Researchers using AI tools in the UK must understand how existing laws apply to both the input and output of AI tools, particularly around copyright and data protection when using generative AI. As regulations evolve, it's crucial to stay informed. For complex cases, consult your legal or data protection officer early in the process. And when in doubt, err on the side of caution: transparency, documentation, and consent go a long way. Copyright and Intellectual Property The Copyright, Designs and Patents Act 1988 (CDPA) protects original works (e.g. text, images, data, code). Using copyrighted material with AI can raise legal issues at several points:InputUsing someone else’s copyrighted content in a prompt may infringe copyright, especially if the material is substantial or confidential.Don’t input text or data you don’t have permission to use.Avoid using AI tools that retain or reuse inputted data without consent.Always vet your sources and dataset licences.OutputWho owns AI-generated content depends on the tool’s terms of use and the relevant legal framework. You may not own the output—or it may reproduce protected third-party content.Always check the tool’s terms.If AI-generated text copies part of a third-party work, it may infringe copyright.Be cautious when publishing or sharing outputs without review. Data Protection and Privacy (UK GDPR) If your AI use involves personal data, it must comply with the UK General Data Protection Regulation (UK GDPR).SecurityMost commercial AI tools store inputted data, violating GDPR’s data security principle.Do not input personal, sensitive, or identifiable data into AI tools that store or reuse it.Check your institution’s policies on AI use and data handling.Data TransfersMany AI tools are hosted outside the UK. Exporting personal data to these services without legal safeguards breaches GDPR rules.You must use a legal basis (e.g. consent or contractual clauses) to transfer personal data internationally.Many AI providers won’t enter into such agreements, making their use non-compliant.Below we’ve gathered a list of relevant AI regulations at international, UK, and university levels. Please always check for the latest version.International regulationsUNESCO’s non-binding recommendations on the ethics of artificial intelligenceEuropean Commission’s Living guidelines on the responsible use of generative AI in researchUK regulations UK's AI Regulation bill statusToolkit for assess risk when developing and using AI - ICOUniversity regulations Most university regulations target AI use in education and learning. For instance, the University of Edinburgh specifies that generative Artificial Intelligence stores and learns from data inputted, however AI systems are required by data protection law to process personal data fairly and lawfully. It is not currently always possible to delete data from an LLM neural net. Therefore these systems may not be complaint with relevant law like the UK GDPR and the Data Protection Act. To ensure the privacy of individuals, personal and sensitive data should not be entered into generative AI tools. Any data entered should not be personally identifiable and would be considered released to the internet. AI guidance and policies in other UK institutions (non-exhaustive) University College London, Generative AI HubUniversity of Manchester, AI (Artificial Intelligence) GuidelinesThe University of Sheffield, Principles for Generative AI in learning and teachingQueens University Belfast, DigiHubThe University of Birmingham, Generative Artificial Intelligence and its role within teaching, learning and assessmentUniversity of Oxford, Use of generative AI tools to support learningLondon School of Economics, Guidance on the use of Generative AI for research This article was published on 2025-06-27
