Generative Artificial Intelligence Policy - March 2026

In this section

1. Introduction to Artificial Intelligence (AI) and Generative AI
2. Purpose
3. Scope
4. Policy Statement
5. Usage Principals

5. Usage Principals

5.1. GenAI must be used fairly, avoiding bias to promote equality and support the council’s goals. Users may use GenAI for work-related tasks such as creating reports, emails, presentations, images, and customer service communications, following the usage principles of this policy.

5.2. Governance

Before accessing GenAI technology, users must be fully aware of this policy. Any queries should be discussed with the Information Governance Team. You must consider the reason for use, and the expected information to be input as well as the generated output and distribution of content. This must be clearly specified in any quotation or tender document.

5.3. The procurement of Digital Systems using GenAI must be in accordance and comply with the Council’s procurement rules and regulations.

5.4. Suppliers

Any use of GenAI technology suppliers must provide documentation on fairness, bias mitigation, security certifications (such as ISO 27001 or Cyber Essentials), and data handling practices. The Council will assess these as part of procurement process.

5.5. Copyright

Users are required to comply with copyright laws when utilising GenAI. It is strictly prohibited to use GenAI to generate content that infringes upon the intellectual property rights of others, including but not limited to copyrighted material. If users are uncertain whether a particular use of GenAI constitutes copyright infringement, they should contact the Legal Services or Information Governance Team before using GenAI. Inquiries can be directed to legalservices@carmarthenshire.gov.uk

5.6. Accuracy

All information generated by GenAI must be reviewed and edited for accuracy prior to use. Users of GenAI are responsible for reviewing output and are accountable for ensuring the accuracy of GenAIgenerated content before it is used or released. If a user has any doubt about the accuracy of information generated by GenAI, they should not use it.

It is important to note that GenAI tools can produce “hallucinations”— outputs that appear plausible but are factually incorrect, misleading, or entirely fabricated. These hallucinations may arise due to the probabilistic nature of GenAI models and can have significant political, legal, and financial implications for the authority. Therefore, AI-generated content should never be assumed to be accurate and must always be subject to thorough verification.

5.7. Confidentiality

Confidential and personal information must not be entered into any public GenAI tools, as these are outside of the control of our organisation and information may therefore enter the public domain. Users must follow all applicable data privacy laws and Council’s policies, such as our Handling Personal Information policy, when using GenAI. Data Protection Impact Assessments (DPIA) should also be considered. If a user has any doubt about the confidentiality of information, they should not use GenAI.

Examples of information that should not be entered into public GenAI tools include personal identifiers (e.g., names, addresses, NI numbers), sensitive case details, unpublished reports or draft policies, social care records, safeguarding reports, internal audit findings, and legal case notes.

5.8. Ethical Use

GenAI must be used ethically and in compliance with all applicable legislation, regulations and Council’s policies. Users must not use GenAI to generate content that is discriminatory, offensive, or inappropriate. If there are any doubts about the appropriateness of using GenAI in a particular situation, users should consult with their line managers.

5.9. Disclosure & Human Oversight

Users must ensure that significant decisions assisted by GenAI are explainable and documented. Where GenAI is used to support decision making that affects individuals or communities, a clear rationale for the use and interpretation of GenAI outputs must be recorded. All outputs must be subject to human review before application.

In accordance with Article 22 of the UK GDPR, individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects.