Need Expert IT Help? Call Our Team

0118 982 1444

What Should Schools Include in an AI Policy? | Steve’s Tech Tips

Artificial Intelligence is already in our schools, whether we are ready for it or not.

Pupils are using AI tools to help with homework. Staff are using AI to draft resources, write emails, simplify text, create lesson ideas and reduce administration. Many education platforms are also starting to include AI features by default.

The question for school leaders is no longer “Should we allow AI?”

The real question is:

“How do we make sure AI is used safely, legally, fairly and in a way that genuinely supports teaching and learning?”

That is why every school, academy and multi-academy trust should now have a clear, practical and regularly reviewed AI policy.

Why schools need an AI policy

AI can be extremely useful in education. Used properly, it can help reduce teacher workload, support planning, improve accessibility, generate ideas and help pupils develop digital skills for the future.

The Department for Education recognises that AI can support teachers and learners, but also makes clear that schools must consider risks around safety, reliability, safeguarding, data protection, copyright and appropriate use.

An AI policy gives staff and pupils clear rules. It also helps governors, trustees and senior leaders show that the school has considered the risks properly and is not simply allowing AI tools to be used without control.

A good AI policy should answer these questions:

  • What AI tools are allowed?
  • Who can use them?
  • What data can and cannot be entered?
  • Can pupils use AI for homework?
  • How should AI use be declared?
  • Who approves new AI tools?
  • What happens if AI is misused?
  • How does the school protect pupils, staff and confidential information?

1. Start with clear principles

Your AI policy should begin with a simple statement of intent.

For example:

“Our school recognises that Artificial Intelligence can support teaching, learning and administration when used responsibly. AI must not replace professional judgement, compromise safeguarding, misuse personal data, or undermine pupils’ own learning.”

The key principles should include:

Safety first
AI must never put pupils, staff or the school community at risk.

Human oversight
AI can support decision-making, but it should not make final decisions about pupils, staff, safeguarding, behaviour, assessment, SEND or exclusions.

Privacy and confidentiality
Personal, sensitive or confidential data must not be entered into public AI tools.

Fairness and inclusion
AI outputs should be checked for bias, stereotypes, discrimination or inaccurate assumptions.

Transparency
Staff and pupils should be clear when AI has been used.

Educational value
AI should support learning, not replace thinking.

2. Define what you mean by AI

Many people think of AI as ChatGPT, but schools should define AI more widely.

Your policy should cover:

  • Generative AI tools such as ChatGPT, Microsoft Copilot, Google Gemini and Claude.
  • AI image, audio and video generators.
  • AI transcription and meeting note tools.
  • AI marking or feedback tools.
  • Chatbots.
  • AI features inside Microsoft 365, Google Workspace, MIS systems and learning platforms.
  • AI tools used for safeguarding, attendance, behaviour, SEND, assessment or analytics.

This matters because AI is increasingly being built into tools schools already use. A member of staff may not think they are “using AI”, when in reality they are using an AI-powered feature inside an existing platform.

3. Create an approved AI tools register

Schools should not allow staff to use any AI tool they happen to find online.

Instead, create an approved AI tools register.

This should include:

Item What to record
Tool name Name of the AI product or platform
Purpose What the tool is approved for
Approved users Staff, pupils, admin team, SLT, governors, etc.
Age suitability Whether it is suitable for pupil use
Data allowed Whether personal data can be used
Data location Where data is stored or processed
Retention How long data is kept
Training use Whether entered data is used to train AI models
Approval owner Who approved the tool
Review date When the tool must be reviewed

This gives the school a proper audit trail and stops uncontrolled AI adoption.

4. Be very clear about personal data

This is one of the most important parts of the policy.

Staff and pupils should be told clearly:

Do not enter personal, sensitive or confidential information into public AI tools.

That includes:

  • Pupil names.
  • Staff names.
  • Parent names.
  • Behaviour records.
  • Safeguarding concerns.
  • Medical information.
  • SEND information.
  • Attendance data.
  • Assessment data.
  • Exam results.
  • Passwords.
  • Internal emails.
  • HR information.
  • Financial information.
  • Anything confidential to the school.

The ICO provides guidance on applying UK GDPR principles to AI and also provides tools to help organisations assess AI-related data protection risks.

For schools, the safest default position is simple:

If the information identifies a pupil, parent, member of staff or family, do not put it into an AI tool unless the tool has been formally approved and data protection checks have been completed.

5. Require DPIAs for higher-risk AI tools

A school AI policy should state when a Data Protection Impact Assessment, or DPIA, is required.

A DPIA should normally be completed before using AI tools that involve:

  • Pupil personal data.
  • Staff personal data.
  • Safeguarding records.
  • SEND information.
  • Attendance analysis.
  • Behaviour analysis.
  • Assessment or grading.
  • Biometric information.
  • Automated recommendations or profiling.
  • AI transcription of sensitive meetings.
  • Any tool connected to MIS, safeguarding, HR or assessment systems.

This is especially important because schools process large amounts of children’s data, and children are classed as requiring particular protection under data protection law.

