Policy for the use of generative artificial intelligence



1. Policy purpose and objectives 

[Add, remove or amend as appropriate].

This policy template provides a framework to guide the responsible and accountable, ethical, secure, transparent and compliant use of generative artificial intelligence (GenAI) tools and services within [insert your organisation’s name].  

GenAI use must align with these principles:

  • Public benefit and organisational value: GenAI should not be adopted solely to achieve cost savings where this would reduce service quality or create unfair outcomes. Decisions to use GenAI must balance efficiency with maintaining appropriate professional standards, safeguarding, and public trust.
  • Responsible and accountable: GenAI must be used in a way that is fit for purpose and proportionate to risk, with clear human accountability, governance, defined responsibilities and approval processes. 
  • Ethical: GenAI use must be fair, socially responsible and respectful of user dignity and choice. This includes mitigating bias and discrimination, ensuring human oversight, maintaining accuracy, protecting copyright and considering environmental impact.
  • Secure: GenAI use should protect data privacy and security by never compromising the privacy or safety of individuals. 
  • Transparent: GenAI use should be clear, explainable, and accountable, with disclosure of its use and role in decisions to those affected where it is necessary and appropriate.
  • Compliant: GenAI use should align with applicable laws and regulations and organisational policies.  

The rapid advances in GenAI technology mean that any policy governing its use will be in a constant state of development. See the ‘Review’ section.

2. Policy rationale 

[Add, remove or amend as appropriate].

This policy supports the safe, confident and proportionate use of GenAI where it can deliver personal, organisational and public benefit. It sets clear guardrails to enable appropriate adoption, rather than discouraging use. The policy helps [insert your organisation’s name] to maximise the benefits of GenAI while managing risks and unintended consequences, ensuring use is ethical, responsible and accountable, explainable and transparent, secure and compliant, and aligned to [insert your organisation’s] values, goals and service outcomes, such as:

[Optional: Outline how GenAI supports your corporate plan, strategies or GenAI governance authority].

3. Policy scope 

[Add, remove or amend as appropriate].

Please note: This policy focuses on GenAI. Other AI types (e.g., predictive AI, ML, computer vision, robotics, agentic AI) may require additional controls. This policy may be extended accordingly.

This policy applies to all individuals permitted to use GenAI, as defined in the ‘Roles and responsibilities‘ section. This includes staff, elected members, contractors, authorised individuals, developers, vendors, suppliers and delivery partners, hereinafter referred to as ‘users’.

It covers GenAI access on organisation‑owned devices and BYOD (bring your own device) for work purposes. It applies to any GenAI use that processes data with a direct or indirect impact on residents, businesses, staff or operations.

This policy should be read alongside existing organisational policies (see ‘Related policies‘ section) including Acceptable use, Data protection, Equality and diversity, Information governance, Information security, Procurement. Where there is conflict, the stricter requirement applies.

[Optional: Specify departments, services or roles authorised to use GenAI].

4. Tools and services 

[Add, remove or amend as appropriate].

Users must only use approved GenAI tools and services as authorised by [insert GenAI authority within your organisation], including in‑house or supplier/vendor‑provided:

  • Public tools (e.g., OpenAI’s ChatGPT, Anthropic’s Claude, Microsoft’s Copilot, Google’s Gemini): May be used with caution and within a limited scope; no personally identifiable information (PII), confidential, sensitive or protected data unless explicitly authorised under the ‘Data governance, privacy and security’ section.
  • GenAI features in enterprise platforms (e.g., Microsoft 365 Copilot, Netcall, Oracle): Use in line with vendor terms and internal governance or security policies.
  • Internally developed tools / application programming interfaces (APIs) / software development kits (SDKs) (e.g. AI Search and Webchat, Hey Geraldine, Simply Readable): Must be authorised by [insert GenAI authority within your organisation] before use.
  • Procured tools (e.g. Agylisys EHCP tool, Beam Magic Notes, ICS.AI): Must follow ‘Procurement‘ section for further guidance and be authorised by [insert GenAI authority within your organisation].
  • Open-source models developed externally and deployed internally (e.g. Azure Sonic Brief, Consult, Minute): Must be reviewed and approved before use by [insert GenAI authority within your organisation].

Any tool not listed is presumed unauthorised. If unsure or you require permission, contact [insert GenAI authority within your organisation].

5. Policy ownership 

[Add, remove or amend as appropriate].

[Insert GenAI authority within your organisation] owns this policy, and is accountable for enforcement, monitoring, and explainability of GenAI outputs.

