Date: 3 February 2026
Privacy Commissioner’s Office Reports on its Work in 2025 and
Intervenes in Three Data Security Incidents
The Office of the Privacy Commissioner for Personal Data (PCPD) reported on its work in 2025 and three incidents involving the security of personal data today.
(1) PCPD’s work in 2025
- Complaint Cases
In 2025, the PCPD received a total of 4,228 complaints, representing an increase of 23% when compared to 3,431 cases in 2024. About 90% of the complaint cases involved complaints against private organisations or individuals (3,838 cases), while the remaining 10% were against public organisations or government departments (390 cases). The proportions were broadly similar to those in 2024.
- Enquiries
The PCPD handled 17,691 public enquiries in 2025, representing a slight decrease of 2% from 18,125 enquiries in 2024. The PCPD received an average of around 1,500 public enquiries per month. Among the public enquiries received in 2025, 28% related to the collection and use of personal data (e.g. Hong Kong Identity Card (HKID card) numbers and/or copies). Other major categories of enquiries included the complaint handling policy of the PCPD (15%), access to and correction of personal data (6%), the handling of personal data in employment cases (5%) and the installation and use of CCTV (5%), etc.
In addition, the PCPD received 1,163 enquiries relating to suspected personal data frauds in 2025, which was comparable to 1,158 enquiries in 2024.
- Personal Data Breach Incidents
The PCPD received 246 data breach notifications in 2025, with 79 from the public sector and 167 from the private sector. The figure represented an increase of 21% from 203 data breach notifications in 2024. Among the 246 data breach notifications mentioned above, 92 were submitted by schools and non-profit-making organisations (accounting for 37% of all data breach incidents in 2025).
The data breach incidents involved hacking, loss of documents or portable devices, inadvertent disclosure of personal data by email, post or fax, employee misconduct and system misconfiguration, etc.
In 2025, there were 81 data breach incidents involving hacking (accounting for 33% of all data breach incidents). The figure represented an increase of 33% compared with 61 such cases in 2024 (accounting for 30% of all data breach incidents).
The PCPD initiated 435 compliance checks in 2025, representing an increase of 9% from 400 compliance checks in 2024.
- Anti-Doxxing Regime
The provisions criminalising doxxing acts under the Personal Data (Privacy) Ordinance (PDPO) came into effect on 8 October 2021. The amendments empower the Privacy Commissioner for Personal Data (Privacy Commissioner) to adopt a “one-stop” approach in handling doxxing-related offences, from criminal investigation, collection of evidence to prosecution. In addition, the Privacy Commissioner is empowered to issue cessation notices to request the cessation of disclosure of doxxing messages.
Enforcement Actions in 2025
In 2025, the PCPD handled a total of 308 doxxing cases (including doxxing-related complaints received and doxxing cases uncovered by the PCPD’s proactive online patrols). The figure dropped by 30% compared with 442 cases in 2024. Of the 308 doxxing cases, 299 cases were doxxing complaints received by the PCPD. The nature of disputes leading to the doxxing acts included monetary disputes (45.2%), as well as family and relationship disputes (24.4%).
The PCPD initiated 147 criminal investigations in 2025 and referred 47 cases to the Police for further follow-up actions. The PCPD arrested a total of 18 suspects during the year. The suspected doxxers mainly engaged in doxxing through social media platforms and instant messaging applications (67%), while the remaining cases (33%) involved doxxing through posting leaflets and displaying banners.
During the year, the PCPD issued 32 cessation notices to 13 online platforms to request the removal of 56 doxxing messages, with a compliance rate of over 98%.
Summary of Enforcement Actions under the New Anti-doxxing Provisions
From the commencement date (8 October 2021) of the anti-doxxing provisions to 31 December 2025, the PCPD handled a total of 3,634 doxxing cases. The PCPD also issued 2,104 cessation notices to 57 online platforms to request the removal of 33,743 doxxing messages. Although most of the cessation notices were served on overseas operators of online platforms, the overall compliance rate for the removal of doxxing messages exceeded 96%. Apart from individual doxxing messages, 250 doxxing channels were also successfully removed through the cessation notices.
With the PCPD’s persistent and resolute enforcement and enhanced publicity and education efforts over the past four years, coupled with a more congenial atmosphere in society, illegal doxxing has greatly diminished. In 2025, only nine doxxing cases were uncovered by the PCPD’s proactive online patrols, representing a reduction of over 99% compared to 1,134 cases in 2022 (i.e. the first year after the commencement of the anti-doxxing provisions). The PCPD received 299 doxxing-related complaints in 2025, representing a decrease of over 50% (53%) compared to 630 complaints in 2022.
