Published 25 March 2026 · 8 min read

How to Write a School AI Acceptable Use Policy

Generative AI tools are already in use across most schools — by staff for lesson planning and administration, and by students for research and homework. Yet many schools still rely on a single paragraph in their existing ICT acceptable use policy to cover AI. That is no longer sufficient.

The DfE's Generative artificial intelligence in education guidance makes clear that schools should assess the risks of AI tools, choose suitable use cases, and ensure AI use aligns with wider statutory obligations including data protection, safeguarding, and assessment integrity. This article sets out what a dedicated school AI acceptable use policy should contain, and the common mistakes to avoid.

Why a separate AI acceptable use policy?

Traditional ICT acceptable use policies were written for a world of web browsers, email, and school networks. They do not address the specific risks that AI tools introduce:

  • Data leakage: Staff or students entering personal data, safeguarding information, or confidential details into AI tools that process data externally
  • Hallucination and inaccuracy: AI tools generating plausible but incorrect content that is then used without verification
  • Professional responsibility: Lack of clarity about who is accountable when AI-generated content is used in reports, communications, or assessments
  • Assessment integrity: No clear rules on when and how students may use AI in assessed work, creating inconsistency across departments

A dedicated AI acceptable use policy addresses these risks directly. It also gives staff the confidence to use AI tools productively, because the boundaries are clear rather than implied.

What should a staff AI AUP contain?

A well-structured staff AI acceptable use policy typically covers the following areas.

Scope and applicability

Define who the policy covers (all staff, governors, volunteers, visiting professionals) and when it applies (using school devices, personal devices for school work, and any use of AI tools in a professional capacity). Be explicit that this covers both school-provided and personal AI tool accounts.

Approved tools and review process

Maintain a list of AI tools approved for use, with any conditions attached to each (for example, "approved for lesson planning only, not for processing pupil data"). Include a process for staff to request new tools and for the school to review and approve them. The ICO expects organisations to understand what tools are processing personal data and on what basis.

Permitted uses

Set out what staff can use AI for. Common permitted uses include:

  • Lesson planning, resource creation, and differentiation
  • Administrative tasks such as drafting communications, summarising meeting notes, or generating report comments
  • Research and professional development
  • Marking support — with the explicit requirement that all AI-assisted marking is reviewed and finalised by the teacher

Prohibited uses

Equally important is what staff must not do:

  • Enter pupil names, dates of birth, SEN information, safeguarding concerns, or any personal data into AI tools
  • Use AI as the sole basis for marking, grading, or assessment decisions
  • Share confidential school information (financial data, HR matters, disciplinary details) with AI tools
  • Use AI-generated content in external communications without review and approval

Data handling rules

This section should be specific and practical. Staff need concrete guidance, not abstract principles. For example: "Do not enter any information into an AI tool that you would not be comfortable seeing published. If a prompt requires pupil-specific context, anonymise it first — remove names, replace with generic identifiers, and strip any identifying details."

Reference the school's data protection policy and, where relevant, the ICO's guidance on AI and data protection (currently under review following the Data (Use and Access) Act 2025 — citations may need updating during 2026). If the school has completed a Data Protection Impact Assessment (DPIA) for specific AI tools, note that here.

Professional responsibility

Make explicit that staff remain professionally accountable for anything they produce, communicate, or submit — regardless of whether AI was used in its creation. AI is a tool; the professional judgement sits with the teacher. This is particularly important for reports, references, EHCP contributions, and safeguarding records.

Reporting and escalation

Include a clear process for reporting concerns: a colleague using an unapproved tool, a data breach involving AI, or a student misusing AI in a way that raises safeguarding concerns. Name the responsible person (typically the DPO for data issues, DSL for safeguarding, and a named AI lead or SLT member for general policy questions).

Review cycle

AI tools and guidance are evolving rapidly. The policy should be reviewed at least annually, ideally aligned with the start of the academic year when JCQ publishes its updated regulations. Build in a mid-year review point if significant new guidance is published (as has happened in each of the last three years).

Student AI acceptable use policy

Students need their own AI AUP, separate from the staff version. The key differences are:

Student-friendly language

Write the policy in language appropriate to the age group. A sixth-form student can understand nuanced guidance about academic integrity; a Year 7 student needs simpler, more direct rules. Some schools produce two versions — one for Key Stage 3 and one for Key Stage 4/5.

Clear rules on AI in assessed work

This is where the student AUP connects directly to JCQ requirements. Students must understand:

  • When AI use is permitted in coursework and non-examined assessments (and under what conditions)
  • When AI use is prohibited
  • What constitutes malpractice — submitting AI-generated work as their own is treated the same as any other form of plagiarism under JCQ's AI Use in Assessments guidance (Revision 2, April 2025) and associated malpractice procedures
  • How to acknowledge AI use when it is permitted (JCQ expects centres to have clear processes for this)

Acknowledgement requirements

Require students (and, for younger pupils, parents or carers) to sign an acknowledgement that they have read and understood the policy. This is standard practice for ICT AUPs and should extend to the AI policy. It also supports the school's position if a malpractice investigation arises.

Consequences for misuse

Link the AI AUP to the school's behaviour policy and, for assessed work, to the assessment integrity policy. Students should understand the consequences of misuse, from internal sanctions through to JCQ malpractice procedures for examination-related work.

Common mistakes schools make

Having reviewed AI policies from a range of schools and trusts, these are the most frequent problems:

  1. Being too vague. "Use AI responsibly" is not a policy. Staff and students need specific, actionable rules. What counts as responsible? Which tools? In which contexts?
  2. No approved tools list. Without a defined list, every AI tool is implicitly permitted — or implicitly banned, depending on who you ask. Neither position is workable.
  3. Not distinguishing between staff and student use. Staff and students have fundamentally different responsibilities, risks, and permitted uses. A single policy trying to cover both ends up being unclear for everyone.
  4. Not connecting to assessment integrity. The AI AUP should reference the school's assessment integrity policy (and vice versa). JCQ's requirements on AI and malpractice are specific and consequential — the Head of Centre is personally accountable for having adequate processes in place.
  5. Not reviewing annually. An AI policy written in 2024 is already out of date. Guidance from DfE, JCQ, ICO, and Ofsted has been updated multiple times. A policy that is not reviewed at least annually risks being misaligned with current published guidance.

How the AI AUP connects to other policies

An AI acceptable use policy does not exist in isolation. It should be explicitly cross-referenced with:

  • Assessment integrity policy: Covers JCQ malpractice procedures, candidate declarations, and the Head of Centre's responsibilities for preventing and investigating AI misuse in assessed work
  • Safeguarding policy: Addresses risks of students interacting with AI chatbots, generating inappropriate content, or disclosing concerns to AI tools instead of trusted adults. Should reference Keeping Children Safe in Education 2025 (KCSIE)
  • Data protection policy: Covers the legal basis for processing data through AI tools, DPIA requirements, and staff obligations under UK GDPR. Should reference ICO guidance on AI and data protection
  • Behaviour policy: Defines consequences for student misuse of AI tools, aligned with the school's existing sanctions framework

Taken together, these documents form a coherent framework for AI governance in the school. Gaps between them — where one policy assumes another covers a particular issue — are where risks emerge.

Getting started

Writing an AI acceptable use policy from scratch takes time, particularly if you want it to be properly aligned with current published guidance from DfE, JCQ, ICO, and Ofsted. Many schools find it helpful to start with a structured checklist to identify where their current policies have gaps.

We offer a free AI Policy Checklist for School Leaders that covers governance, staff use, assessment integrity, safeguarding, and data protection — with source references to the published guidance behind each item.

If you need the actual policy documents — a Staff AI AUP, Student AI AUP, and Assessment Integrity Policy, all source-referenced and ready to adapt — see the AI Policy Starter Pack.

Related articles