Direct answer: An AI policy template for schools and colleges should name permitted uses, barred data, human review, safeguarding checks, assessment rules, supplier evidence and board reporting. It is a control document: governors approve the rules, leaders evidence that practice follows them.
The template below deepens our education sector page and the companion guide to AI governance for school governors. It is written for England, where the Department for Education (DfE) guidance applies, but the board discipline travels: define the use case, name the accountable person, keep the evidence, and do not let a supplier policy stand in for your own.
Key takeaways
- A school or college AI policy should separate staff use, learner use, assessment use and supplier procurement, because each sits under a different duty.
- Governors, MAT trustees and college corporations approve risk appetite and evidence requirements; senior leaders decide the operational detail.
- The DfE supports careful use of generative AI, but tells schools and colleges to keep wider duties in view, including safeguarding, data protection and assessment integrity.
- Pupil-facing and learner-facing tools need a higher bar than staff-only drafting tools: filtering, monitoring, age restrictions, DPIAs and clear human supervision.
- JCQ assessment rules should be written into centre policy for coursework, non-exam assessment and internal assessment, not left as exam-office knowledge.
Who this applies to
Use this as a board-level policy skeleton for maintained schools, academies, multi-academy trusts, independent schools, sixth-form colleges and further education colleges that teach children or students under 18. It is not a university policy, and it is not an employer-only AI policy. Those settings have different governance, student-data and academic-freedom questions.
The governing body, trust board or college corporation should own the policy as a risk and assurance document. The headteacher, principal, trust executive or senior leadership team should own implementation. The data protection officer, designated safeguarding lead, exams officer and IT lead should each own the controls that sit inside their normal remit.
That distinction matters. A board should not approve individual prompts or classroom workflows. It should decide the boundary: what AI may be used for, what data may never enter it, when pupils may use it, which assessments are off limits, and what evidence comes back to the board each term.
AI policy template for schools and colleges: board decisions
The policy should open with five decisions that can be minuted.
- Scope. State whether the policy covers staff, pupils, students, governors, trustees, volunteers, contractors and suppliers. For MATs, state whether the approved-tools list is trust-wide or academy-specific. For colleges, state how the policy applies across 16 to 19 provision, adult learners and apprenticeship delivery where under-18 learners may be present.
- Permitted use. List approved categories, not just product names: lesson planning, resource drafting, administrative drafting, translation support, accessibility support, revision support, learning analytics, marking assistance and pupil-facing tutoring. A product can move category as its features change.
- Prohibited use. Ban entering personal, special category, safeguarding, SEND, health, behaviour, attendance or assessment data into unapproved tools. Ban AI as the sole decision-maker for exclusions, admissions, safeguarding triage, special educational needs support, predicted grades or learner progression.
- Human responsibility. Make the member of staff responsible for checking outputs before they reach pupils, parents, awarding bodies or another professional. The DfE says final content remains the responsibility of the professional and the organisation, regardless of the tool used.
- Evidence to the board. Require a register of AI tools, completed DPIAs where children's or learner data is processed, supplier evidence against the DfE standards, assessment integrity records, staff training records and safeguarding incidents involving AI.
If your existing policy is a generic acceptable-use note, use our guide to what a UK AI policy should include to widen it. Education needs the corporate controls, plus specific rules for children, assessed work and parental transparency.
Controls and evidence the policy must create
| Control | Evidence to keep | Owner |
|---|---|---|
| Approved AI use register | Tool name, purpose, user group, data entered, supplier, renewal date and risk rating | Senior leader for AI or digital strategy |
| Data boundary | Written rule on barred data, staff examples, DPIA where personal data is processed, privacy notice update where needed | Data protection officer |
| Safeguarding and online safety | Filtering and monitoring review, pupil-facing tool checks, incident route into the DSL process | Designated safeguarding lead |
| Assessment integrity | JCQ-aligned AI declaration process, candidate guidance, suspected malpractice process and retained evidence | Exams officer or quality lead |
| Procurement test | Supplier response mapped to DfE product safety standards, data-processing terms, retention and model-training answer | IT lead or procurement lead |
| Board assurance | Termly AI register summary, exceptions, incidents, training completion and new high-risk proposals | Clerk, governance professional or executive lead |
The right-hand column is the point. A policy that cannot name an owner becomes guidance. A policy that cannot produce evidence becomes a promise. The board should ask for artefacts it can read, not a verbal statement that the school or college is "being careful".
