2. Does Your Charity Need an AI Policy? A Plain-English Guide
- TSAI
- Jun 18

If your charity doesn't have an AI policy, you're in good company. As recently as 2024, only 16% of UK charities had one. By 2025, that had tripled to 48%. And the 2026 Charity Digital Skills data shows 60% of charities now have a policy in place or in development.
But here's the thing that number doesn't tell you: most of those policies aren't very good.
The typical charity AI policy is one of two things. It's either a two-paragraph statement that says "use AI responsibly" without explaining what that means — or it's a fifteen-page document copied from a corporate template that covers enterprise deployment scenarios no small charity will ever encounter. Neither version actually helps staff know what they're allowed to do on a Tuesday morning when they want to use ChatGPT to draft a grant report.
This post is about what an effective AI policy actually looks like for a small or medium UK charity. Not the theory. The five decisions your organisation needs to make, and how to make them.
Why this matters now — not eventually
Two things changed in 2025 that moved AI policy from "nice to have" to "governance expectation."
First, the Charity Governance Code was refreshed in November 2025. For the first time, it explicitly includes technology and AI risk as something boards should consider. This doesn't mean you'll be penalised for not having a policy — the Code is a framework, not a rulebook. But it does mean that a trustee board that hasn't discussed AI is now visibly behind the sector's governance expectations.
Second, NCVO — the sector's primary governance voice — took a clear position: charities should "enable responsible use rather than prohibit all use." This is significant because it closes the door on the most tempting option: a blanket ban. Banning AI use doesn't work. Staff are already using it on personal devices. A ban just drives usage underground, where there's no oversight, no shared learning, and no data protection at all.
Your policy is how you move from "people are doing this anyway" to "people are doing this well."
Decision 1: Which tools are approved?
This is the starting point, and it's simpler than it sounds. You're not evaluating every AI tool on the market. You're answering one question: which tools can staff use for work purposes, and which are off-limits?
For most small charities, the approved list will be short. It might be just one tool — the free version of ChatGPT, or Claude, or Microsoft Copilot if you have Microsoft 365. The point isn't to be comprehensive. It's to be explicit.
Your policy should name the approved tools, note which plan or version (free plans have different data handling to paid plans — this matters), and state that any tool not on the list needs approval before use. That's it. One paragraph.
Why this matters: free-tier AI tools typically use your inputs to train their models. Paid tiers usually don't. If staff are using the free version of ChatGPT, your policy needs to acknowledge this and define what data can and cannot be entered. Which brings us to Decision 2.
Decision 2: What data can be inputted?
This is where most of the genuine risk sits, and where most policies are either too vague ("be careful with sensitive data") or too restrictive ("never input any personal information," which rules out half the useful applications).
A practical approach is to define three tiers:
Green — go ahead. Publicly available information, generic drafting tasks, internal communications that contain no personal data. Examples: drafting a newsletter about your services, summarising a published report, brainstorming fundraising ideas, writing social media posts. No additional approval needed.
Amber — proceed with caution. Anonymised or aggregated data where individuals cannot be identified. Examples: analysing service delivery trends from anonymised monitoring data, summarising survey results. Staff should remove all identifying details before inputting, and should use a paid tool tier where possible.
Red — do not input. Any data that identifies or could identify an individual. This means: beneficiary names, case notes, safeguarding records, health information, donor details, staff HR records, or anything covered by your existing data protection policies. If the task requires personal data, it must be done using a third-party AI tool unless you have a specific data processing agreement in place. Our use of "must" here is very deliberate, in that we are assuming the vast majority of organisations do not have the ability to have their own AI systems with specific guardrails.
Most charity AI use falls squarely in the Green tier. Making this explicit gives staff confidence to use AI where it's safe, while creating a clear boundary around genuinely sensitive information.
Decision 3: Who reviews AI outputs?