6. Link AI to safeguarding and online safety

AI is not just an IT issue. It is also a safeguarding issue.

Your AI policy should link directly to the school’s:

  • Safeguarding policy.
  • Child protection policy.
  • Online safety policy.
  • Acceptable use policy.
  • Behaviour policy.
  • Filtering and monitoring policy.

The policy should cover risks such as:

  • AI-generated harmful content.
  • Deepfakes.
  • Fake images of pupils or staff.
  • Cyberbullying.
  • Impersonation.
  • Grooming risks.
  • Misinformation.
  • Inappropriate chatbot conversations.
  • AI-generated sexualised content.
  • Extremist or harmful material.
  • Pupils using AI to bypass filtering or monitoring.

Ofsted’s current position is that it does not inspect AI as a standalone area, but inspectors may consider the impact of AI on pupil outcomes, safeguarding, data protection, bias and discrimination where it is relevant.

In practical terms, that means schools do not need to panic about AI, but they do need to show sensible leadership, clear controls and good risk management.

7. Set rules for staff use

Staff should know what they can safely use AI for.

Reasonable uses may include:

  • Drafting lesson ideas.
  • Creating quiz questions.
  • Producing first drafts of letters or emails.
  • Rewording non-confidential text.
  • Creating differentiated worksheets.
  • Generating revision questions.
  • Summarising public information.
  • Producing CPD ideas.
  • Creating administrative templates.
  • Supporting accessibility, such as simplifying text.

However, the policy should make clear that staff remain responsible for checking:

  • Accuracy.
  • Age suitability.
  • Bias.
  • Copyright.
  • Tone.
  • Safeguarding risks.
  • Curriculum alignment.
  • Data protection.
  • Whether the content is appropriate for the school community.

AI can produce confident but incorrect answers. Staff should treat AI output as a draft, not as a finished professional judgement.

8. Set rules for pupil use

Pupils need clear guidance too.

The policy should explain when AI is allowed, when it is not allowed, and when it must be declared.

Acceptable pupil use may include:

  • Brainstorming ideas.
  • Revising topics.
  • Asking for explanations.
  • Practising questions.
  • Getting help with coding.
  • Improving accessibility.
  • Translating or simplifying text where allowed.
  • Using AI as part of a teacher-led activity.

Unacceptable use should include:

  • Submitting AI-generated work as their own.
  • Using AI in exams or controlled assessments where it is not allowed.
  • Using AI to write coursework without acknowledgement.
  • Using AI to create fake images, videos or audio of others.
  • Using AI to bully, impersonate or harass.
  • Entering other people’s personal information into AI tools.
  • Using AI to bypass school filtering or monitoring.

The tone should not be purely punitive. Pupils need to learn how to use AI responsibly, but they also need to understand that misuse has consequences.

9. Update homework and assessment rules

This is one of the most urgent areas for schools.

Your AI policy should link to homework, coursework and assessment policies.

The Joint Council for Qualifications makes clear that students who misuse AI so that submitted work is not their own have committed malpractice and could face severe sanctions. JCQ also states that students must make sure work submitted for assessment is demonstrably their own.

Schools should therefore define:

  • When AI can be used for homework.
  • Whether AI use must be declared.
  • How pupils should reference AI use.
  • Which subjects or tasks prohibit AI.
  • How teachers should respond to suspected AI misuse.
  • Why AI detection tools should not be the only evidence.
  • How staff will investigate concerns fairly.

A simple school rule could be:

“AI may support your learning, but it must not replace your learning. Any work submitted as your own must reflect your own understanding, effort and independent thinking.”

10. Make human oversight non-negotiable

AI should not make final decisions about children.

Your policy should clearly state that AI must not be used as the final decision-maker for:

  • Safeguarding concerns.
  • Behaviour sanctions.
  • Exclusions.
  • SEND provision.
  • Attendance interventions.
  • Predicted grades.
  • Exam marks.
  • Admissions.
  • Staff performance.
  • Complaints.
  • Welfare decisions.

AI may help organise information or suggest options, but accountability must remain with trained staff and school leaders.

This is especially important where decisions affect a child’s education, safety, wellbeing or future opportunities.

11. Consider bias and fairness

AI tools are trained on large amounts of data. That data may contain bias, stereotypes or inaccuracies.

Schools should require staff to check AI output for:

  • Gender bias.
  • Racial or cultural bias.
  • Disability-related assumptions.
  • Socio-economic assumptions.
  • Religious or cultural inaccuracies.
  • Inappropriate language.
  • Lack of accessibility.
  • Unsuitable reading age.
  • Inaccurate historical or scientific claims.

This is particularly important in teaching materials, behaviour analysis, SEND support, recruitment, safeguarding summaries and anything that may influence decisions about pupils or staff.

12. Address copyright and intellectual property

AI can create content quickly, but copyright is still a real issue.

Your policy should explain:

  • Staff should not upload copyrighted resources into AI tools unless permitted.
  • Pupil work should not be uploaded into AI tools without a clear lawful basis and approval.
  • School logos, photographs and branded materials should not be used in AI tools without permission.
  • AI-generated text, images and resources should be checked before publication.
  • Staff should not assume AI-generated content is automatically free from copyright risk.

