The Department for Work and Pensions has reversed a policy implemented last year that barred the use of the likes of ChatGPT on official business or via government-issued devices.
The department’s Acceptable Use Policy – which formally sets out responsibilities and limitations for anyone accessing DWP IT systems or data – was amended last year to, effectively, entirely prohibit the use of common large language models (LLMs), which can generate content to specifications. That update outlined that users “can use approved private AI applications that sit within DWP systems… [but] must not attempt to access public AI applications – such as ChatGPT – when undertaking DWP business, or on DWP-approved devices”.
At the time, it was understood that the decision to prohibit the use of popular and publicly available LLMs was informed by the department’s caution concerning the volume and sensitivity of personal data handled by the organisation – which manages payments to more than 20 million citizens.
In 2024, DWP indicated to CSW's sister title PublicTechnology that, despite the ban on ChatGPT, it was “actively exploring how we can use AI” and, at the time, was experimenting with a potential internal tool based on Microsoft Copilot.
The formal Acceptable Use guidance – which is applied to all “DWP employees, agents, service providers, contractors and consultants” – was updated again last week, and now takes a noticeably more permissive stance on the use of common AI tools, albeit with one notable exception.
The section that previously explicitly outlawed the use of ChatGPT and its counterparts now reads: “Where accessible, users can use AI tools on DWP devices for official business, in line with the DWP Artificial Intelligence Security Policy. Users must not attempt to access DeepSeek AI on DWP devices.”
The DeepSeek LLM was developed in China. The platform’s recent rise to prominence comes after government has, in recent years, placed strict limitations on the use of tech created by other Chinese companies – including Huawei, ZTE, and TikTok – in public sector settings.
The Australian government earlier this year banned the use of DeepSeek on all public devices. In recent weeks, departments across Whitehall have faced parliamentary questions about whether they would implement a similar decision.
In answer to these questions, various ministers have not commented directly on the possibility of such a ban, but have repeatedly stated that “the UK government only uses corporately assured generative AI tools to process HMG information”.
The DWP thus appears to be the first department to explicitly prohibit the use of DeepSeek by its employees and contractors, and on department-managed devices.
In response to enquiries from PublicTechnology, a spokesperson for the department said: “AI and innovation can help DWP improve its ability to respond at pace, provide customers with a more personalised and seamless journey and access support how and when they choose. We are carefully accelerating its use, including by restricting some capabilities to ensure safe use.”
‘Business requirements’
As referenced in the update to the wider acceptable use document, the DWP earlier this year created a dedicated artificial intelligence security policy to complement its other user guides.
The AI-specific document advises users that “approved AI tools and online AI tools that can be accessed on DWP devices may be used where there is a business requirement to do so”.
Alongside this broad permission are a number of conditions and stipulations, and DWP staff and contractors are advised that they “must ensure that approval has been granted by the relevant governance board” for AI uses that require the processing of any sensitive or personal data, or use “non-public DWP code – for example, code relating to DWP systems which has not been cleared for the public domain”.
The policy – which reiterates the specific ban on DeepSeek – warns that anyone in scope of the guidance that does not comply with its requirements could face harsh consequences.
“Failure to report a security incident, potential or otherwise, could result in disciplinary action and, in the most severe circumstances, result in dismissal,” it says.
“A security incident is the attempted or actual unauthorised access, use, disclosure, modification, loss or destruction of a DWP asset – or a supplier asset that provides a service to the authority – in violation of security policy. The circumstances may include actions that were actual, suspected, accidental, deliberate, or attempted. Security incidents must be reported as soon as possible.”
Despite these potential repercussions, the guidelines state that “DWP promotes and advocates the use of artificial intelligence in a measured and controlled manner”.
“AI tools can enhance services by automating routine tasks, enhancing data analysis, speeding up information retrieval and aid creativity”, the document adds. “This policy has been created using a risk-based approach to ensure that the policy statements align with the organisational risk appetite.”