI and extended functionality for other services to improve automation and productivity outputs. Users should follow OpenAI’s Safety Best Practices:
- Adversarial testing
- Human in the loop (HITL)
- Prompt engineering
- “Know your customer” (KYC)
- Constrain user input and limit output tokens
- Allow users to report issues
- Understand and communicate limitations
- End-user IDs.
API and plugin tools must be rigorously tested for:
- Moderation – to ensure the model handles hateful, discriminatory, threatening and similar inputs appropriately.
- Factual responses – provide a ground truth for the API and review responses accordingly.
3. Risks
Use of GenAI carries inherent risks. A comprehensive risk assessment should be conducted for any project or process where use of GenAI is proposed. The risk assessment should consider potential impacts including: legal compliance; bias and discrimination; security (including technical protections and security certifications); and data sovereignty and protection.
Legal compliance
Data entered into GenAI may enter the public domain. This can release non-public information and breach regulatory requirements, customer or vendor contracts, or compromise intellectual property. Any release of private/personal information without the authorisation of the information’s owner could result in a breach of relevant data protection laws. Use of GenAI to compile content may also infringe on regulations for the protection of intellectual property rights. Users should ensure that their use of any GenAI complies with all applicable laws and regulations and with council policies.
Bias and discrimination
GenAI may make use of and generate biased, discriminatory or offensive content. Users should use GenAI responsibly and ethically, in compliance with council policies and applicable laws and regulations.
Security
GenAI may store sensitive data and information, which could be at risk of being breached or hacked. The council must assess technical protections and security certification of GenAI before use. If a user has any doubt about the security of information input into GenAI, they should not use GenAI.
Data sovereignty and protection
While a GenAI platform may be hosted internationally, under data sovereignty rules information created or collected in the originating country will remain under the jurisdiction of that country’s laws. The reverse also applies. If information is sourced from GenAI hosted overseas, the laws of the source country regarding its use and access may apply. GenAI service providers should be assessed for data sovereignty practice by any organisation wishing to use their GenAI.
4. Compliance
Any violations of this policy should be reported to the council’s Information Governance Team or senior management. Failure to comply with this policy may result in disciplinary action, in accordance with the council’s Human Resources policies and procedures.
5. Review
This policy will be reviewed periodically and updated as necessary to ensure continued compliance with all applicable legislation, regulations and organisational policies.
6. Acknowledgment
By using GenAI, users acknowledge that they have read and understood these guidelines, including the risks associated with the use of GenAI.
This guidance has been prepared by ALGIM (Aotearoa – New Zealand) and Socitm (UK).
Please submit any comments, suggestions and experiences to:
- Socitm: hello@socitm.net
- ALGIM: ceo@algim.org.nz
Appendix B: Detailed update and changes made to the GenAI usage policy version two
The updates and changes made to the GenAI usage policy reflect the growing maturity of the local government AI landscape, where councils now require comprehensive, lifecycle‑based governance rather than a simple acceptable‑use guide. They respond to the need to maintain public trust by embedding transparency, fairness and accountability as core principles, helping to avoid harm and retain legitimacy in the use of AI.
The revisions also ensure the policy meets evolving legal and regulatory expectations, recognising that national legislation and ICO guidance increasingly require structured and well‑evidenced governance arrangements.
At the same time, the approach supports safe and confident adoption by encouraging staff to use generative AI where it adds value, but within clear, proportionate and well‑understood guardrails.
The updated template also aligns with established cross‑council good practice, drawing on recognised frameworks such as Central Bedfordshire Council’s AI ethics policy, LOTI guidance, LGA procurement advice and Socitm’s work on AI governance.
Comparing version one and version two of the GenAI usage policy
Table 1 sets out the new additions and changes in version two of the policy compared to version one across each section of the policy. It clearly identifies where sections have been newly introduced, renamed, expanded, or removed entirely.