From the commencement date (8 October 2021) of the relevant provisions to 31 December 2025, the PCPD initiated criminal investigations into 519 doxxing cases and referred 150 cases to the Police for further follow-up actions. A total of 81 suspects were arrested (including three arrests made in the joint operations with the Police). 55 arrested persons were prosecuted, of whom 43 were convicted.
It is evident that the PCPD’s work on combatting doxxing acts has not affected freedom of speech of members of the public, nor has it impacted the lawful operation of online platforms in Hong Kong. The PCPD will continue to take resolute enforcement actions against doxxing acts to ensure that the personal data privacy of the public is adequately protected.
(2) Personal Data Security Incidents of Three Organisations (see Annex 1 for details)
The PCPD earlier intervened in three incidents involving the security of personal data. All of the organisations complained against in the cases were the employers of the complainants. Owing to various deficiencies of the organisations in the handling of employment data that resulted in the improper disclosure or unauthorised or accidental access, processing or use of personal data, the organisations in question were found to have contravened the relevant requirements of the PDPO.
Summaries of the Three Data Security Incidents
- The complainant worked for a security service company. The complainant’s supervisor sent a notice of termination of employment containing the complainant’s HKID card number to a work-related chat group in an instant messaging application. This resulted in the disclosure of the complainant’s personal data to other staff members in the group.
- The head of the security department of a hotel stored annual performance appraisal forms of departmental staff members in a desk drawer. As the desk was shared among staff members of the department and the department head did not lock the drawer in accordance with the hotel’s guidelines, the complainant (an employee of the hotel’s security department at the material time) inadvertently read the appraisal forms, which contained the personal data of all the departmental staff members, while searching the drawer for other documents.
- An administrative staff member of a social welfare organisation was responsible for scanning a dismissal document relating to the complainant. During the process, the staff member mistakenly saved the scanned copy in the department’s shared folder. As a result, the complainant’s personal data contained in the document was accessible to other staff members of the department.
Data Protection Principle (DPP) 3(1) of Schedule 1 to the PDPO stipulates that personal data shall not, without the prescribed consent of the data subject (namely, express consent voluntarily given by the data subject), be used (including disclosed or transferred) for a new purpose, that is, a purpose that is not, or is unrelated to, the original purpose for which the data was collected. Furthermore, DPP 4(1) of Schedule 1 to the PDPO stipulates that a data user shall take all practicable steps to ensure that any personal data it holds is protected against unauthorised or accidental access, processing, erasure, loss or use.
In the above cases, having considered the circumstances of the individual incidents and the information obtained, the Privacy Commissioner, Ms Ada CHUNG Lai-ling, found that the organisations concerned had contravened DPP 3(1) of the PDPO concerning the use (including disclosure) of personal data, or DPP 4(1) of the PDPO concerning the security of personal data. The Privacy Commissioner has served an Enforcement Notice or a warning letter, as appropriate, on each of the three organisations, directing them to remedy their respective contraventions and prevent recurrence.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, urges employers to formulate clear policies to protect employees’ personal data in order to prevent security lapses caused by human error or insufficient awareness. The Privacy Commissioner said, “Employers should regard the protection of employees’ personal data privacy as an integral part of the organisations’ data governance. This demonstrates the organisations’ commitment to safeguarding employees’ personal data and ensures compliance with the requirements of the PDPO, thereby creating a win-win situation for both employers and employees.”
Employers’ protection of employees’ personal data privacy is closely related to daily lives and forms part of employers’ statutory responsibilities. The PCPD encourages organisations to work hand in hand with employees to create a working environment that safeguards personal data privacy and data security. The PCPD offers the following five recommendations to employers:
- Introduce a Personal Data Privacy Management System and formulate clear data security policies that embed personal data privacy protection into the core values of the organisation, so as to promote a top-down culture that prioritises personal data privacy and data security;
- Develop robust workflows and procedures, and regularly remind staff of the key points of work procedures and policies to ensure compliance;
- Implement an ongoing monitoring mechanism, using technical checks or regular inspections, to ensure that employees consistently apply the personal data security policies, and conduct periodic reviews to optimise oversight procedures and maintain effective monitoring;
- Provide targeted training to employees (particularly those responsible for handling sensitive data) to enhance their awareness of, and capability in, safeguarding privacy;
- Actively engage with employees and work with them to examine the workflows involving the handling of personal data, in order to understand their concerns and challenges and so develop policies, procedures and training programmes tailored to daily operations and needs.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, elaborated on the PCPD’s work in 2025.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling (left), and the Assistant Privacy Commissioner (Complaints & Criminal Investigation), Ms Rebecca HO Kan-yeuk (right), elaborated on the PCPD’s work in 2025 and explained the details of three data security incidents relating to employees’ personal data.
