Media Statements
Enhancing AI Security and Data Security PCPD, Hong Kong, and PDPB, Macao, Together with Seven Privacy Protection Authorities in the Asia-Pacific Region, Release “Guide to Getting Started with Anonymisation”
Date: 31 July 2025
Enhancing AI Security and Data Security
Enhancing AI Security and Data Security
Office of the Privacy Commissioner for Personal Data, Hong Kong, and
Personal Data Protection Bureau, Macao, Together with
Seven Privacy Protection Authorities in the Asia-Pacific Region,
Release “Guide to Getting Started with Anonymisation”
The Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) and the Personal Data Protection Bureau, Macao (PDPB), together with seven privacy or data protection authorities from Australia (Victoria), Canada (Federal and British Columbia), Japan, Korea, New Zealand and Singapore, unanimously approved the release of the “Guide to Getting Started with Anonymisation” (Anonymisation Guide) at the 63rd Asia Pacific Privacy Authorities (APPA) Forum held recently.
Anonymisation generally refers to the process of converting personal data into data that can no longer be used to identify an individual. In June 2024, the PCPD published the “Artificial Intelligence: Model Personal Data Protection Framework” to provide practical recommendations and best practices to assist organisations in procuring, implementing and using artificial intelligence (AI), including generative AI, in compliance with the relevant requirements of the Personal Data (Privacy) Ordinance. One of the recommendations is that organisations should anonymise personal data before feeding them into AI models, where appropriate. The Anonymisation Guide introduces basic anonymisation concepts and outlines the recommended steps for organisations to follow when anonymising data. It also provides a case study to illustrate how organisations can apply these anonymisation steps in practice. These recommended steps include: -
Hong Kong’s Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, said, “As more and more organisations in Hong Kong and Macao begin to incorporate AI into their daily operations, anonymising personal data when using and/or sharing data not only enhances AI security and data security, but also preserves data utility. Therefore, the PCPD and the PDPB joined forces, together with other privacy or data protection authorities from seven jurisdictions, to develop the “Guide to Getting Started with Anonymisation”, with a view to offering practicable introductory guidance for organisations in Hong Kong and Macao seeking to anonymise personal data. For ease of reference, my Office and the PDPB have proactively translated the Anonymisation Guide into Chinese, with a view to helping readers better understand its contents.”
Director of the Macao PDPB, Mr Ken YANG Chongwei, said, “Personal data anonymisation measures help reduce the risk of data breaches to a certain extent and serve as a proactive approach to safeguard personal data security in the application of new technologies. The participation of the PDPB in the drafting and joint translation of the Anonymisation Guide demonstrates its commitment to international collaboration as the Chair of the Communications Working Group of APPA. It also showcases the deepened collaboration between the PCPD and the PDPB following the signing of the Memorandum of Understanding between the two authorities. We look forward to continuing in strengthening the co-operation between Hong Kong and Macao in the area of personal data privacy, and promoting personal data privacy protection in the Guangdong-Hong Kong-Macao Greater Bay Area.”
The “Guide to Getting Started with Anonymisation” can be downloaded here. (The Portuguese translation will be available at the PDPB’s website in due course.)
About the Personal Data Protection Bureau, Macao (PDPB)
The PDPB is set up in accordance with Administration Regulation No. 42/2023 on the Organization and Operation of Personal Data Protection Bureau. Being one of the public departments of the Macao Special Administrative Region (MSAR), it is the public authority responsible for implementing the legal obligations set out in the Personal Data Protection Act (PDPA; Law No. 8/2005). It has the legal competence to supervise and coordinate the compliance with and implementation of the laws on personal data protection. It operates under the authority of the MSAR Chief Executive. For more information, please visit https://www.dspdp.gov.mo/en/index.html.
About the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD)
The PCPD is a statutory body set up to oversee the implementation of and compliance with the requirements of the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (PDPO). The PCPD strives to ensure the protection of the privacy of individuals in relation to personal data through monitoring and supervising compliance with the PDPO, enforcing its provisions and promoting the culture of protecting and respecting personal data. For more information, please visit PCPD.org.hk.
For media queries, please contact:
Anonymisation generally refers to the process of converting personal data into data that can no longer be used to identify an individual. In June 2024, the PCPD published the “Artificial Intelligence: Model Personal Data Protection Framework” to provide practical recommendations and best practices to assist organisations in procuring, implementing and using artificial intelligence (AI), including generative AI, in compliance with the relevant requirements of the Personal Data (Privacy) Ordinance. One of the recommendations is that organisations should anonymise personal data before feeding them into AI models, where appropriate. The Anonymisation Guide introduces basic anonymisation concepts and outlines the recommended steps for organisations to follow when anonymising data. It also provides a case study to illustrate how organisations can apply these anonymisation steps in practice. These recommended steps include: -
-
Step one (Know Your Data): Before carrying out the anonymisation process, organisations must identify the nature of the data in question, including:
- Direct identifiers: Data that can be used to directly identify an individual, such as name and Identity Card number;
- Indirect identifiers: The data itself may not be unique, but it may be used to identify an individual when combined with other data, such as date of birth and gender.
