Governance & Strategy · for leaders & councils
Staff AI Acceptable Use Policy
A Staff AI Acceptable Use Policy sets out the rules and expectations for everyone in your organisation using AI tools at work. It defines what AI can be used for, what is strictly prohibited, what data must never be entered into AI tools, how to verify outputs, and how to report concerns. Without it, one staff member can create a serious compliance incident and you have no documented defence: SAP and Oxford Economics research published in February 2026 found 68% of UK organisations have staff using unapproved AI tools at least occasionally, and ICO fines reach £17.5 million for GDPR breaches caused by AI misuse.
Why your organisation needs this policy
Staff are already using AI tools - whether you know about it or not. ChatGPT, Copilot, Gemini. They are inputting client data, drafting contracts and responding to complaints. Without a formal policy, your organisation has no legal standing, no audit trail and no protection under UK GDPR.
68% of UK organisations have staff using unapproved AI tools at least occasionally - that figure comes from SAP and Oxford Economics research published in February 2026. The maximum ICO fine for GDPR breaches caused by AI misuse is £17.5 million. The number of UK legal defences available without a documented AI policy is zero. A clear, signed policy is the cheapest protection you can put in place.
What this policy covers
The policy is designed to be issued alongside AI literacy training and read before any staff member uses an AI tool for work. It is a practitioner document, not a legal disclaimer.
- What AI tools can be used for
- What is strictly prohibited
- Data you must never enter into AI
- How to verify AI outputs
- Reporting concerns and incidents
- Staff acknowledgement requirements
Permitted uses
The following uses of approved AI tools are permitted without requiring additional authorisation. The list is meant to give staff a clear green light for everyday productivity work.
- Drafting and editing documents using non-confidential information
- Summarising publicly available or internal-only documents
- Generating ideas, outlines and first drafts for review
- Formatting, proofreading and improving existing text
- Answering general knowledge questions for your own learning
- Creating meeting summaries from notes you have already anonymised
- Generating templates and frameworks for internal use
Strictly prohibited uses
These actions are prohibited and may result in disciplinary action. The list is short on purpose so staff can remember it.
- Entering client names, contact details or personal data into any AI tool
- Sharing confidential organisational strategies or financial data
- Using AI to make final HR decisions (recruitment, performance, dismissal)
- Publishing AI-generated content without human review and approval
- Presenting AI-generated work as your own expert opinion without verification
- Using unapproved AI tools for any work purpose
- Using AI to create deceptive, misleading or harmful content
Data you must never enter into AI tools
These categories must never be entered into AI tools unless the tool has been specifically approved for that data type and a DPIA has been completed.
- Personal data - names, addresses, email addresses, phone numbers, national insurance numbers, dates of birth, medical information, or any information that could identify a living individual.
- Client information - company names, contacts, contract details, commercial terms, pricing, strategic plans or anything provided in confidence by clients.
- Financial data - bank account details, payroll information, financial forecasts, unreported trading results or commercially sensitive financial information.
- Legal matters - details of ongoing litigation, legal advice received, settlement terms, regulatory investigations or commercially sensitive legal strategy.
- Staff information - performance records, disciplinary matters, salary information, health conditions or any HR data about named individuals.
- Passwords and access credentials - system passwords, API keys, access tokens, security codes or any authentication credentials for organisational systems.
Verifying AI outputs
AI tools can produce plausible-sounding information that is factually incorrect. This is known as hallucination. Staff are responsible for verifying any AI-generated content before using it.
Always verify statistics, research findings, legal or regulatory requirements, technical specifications, dates and any factual claims. Do not use AI-generated legal or medical advice, financial calculations, compliance statements or any externally published content without review by a qualified professional. For regulated activities, document that AI was used and that outputs were verified - keep records as you would for any other professional process.
Reporting concerns and incidents
If staff encounter any of the situations below, they must report it immediately. The point of the table is to remove ambiguity about who to contact and how fast.
| Situation | Who to contact | Timescale |
|---|---|---|
| You accidentally entered personal or confidential data into an AI tool | Your manager and the Data Protection Officer | Immediately (within 1 hour) |
| An AI tool produced output you believe is biased or discriminatory | Your AI Champion and HR | Within 24 hours |
| AI-generated content was used in a client deliverable without proper verification | Your manager | Within 24 hours |
| A colleague is using an unapproved AI tool or using AI in a prohibited way | Your AI Champion or manager | Within 48 hours |
| You are unsure whether a planned use of AI is permitted under this policy | Your AI Champion | Before proceeding |
Implementing the policy in five steps
A policy without implementation is just paper. The sequence below is the one Simon walks UK clients through; allow about five working days for the legal review cycle.