[Optional: Add a short monitoring plan with checks, frequency and sign‑off].

Contact: [team or individual], Email: [team or individual email address]

6. Roles and responsibilities 

[Add, remove or amend as appropriate].

Senior leadership / extended leadership team:

  • Champion ethical GenAI adoption.
  • Allocate resource.
  • Provide strategic direction for GenAI initiatives.

GenAI governance authority within your organisation (e.g. AI governance board, GenAI working group, data ethics board, technical design authority), chaired by a senior leader, with representatives from service areas, IT, Data Protection/Information Governance, and Legal:

  • Maintain and enforce the GenAI usage policy, including periodic review informed by assurance, audit findings, incidents and regulatory change.
  • Review, approve and monitor GenAI proposals and deployments.
  • Oversee compliance with laws, regulations and organisational principles.
  • Coordinate training, awareness and stakeholder engagement.
  • Make decisions on reuse, procurement or development of GenAI capabilities.
  • Provide reporting and escalate issues to senior leadership.
  • Oversee algorithmic transparency recording standard (ATRS) submissions in line with GenAI managers.
  • Oversee responses to significant GenAI‑related incidents and support remediation and learning.

Senior information risk owner (SIRO):

  • Lead governance and management of information risks related to GenAI systems.
  • Ensure that proportionate risk management processes, controls and policies are in place.
  • Collaborate with other stakeholders to address potential risks and mitigate any impacts arising from GenAI implementation, e.g. risk and ethical impact assessments.
  • Provide strategic oversight to support responsible and accountable use of GenAI technologies.

Data protection officer (DPO):

  • Oversee and ensure GenAI use complies with data protection regulations.
  • Review and approve Data Protection Impact Assessments (DPIAs) for GenAI projects.
  • Advise on data privacy risks and serve as the point of contact for data subjects and supervisory authorities regarding data protection concerns related to GenAI.
  • Contribute to and review the GenAI policy.

Information governance:

  • Support DPIA reviews and advise on data protection in GenAI contexts.
  • Ensure GenAI implementation aligns with legal and organisational obligations.
  • Provide advice to staff.
  • Contribute to policy development and review.

Legal and compliance:

  • Advise on legal and regulatory implications of GenAI use.
  • Ensure contracts and procurement activities align with legal requirements.
  • Contribute to and review the GenAI policy.
  • Participate in the organisation’s AI and information assurance policy review cycle to ensure continued legal compliance.

Equality, Diversity & Inclusion officer (EDIO):

  • Ensure GenAI use aligns with Equality Duty obligations.
  • Review and approve Equality Impact Assessments (EqIAs) where required.
  • Advise on equality impacts and mitigations.
  • Contribute to the ongoing review of the GenAI policy.

Finance, procurement, commissioners and contract managers:

  • Oversee and approve procurement of GenAI systems and tools.
  • Document decisions for audit.
  • Notify the GenAI governance authority, SIRO and other relevant stakeholders of GenAI procurement requests.
  • Ensure a DPIA is completed prior to implementation (this is a legal requirement for GenAI), followed by an ethical and risk assessment and an EqIA where possible. All assessments must be reviewed and approved by IG and IT.
  • Consider full lifecycle impacts, including model changes, retraining needs, supplier notifications and change control processes.

IT and security:

  • Manage and implement the secure deployment, configuration, integration and maintenance of GenAI systems with existing IT infrastructure.
  • Collaborate with vendors and other stakeholders to address technical issues and provide technical support for GenAI systems as required.
  • Undertake proportionate ongoing monitoring to detect misuse, inappropriate prompts, policy breaches or security risks.
  • Escalate issues to GenAI project leads and the governance authority.
  • Implement technical controls such as data loss prevention or Purview where available and proportionate.
  • Contribute to and review the GenAI policy.

GenAI project leads / managers:

  • Ensure GenAI projects comply with this policy and manage associated risks.
  • Implement assurance requirements defined by the GenAI authority, SIRO, DPO and IT.
  • Complete ATRS, DPIA, EqIA and risk and ethical impact assessments.
  • Define and document monitoring, testing and escalation arrangements during and after deployment.
  • Maintain logs or evidence of testing for higher‑risk or externally facing uses.
  • Document intended use, expected benefits, validation steps, failure modes and recovery routes.

Service or business owners:

  • Define how GenAI is incorporated into service‑specific frameworks or practice models e.g. social care.
  • Ensure GenAI use aligns with statutory duties, safeguarding requirements and professional standards.
  • Participate in reviews of GenAI systems and contribute to risk, ethical and equality assessments.

