# AI Acceptable Use Policy for Philippine SMEs: What to Write and Why You Need One Now

Most Philippine organisations deploying AI tools in 2026 are doing so without a written policy governing how staff use them. This creates three specific risks: data privacy exposure (staff paste personal data into AI tools that log or train on inputs), compliance liability (AI-generated outputs contain errors that the organisation is responsible for), and reputational risk (AI tools used to generate external communications without review).

A written AI Acceptable Use Policy (AUP) is the first line of defence. It does not need to be long — a clear, practical policy that staff actually read and understand is more effective than a comprehensive document no one reads. Here is what it needs to cover.
## Why the NPC Cares

The National Privacy Commission's guidance on the Data Privacy Act (RA 10173) is clear: personal information controllers must implement appropriate organisational, physical, and technical security measures. When a staff member pastes a client's SSS number, medical record, or financial information into a public AI tool, that data leaves the organisation's controlled environment.

Under RA 10173, the organisation — not the individual staff member — is the personal information controller responsible for that data. If the AI provider uses inputs for model training, or if the data is exposed in a breach, the organisation bears the compliance liability.

The NPC has not yet issued AI-specific guidelines (as of June 2026), but the Data Privacy Act's principles of purpose limitation, data minimisation, and organisational security measures apply directly to AI tool usage.
## The Five Things Your AI AUP Must Cover

### 1. Approved Tools and Prohibited Tools

List which AI tools are approved for use and for what purposes. Be specific:

**Approved:**

- Microsoft Copilot (within Microsoft 365 tenant) — for drafting documents, summarising meetings, generating internal reports
- Google Gemini (within Google Workspace tenant) — for the same
- Ledgr's Aio Nica — for financial queries and accounting assistance within Ledgr

**Requires approval before use:**

- ChatGPT (OpenAI) — allowed for non-sensitive tasks only; requires IT approval for business use
- Claude.ai web interface — same
- Any AI tool that accepts image, document, or voice input from company devices

**Prohibited:**

- Any AI tool where company data (personal data, client data, financial data, proprietary business data) is submitted as input
- AI voice tools that record conversations without explicit consent from all participants

The distinction between tenant-managed tools (Microsoft Copilot within your M365 tenant) and public tools (ChatGPT web) is critical. Tenant-managed tools use your data under Microsoft's enterprise data processing agreement — data does not train Microsoft's models. Public tools may use inputs for training depending on their terms.
### 2. Data Classification and AI Input Restrictions

Align AI input restrictions with your data classification scheme:

| Data Classification | AI Tool Input Rules |
|---|---|
| Public | Any approved tool, no restriction |
| Internal | Tenant-managed tools only (M365 Copilot, Workspace Gemini) |
| Confidential (client data, financial records) | No AI tool input without prior approval |
| Highly Confidential (legal, M&A, executive) | No AI tool input — period |

This single table prevents the most common data exposure scenario: a staff member pasting a spreadsheet containing client personal data into ChatGPT to "clean up the format."
### 3. Output Verification Requirements

AI-generated outputs require human review before use. The policy must specify:

- All external communications (emails to clients, published content, official correspondence) generated with AI assistance must be reviewed and approved by a qualified human before sending
- Financial figures in AI-generated documents must be verified against source data
- Legal and regulatory claims in AI-generated documents must be reviewed by a qualified accountant, lawyer, or compliance officer
- AI-generated code must be reviewed by a developer before deployment to production

The rationale: under Philippine law, the organisation is responsible for the accuracy of its communications and documents, regardless of whether they were AI-generated. The AI tool is not the responsible party.
### 4. Prohibited Uses

State explicitly what AI tools must not be used for:

- Generating personal data about identifiable individuals without their consent
- Creating misleading or deceptive content
- Impersonating individuals or organisations
- Generating content that violates the Anti-Cybercrime Act (RA 10175) or other applicable Philippine law
- Making final decisions affecting individuals (hiring, credit, discipline) based solely on AI output without human review
- Processing personal data of minors without appropriate parental consent mechanisms
### 5. Incident Reporting

Staff must know what to do when an AI-related incident occurs:

- Accidentally submitted confidential or personal data to a prohibited AI tool → report to IT and the Data Protection Officer within 24 hours
- AI-generated output contained incorrect information that was distributed externally → report to manager immediately; preserve records
- Received suspicious AI-generated content (deepfake, impersonation) → report to IT security
## Microsoft Copilot and Google Gemini: Specific Governance Notes

### Microsoft 365 Copilot

Microsoft Copilot operates within your M365 tenant. It respects your existing access controls — Copilot can only access data that the user already has permission to access in SharePoint, OneDrive, and Exchange.

Key governance actions:

- Audit SharePoint permissions before enabling Copilot — overly permissive sharing means Copilot surfaces documents to users who technically have access but should not practically see them
- Enable Microsoft Purview sensitivity labels — documents classified as Confidential or Highly Confidential can be restricted from Copilot interaction
- Review Copilot usage logs via the M365 admin centre to identify anomalous access patterns

### Google Workspace Gemini

Google Workspace Gemini operates under Google's Workspace data processing terms — Workspace Customer Data is not used to train Google's AI models for Workspace Enterprise and Business plans.

Key governance actions:

- Confirm your Workspace plan tier — the data processing commitment applies to Business Standard, Business Plus, and Enterprise
- Enable Google Vault for Gemini interaction logging if required for compliance
- Configure Google Drive sharing policies before enabling Gemini — same oversharing risk as M365
## Policy Template Structure

A functional AI AUP for a Philippine SME needs:

- Purpose and scope — what the policy covers and who it applies to
- Approved tools list — with permitted use cases
- Data input restrictions — table by classification
- Output verification requirements — by document type
- Prohibited uses — explicit list
- Incident reporting procedure — who to contact and when
- Training requirement — all staff must complete AI awareness training before using AI tools for work
- Review schedule — policy reviewed every 6 months given how rapidly AI tool capabilities and terms change

The policy should be signed by the Data Protection Officer (or equivalent), approved by senior management, and acknowledged by all staff who will use AI tools.
## Common Gaps in Philippine SME AI Governance

**No distinction between approved and prohibited tools.** Staff assume any publicly available AI tool is usable for work.

**No guidance on AI-generated external communications.** Staff send AI-drafted emails to clients without review — accuracy, tone, and legal appropriateness are all at risk.

**No incident reporting mechanism.** When a staff member accidentally submits a client database to a public AI tool, they have no idea whether to report it, who to tell, or what the consequences are.

**Policy exists but staff were never trained on it.** A signed document in the HR folder does not constitute governance. Training is required.
For Philippine organisations building AI governance frameworks or deploying Microsoft 365 Copilot and Google Workspace Gemini, get in touch.