- Adapt the policy to your organisation. Replace [Organisation Name] throughout, review each section against existing IT and HR policies, and add any sector-specific requirements (NHS DSP Toolkit, council procurement rules).
- Get sign-off from HR, Legal and your DPO. The policy intersects with employment law, data protection and IT security, so all three need to review before issue.
- Communicate to all staff with a briefing. Send the policy alongside a plain-English briefing note and host a 30-minute all-hands Q&A. Every employee acknowledges receipt in writing.
- Train your team to use AI correctly. A policy without training is just paper. Cover staff-level, champion-level and board briefings.
- Review annually or after any AI incident. AI evolves fast - set a calendar reminder for a 12-month review or trigger one immediately after any AI-related incident, and update the version number each time.
Staff acknowledgement
All staff with access to approved AI tools sign an acknowledgement confirming they have read, understood and will comply with the policy. The acknowledgement is renewed annually and after any material policy update, and records are retained by HR.
The standard wording is: "I confirm that I have read and understood the [Organisation Name] Staff AI Acceptable Use Policy. I understand my responsibilities regarding the safe, ethical and compliant use of AI tools in my work. I agree to comply with this policy and to report any concerns, incidents or breaches in accordance with the reporting requirements set out above."
Take the next step
Want help applying this to your organisation? Use the resource below or book a 30 minute strategy call with Simon — no pitch, just practical advice.
Frequently asked questions
Because data protection policies were written before AI deployment was a daily reality. They cover lawful basis, retention and breach response, but they do not address what categories of data can be entered into which AI tools, how outputs must be verified, or how staff escalate an AI-specific incident. A standalone AI acceptable use policy sits alongside your data protection policy and references it. Without the AI-specific document, you are relying on individual staff judgement across your whole workforce, which is exactly how incidents happen.
Around four to six weeks for a typical UK organisation. Allow five working days for HR, Legal and DPO review, then a week or two to brief staff and run a 30-minute Q&A, then a fortnight to collect signed acknowledgements and integrate the policy into onboarding. Training the team on what good AI use actually looks like is a parallel workstream - staff-level, champion-level and board briefings can run concurrently. The bottleneck is almost always the legal review cycle, not the policy itself.
Anything that could identify a living individual, directly or indirectly. Names, addresses, email addresses, phone numbers, national insurance numbers, dates of birth and medical information are obvious. Less obvious examples include staff performance notes, customer complaint details and the contents of internal HR cases. The rule the policy enforces is simple: unless the AI tool has been specifically approved for that data type and a DPIA has been completed, the data does not go in. It is easier to remember a hard line than a sliding scale.
HR, Legal and the Data Protection Officer at minimum. The policy intersects with employment law, data protection obligations and IT security controls, so all three need to review and approve. In a council or regulated business, add the relevant compliance officer. Allow five working days for the review cycle. Do not skip this step - without documented sign-off the policy carries less weight if you ever have to defend it to the ICO or in a tribunal.
At least every twelve months, and immediately after any AI-related incident or material change to the tools you use. AI capabilities evolve faster than annual policy cycles can track, so a six-month informal review is sensible too. Update the version number and the redistribution date each time. Records of review and reissue are part of what an ICO investigator or external auditor will look for if anything ever goes wrong.
The policy itself sets out that breach may result in disciplinary action, handled through your normal HR process. The more important question is whether the breach is also a UK GDPR data incident - entering client personal data into an unapproved AI tool almost certainly is. In that case the staff member reports immediately to their manager and the DPO, the incident is logged, and you assess within 72 hours whether ICO notification is required. Disciplinary action does not transfer the regulatory liability away from the organisation.
Related resources
Governance & Strategy
Shadow AI Risk
68% of UK organisations have staff using unauthorised AI. The GDPR exposure, why blanket bans fail, and three actions you can take this week.
Governance & Strategy
Minimum AI Policy Set
The five governance documents every UK SME and council needs before scaling AI: acceptable use, data protection, vendor evaluation, incidents, register.
Governance & Strategy
AI Governance Policy Template
Without a written policy, you can't tell an auditor what's allowed, demonstrate Article 22 oversight, or fairly discipline staff who paste client data into a public chatbot. This template gives UK organisations eight core sections to adapt.
Governance & Strategy
Prompt Injection Risk
Prompt injection is an active attack on enterprise AI. Learn where your organisation is exposed and the technical and governance controls that contain it.
Governance & Strategy
Board-Level AI Policy Contents
The six elements a board-level AI policy must contain: scope, accountability, permitted use, risk classification, incident response and a real review cycle.
Find Out Where AI Can Save or Generate Money in Your Organisation
Book a free 30-minute call with Simon. Bring a real problem - staff time, governance worry, vendor proposal, failing pilot - and leave with a concrete first step you can take next week.