Human resources (HR):

  • Support change management and people impact assessments for GenAI adoption.
  • Manage staff and union engagement.
  • Support policy enforcement through existing HR procedures.

Staff, elected members, contractors and other authorised individuals:

  • Use GenAI in line with this policy and existing established guidelines and protocols.
  • Review outputs for accuracy and appropriateness.
  • Safeguard data and comply with IG requirements.
  • Disclose GenAI use where required and appropriate.
  • Seek approval before deployment and report issues or concerns.
  • Complete required training.
  • Provide feedback and insights on the effectiveness, usability, and impact of AI technologies.
  • Report any incidents or concerns related to GenAI system performance or safety to the GenAI authority.

Developers, vendors, suppliers and delivery partners:

  • Design, configure and supply GenAI systems in line with this policy and applicable laws.
  • Support transparency, auditability, security, data protection and explainability requirements.
  • Cooperate with DPIA, EqIA and risk assessments.
  • Notify the organisation of material model, data or system changes.
  • Meet contractual obligations for monitoring, assurance and exit arrangements.

[Optional] Learning and development team, digital champions:

  • Deliver training and awareness on safe, ethical, responsible and accountable GenAI use.
  • Ensure learning materials reflect current policy requirements.
  • Promote capability building and peer learning through communities of practice, show and tells or internal guidance.
  • Support staff confidence and critical awareness of GenAI limitations and risks.


7. Use of GenAI 

[Add, remove or amend as appropriate].

Users may use GenAI tools as outlined in ‘Tools and services‘ section. If a tool is not listed, it is unapproved. Before using any unapproved GenAI tools, systems or products for the first time, users must seek permission from the [insert GenAI authority within your organisation] with the following information:  

  • The tool intended for use. 
  • The purpose of use. 
  • The type and classification of data to be input. 
  • The nature of the expected output. 
  • How the output will be used or distributed. 

[Optional: Specify how (procedure/process) to make this notification to the relevant GenAI authority within your organisation].

7.1. Permitted uses 

GenAI tools may be used for work-related tasks, provided they comply with this policy and support the organisation’s values and objectives. All use must reflect principles of fairness and non-discrimination. Approved uses include: 

  • Drafting, summarising or editing documents and communications.
  • Generating content for reports, emails, presentations, images.
  • Writing or reviewing code.
  • Brainstorming and supporting idea generation.
  • Automating repetitive tasks.
  • Enhancing productivity within approved workflows.
  • Improving accessibility by translating content into plain English, producing alternative formats or generating more inclusive communication materials.
  • [Add organisation‑specific approved uses].

7.2. Prohibited uses 

Users must not: 

  • Enter personal, sensitive, special category, confidential or protected information without authorisation and a completed DPIA.
  • Rely on GenAI for critical decisions (e.g., employment, legal, financial, life‑impacting) without human oversight.
  • Generate content that is discriminatory, offensive, misleading or inappropriate.
  • Present outputs as final or authoritative without human validation.
  • Deploy unapproved or untested tools in live environments.
  • Access tools without approved authentication or via personal logins unless permitted.
  • [Add organisation-specific unapproved uses].

If there are any doubts about the appropriateness of using GenAI in a particular situation, users should consult their manager or [insert GenAI authority within your organisation].

7.3. Procurement (working with vendors or suppliers) 

[Add, remove or amend as appropriate]. 

All GenAI procurements must be approved and managed through [insert your organisation’s procurement or finance process] and overseen by [insert GenAI authority within your organisation]. This ensures compliance with organisational governance, financial controls, and ethical standards.

Where material changes occur after procurement that could affect accuracy, bias, ethical considerations or overall risk, these must be subject to appropriate change control, review and, where necessary, reassessment in line with this policy. This may include reviewing contractual change mechanisms, supplier notifications and the need for updated assurance, testing or impact assessments.

Commissioning must follow existing procurement policies and should address GenAI-specific challenges. Use a vendor checklist where available to assess:

  • Ethical compliance.
  • Security and resilience measures.
  • Accessibility and inclusion features.
  • Terms and conditions, including liability and loss clauses.

Any use of GenAI technology in pursuit of [insert your organisation’s name] activities must acknowledge vendor policies, practices, and contractual terms.

As [insert your organisation’s name] remains the data controller for decisions made by GenAI systems, all users and commissioners are responsible and accountable for ensuring vendor alignment with this policy and its clauses, and for upholding ethical and legal obligations throughout the GenAI solution lifecycle.

