Why do we need a separate AI policy if we already have a data protection policy?

Because data protection policies were written before AI deployment was a daily reality. They cover lawful basis, retention and breach response, but they do not address what categories of data can be entered into which AI tools, how outputs must be verified, or how staff escalate an AI-specific incident. A standalone AI acceptable use policy sits alongside your data protection policy and references it. Without the AI-specific document, you are relying on individual staff judgement across your whole workforce, which is exactly how incidents happen.

How long does it take to roll this policy out properly?

Around four to six weeks for a typical UK organisation. Allow five working days for HR, Legal and DPO review, then a week or two to brief staff and run a 30-minute Q&A, then a fortnight to collect signed acknowledgements and integrate the policy into onboarding. Training the team on what good AI use actually looks like is a parallel workstream — staff-level, champion-level and board briefings can run concurrently. The bottleneck is almost always the legal review cycle, not the policy itself.

What counts as personal data we must never enter into AI tools?

Anything that could identify a living individual, directly or indirectly. Names, addresses, email addresses, phone numbers, national insurance numbers, dates of birth and medical information are obvious. Less obvious examples include staff performance notes, customer complaint details and the contents of internal HR cases. The rule the policy enforces is simple: unless the AI tool has been specifically approved for that data type and a DPIA has been completed, the data does not go in. It is easier to remember a hard line than a sliding scale.

Who should sign off the policy before we issue it?

HR, Legal and the Data Protection Officer at minimum. The policy intersects with employment law, data protection obligations and IT security controls, so all three need to review and approve. In a council or regulated business, add the relevant compliance officer. Allow five working days for the review cycle. Do not skip this step — without documented sign-off the policy carries less weight if you ever have to defend it to the ICO or in a tribunal.

How often should the policy be reviewed?

At least every twelve months, and immediately after any AI-related incident or material change to the tools you use. AI capabilities evolve faster than annual policy cycles can track, so a six-month informal review is sensible too. Update the version number and the redistribution date each time. Records of review and reissue are part of what an ICO investigator or external auditor will look for if anything ever goes wrong.

What happens if a member of staff breaches the policy?

The policy itself sets out that breach may result in disciplinary action, handled through your normal HR process. The more important question is whether the breach is also a UK GDPR data incident — entering client personal data into an unapproved AI tool almost certainly is. In that case the staff member reports immediately to their manager and the DPO, the incident is logged, and you assess within [72 hours whether ICO notification is required](https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/). Disciplinary action does not transfer the regulatory liability away from the organisation.

Governance & Strategy · for leaders & councils

Staff AI Acceptable Use Policy

A Staff AI Acceptable Use Policy sets out the rules and expectations for everyone in your organisation using AI tools at work. It defines what AI can be used for, what is strictly prohibited, what data must never be entered into AI tools, how to verify outputs, and how to report concerns. Without it, one staff member can create a serious compliance incident and you have no documented defence: SAP and Oxford Economics research published in February 2026 found 68% of UK organisations have staff using unapproved AI tools at least occasionally, and ICO fines reach £17.5 million for GDPR breaches caused by AI misuse.

Why your organisation needs this policy

Staff are already using AI tools — whether you know about it or not. ChatGPT, Copilot, Gemini. They are inputting client data, drafting contracts and responding to complaints. Without a formal policy, your organisation has no legal standing, no audit trail and no protection under UK GDPR.

68% of UK organisations have staff using unapproved AI tools at least occasionally — that figure comes from SAP and Oxford Economics research published in February 2026. The maximum ICO fine for GDPR breaches caused by AI misuse is £17.5 million. The number of UK legal defences available without a documented AI policy is zero. A clear, signed policy is the cheapest protection you can put in place.

What this policy covers

The policy is designed to be issued alongside AI literacy training and read before any staff member uses an AI tool for work. It is a practitioner document, not a legal disclaimer.

What AI tools can be used for
What is strictly prohibited
Data you must never enter into AI
How to verify AI outputs
Reporting concerns and incidents
Staff acknowledgement requirements

Permitted uses

The following uses of approved AI tools are permitted without requiring additional authorisation. The list is meant to give staff a clear green light for everyday productivity work.

