A new draft policy on the use of artificial intelligence (AI) tools in council services will go before West Lothian Council’s Executive in January, placing human oversight and transparency at the centre of how the authority intends to adopt machine learning, natural language processing and generative AI across its operations. The paper—described by the council’s IT services manager as “a proactive step” to realise efficiency gains while staying within legal and regulatory bounds—explicitly flags human review, disclosure of AI use, and the preference to operate AI within the council’s existing Microsoft 365 tenancy as primary safeguards.
Background / Overview
Across Britain and Europe, local authorities have moved swiftly from exploratory pilots to formal governance documents for AI. The West Lothian draft policy follows a familiar arc: after pilot work and cross-council reviews, a consolidated “AI playbook” is drafted, balancing the promise of productivity with statutory obligations — especially around data protection, freedom-of-information rules and equality duties. The council’s papers say the policy is the product of roughly a year of work and draws on other councils’ experience as AI tools become mainstream in public services. The headline commitments in West Lothian’s draft are straightforward and align with common municipal practice:
- Treat AI outputs as drafts requiring named human verification before being used for decisions or public-facing material.
- Disclose where AI systems materially support processes or decisions.
- Define acceptable technologies and set boundaries for what data can be included in prompts.
- Prefer an enterprise-bound AI option integrated with the council’s Microsoft 365 tenancy rather than relying on consumer-grade public chatbots.
What West Lothian’s draft policy actually says
Scope and headline principles
The draft sets out a broad scope covering types of AI from classical machine-learning models to generative AI systems such as ChatGPT and Microsoft Copilot. It states that human oversight is essential, requiring staff to check AI outputs for bias, discrimination and factual accuracy, and obliges disclosure when AI materially contributes to decisions. The policy also makes users responsible for ensuring AI-generated content is not discriminatory, offensive or otherwise inappropriate.
Why Microsoft?
A recurring practical point in the council papers is the choice of an enterprise Microsoft option. Councillors questioned vendor selection, and the council’s IT manager explained the Microsoft path was chosen because it integrates with the existing Microsoft 365 tenancy—allowing councils to keep prompts and contextual data within the tenant’s administrative boundary rather than sending information out to third-party consumer endpoints. That tenancy-bound posture is presented as a technical control to reduce exposure while governance and procurement safeguards are finalised.
Transparency and disclosure
The draft requires the council to publish information about where AI is used, the types of data processed and the decision-making processes that AI supports. It explicitly references the need to be able to explain, in plain language, how AI is used in operations and which stakeholders may be affected. This emphasis mirrors growing public-sector expectations of a “social licence” for automated assistance: transparency reduces the perception of a black box and makes remediation paths clearer for residents.
How this fits with municipal best practice — what the documents say
Local-government playbooks and recent municipal policies converge on a number of concrete controls that West Lothian’s draft echoes, and where it diverges the differences are instructive.
Key elements municipal playbooks recommend include:
- A tiered “whitelist” of approved tools (enterprise Copilot-style assistants first, consumer chatbots explicitly restricted).
- Mandatory role-based training for anyone granted AI access, with licence issuance conditional on training completion.
- Technical verification: tenant audits, Purview/DLP checks, and red-team configuration reviews to ensure administrative settings actually enforce the intended protections.
- Procurement clauses that demand non-training guarantees, deletion rights, audit access and breach notification timelines; marketing claims are not a substitute for contract language.
Why the Microsoft tenancy approach matters — and its caveats
The West Lothian draft explicitly chooses a Microsoft-integrated option because it can be bound to the council’s Microsoft 365 tenancy. That has two practical benefits:
- It allows the council to use enterprise governance features — data loss prevention (DLP), Purview retention, tenant logging and role-based access — to limit what is sent to AI services and to keep telemetry and logs inside the organisation’s control plane.
- Microsoft’s documentation and public statements say that Copilot for Microsoft 365 does not use customer data to train its foundation models (for tenants that are not opted-in to training). That contractual/technical stance is a major selling point for councils worried about prompts being incorporated into a vendor’s broader training pipelines.
The caveats:
- Enterprise defaults are not automatically safe. Tenant-level protections must be correctly configured and periodically audited; misconfiguration is a common failure mode.
