A one-page staff AI-use policy for Singapore charities
The biggest real-world AI risk in most organisations isn't the vendor — it's staff quietly using free consumer AI tools because the organisation gave them nothing official and no rules. (We explain why in Should your charity build its own AI?.) The fix costs one page and one afternoon: a sanctioned tool, and a policy everyone can actually remember.
Below is that page. Print it, replace the bracketed parts with your organisation's details, walk it past your DPO and leadership, and brief the team. It's written to sit alongside the PDPA obligations you already have — see our plain-English PDPA & AI guide for the background.
Staff AI-Use Policy
Why this policy exists. AI tools can save us real time — and used carelessly, they can expose the people we serve. This policy makes the safe path the easy path. It applies to all staff and volunteers, on work and personal devices, whenever the work involves [organisation name]'s information.
- Use the approved tools, signed in with your work account. Our approved AI tools are: [e.g. Claude for Work / ChatGPT Business — org account]. These run under business terms: our data is not used for model training by default. If a tool isn't on this list, ask before using it for work.
- Give the AI the minimum it needs. Draft the letter without the NRIC. Summarise the report without names where names aren't needed. Every detail you leave out is a risk that no longer exists.
- A human checks every output. AI drafts; you decide. Anything that goes to a client, a funder, a court, or the public is your work once you send it — review it as if you wrote it.
- Be transparent about use. If AI meaningfully helped produce a piece of work, your supervisor should be able to find that out by asking. No hiding, no shame — that's how we learn what works.
- Mistakes: report fast, no blame. If personal data goes into the wrong tool, tell [DPO name / role] the same day. Under the PDPA, notifiable breaches run on a three-day clock — speed protects everyone, and reporting will never be punished.
- Questions go to a person, not a guess. Unsure whether something counts as personal data, or whether a use is okay? Ask [DPO / designated owner] first.
How to roll it out (one afternoon)
- Fill in the blanks — organisation name, approved tools, DPO. If you have no organisation AI account yet, that's the first gap to close: the policy only works when there's a sanctioned option to point to.
- Get it approved — DPO review, then leadership or board sign-off. It's one page; don't let it become a committee project.
- Brief the team in 15 minutes — the one rule in the red box is the whole briefing. Everything else is detail people can read.
- Put the review date in the calendar — vendor terms and tools change; a six-monthly glance keeps the policy honest.
Want a second pair of eyes on your AI setup?
We'll give you an honest read on your tools, your policy, and whether your workflows need anything more than a subscription — including "you're fine, change nothing." No obligation, no jargon.
[email protected]