Where a new GenAI-enabled system, service or process is introduced, this policy must be shared with the supplier or partner, and assurance sought that their solution and practices align with its requirements.


8. Ethical and responsible use 

[Add, remove or amend as appropriate]. 

This section should be read in conjunction with any existing organisational ethics, data ethics or AI ethics frameworks.

Users must support ethical and responsible use of GenAI in such a way that improves the quality, accessibility, and efficiency of public services.

Users should not assume GenAI is the default solution. Its use must be justified and reported on an ongoing basis, considering need, suitability, and a clear assessment of benefits and risks. When assessing benefits, organisations should compare GenAI performance with current practice, rather than an ideal or theoretical standard. Improvements may still be meaningful even where limitations remain.

Users are advised to do the following:

  • Pre‑deployment: To assess fitness for purpose, complete a risk and ethical impact assessment (or equivalent), DPIA, and EqIA where applicable, especially if using or implementing GenAI systems involving high-risk or life-changing decisions.
  • Deployment: See ‘Pre-deployment requirements‘ and ‘Pilot(s) and testing‘ sections.
  • Bias, fairness and inclusion: Classify use as restricted or sensitive (where applicable) based on potential impact on residents, staff and organisations. Document definitions and classification in the project’s impact assessment and review at least annually (see ‘Bias, fairness and inclusion‘ section).
  • Be transparent about GenAI use (see ‘Transparency and explainability‘ section). 
  • Apply human oversight to review or override outputs to ensure they are fair, accurate, and contextually appropriate (see ‘Human oversight‘ section).
  • Seek review from subject matter experts or community representatives where appropriate. 
  • All use of GenAI must be compliant with applicable laws and regulations and organisational policies, see ‘Legal and regulatory compliance‘ section and ‘Related policies‘ section.
  • Post-deployment: If the intended use of GenAI is not supported by evidence of improvement, benefit or savings, or if evidence comes to light that contradicts that GenAI is fit for purpose for the intended use then GenAI should not be further deployed and consideration given to withdrawing the tool or service entirely.


8.1. Bias, fairness and inclusion

[Add, remove or amend as appropriate]. 

Users should make sure that GenAI tools, systems, or products are used and designed in a way that treats all residents, staff, and stakeholders fairly and avoids social bias.

Users must make sure that GenAI does not harm different demographic groups and that everyone receives the same standard of service regardless of differences in demographics. See ‘Equality impact assessment (EqIA)‘ section.

Based on impact to users, [insert GenAI authority within your organisation] or GenAI project leads or managers must establish restricted use and sensitive use cases (e.g. health and social care provision, benefit or housing allocation etc.) for GenAI and if definitions are met these should be documented in an ethical and risk impact assessment.

GenAI tools, systems or products should be reviewed annually, as a minimum, against the definitions for sensitive uses and restricted uses. Definitions for restricted and sensitive use should be set locally by the [insert GenAI authority within your organisation] aligned to organisational risk appetite and statutory obligations.

Attention should be given to data sets to ensure completeness and accuracy and consideration given to further data collection to close gaps. Any data audit activity should be robustly documented. See ‘Documentation and audit logs’ section and ‘Data management’ section.

8.2. Equality impact assessment (EqIA)

[Add, remove or amend as appropriate]. 

To mitigate against bias, GenAI project leads or managers must complete an EqIA or equality analysis [link to your organisation’s EqIA template] to identify what impact or likely impact it will have on different groups within the community.

The assessment must consider if GenAI use poses any discriminatory or negative consequences for a particular group or sector of the community, and to identify areas where equality can be better promoted.

The EqIA applies regardless of whether the GenAI tool is: 

  • Developed in-house.
  • Procured externally.
  • Embedded within a broader system or service. 

It is not required for GenAI projects that: 

  • Do not involve any personal or sensitive data.
  • Are used solely for internal testing, non-personal content generation, or publicly available data.
  • Operate within a fully anonymised or synthetic data environment. 

The EqIA should be completed alongside other required assessments where relevant e.g. DPIA or ethical and risk assessment.

Completed EqIAs must be stored in the [insert your organisation’s appropriate location for EqIAs] and reviewed periodically, especially if the system changes.

If you’re unsure whether an EqIA is required, please consult [insert GenAI authority within your organisation] or the EDIO before proceeding. 

8.3. Human oversight

[Add, remove or amend as appropriate]. 

Users must not rely solely on GenAI. All GenAI outputs must be reviewed and verified for accuracy, fairness, bias and appropriateness before they are used or shared. This is essential where GenAI informs decisions that have significant impact, for example in social care, housing or benefit allocation.

8.3.1. Reviewing and validating outputs

Users should:

  • Refrain from using GenAI outputs if there is any doubt about their reliability.
  • Apply human judgement to interpret results in context.
  • Seek expert input from subject matter specialists for complex or high‑impact cases.
  • Follow clearly defined override procedures where outputs are incorrect, inappropriate or potentially harmful.
  • Ensure that any decision supported by GenAI remains the responsibility of the human decision maker.

8.3.2. Escalation and challenge routes

There must be accessible and documented routes for staff or the public to raise concerns, request human review or challenge outcomes. These routes should align with existing organisational complaints, review or escalation processes.

8.3.3. Assurance and oversight methods

Where real‑time human oversight is not proportionate or feasible, [insert your organisation’s name] should define alternative assurance methods such as periodic sampling, post‑event review, or automated testing. These methods must be proportionate to the level of risk and potential impact.

8.3.4. Automated or agent‑based systems

As GenAI use evolves, including more automated or agent‑based systems, it may not always be practical for humans to review every output in real time. In these cases, [insert your organisation’s name] must ensure appropriate methods are in place to validate outputs, including planned post‑event review, sampling, testing or audit. Lower‑risk or high‑volume uses may rely on periodic checks, while higher‑risk uses require defined pre‑deployment testing, clear override routes and closer ongoing monitoring.

8.3.5. Skills and responsibilities

Operational stakeholders, such as system owners and service teams, must be trained to interpret system behaviour, understand limitations and know when and how to intervene or override. Users must understand their responsibilities and the intended purposes, constraints and behaviours of the systems they manage.

[Optional: Provide detail of procedures or guidance to support consistent implementation of validation, oversight and challenge processes for higher-risk or more automated uses].

8.4. Intellectual property and copyright

[Add, remove or amend as appropriate]. 

Users must adhere to intellectual property and copyright laws when using GenAI. Do not generate or use content that infringes upon the intellectual property rights of others.

If unsure, contact [insert your organisation’s name]’s legal advisor or [insert GenAI authority within your organisation] before proceeding. 

8.5. Environmental sustainability 

[Add, remove or amend as appropriate]. 

Use of GenAI should be purposeful and proportionate. Users should avoid unnecessary or excessive use of GenAI where simpler, less compute‑intensive approaches would meet the need, recognising the environmental impact associated with AI technologies.

Use of GenAI must align with [insert organisation sustainability strategies, policies or values e.g. actively contribute to reducing the organisation’s digital carbon footprint].

When implementing service changes, GenAI project leads or managers should thoroughly assess and document the overall environmental impact, prioritising approaches that minimise computational requirements and reduce officer time, travel, printing, and electricity consumption.

All users should avoid deploying GenAI for tasks where less compute-intensive methods would suffice, such as rule-based automation or traditional analytics. 

Preference should be given to energy-efficient hardware and model architectures, renewable-powered data centres, low carbon cooling or heat recovery systems, and careful consideration of lifecycle effects such as e-waste.

[Insert GenAI authority within your organisation] should seek clarity on the environmental footprint of GenAI services using available tracking tools, dashboards, or disclosures from vendors or suppliers. 

9. Transparency, explainability and accountability

9.1. Disclosure 

[Add, remove or amend as appropriate]. 

Disclosure should be proportionate to impact. Public-facing services, automated decision support and resident-facing interactions must clearly disclose GenAI use. Routine internal use, such as drafting emails or internal documents, does not normally require individual disclosure, provided organisational transparency about GenAI use is maintained.

Where GenAI use involves personal data or resident‑facing services, transparency should be supported through relevant organisational or service‑specific privacy notices published on the organisation’s website.

Where people interact directly with GenAI, for example through chatbots or automated decision support, the service must clearly disclose GenAI involvement, outline capabilities and limitations, and provide routes to human assistance.

As GenAI becomes more integrated across organisational processes, disclosure approaches must remain proportionate and practical. Where GenAI is used in fully or largely automated processes, or where no human is immediately involved, specific disclosure should be provided along with information on how decisions or outputs are documented and reviewed.

Where GenAI supports staff who remain directly involved in the process, [insert your organisation’s name] may choose to provide transparency through a general disclosure statement or webpage, reviewed and updated periodically, instead of including individual disclosures in every correspondence.

[Optional: Detail the approach your organisation takes to raising awareness of GenAI use for the public and stakeholders, including what services use GenAI and who is responsible for governance and oversight].

Example disclosure wording:

“Note: This document contains content or information generated by [GenAI service]. AI‑generated content has been reviewed by the author for accuracy and edited or revised where necessary. The author is responsible for the final content. Where GenAI use involves personal data, further information is provided in the organisation’s relevant privacy notice.”

Disclosure approaches must be reviewed periodically to ensure they remain appropriate as use cases, risk levels and levels of automation change.

9.2. Documentation and audit logs 

[Add, remove or amend as appropriate]. 

Documentation and audit requirements should be proportionate to the risk and impact of the GenAI use. Routine, low-risk activities such as drafting text, summarising meetings or internal brainstorming will not normally require detailed logging.

Higher-risk, sensitive or life-impacting uses will require appropriate records to support transparency, audit, freedom of information (FOI) or data subject access requests (DSAR) obligations.

Users are required to document and keep records of their GenAI usage (interaction data) for purposes of auditing, compliance, and transparency, ensuring it is stored according to retention policies. This may include:

  • Purpose, logic and limitations of GenAI systems.
  • Inputs (prompts).
  • Generated outputs from the GenAI system.
  • Session metadata (timestamps, user IDs, device details).
  • User activity logs (edits, approvals, feedback).

9.3. Public communication and stakeholder engagement 

[Add, remove or amend as appropriate]. 

  • Users must inform and consult with residents and stakeholders where GenAI use impacts them (decisions or recommendations), including capabilities and limitations of GenAI systems, rationale for use and what safeguards are in place to mitigate risk.
  • [Insert GenAI authority within your organisation] or GenAI project leads or managers must provide contact routes for feedback, complaints, and requests for human review.
  • [Insert GenAI authority within your organisation] or GenAI project leads or managers must publish transparency reports on GenAI usage and impact assessments where feasible.

9.3.1. Algorithmic transparency recording standard (ATRS)

[Insert GenAI authority within your organisation] or GenAI project leads or managers may wish to complete an ATRS for publication on the GOV.UK ATRS public repository. It is completely voluntary and exists to establish a standardised way for public sector organisations to publish information openly about how and why they are using algorithmic tools to support decisions.

Related resource: Algorithmic Transparency Recording Standard Hub (Government Digital Service)

10. Data governance, privacy and security

10.1. Data management

[Add, remove or amend as appropriate]. 

[Data management practices may be covered in existing data governance and management policies or guidance].

[Insert GenAI authority within your organisation alongside IT, information governance and relevant service leads] will establish robust mechanisms for the review and oversight of data usage to ensure compliance with legal requirements and responsible and accountable practices. This includes:

  • All GenAI systems must adhere to appropriate data governance and management practices [insert hyperlink to relevant guidance].
  • Data requirements for intended system uses must be approved by service areas or users and relevant stakeholders where the system will be deployed.
  • Procedures for data collection and processing must be clearly defined and documented. See ‘Documentation and audit logs’ section.
  • Data sets must be evaluated using methods specified in initial requirements, aligned with the intended purpose.
  • Where existing data sets are used, their quantity and quality must be endorsed and approved by relevant stakeholders and service area leads.
  • Data governance expertise will support privacy, transparency and contestability measures, including additional cyber security and governance controls to address heightened public interest and risk.

10.2. Data quality and labelling

Users must maintain data quality and labelling to ensure GenAI outputs remain reliable. To ensure this, where GenAI is trained or fine-tuned on local datasets, GenAI project leads or managers should:

  • Collect data lawfully, fairly and transparently.
  • Minimise data to what is strictly necessary.
  • Apply storage/retention limits to datasets and outputs.
  • Archive decision and access logs securely for auditability.

10.3. Data protection and privacy 

[Add, remove or amend as appropriate]. 

Users must not input confidential, sensitive or classified information, personal data (PII), special category data (e.g. health, ethnicity, biometrics) or confidential business information (collectively referred to in this policy as ‘private data’) into GenAI tools unless explicitly authorised to do so and the use is compliant with the UK GDPR, the Data Protection Act 2018 and internal policies.

If authorised, only anonymised or pseudonymised data should be used unless there is explicit consent or a valid legal basis. 

Users may only process private data within authorised GenAI environments if approved by [insert GenAI authority within your organisation]. 

If a user has any doubt about the confidentiality of information, they should not use GenAI and should seek further guidance from the IT security and information governance teams.  

10.4. Data protection impact assessment (DPIA)

[Add, remove or amend as appropriate]. 