Map the template to the rules
The DfE's generative AI in education guidance, updated 12 August 2025, gives the overall posture for England. Schools and colleges may choose their own use cases, but should assess risks, consult safeguarding guidance, consider filtering and monitoring, and avoid using personal data in generative AI tools unless it is strictly necessary and properly protected.
The DfE generative AI product safety standards, updated 19 January 2026, are a procurement checklist for edtech AI. They cover stated purpose, filtering, monitoring and reporting, security, privacy and data protection, intellectual property, design and testing, governance, cognitive development, emotional and social development, mental health and manipulation. They are written for suppliers, but schools and colleges should ask suppliers to evidence them.
Keeping Children Safe in Education 2025 is statutory guidance for schools and colleges on safeguarding children and young people under 18. In an AI policy, it belongs in the safeguarding section, not in an appendix. The practical test is whether filtering, monitoring, staff escalation and incident recording cover pupil-facing AI and AI-generated harmful content.
The JCQ AI use in assessments guidance applies to centres managing qualification assessments. It treats unacknowledged AI use as malpractice and tells centres to make students aware of appropriate and inappropriate AI use. For non-exam assessments, coursework and internal assessments, centre policy should state how AI use is declared, authenticated, investigated and recorded.
The ICO's children's code DPIA guidance says a data protection impact assessment should identify and minimise the data protection risks to children who are likely to access a service. The ICO's AI and data protection guidance covers accountability, transparency, lawfulness, accuracy, fairness, security, data minimisation and individual rights, although the page says it is under review after the Data (Use and Access) Act became law.
For automated decisions, do not rely on old Article 22 shorthand. The GOV.UK Data (Use and Access) Act factsheet says Section 80 replaces Article 22 of the UK GDPR with new Articles 22A to 22D. If an AI system makes or materially shapes a significant decision about a pupil or student, the policy should require information, challenge rights and human intervention before the system is approved.
If the institution already uses a wider AI framework, map this policy to the UK AI governance framework guide. The NIST AI Risk Management Framework 1.0 gives a useful assurance language: Govern for ownership, Map for use cases and context, Measure for testing and impact, Manage for controls and incidents.
Common mistakes to avoid
Treating staff-only and pupil-facing AI as the same risk. A teacher using an approved tool to draft a worksheet is not the same as a pupil using a chatbot that responds directly to them. The second needs age controls, supervision, filtering, monitoring, a DPIA and a safeguarding route.
Writing "do not enter personal data" without examples. Staff need examples that fit their working day: no names, no photos, no SEND detail, no safeguarding notes, no medical detail, no behaviour records, no parent correspondence and no assessment scripts in unapproved tools.
Letting assessment rules live outside the policy. Exams teams know JCQ rules. Pupils, teachers, governors and college board members often do not. Put AI declaration, authentication and malpractice handling in the policy, then reference the exams policy.
Accepting supplier claims as evidence. "Compliant with data protection law" is not enough. Ask whether pupil or student inputs train models, where data is stored, how long prompts are retained, how harmful outputs are filtered, how incidents are reported, and whether the product has been tested with SEND users and different age groups.
Missing the college governance line. A school governing body and a college corporation are not the same body. The policy should name the actual accountable forum, committee reporting route and senior owner for each setting.
Publishing a template without review. A draft helps leaders stop staring at a blank page. It does not know your MIS, safeguarding arrangements, assessment portfolio, suppliers, trust scheme of delegation or college committee structure.
Next step: move from template to evidence
Start with a working draft, then test it against live use. Treat the template as a board paper, not a finished policy: mark up the data boundary, add your approved-tools list, name the owner of each control and attach the evidence table above.
Then score the current position. The Board AI Scorecard gives governors, trustees and college board members a quick baseline across accountability, policy, risk, data and capability. If the board needs an external evidence review, the GovernIQ diagnostic maps actual AI use against the same duties and turns the policy into an implementation plan.
Sources: https://www.gov.uk/government/publications/generative-artificial-intelligence-in-education/generative-artificial-intelligence-ai-in-education; https://www.gov.uk/government/publications/generative-ai-product-safety-standards/generative-ai-product-safety-standards; https://www.gov.uk/government/publications/keeping-children-safe-in-education%2D%2D2; https://www.jcq.org.uk/knowledge-hub/ai-use-in-assessments-your-role-in-protecting-the-integrity-of-qualifications/; https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/2-data-protection-impact-assessments/; https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/; https://www.gov.uk/government/publications/data-use-and-access-act-2025-factsheets/data-use-and-access-act-factsheet-uk-gdpr-and-dpa; https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf
