IRIS5
BlogDoes Your School Need an AI Policy? (Yes, Here's Why)
AI

Does Your School Need an AI Policy? (Yes, Here's Why)

Feb 5, 20266 min read

Here's a question worth putting to any school leadership team: do you have a written AI policy? Not a paragraph buried in your acceptable use agreement from 2019. An actual policy. One that covers staff, students, procurement, and data.

In the majority of cases, the answer is no. Where something exists, it's usually a hastily written addendum to the academic integrity policy that only mentions students. Staff use? Not covered. Data handling? Not mentioned. Procurement? Nowhere.

That gap is a problem. And it's getting wider every term.

The policy vacuum is already causing issues

AI tools aren't coming to schools. They're already there. Your teachers are using ChatGPT to draft lesson plans, write report comments, and generate assessment rubrics. Your admin team is probably using AI-powered scheduling or communication tools. Some of your students are submitting work that's partly or entirely AI-generated.

None of this is inherently bad. But without a policy, you've got no framework for deciding what's acceptable and what isn't. Every teacher makes their own call. Every department sets its own unwritten rules. And when something goes wrong -- a parent complains, a data breach occurs, an exam board raises questions -- you're responding without a foundation to stand on.

What an AI policy should actually cover

A good school AI policy isn't a single-page document. It needs to address at least five areas. Skip any of them and you've got a gap that will eventually cause trouble.

1. Acceptable use for students

This is where most schools start, and that's fine. But it needs to go beyond "don't use ChatGPT for homework." You need to be specific. Can students use AI tools for research? For brainstorming? For editing their own writing? Can they use AI in some subjects but not others? What about exams versus coursework?

A blanket ban doesn't work. Students will use these tools anyway, and a prohibition just means they'll hide it. Better to define what's allowed, what's not, and what the consequences look like when the line gets crossed.

2. Acceptable use for staff

This is the area most schools forget entirely. But think about it: a teacher uses an AI tool to write end-of-year reports. They paste student names, grades, behavioural notes, and SEND information into a prompt. Where does that data go? Who stores it? For how long?

Your staff policy needs to define which AI tools are approved for professional use, what data can and cannot be entered into them, and what review process applies to AI-generated outputs. A report comment written by AI and sent to parents without a teacher reviewing it properly is a real risk -- not a hypothetical one.

The biggest AI risk in schools right now isn't students cheating. It's staff entering sensitive data into tools nobody has vetted.

3. Data handling when using AI tools

This is where your AI policy meets your GDPR obligations. Every time someone at your school uses an AI tool with student data, you need to know: is that data being sent to a third-party server? Is it being stored? Is it being used to train models?

Most free AI tools use input data for training. That means student names, assessment results, and behavioural notes entered into a free chatbot could end up as training data. Your policy needs to explicitly prohibit entering personally identifiable information into unapproved AI tools. Full stop.

4. Academic integrity implications

Your academic integrity policy was almost certainly written before generative AI existed. It probably defines plagiarism as copying someone else's work. But is AI-generated text "someone else's work"? Your exam boards may have a position on this, but your internal policy needs one too.

Think practically. A student uses AI to generate an essay outline, then writes the essay themselves. Is that cheating? What if they use AI to improve their grammar? What if they use it to rewrite entire paragraphs? You need a spectrum, not a binary. And you need staff to apply it consistently, which means training -- not just a document.

5. Procurement guidelines for AI-powered platforms

Schools buy software all the time. But now that software increasingly contains AI features -- sometimes obviously, sometimes buried in an update. Your EdTech procurement process needs an AI-specific checklist. Where is data processed? Does the platform use student data for model training? Does it comply with UK GDPR and the Age Appropriate Design Code? Is there transparency about how AI-generated recommendations or assessments are produced?

Schools have adopted AI-powered assessment platforms without realising the tool sends student response data to servers in the US. That's a data transfer issue. It needs a DPIA. Nobody does one because nobody asked the right questions at procurement.

Three scenarios that expose the gap

Consider three scenarios that play out with regularity across the sector.

Scenario one: A secondary school teacher uses ChatGPT to write 120 report comments in an afternoon. They paste in each student's name, predicted grade, and key strengths. The comments are good. Parents are happy. But the teacher just sent personal data for 120 students to OpenAI's servers. No data processing agreement exists between the school and OpenAI. The school's DPO wasn't informed. There's no record of this processing in the school's ROPA.

Scenario two: A sixth-form student submits an extended essay that's suspiciously well-written. The teacher runs it through an AI detection tool. The tool says 87% AI-generated. The student says they wrote it themselves. The school has no policy defining what constitutes AI-assisted work versus AI-generated work. The appeals process takes three weeks. The student misses a university deadline.

Scenario three: The school's finance team purchases an AI scheduling tool that optimises staff timetables. It processes teacher employment data, availability, and contract terms. Nobody conducts a DPIA because the tool was marketed as a "timetabling solution," not an AI platform. Six months later, the ICO updates its guidance on AI in education, and the school discovers it's been non-compliant since day one.

All three of these are preventable. All three require a policy to prevent them.

Getting started isn't as hard as you think

You don't need to write 40 pages. Start with the five areas above. Get your DPO involved from the start -- this isn't just a teaching and learning issue. Consult your IT lead on which tools staff are actually using (you'll be surprised). Run a short staff survey to understand current AI use patterns.

Then write something clear and practical. Version it. Date it. Review it every term, because this space changes fast. What was true six months ago about AI capabilities and data practices may already be outdated.

The schools that get this right won't just avoid problems. They'll be in a much better position to use AI well -- because they'll have thought through the risks before the risks arrive at their door.

Related reading