- Vendor marketing or public claims do not replace signed contractual commitments such as Data Processing Addenda (DPAs) and non-training clauses that survive renewals and product evolution. Municipal procurement teams must insist on enforceable terms.
- Even “tenant-contained” AI still generates prompt and response pairs that may be logged within a tenant and become subject to Freedom of Information (FOI) or records requests unless retention and redaction policies are clear. Councils must decide what AI interaction logs are retained, how they’re redacted and how they’ll be disclosed when asked.
Strengths and immediate opportunities for West Lothian
- Measured, risk-aware stance: The draft’s emphasis on human-in-the-loop, disclosure and tenancy-bound adoption balances operational needs with legal and ethical responsibilities. That tiered approach captures productivity gains without locking the council into hazardous open-consumer use.
- Reuse of existing infrastructure: Leveraging Microsoft 365 tenancy reduces integration friction and allows the council to use existing identity, administration and DLP investments rather than performing a wholesale new-vendor onboarding. This reduces rollout time and complexity for low-risk pilots such as meeting summaries, template drafting and accessibility improvements.
- Alignment with Scottish transparency efforts: By committing to disclosure and referencing other Scottish public-sector initiatives (for example, the Scottish AI Register and regional council policies), West Lothian positions itself within an emerging ecosystem of accountability rather than as an outlier.
Risks, blind spots and what to watch for
West Lothian’s draft reduces many risks but does not eliminate them. Key issues to address before the Executive signs off:
- Tenant misconfiguration and operational drift: Administrative settings can be changed, subscriptions upgraded, or connectors introduced that change the data flows — all without wider council awareness. A one-time policy without a sustained verification cadence risks silent exposure. Councils that have failed to operationalise their policies often did so because they treated the policy as a paper exercise rather than an ongoing program.
- Shadow AI behaviour: Banning consumer AI only for official devices is necessary but insufficient. Staff under time pressure will often turn to personal devices or accounts for convenience. Preventing “shadow AI” requires network and endpoint DLP controls, user-friendly sanctioned tools and rapid IT support when staff need AI capabilities.
- Records, FOI and discovery: Prompt-response pairs and AI-generated drafts may be discoverable under FOI or subject access regimes. Without explicit retention policies and redaction rules, councils risk unintentional disclosures or complex retrieval obligations. The draft must say how long AI outputs and prompts are retained, how they are redacted, and which records classes they fall under.
- Hallucinations and decision-making risk: Generative models can produce plausible-sounding but incorrect information. The council must identify use cases where the cost of an incorrect output is unacceptable (for example, social care assessments, enforcement letters) and exclude those from automated assistance unless robust human-review and DPIA processes are in place.
- Procurement and vendor lock-in: The draft should require enforceable legal language — non-training clauses, deletion and audit rights, data residency options — not only vendor assurances. Contracts should include exit plans and exportable data formats to prevent long-term lock-in.
Practical operational checklist (what West Lothian should require before full rollout)
- Conduct a tenant configuration and Purview/DLP audit within 30 days and publish findings to the Executive. Verify EDP Shield, DLP rules, telemetry settings and connector permissions.
- Make AI access conditional on mandatory role-based training (90-minute modules for standard users; extended training for high-risk roles), and require an attestation before licence issuance.
- Insert procurement addenda with explicit non-training language, deletion/exit rights, audit access and breach notification timelines; require vendors to declare telemetry and subprocessors. Do not rely on vendor FAQs.
- Create an AI governance committee (IT/security, legal/records, communications and service leads) and designate departmental AI stewards to approve exceptions and oversee DPIAs for higher-risk uses.
- Define data-classification rules for prompts: list what must never be included (PII, health data, case details), what can be redacted and how synthetic/de-identified test data should be used.
- Instrument prompt and output logging with retention rules and redaction workflows and publish a one-page plain-English notice for residents explaining where AI is used and how they can request human review.
- Schedule third-party red-team/technical reviews and a legal audit of standard supplier contracts within the first 90 days of deployment.