A DPIA is not required for GenAI projects that: 

  • Do not involve any personal or sensitive data.
  • Are used solely for internal testing or non-personal content generation, or use only publicly available data.
  • Operate within a fully anonymised or synthetic data environment. 

All users must complete a DPIA [link to your organisation’s DPIA template] before using GenAI to process, collect or generate private data regardless of whether the GenAI tool is: 

  • Developed in-house.
  • Procured externally.
  • Embedded within a broader system or service. 

The DPIA should be completed alongside other required assessments where relevant e.g. EqIA or risk and ethical impact assessment.

Completed DPIAs must be stored in the [insert your organisation’s appropriate location for DPIAs] and reviewed periodically, especially if the system changes.

If you’re unsure whether a DPIA is required, please consult [insert GenAI authority within your organisation] or the DPO before proceeding. 


10.5. Data security   

[Add, remove or amend as appropriate]. 

Users must ensure that data input into GenAI tools is secure and protected by using approved GenAI tools only (see ‘Tools and services’ section). GenAI integration with internal systems also requires prior approval before use. 

[Insert GenAI authority within your organisation] and IT Security must assess the technical protections and security certification before use to ensure:

  • GenAI tools and datasets are protected against unauthorised access or tampering. 
  • Access rights are assigned based on role, responsibility, and the principle of least privilege. 
  • Regular security audits and penetration tests are conducted to identify and mitigate vulnerabilities. 

If a user has any doubt about the security of information input into GenAI, they should not use GenAI.  

10.6. Data sovereignty 

[Add, remove or amend as appropriate]. 

Users must comply with data sovereignty rules and ensure that any data created or collected using GenAI complies with the relevant laws of the originating country. 

Prior to use, [insert GenAI authority within your organisation] should assess GenAI service providers (e.g. Google, Microsoft, OpenAI) for their data sovereignty practices. This includes: 

  • Regional hosting and enterprise-grade controls: Check whether the provider offers regional hosting options, data residency guarantees, or enterprise-grade governance tools.  
  • Data residency and storage location: Understand where data is stored and processed.  
  • Data access and control: Evaluate who can access your data and under what circumstances.  
  • Privacy commitments and regulatory alignment: Review how the GenAI provider aligns with privacy regulations.  
  • Security governance tools: Assess the availability of tools for managing data security.  
  • Shared responsibility model: Understand the division of responsibilities between the provider and the customer.  

A DPIA must be completed before deploying GenAI services that process personal or sensitive data (see ‘Data protection impact assessment’ section).

11. Safety and risk management

[Add, remove or amend as appropriate]. 

GenAI project leads or managers must conduct a comprehensive risk and ethical impact assessment for any project or process proposing GenAI use. This assessment must identify and mitigate potential impacts on residents, staff or other stakeholders, and ensure operational readiness and resilience.

11.1. Pre-deployment requirements

Before any deployment of GenAI systems or tools, GenAI project leads or managers in partnership with the relevant individuals must complete all required assessments, including risk and ethical impact assessments, DPIAs and EqIAs where relevant. These assessments must establish intended uses, expected benefits, data requirements, risks, mitigation measures and the circumstances in which deployment would not be appropriate.

[Insert GenAI authority within your organisation] must define success criteria, guardrails and approval conditions to determine when GenAI deployments are suitable for use.

11.2. Pilot(s) and testing

Before moving to full deployment, GenAI project leads or managers must conduct pilot(s) to test accuracy, reliability, resilience and fitness for purpose. Pilot(s) must:

  • Use clearly defined success criteria.
  • Test input quality, validation steps and known failure modes.
  • Identify operational ranges in which the system performs reliably.
  • Document issues and remedies identified during testing.

GenAI project leads or managers must maintain an appropriate audit trail of testing and assurance activity for higher‑risk, sensitive or externally facing uses. This includes test scenarios, results, decisions and any corrective actions taken.

Deployment must only proceed when evidence demonstrates that GenAI provides a benefit for the intended use. If evidence is insufficient, unclear or contradicts intended use, [insert your organisation’s name] must halt deployment and consider withdrawing the tool or service.

11.3. Deployment and ongoing monitoring

Monitoring arrangements must be proportionate to the potential impact of incorrect outputs and must be reviewed if the system, data or intended use changes. [Insert GenAI authority within your organisation] should track performance, monitor for unintended consequences and ensure that issues are escalated and addressed promptly.

Where model updates, data changes or configuration changes occur, project leads must review whether reassessment, additional testing or updated assurance is required.