Table 1. Change‑log: Version one versus version two of the GenAI usage policy
| Version one | Version two | Type of change |
| --- | --- | --- |
| N/A | 3. Policy scope | New addition |
| N/A | 4. Tools and services | New addition |
| N/A | 5. Policy ownership | New addition |
| N/A | 6. Roles and responsibilities | New addition |
| N/A | 8.2. Equality impact assessment | New addition |
| N/A | 8.3. Human oversight | New addition |
| N/A | 8.5. Environmental sustainability | New addition |
| N/A | 9. Transparency, explainability and accountability | New addition |
| N/A | 9.2. Documentation and audit logs | New addition |
| N/A | 9.3. Public communication and stakeholder engagement | New addition |
| N/A | 9.3.1. Algorithmic transparency (ATRS) | New addition |
| N/A | 10.1. Data management | New addition |
| N/A | 10.2. Data quality and labelling | New addition |
| N/A | 10.4. Data protection impact assessment | New addition |
| N/A | 11.1. Pre-deployment requirements | New addition |
| N/A | 11.2. Pilot(s) and testing | New addition |
| N/A | 11.3. Deployment and ongoing monitoring | New addition |
| N/A | 11.4. Withdrawal or pause conditions | New addition |
| N/A | 11.5. Operational readiness and handover | New addition |
| N/A | 14. Related policies and guidance | New addition |
| N/A | 15. Training and awareness | New addition |
| 1. Purpose | 1. Policy purpose and objectives; 2. Policy rationale | Expanded and split |
| 2. Use | 7. Use of GenAI (plus permitted and prohibited use subsections) | Substantially expanded, restructured |
| 2.1. Governance | 5. Policy ownership; 6. Roles and responsibilities | Repositioned and expanded into governance architecture |
| 2.3. Vendors | 7.3. Procurement (working with vendors or suppliers) | Renamed and expanded |
| 2.4. Copyright | 8.4. Intellectual property and copyright | Renamed and expanded |
| 2.5. Accuracy | Integrated across: 8.1. Bias and fairness; 8.3. Human oversight; 9.2. Documentation and audit logs | Removed as a standalone section |
| 2.6. Confidentiality | 10.3. Data protection and privacy | Expanded and renamed |
| 2.7. Ethical use | 8. Ethical and responsible use | Renamed and expanded |
| 2.8. Disclosure | 9.1. Disclosure | Expanded significantly |
| 2.9. Integration with other tools | Removed | Removed |
| 3. Risks | 11. Safety and risk management | Renamed and expanded |
| 3.1. Legal compliance | 12. Legal and regulatory compliance | Renamed and expanded |
| 3.2. Bias and discrimination | 8.1. Bias, fairness and inclusion; 8.2. Equality impact assessment | Expanded and relocated |
| 3.3. Security | 10.5. Data security | Renamed and expanded |
| 3.4. Data sovereignty and protection | 10.6. Data sovereignty | Renamed and split from protection |
| 4. Compliance | 13. Monitoring and enforcement | Renamed and expanded |
| 5. Review | 16. Review | Similar purpose but expanded |
| 6. Acknowledgment | 17. Acknowledgment | Retained, lightly updated |
Rationale for changes made to version two of the GenAI usage policy template
The changes made to version two of the policy as outlined in Table 1 reflect the following rationale:
- Stronger governance and accountability: New sections on policy ownership, roles and responsibilities and GenAI authorities establish clear lines of accountability. This supports audit readiness and aligns with expectations that AI must be governed as a high‑risk technology.
- Clearer purpose, rationale and scope: The original single “Purpose” section is replaced with detailed content explaining why the policy exists, how it enables safe and confident use and who and what it applies to.
- Expansion of ethical and responsible use: Ethical use is reframed to include fairness, bias mitigation, inclusion, environmental sustainability, transparency, explainability and disclosure requirements.
- Introduction of risk and impact assessment requirements: Pre-deployment checks, post-deployment testing, DPIAs, equality impact assessments, and risk and ethical impact assessments ensure proportionate safeguards that were not present in the earlier version.
- More robust procurement lifecycle controls: Vendor engagement has been expanded into full lifecycle procurement guidance, covering model updates, retraining, auditability, contractual clauses and change control requirements.
- Expanded data management and privacy expectations: Data governance is now detailed across data management, quality, labelling, privacy, DPIAs, security and sovereignty, aligning with GDPR and the Data Use and Access Act.
- Transparency, documentation and auditability: The new policy requires councils to document and disclose AI use, maintain audit logs and potentially publish Algorithmic Transparency Records, reflecting public expectations and regulatory trends.
- Monitoring, enforcement and review: The strengthened compliance section addresses assurance, incident reporting and disciplinary routes. Annual review is now linked to regulatory changes, risk profile and public interest.
- Greater emphasis on organisational culture and capability: New training and awareness requirements acknowledge that safe AI use depends on skills, understanding and critical judgement, not just policy compliance.