Legal, records and FOI considerations
AI-generated content and the prompts that produced it may become part of the official documentary trail. That raises three legal points West Lothian must address explicitly in policy and process:
- Retention classification: Are prompt logs and AI outputs “records” under the council’s retention schedule? The policy should map AI artifacts to existing records classes and retention timelines, with redaction and export guidance for FOI responses.
- Accountability and decision provenance: When AI materially informs a decision, the policy should require the human reviewer to document what the AI did, who reviewed it, and what changes were made, and to publish a short assurance statement where decisions affect residents’ rights. This is vital to preserve legal defensibility and to comply with public-law standards of rationality and fairness.
- Data protection: DPIAs should be mandatory for high-risk AI applications, and procurement must require vendors to support deletion, audit rights and data locality requirements where legally necessary. Treat vendor marketing statements as starting points for negotiation, not as guarantees.
Cultural, workforce and inclusion implications
AI is not just a technical project — it is an organisational change program. West Lothian must plan for:
- Workforce reskilling and realistic expectations about what AI can and cannot do.
- Accessibility and digital-inclusion safeguards so that residents who cannot use AI-mediated interfaces still get equivalent service.
- Clear internal guidance on acceptable uses, examples of “do not enter” prompts, and an exceptions route for legitimate business cases that require higher privileges.
Verifying vendor claims — the Microsoft case
West Lothian’s choice of a Microsoft-integrated option offers practical advantages, but vendor claims must be contractually verified. Microsoft’s documentation states that prompts, responses and customer data accessed via Microsoft Graph are not used to train foundation models for Microsoft 365 Copilot, and that tenant interactions are stored under tenant-managed controls (e.g., Exchange Online retention) with configurable Purview policies. Independent reporting and fact-checking have repeatedly corroborated Microsoft’s public position — though they underline the need for councils to validate these claims in procurement documents rather than trusting marketing alone.
Practical implication: West Lothian should require contractual assurances that echo Microsoft’s published commitments (and specify remedies if the vendor changes policy or service architecture), and ensure the contract contains robust Data Processing Addenda and audit rights.
Recommended next steps for the Executive and officers (concise)
- Approve the policy in principle subject to a set of preconditions: tenant audit, procurement addenda and mandatory training rollout.
- Task the governance group to publish a one-page resident notice and a one-page staff summary within 30 days of adoption.
- Make licence issuance dependent on training completion and stewardship sign-off.
- Commission an immediate third-party review of tenant configuration and supplier contract language; report back within 60–90 days.
Final assessment — a cautious but workable path
West Lothian’s draft policy is a measured, pragmatic document that adopts the sensible municipal default: enterprise-first, human-in-the-loop, contractually enforced. That stance preserves the possibility of real productivity gains (faster minutes, better accessibility, routine drafting) while limiting the most acute legal and privacy exposures that come from unfettered, consumer-tool usage.
Success will not be achieved by the policy’s text alone. The crucial test is operational: tenant configurations must be audited and locked down; procurement must deliver enforceable non-training and deletion clauses; staff must be trained and licensed; and logs and retention must be managed with FOI and records obligations explicitly in mind. Councils that treat AI governance as a continuous program — with scheduled reviews, public reporting and a small governance committee keeping a close watch — capture the benefits while limiting harms. West Lothian’s draft gives the Executive a defensible framework; turning it into a durable capability will require urgent, concrete follow-through in the technical, contractual and cultural dimensions.
Transparency note: public reporting and registers are becoming common; Scotland already operates an AI Register for public sector transparency and other Scottish councils are publishing formal AI policies and implementation notes. West Lothian’s draft sits clearly inside that national conversation — and if executed with technical rigor and clear contracts, it can deliver practical improvements to resident services without ceding accountability.
Conclusion: Approving an AI policy is only the first and essential step. The real work starts after the vote: audits, procurement rewrites, staff certification, and a routine of public reporting that turns policy into action and makes AI governance visible, auditable and revocable when needed.
If West Lothian can follow through on the operational checklist embedded in the draft and maintain a disciplined governance cadence, it will strike the difficult but necessary balance between innovation and stewardship in local government service delivery.
Source: Daily Record https://www.dailyrecord.co.uk/news/local-news/west-lothian-council-set-agree-36380892/