Does an IT acceptable use policy count as an AI policy?

No. An IT acceptable use policy that mentions AI is not a Privacy Management Program and does not satisfy provincial requirements. The AI policy must document how personal information is handled across the organization, demonstrate leadership accountability, include staff training, and specify breach response — obligations an IT policy does not meet.

Municipal AI — Canada-wide

What a municipal AI policy
actually has to contain.

A compliant municipal AI acceptable use policy covers seven things: purpose and scope, sanctioned and prohibited uses, data handling grounded in provincial privacy law, breach reporting, assigned accountability, mandatory training, and plain-language framing for council adoption. It must govern how personal information is handled — not just which tools are allowed.

Request the Full Framework Start With an Assessment

Before you copy a template

A template is a structure, not a policy.

A downloadable template can show you the shape of a policy, but adopting one unedited is risky: it won't reflect your province's legislation, your tools, or your council's expectations, and it can create a false sense of compliance. Worse, an existing IT acceptable use policy that mentions AI is not a Privacy Management Program and does not satisfy provincial requirements.

The framework below is what a real municipal AI policy must contain. Use it to judge any template you're handed — and to scope the policy your municipality actually needs.

The framework

Seven parts of a compliant municipal AI policy

Each part is written to your province's privacy law — ATIA/POPA in Alberta, FOIPPA in BC, MFIPPA in Ontario, FIPPA in Manitoba, LAFOIP in Saskatchewan — and in language council can adopt.

Purpose and scope

Why the policy exists, who it applies to — all staff, contractors, and council — and which systems and data it governs.

Sanctioned and prohibited uses

The AI tools staff may use and for what, and the uses that are prohibited — above all, entering personal or confidential information into public AI tools.

Data handling rules

How personal information may and may not be used with AI, consistent with your provincial privacy legislation and any data-residency requirement (for example, FOIPPA's Section 30.1 in BC).

Breach reporting

How staff identify and report a suspected privacy breach involving AI, and who is accountable for the response.

Assigned accountability

The role responsible for the policy, for approving tools, and for ongoing oversight — the leadership accountability a Privacy Management Program requires.

Mandatory training

Staff training as a condition of AI use, covering safe handling of citizen data and effective use of sanctioned tools.

Council-ready framing

Plain language a non-technical council can review, approve, and direct administration to implement — not a technical document.

From framework to adopted policy

How SMC drafts it for your municipality.

Spencer Morley Consulting drafts your AI acceptable use policy from the ground up — grounded in your province's legislation, written for council adoption, and plain enough for a CAO carrying multiple files to implement. Where a readiness assessment hasn't been done yet, that's the recommended first step, so the policy reflects your actual exposure rather than a generic risk profile.

The same framework is what you can submit to a public municipal AI policy registry once adopted, contributing to — and being found in — the shared body of Canadian municipal AI policy.

Common questions

Municipal AI policy questions

What must a municipal AI policy contain?

Seven things: purpose and scope; sanctioned and prohibited uses; data handling rules grounded in provincial privacy law; breach reporting; assigned accountability; mandatory staff training; and plain-language framing for council adoption. It must address how personal information is handled, not just which tools are allowed.

Does an IT acceptable use policy count?

No. An IT acceptable use policy that mentions AI is not a Privacy Management Program and does not satisfy provincial requirements. The AI policy must document how personal information is handled, demonstrate leadership accountability, include staff training, and specify breach response.

Is a downloadable template enough on its own?

A template is a starting structure, not a finished policy. A generic template won't reflect your province's legislation, your tools, or your council's expectations, and adopting one unedited can create a false sense of compliance. The structure here shows what a real policy must contain; SMC drafts it to your jurisdiction.

Which provincial law does it need to reflect?

It depends on your province: ATIA and POPA in Alberta, FOIPPA in British Columbia, MFIPPA in Ontario, FIPPA in Manitoba, and LAFOIP in Saskatchewan. Each sets different obligations and oversight bodies, so the data-handling and breach-reporting sections must be written to your jurisdiction.

How long does it take to get a policy in place?

A focused engagement can produce a council-ready policy in weeks, not months. The timeline depends on your current state and council schedule.

Municipalities across Canada

Get a policy your council
can actually adopt.

Tell us your province and where you stand. We'll scope an AI acceptable use policy built for your legislation and your team.

Request the Full Framework

What a municipal AI policyactually has to contain.