AI tools produce text that sounds authoritative whether or not it's accurate. This is not a minor issue. An AI-generated grant report that contains fabricated statistics, or a board paper that misrepresents regulatory requirements, could damage your charity's reputation, finances and funder relationships.
Your policy should state clearly: no AI-generated content is published, submitted, or shared externally without review by a named person. For a small charity, this doesn't need to be a complex approval process. It might simply mean: "Any content produced with AI assistance must be reviewed for accuracy before it goes to a funder, trustee, beneficiary, or the public."
The key word is "assistance." AI is a drafting tool, not a publishing tool. Your policy should frame it that way.
Decision 4: How do you tell people?
Transparency is both a regulatory expectation and a trust issue. The ICO's guidance on AI and data protection — currently under review following the Data (Use and Access) Act 2025 — emphasises that organisations should be transparent about how they use automated tools.
For most charities, this doesn't require a public statement on your website (though there's no harm in one). It means:
Being honest with funders. If AI assisted in drafting a grant application, and your funder asks, you should be able to say so. Some funders are beginning to ask explicitly. Check your grant terms.
Being transparent with your board. Trustees should know which AI tools are in use and what governance is in place. This is now an expectation of the Charity Governance Code.
Being open with staff and volunteers. People need to know that the organisation supports AI use within defined boundaries. This is how you create a culture of responsible use rather than secretive workarounds.
Your policy should include a simple transparency statement — something along the lines of: "We use AI tools to assist with administrative and communication tasks. All AI-assisted content is reviewed by a staff member before use. We do not input personal or sensitive data into AI tools."
Decision 5: What happens when something goes wrong?
Every policy also needs a response plan. For AI, "something going wrong" most likely means one of three things: someone accidentally inputs personal data into an AI tool, an AI-generated output contains a significant error that wasn't caught, or a new tool is adopted without going through the approval process.
Your policy doesn't need an elaborate incident response framework. It needs to answer: who do you tell, and what happens next? For most small charities, the answer is: tell your line manager (or the CEO, if you are the line manager), log what happened, and assess whether it constitutes a data breach under your existing data protection procedures.
The most important thing is that staff feel safe reporting mistakes. If your AI policy creates a culture where people are afraid to admit they used a tool incorrectly, they simply won't report it — and a minor incident becomes a hidden problem.
What your policy doesn't need
It doesn't need to be long. A page and a half is enough for most small charities.
It doesn't need to cover every possible scenario. You're not writing legislation — you're giving staff a clear framework for everyday decisions.
It doesn't need to address artificial general intelligence, sentient robots, or the future of humanity. It needs to address what your team is doing with AI this week.
It doesn't need to be perfect before you publish it internally. The 2025 Charity Digital Skills data showed that 71% of charities wanted more guidance on responsible AI. Your staff are waiting for permission and structure. Give them something practical now and refine it over time.
A starting point
If you're reading this and thinking "I need to do this but I don't know where to start," here's a one-paragraph version you could have in place by the end of this week:
"[Charity name] supports the use of AI tools to improve efficiency and reduce administrative burden. Staff may use [approved tool(s)] for drafting, summarising, and brainstorming tasks. No personal, sensitive, or beneficiary data should be entered into any AI tool. All AI-assisted content must be reviewed for accuracy before external use. Staff should report any concerns about AI use to [named person]. This policy will be reviewed [annually/quarterly]."
That's not perfect. But it's infinitely better than nothing, and it gives your organisation a foundation to build on.
Going further
If you want a comprehensive AI policy pack built specifically for the charity sector — including staff guidance notes, a trustee briefing template, a data classification guide, and a review checklist — that's what Module 4 of the Third Sector AI Toolkit provides. It's designed for small and medium charities, written in plain English, and costs £400 for all six modules covering everything from readiness assessment to a 12-week implementation roadmap.
Or if you want to understand where your charity currently stands before making any decisions, start with our free AI Readiness Audit. It takes five minutes and gives you a personalised report reviewed by a real person — not an automated score.