Generative Artificial Intelligence Policy - March 2026
6. Risks
6.1. Using GenAI carries risks and requires a thorough risk assessment. Consider impacts like legal compliance, bias, security protections, certifications, and data sovereignty and protection.
6.2. Legal compliance
Using public GenAI may result in data entering the public domain, potentially disclosing non-public information and violating regulatory requirements, customer or vendor contracts, or compromising intellectual property. Any release of private or personal information without the owner's permission could lead to breaches of relevant data protection laws. Additionally, using GenAI to generate content may infringe upon regulations protecting intellectual property rights. Users must ensure that their use of GenAI complies with all applicable laws and regulations, as well as the Council’s policies.
GenAI can potentially produce inaccurate results, and outputs should be thoroughly verified for accuracy. Incorrect GenAI outputs can have substantial political, legal, and financial consequences for the authority.
Examples include:
In 2021, a UK local authority faced legal challenges after relying on AI-generated data that incorrectly identified properties for council tax reassessment, leading to wrongful tax increases.
Another public sector organisation used AI to screen job applicants, which inadvertently introduced bias and led to discriminatory hiring practices.
6.3. Bias and discrimination
GenAI may make use of and generate biased, discriminatory or offensive content. Users should use GenAI responsibly and ethically, in compliance with council policies and applicable laws and regulations.
6.4. Security
Public GenAI may store sensitive data and information, which could be at risk of being breached or hacked. If a user has any doubt about the security of information input into GenAI, they should not use GenAI.
6.5. Data sovereignty and protection
Public GenAI platforms may be subject to data sovereignty laws, meaning information created or collected in a country remains under that country's jurisdiction. Conversely, information sourced from GenAI hosted abroad is subject to that country's laws.
6.6. Safeguarding
Use of GenAI in contexts involving children or vulnerable individuals must comply with safeguarding policies and the ICO Children’s Code.
6.7. Accessibility and Welsh Language
GenAI tools and outputs must comply with WCAG 2.1 accessibility standards and meet Welsh Language Standards where applicable.
