Published: January 2025

This note aims to provide some practical guidance and next steps for organisations that are starting to explore /or implement the use of generative AI tools.

General questions to consider below include:

1. Who can you connect with?

2. What tasks can generative AI tools help with?

3. How will you create senior leadership buy in and set up appropriate governance?

4. How to develop an organisational generative AI use policy for publicly available tools.

Connecting with others

Connect within your organisation: Some organisations use an internal messaging channel, webpage or network when encouraging exploratory generative AI use or roll out specific tools. This allows staff to exchange their learning, experiences and questions, and creates a community of practice.

Connect with external peer groups: There are a number of external peer groups that connect research funders and charities interested in AI to discuss related opportunities, challenges and best practice, as well as exchanging learning in this space.  These include: 

• AI for Grantmakers – organised by the Centre for Acceleration of Social Technology, with meetings taking place every two months. Participation is free.
• AI4C – organised by the Worshipful Company of Information Technologists, with meetings taking place four times a year alongside additional workshops and events. Participation is free for charities.

Identify the task or process and identify the tool that can help complete it

Consider what specific routine task or process AI can help with and identify the tool that can help complete it.

It is important to check the tool’s T&Cs to understand how it will process data and carry out a risk assessment based on the information that will be shared with it. For example, consider the data protection risks associated with using an AI plug-in to create written summaries of meetings with third parties or where confidential content is being discussed. Many tool developers retain the data or use it for further model training.  Is this appropriate in your context?  Organisations that have an in-house Data Protection Officer may wish to consult them on the use of generative AI.

Involve senior leadership and governance

Consider how to create senior leadership buy in and set up appropriate governance: This might require consultation with senior leadership and/or trustees. Consider developing a generative AI use policy or guidance to cover experimental and routine use of tools.  This could cover public and/or proprietary tools to help employees understand what can be used and how. The next section contains some guidance on how to develop a policy for publicly available tools.

Creating an organisational generative AI use policy

This section provides some general guidance on creating an organisational generative AI use policy that covers publicly available, web-based generative AI tools that are trained on and/or interrogate external data sources (including information from the internet) to respond to user prompts. Examples would include ChatGPT or Google Gemini.

It is important to note that generative AI tools that are available as plug-ins for browsers or existing applications such as Zoom AI Companion, Grammarly AI or Microsoft 365 Copilot will all have different policies around data privacy and retention, as well as potentially having access to internal user data. As such, these tools should be evaluated case-by-case and may require separate and individual use policies based on their specific data security and retention T&Cs. The below guidance does not cover creation of these types of individual policies.

Introduction

• Set the tone of the policy
• Outline why the policy is needed
• State how generative AI ties into the organisation’s values. 
  • For example, are you looking to actively encourage exploration of this technology, or to simply ensure that staff already using generative AI are aware of how to do so responsibly? 
• Orientate the reader
  • Set out what generative AI is, the opportunities and challenges associated with its use,
  • Provide definitions for some of the common generative AI terms.

Example wording for definitions to include on common Generative AI terms

Artificial intelligence (AI) – The ability of a computer or machine to mimic human thinking processes to solve problems and carry out tasks.  Generative AI – A type of AI that can generate novel content such as text, images, music and code by predicting statistically probable patterns and outcomes based on the data set that it was trained on.  Prompt – User input shared with a generative AI tool instructing it to carry out a specific task. This could take several forms, with text being the most common. An example of a prompt is “Suggest a first draft of an email asking a team member for an update on a project”.  Hallucination – A tendency of generative AI to sometimes convincingly present the user with content that is false, nonsensical or inaccurate.

Policy/guidance scope

• Make clear that this policy specifically covers publicly available, web-based generative AI. 
  • It would therefore exclude other types of AI such as machine learning, and AI tools designed for the organisation and/or already approved for use.
    • Any out-of-scope tools already approved for use, such as Microsoft 365 Copilot, could be included in an itemised list.
• Outline who the policy applies to (employees, external contractors, or both)
  • State that staff should use their work email address to create accounts where needed for organisational use of generative AI.

Alignment with existing organisational policies and positions and wider regulation

• Assess how the risks and ethics associated with generative AI use relate to other organisational policies or positions, such as those on environmental sustainability, and determine if this will restrict generative AI use.
• State in the policy that any use of generative AI tools must comply with existing data regulations.
  • UK GDPR and Intellectual Property rights such as copyright restrict how an organisation can use generative AI tools and what data they can share in prompts. For example, personal data or third party content can’t be shared in prompts without consent from the individual or organisation it pertains to.
  • Organisations that have an in-house Data Protection Officer, may wish to consult them when creating this type of generative AI use guidance.
• Consider and state what types of data and information can be shared with generative AI tools, to ensure the sharing of confidential, sensitive or personal information is limited and secure and only done where in line with individual T&Cs that have been reviewed and agreed between necessary parties. 
  • It is important to remember, there is limited oversight over how the data is processed once it enters the model, and any data could be retained by the tool owners depending on the T&Cs.  Some online generative AI tools may use information shared by users in prompts to further train and refine their models as well as to respond to another user.

Responsible use and human oversight

• Highlight the limitations of the technology and make it clear that, as with any other tool, a human must have  oversight over the use and outputs of generative AI. It should also outline the following limitations of the technology.
  • AI tools should not be used for fully automated decision making, particularly about individuals as this may result in a potential breach of UK GDPR.

Example wording for the limitations of Generative AI technology

Generative AI tools work by predicting statistically probable patterns and outcomes based on the data they were trained on, which means that they cannot apply critical thinking, understand contexts, or verify if the information they generate is true in a way that a human can. This causes generative AI tools to produce different responses to the same prompt if asked multiple times. They can also convincingly present the user with content that is false, nonsensical or inaccurate, which is referred to as hallucination. Finally, publicly available generative AI tools are generally trained on vast amounts of information available from the internet, including content that may include biases or be false, inaccurate, offensive, harmful, or personally identifiable. This creates a risk that these qualities will be reflected in their outputs.

Referencing AI use

• Mention when staff need to reference AI use to demonstrate transparency. 
  • Tasks to reference could include generation of images or novel text.
  • Consider whether staff need to reference generative AI use for routine tasks, such as refining spelling and grammar or generating first drafts of emails, and include this in the policy
  • The reference itself should include the name of the tool and the full prompt used to generate the output.

Policy owner and review period

• Identify who is responsible for keeping it up to date, and how often it should be reviewed.
  • As generative AI is a rapidly developing field, this should be at least every year. Policy owners often include organisations’ IT departments or a Data Protection Officer.

Further information and resources

• Generative AI: Opportunities for charities
• Generative AI: Ethics for charities
• Generative AI: Risks for charities
• Generative AI: Research application and assessment