This is particularly important for school websites, newsletters, prospectuses, social media posts and teaching resources.

13. Include cyber security risks

AI is also changing cyber security.

Attackers can use AI to create more convincing phishing emails, fake invoices, impersonation messages, deepfake voice notes and malicious content.

Your AI policy should link to your cyber security policies and explain that staff should be alert to:

  • More convincing phishing emails.
  • Fake supplier requests.
  • Impersonation of senior leaders.
  • AI-generated scam messages.
  • Deepfake audio or video.
  • Malicious links generated through AI tools.
  • Prompt injection risks.
  • Accidental data leakage.

This should be supported by regular cyber awareness training.

14. Put procurement controls in place

Before a school buys or enables a new AI tool, it should go through a proper approval process.

Questions to ask suppliers include:

  • Where is the data stored?
  • Is data used to train AI models?
  • Can training use be switched off?
  • Is the tool suitable for children?
  • What age restrictions apply?
  • Is there a UK GDPR-compliant data processing agreement?
  • How long is data retained?
  • Can data be deleted?
  • Are audit logs available?
  • Does the tool support school safeguarding duties?
  • Does it integrate with Microsoft 365, Google Workspace or MIS systems?
  • What happens if the supplier changes its terms?

Schools should be particularly careful with free AI tools. Free often means the data is valuable to the provider.

15. Train staff properly

An AI policy is only useful if staff understand it.

Schools should provide regular training covering:

  • What AI is.
  • What tools are approved.
  • What data must not be entered.
  • How to check AI output.
  • How to spot bias and hallucinations.
  • How AI affects assessment.
  • How to handle pupil misuse.
  • Safeguarding risks.
  • Cyber security risks.
  • Copyright and intellectual property.
  • How to report an AI-related concern.

Training should be practical, not theoretical. Staff need real examples of what is safe, what is risky and what is prohibited.

16. Create an incident reporting process

The AI policy should explain what staff and pupils should do if something goes wrong.

Examples of AI-related incidents include:

  • A member of staff entering pupil data into an unapproved AI tool.
  • A pupil submitting AI-generated coursework.
  • A pupil creating a fake image of another pupil.
  • AI producing harmful or discriminatory content.
  • A chatbot giving inappropriate advice.
  • AI-generated phishing targeting the school.
  • An AI tool exposing confidential information.
  • A parent complaint about AI use.

The policy should say who incidents are reported to, such as:

  • Designated Safeguarding Lead.
  • Data Protection Officer.
  • IT lead.
  • Headteacher.
  • Exams Officer.
  • Senior Leadership Team.

17. Use a simple traffic light model

Schools often need simple rules that staff can remember.

A useful model is Green, Amber, Red.

Green: generally acceptable

These activities are usually acceptable with professional judgement:

  • Creating lesson ideas.
  • Drafting non-confidential text.
  • Producing quiz questions.
  • Simplifying text.
  • Creating revision prompts.
  • Generating admin templates.
  • Rewording public information.

Amber: approval needed

These need approval, checks or risk assessment:

  • AI tools used directly by pupils.
  • AI marking or feedback tools.
  • AI transcription tools.
  • AI connected to Microsoft 365 or Google Workspace.
  • AI used with pupil work.
  • AI used for assessment support.
  • AI tools involving images, audio or video.

Red: prohibited unless formally approved

These should not happen without formal approval:

  • Uploading safeguarding records.
  • Uploading SEND or medical information.
  • Uploading behaviour logs.
  • Using AI to make final decisions about pupils.
  • Allowing unsupervised pupil use of public AI tools.
  • Creating AI images of pupils.
  • Using AI detection tools as sole evidence of cheating.
  • Uploading confidential school documents to public AI platforms.

18. Keep the policy under review

AI is changing quickly. A policy written today may need updating within months.

Schools should review their AI policy:

  • At least annually.
  • When DfE guidance changes.
  • When ICO guidance changes.
  • When JCQ assessment guidance changes.
  • When new AI tools are introduced.
  • After any AI-related incident.
  • When safeguarding or online safety risks change.

The AI policy should not sit in isolation. It should become part of the school’s wider digital strategy, safeguarding culture and information governance framework.

Steve’s final thought

AI is not something schools can ignore. It is already being used by pupils, staff, suppliers and software platforms.

The schools that handle AI best will not be the ones that simply ban it or blindly embrace it. They will be the schools that take a calm, structured and sensible approach.

That means:

  • Clear rules.
  • Approved tools.
  • Strong data protection.
  • Safeguarding oversight.
  • Staff training.
  • Pupil guidance.
  • Human judgement.
  • Regular review.

AI can support education, reduce workload and help pupils learn in new ways. But it must be introduced carefully, with the right policies, controls and leadership in place.

At Elmdale IT, we believe schools should treat AI in the same way they treat cyber security, safeguarding and cloud technology: with confidence, but also with proper governance.

The aim is not to stop innovation.

The aim is to make sure innovation is safe, responsible and genuinely improves outcomes for pupils.