AI Policy Template for Not-for-Profits: A Plain-English Starting Point

Does your NFP actually need an AI policy?

An AI Use Policy tells your staff three things: what AI tools they're allowed to use, what data they can put into those tools, and how to handle AI-generated outputs responsibly.

That's it. It doesn't need to be a lengthy legal document. For most Australian NFPs, one to two pages is sufficient.

The purpose of this article is to give you a starting-point template you can adapt for your organisation. This template is designed to be practical and readable - not to impress a compliance auditor, but to actually guide staff behaviour.

What should you check before adapting this template?

A few things to confirm before you finalise your policy:

• Identify which AI tools are currently in use across your organisation - both formally approved and informal personal use
• Confirm which version of each tool is being used (e.g. ChatGPT Free vs. Teams vs. Enterprise)
• Check with your IT support or Microsoft admin whether Copilot is already included in your Microsoft 365 licence
• Consider whether your major funders have any requirements or preferences regarding AI use
• Confirm that your board or appropriate governance body approves the final policy

What Does a Good AI Policy Actually Achieve for an NFP?

A well-written AI Use Policy does three things that generic compliance documents rarely do. First, it gives staff confidence - when people know what is allowed, they use AI more effectively and stop avoiding it out of caution. Second, it protects the organisation - a documented policy is evidence of reasonable steps taken if a privacy issue ever arises. Third, it builds funder and stakeholder trust - increasingly, major funders are asking how organisations govern AI use before approving grants, and a clear policy answers that question in one document.

What Australian NFPs Are Getting Wrong About AI Policies

The most common mistake is either doing nothing - waiting until something goes wrong - or downloading a generic enterprise template that staff will never read. Enterprise AI policies run to dozens of pages and cover scenarios that a 10-person NFP will never encounter. The template below is designed to be read in five minutes and understood by a program coordinator, not a legal team. That is the point. A policy your staff actually follow is worth more than a comprehensive document sitting in a shared drive nobody opens.

How This Template Differs From Generic AI Policy Templates

Most AI policy templates available online were written for corporate environments with IT departments, legal teams, and dedicated compliance staff. This template is written specifically for Australian not-for-profits - the tool recommendations reflect the Microsoft 365 and Google Workspace environments most NFPs already use, the data privacy rules reference the Australian Privacy Act rather than GDPR, and the oversight requirements are designed for small teams without a dedicated compliance function. It assumes you have limited time, limited budget, and a board that needs to approve something practical.

AI Use Policy Template - Your Organisation Name

Version: 1.0
Approved by: Board of Directors
Date: Month Year
Review date: 12 months from the date of approval

Purpose

This policy describes how Your Organisation Name uses artificial intelligence (AI) tools, and the standards we apply to protect our data, maintain our integrity, and uphold our responsibilities to the people we serve.

Principles

We approach AI use with these principles:

• Assistive only - AI supports our people; humans make decisions
• Privacy first - beneficiary, client, and community data is protected at all times
• Human oversight - any AI-assisted output shared externally is reviewed by a human
• Transparency - we are honest about how we use AI when asked

Approved Tools

The following AI tools are approved for use by staff and volunteers:

• Microsoft Copilot - for tasks using internal documents, email, and Teams (organisational account only)
• ChatGPT Teams - for individual drafting and research tasks (organisational account only)
• Add or remove tools to reflect your organisation's approved software

All AI tools must be used through an organisational account, not a personal account.

Data Privacy Rules

The following data must NEVER be entered into any AI tool without specific approval from your CEO or designated AI governance lead:

• Names, contact details, or identifying information of beneficiaries or clients
• Confidential funder information or financial data
• Personnel information
• Legally privileged or confidential documents

The following data may be used in approved AI tools:

• Internal draft documents and working notes
• Public information and research
• Non-sensitive administrative content
• Anonymised data and information

Human Oversight

Staff using AI tools are responsible for:

• Reviewing all AI-generated content for accuracy before use
• Not sending AI-generated content to external parties without human review and approval
• Being accountable for the content they send - the fact that AI drafted it does not reduce individual responsibility

Reporting

If you become aware of AI being used in a way that may breach this policy or create a privacy risk, report it to your CEO or designated AI governance lead immediately.

Review

This policy will be reviewed annually, or sooner if there are significant changes to AI technology or our organisation's AI use.

What sections of the template should you customise?

The sections that require your attention:

• Approved tools - replace the example tools with the tools your organisation actually uses or plans to use
• Data privacy rules - the examples given are common; review against your specific data categories and funder obligations
• Relevant role - fill in who is responsible for oversight and reporting
• Review process - decide who reviews the policy and how often

If you're unsure about any of these elements, this is the part where an AI governance consultant can add real value.

What should you do after the policy is approved?

A policy on its own isn't governance. Once approved:

1. Communicate it to all staff and volunteers - don't just upload it to SharePoint
2. Brief your management team on what it means in practice
3. Check that only approved tools and accounts are in use
4. Set a calendar reminder for your review date
5. Consider a brief training session - 30 minutes on what the policy means for daily work

Free Me Up AI can help you with the communication and training component if needed. Our AI automation for not-for-profits service includes policy development and staff training as standard.