11.4. Withdrawal or pause conditions

Post‑deployment, if evidence shows that the intended use is not delivering the expected improvement, benefit or savings, or if risks emerge that cannot be mitigated, GenAI should not continue to be deployed. [Insert your organisation’s name] must be prepared to pause, adjust or withdraw GenAI systems where required.

11.5. Operational readiness and handover

Following successful pilot(s) and prior to deployment, GenAI project leads or managers, in collaboration with the [insert GenAI authority within your organisation], must ensure appropriate operational handover arrangements are in place. 

This must ensure that system owners and relevant service teams are able to use, manage and oversee the GenAI system in live environments. Handover must include: 

  • Clear documentation of system purpose, scope, limitations and expected outcomes. 
  • Defined roles and responsibilities for system ownership, oversight and escalation. 
  • Guidance on interpreting outputs, applying human oversight and managing exceptions. 
  • Instructions for monitoring performance, identifying issues and initiating corrective action. 
  • Established support arrangements, including contact points for technical, data protection and governance queries. 

Handover arrangements must be proportionate to the level of risk and complexity of the use case. For higher‑risk or externally facing systems, this must include structured walkthroughs, scenario‑based testing and confirmation that teams can operate the system safely and effectively prior to go‑live. 

Ongoing organisational training, awareness and capability development is addressed in the Training and awareness section.


[Add, remove or amend as appropriate]. 

Given the recent emergence of GenAI technology, legal frameworks for GenAI are still being developed. However, existing legislation should be considered when designing and using GenAI:

If unsure about compliance, contact [insert GenAI authority within your organisation].

[Insert GenAI authority within your organisation] must stay informed of evolving AI-specific regulations and guidelines, adapting policy and controls promptly. 

Related resource: Whilst not part of the UK legal framework, the EU’s AI Act is likely to influence providers and applications of AI across all industries and geographies.

13. Monitoring and enforcement  

[Add, remove or amend as appropriate]. 

Users must report any GenAI-related concerns, incidents, breaches or violations of this policy immediately to the [insert GenAI authority within your organisation] and [insert IT/Cyber/Information security team]. 

Regular audits of GenAI systems and projects will be conducted to assure compliance and performance.

  • Non-compliance may result in disciplinary action under HR policies and procedures.
  • Lessons learned will inform policy and process updates.

This policy should be read alongside existing organisational policies, strategies, standards and guidance relating to AI, data, digital, information governance and emerging technologies.

Where [insert your organisation’s name] already has AI specific policies, principles, standards, ethical frameworks or governance arrangements in place, these remain authoritative and should be applied alongside this policy. This policy is intended to complement and operationalise those arrangements for the use of GenAI, rather than replace them.

In the event of any inconsistency between this policy and other organisational policies or guidance, the stricter requirement applies.

Users should ensure that their use of GenAI also complies with the organisation’s existing policies and guidance, including, where applicable:

[Insert hyperlinks to your organisation’s relevant policies]: 

  • Artificial intelligence, automation or digital strategies, policies, standards or guidance
  • Codes of conduct and organisational ethics or data ethics frameworks
  • Data protection and privacy policy
  • Information governance policy
  • Records management and retention policy
  • Information security policy
  • IT acceptable use policy
  • Equality and diversity policy
  • Environmental sustainability policy
  • Procurement and contract management policy
  • Incident management and reporting policy

15. Training and awareness

[Add, remove or amend as appropriate]. 

Users will receive mandatory training (with periodic refresh) on safe, ethical, responsible, accountable and compliant GenAI use. For example, prompt writing, applying oversight, bias checks, disclosure and handling sensitive data.

Role-specific training will also be required for GenAI project leads or managers, developers, legal, HR and customer services staff. For example, managing and interpreting outputs, when and how to override procedures, and explaining AI-assisted decisions.

Awareness campaigns will also keep staff informed of updates and best practices. For example, communities of practice, show and tells, prompt libraries and update bulletins.


16. Review

[Add, remove or amend as appropriate]. 

This policy and all GenAI systems and associated DPIAs, EqIAs and risk and ethical impact assessments must be reviewed at least annually, and earlier where there are significant changes to models, vendors, data, use cases or regulation.

The review process should involve relevant assurance functions, including information governance, the SIRO, data protection officer and legal, to ensure continued compliance and proportionality.

17. Acknowledgment

[Add, remove or amend as appropriate]. 

By using GenAI, users acknowledge they have read and understood this policy and accept responsibility for ensuring that GenAI assisted work complies with it.