AI-Si.com

AI Readiness and Governance Framework for UK Public Sector Organisations

A UK public sector organisation is ready to adopt AI responsibly when AI use supports defined public outcomes, risks are identified and controlled, data governance is documented, decisions are auditable, and procurement is structured. This framework sets out twelve areas — strategy, use case prioritisation, data governance, people, technology, risk, procurement, compliance, delivery, measurement, funding and continuous oversight — built for UK GDPR, the Data Protection Act 2018, ICO obligations and the AI Act as it applies to public sector deployments.

The five standards every initiative must meet

AI in government is not about tools. It is about control, accountability, and public trust. Every AI decision in a public sector context carries weight that the private sector does not face in the same way. Get it wrong and the reputational, legal and political consequences are serious.

Before approval, every AI initiative is assessed against five standards. These set the floor for any deployment, regardless of size or risk classification.

  • Transparency: citizens and staff can understand how AI-influenced decisions are made.
  • Accountability: a named individual is responsible for each AI system and its outputs.
  • Fairness: systems are tested for bias across protected characteristics.
  • Security: data is protected in compliance with UK GDPR and departmental security policy.
  • Value for money: AI investment is justified by measurable public benefit.

Strategy, use cases and prioritisation

AI must serve defined policy objectives. Adopting AI because other departments are doing it is not a strategy. Every initiative requires a clear line of sight to a service improvement, an efficiency target, or a risk reduction outcome. Document the policy objective, the measurable indicators, the efficiency target tied to spending review commitments, and the public value outcome.

Not all use cases carry equal risk. A chatbot answering parking queries sits in a different risk category to an AI system scoring benefit eligibility. Prioritise on processing volume, citizen interaction risk, data sensitivity and implementation feasibility. Avoid starting with the most complex cases.

Data governance and people

Public sector data governance is non-negotiable. Failures here carry ICO enforcement risk, ministerial accountability and public trust damage. This work is led by the Data Protection Officer. Before any AI deployment, establish data ownership, classification, role-based access with audit logging, and retention policies aligned to AI system lifecycles. Compliance covers UK GDPR Articles 5, 13, 14 and 22, the Data Protection Act 2018, ICO guidance on AI and departmental information security policy.

AI literacy cannot be optional. Staff who do not understand what AI can and cannot do will either over-trust outputs or refuse to use them. Both waste the investment. Train at two levels: broad AI literacy for all affected staff, and specialist capability for those owning or procuring systems.

Technology, risk and procurement

Shadow IT is the single biggest governance risk in public sector AI adoption. Staff finding and using AI tools without authorisation creates data handling risks that cannot be retrospectively managed. Maintain an approved tool list and prohibit use of public AI tools — ChatGPT, Copilot, Gemini — with unpublished policy data, personal data or commercially sensitive information.

Every AI deployment needs a governance owner accountable for the system performing as intended and for any decisions it influences. Procurement uses compliant routes such as G-Cloud and Crown Commercial Service frameworks where applicable, with vendor due diligence, model transparency, exit risk assessment and contract terms covering data ownership, liability and audit rights.

Compliance, delivery and measurement

AI deployments in the public sector face scrutiny from internal audit, external inspectorates, parliamentary questions and FOI requests. Legal compliance review happens before any deployment goes live. A DPIA is completed for all personal data processing. An equality impact assessment is required where AI affects service access or eligibility.

A phased approach is the only responsible way to introduce AI into public services. Pilot for four to eight weeks with a defined user group, strict monitoring and clear success criteria. Evaluate independently. Scale only on pilot evidence. Measure cost savings, service improvement and risk reduction in plain English — the metrics citizens and stakeholders can understand.

Funding, business case and continuous oversight

AI investment in the public sector must survive spending review scrutiny. A business case built on vendor claims will not hold up. Build yours on measurable baselines, realistic efficiency projections and honest risk assessment. Include current cost and performance, projected savings with evidence from comparable deployments, full implementation cost and a realistic payback period.

AI systems drift. A system that performs well at launch may produce different outputs twelve months later as the underlying model updates or the data environment changes. Schedule reviews at minimum quarterly for citizen-facing systems. Update governance to reflect legislative and ICO changes. Track output quality and flag drift. Frontline staff often spot AI failures before monitoring systems do.

Government AI readiness checklist

Use the checklist as the standing agenda for your AI steering group. Each item maps to one of the twelve framework areas and to a specific evidence artefact you should be able to produce on request.

Area: what good looks like

  • Strategy: AI initiatives aligned to policy objectives and spending review planning, with measurable outcomes per initiative.
  • Use cases: prioritised on impact and risk, feasibility assessed, risk classification assigned to each.
  • Data governance: data ownership defined, classification documented, UK GDPR and DPA 2018 compliance confirmed, DPIAs completed for personal data processing.
  • People and skills: broad AI literacy delivered to affected staff, specialist capability identified, acceptable use policies communicated.
  • Technology: infrastructure assessed, security posture confirmed, approved tools list maintained.
  • Governance and risk: approval processes per risk level, AI risk framework, audit capability tested, bias assessment process defined, incident response in place.
  • Procurement: compliant routes identified, vendor due diligence applied, contracts cover ownership, liability and audit rights.
  • Compliance and assurance: legal review before deployment, internal audit alignment confirmed, external scrutiny readiness assessed.
  • Delivery: phased pilot approved, success criteria documented, outcomes tracked and reported.
  • Value and measurement: metrics defined before deployment, reporting in place, value expressed in citizen terms.
  • Funding: business case based on measurable baselines, cost projections independent of vendor claims, realistic payback documented.
  • Continuous oversight: scheduled reviews for live systems, governance updated to legislative changes, staff feedback loops embedded.

Take the next step

Want help applying this to your organisation? Use the resource below or book a 30 minute strategy call with Simon — no pitch, just practical advice.