Drafting and editing documents using non-confidential information
Summarising publicly available or internal-only documents
Generating ideas, outlines and first drafts for review
Formatting, proofreading and improving existing text
Answering general knowledge questions for your own learning
Creating meeting summaries from notes you have already anonymised
Generating templates and frameworks for internal use

Strictly prohibited uses

These actions are prohibited and may result in disciplinary action. The list is short on purpose so staff can remember it.

Entering client names, contact details or personal data into any AI tool
Sharing confidential organisational strategies or financial data
Using AI to make final HR decisions (recruitment, performance, dismissal)
Publishing AI-generated content without human review and approval
Presenting AI-generated work as your own expert opinion without verification
Using unapproved AI tools for any work purpose
Using AI to create deceptive, misleading or harmful content

Data you must never enter into AI tools

These categories must never be entered into AI tools unless the tool has been specifically approved for that data type and a DPIA has been completed.

Personal data — names, addresses, email addresses, phone numbers, national insurance numbers, dates of birth, medical information, or any information that could identify a living individual.
Client information — company names, contacts, contract details, commercial terms, pricing, strategic plans or anything provided in confidence by clients.
Financial data — bank account details, payroll information, financial forecasts, unreported trading results or commercially sensitive financial information.
Legal matters — details of ongoing litigation, legal advice received, settlement terms, regulatory investigations or commercially sensitive legal strategy.
Staff information — performance records, disciplinary matters, salary information, health conditions or any HR data about named individuals.
Passwords and access credentials — system passwords, API keys, access tokens, security codes or any authentication credentials for organisational systems.

Verifying AI outputs

AI tools can produce plausible-sounding information that is factually incorrect. This is known as hallucination. Staff are responsible for verifying any AI-generated content before using it.

Always verify statistics, research findings, legal or regulatory requirements, technical specifications, dates and any factual claims. Do not use AI-generated legal or medical advice, financial calculations, compliance statements or any externally published content without review by a qualified professional. For regulated activities, document that AI was used and that outputs were verified — keep records as you would for any other professional process.

Reporting concerns and incidents

If staff encounter any of the situations below, they must report it immediately. The point of the table is to remove ambiguity about who to contact and how fast.

Situation	Who to contact	Timescale
You accidentally entered personal or confidential data into an AI tool	Your manager and the Data Protection Officer	Immediately (within 1 hour)
An AI tool produced output you believe is biased or discriminatory	Your AI Champion and HR	Within 24 hours
AI-generated content was used in a client deliverable without proper verification	Your manager	Within 24 hours
A colleague is using an unapproved AI tool or using AI in a prohibited way	Your AI Champion or manager	Within 48 hours
You are unsure whether a planned use of AI is permitted under this policy	Your AI Champion	Before proceeding

Implementing the policy in five steps

A policy without implementation is just paper. The sequence below is the one Simon walks UK clients through; allow about five working days for the legal review cycle.

Adapt the policy to your organisation. Replace [Organisation Name] throughout, review each section against existing IT and HR policies, and add any sector-specific requirements (NHS DSP Toolkit, council procurement rules).
Get sign-off from HR, Legal and your DPO. The policy intersects with employment law, data protection and IT security, so all three need to review before issue.
Communicate to all staff with a briefing. Send the policy alongside a plain-English briefing note and host a 30-minute all-hands Q&A. Every employee acknowledges receipt in writing.
Train your team to use AI correctly. A policy without training is just paper. Cover staff-level, champion-level and board briefings.
Review annually or after any AI incident. AI evolves fast — set a calendar reminder for a 12-month review or trigger one immediately after any AI-related incident, and update the version number each time.

Staff acknowledgement

All staff with access to approved AI tools sign an acknowledgement confirming they have read, understood and will comply with the policy. The acknowledgement is renewed annually and after any material policy update, and records are retained by HR.

The standard wording is: "I confirm that I have read and understood the [Organisation Name] Staff AI Acceptable Use Policy. I understand my responsibilities regarding the safe, ethical and compliant use of AI tools in my work. I agree to comply with this policy and to report any concerns, incidents or breaches in accordance with the reporting requirements set out above."

Take the next step

Want help applying this to your organisation? Use the resource below or book a 30 minute strategy call with Simon — no pitch, just practical advice.

Frequently asked questions

Related resources

Governance & Strategy

Find Out Where AI Can Save or Generate Money in Your Organisation

Book a free 30-minute call with Simon. Bring a real problem — staff time, governance worry, vendor proposal, failing pilot — and leave with a concrete first step you can take next week.

07973 210 895