- Step two (Remove direct identifiers): Remove direct identifiers from the dataset.
- Step three (Apply anonymisation techniques): Apply anonymisation techniques to indirect identifiers to prevent others from identifying an individual by combining the indirect identifiers with other data.
- Step four (Assess re-identification risks): Assess whether any risk of identifying an individual remains in the anonymised data, and determine whether the anonymisation is sufficient based on the assessment results. If the relevant requirements are not met, repeat the above steps.
- Step five (Manage re-identification risks): Address any residual risk following the application of anonymisation techniques by implementing corresponding risk mitigation measures, such as restricting the use of the data for intended purposes and access by intended personnel.
Hong Kong’s Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, said, “As more and more organisations in Hong Kong and Macao begin to incorporate AI into their daily operations, anonymising personal data when using and/or sharing data not only enhances AI security and data security, but also preserves data utility. Therefore, the PCPD and the PDPB joined forces, together with other privacy or data protection authorities from seven jurisdictions, to develop the “Guide to Getting Started with Anonymisation”, with a view to offering practicable introductory guidance for organisations in Hong Kong and Macao seeking to anonymise personal data. For ease of reference, my Office and the PDPB have proactively translated the Anonymisation Guide into Chinese, with a view to helping readers better understand its contents.”
Director of the Macao PDPB, Mr Ken YANG Chongwei, said, “Personal data anonymisation measures help reduce the risk of data breaches to a certain extent and serve as a proactive approach to safeguard personal data security in the application of new technologies. The participation of the PDPB in the drafting and joint translation of the Anonymisation Guide demonstrates its commitment to international collaboration as the Chair of the Communications Working Group of APPA. It also showcases the deepened collaboration between the PCPD and the PDPB following the signing of the Memorandum of Understanding between the two authorities. We look forward to continuing in strengthening the co-operation between Hong Kong and Macao in the area of personal data privacy, and promoting personal data privacy protection in the Guangdong-Hong Kong-Macao Greater Bay Area.”
The “Guide to Getting Started with Anonymisation” can be downloaded here. (The Portuguese translation will be available at the PDPB’s website in due course.)
The PCPD and the PDPB, together with seven privacy or data protection authorities in the Asia-Pacific Region, released the “Guide to Getting Started with Anonymisation”.
(Photo 1)
(Photo 2)
Hong Kong’s Privacy Commissioner, Ms Ada CHUNG Lai-ling (Photo 1) and the Director of the Macao PDPB, Mr Ken YANG Chongwei (Photo 2), presented the “Guide to Getting Started with Anonymisation”.
Hong Kong’s Privacy Commissioner, Ms Ada CHUNG Lai-ling (Photo 1) and the Director of the Macao PDPB, Mr Ken YANG Chongwei (Photo 2), presented the “Guide to Getting Started with Anonymisation”.
The five recommended steps for data anonymisation outlined in the “Guide to Getting Started with Anonymisation”.
| JOINTLY ISSUED BY THE OFFICE OF THE PRIVACY COMMISSIONER FOR PERSONAL DATA, HONG KONG AND THE PERSONAL DATA PROTECTION BUREAU, MACAO |
About the Personal Data Protection Bureau, Macao (PDPB)
The PDPB is set up in accordance with Administration Regulation No. 42/2023 on the Organization and Operation of Personal Data Protection Bureau. Being one of the public departments of the Macao Special Administrative Region (MSAR), it is the public authority responsible for implementing the legal obligations set out in the Personal Data Protection Act (PDPA; Law No. 8/2005). It has the legal competence to supervise and coordinate the compliance with and implementation of the laws on personal data protection. It operates under the authority of the MSAR Chief Executive. For more information, please visit https://www.dspdp.gov.mo/en/index.html.
About the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD)
The PCPD is a statutory body set up to oversee the implementation of and compliance with the requirements of the Personal Data (Privacy) Ordinance (Chapter 486 of the Laws of Hong Kong) (PDPO). The PCPD strives to ensure the protection of the privacy of individuals in relation to personal data through monitoring and supervising compliance with the PDPO, enforcing its provisions and promoting the culture of protecting and respecting personal data. For more information, please visit PCPD.org.hk.
-End-
For media queries, please contact:
|
Office of the Privacy Commissioner for Personal Data, Hong Kong Mr Eric Lam Press Secretary, Corporate Communications Division Tel: (852) 3423 6663 Email: media@pcpd.org.hk |
Personal Data Protection Bureau, Macao Ms Siu Chung Meng Press and Public Relations Officer Tel: (853) 6299 6232 Email: media@dspdp.gov.mo |