The Assistant Privacy Commissioner (Complaints & Criminal Investigation), Ms Rebecca HO Kan-yeuk, explained the details of three data security incidents relating to employees’ personal data.
-End-
Annex 1
Personal Data Security Incidents of Three Organisations
Case Summaries
Case (1) - A security service company sent a notice of termination of employment of an individual employee to a chat group of an instant messaging application
The complainant worked for a security service company and was assigned to work at a leisure facility. When the complainant’s supervisor issued a notice of termination of employment to the complainant, he sent the notice to an instant messaging chat group (“the Group”) set up for work purposes. This resulted in the disclosure of the complainant’s personal data contained in the notice, including her name, HKID card number and information relating to the complainant’s dismissal to other staff members of the Group.
The company explained that the complainant’s supervisor sent the notice to the Group because its members needed to know that, upon departure, the complainant should no longer enter the staff-only areas of the relevant venue or have access to the company’s internal information. The supervisor acted hastily and without due consideration, and failed to redact personal data that should not have been disclosed to third parties.
The PCPD commenced an investigation into the case. After investigation, the Privacy Commissioner considered that disclosing the HKID card number and dismissal information of the complainant contained in the notice to the other members of the Group was beyond the original purpose of use of the data (namely, to handle the complainant’s employment matters). As such, the disclosure of personal data was not for the original purpose or a directly related purpose and amounted to using the data for a new purpose. Given that the company did not obtain the complainant’s prescribed consent for such use, the company had contravened the requirements of DPP 3(1) as regards the use of personal data in the present case.
The Privacy Commissioner has served an Enforcement Notice on the company, directing it to request members of the Group to delete the relevant notice from the Group and all other copies of the notice (if any), to formulate a policy for handling personal data related to employment contracts, and to incorporate that policy into staff training.
Case (2) - The security department of a hotel failed to lock the work desk drawer where staff annual performance appraisal forms were stored
While working in the security department of a hotel, the complainant inadvertently discovered annual performance appraisal forms of all departmental staff in an unlocked drawer when searching for other documents at the desk of the department head in the control room. The appraisal forms contained the personal data of the departmental staff including their names, dates of joining and performance appraisals.
According to the hotel, the desk was primarily used by the head of the security department. However, when the department head was on leave, the security staff on duty could use the desk to handle paperwork. The hotel explained that the incident happened because the department head had forgotten to lock the desk drawer after placing the relevant appraisal forms inside. Upon learning of the incident, the hotel took disciplinary action against the head of the security department for failing to properly safeguard confidential documents in accordance with the relevant rules and guidelines, and also imposed requirements on the department head for the safekeeping of such documents.
The PCPD commenced an investigation into the case. As a result of the investigation, the Privacy Commissioner found that the hotel had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP 4(1) of the PDPO concerning the security of personal data.
The Privacy Commissioner has served an Enforcement Notice on the hotel, directing the hotel to implement monitoring measures to ensure compliance with and execution of the policies and guidelines on personal data privacy protection by staff members and to formulate a concrete training plan to strengthen staff awareness of personal data privacy protection.
Case (3) - A social welfare organisation mistakenly saved a scanned copy of a document relating to staff dismissal in a shared folder
The complainant was formerly employed by a social welfare organisation. When processing the written record of the complainant’s dismissal, an officer of the organisation scanned the document but mistakenly saved the scanned copy in a departmental shared folder in the organisation’s internal information network. As the document was not encrypted with a password, the relevant document which contained the complainant’s name, date of joining, salary, performance appraisal and reasons for dismissal was accessible by all staff members within the department.
The organisation admitted that the incident stemmed from human error by an administrative officer, who mistakenly chose to save the document to the shared folder during scanning. The document was deleted immediately upon discovery of the incident. The organisation stated that the document had remained in the shared folder for about half an hour and that there was no record of other staff accessing it.
Upon the PCPD’s intervention, the organisation had attended to the matter immediately and debriefed the relevant administrative officer. The department in question disabled the function of saving scanned documents in the shared folder. The organisation also reminded all staff to handle documents containing sensitive personal data with care during departmental staff meetings and arranged regular training sessions on the protection of personal data privacy.
Having considered the circumstances of the case and the information provided by the organisation, the Privacy Commissioner found that the organisation had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP 4(1) of the PDPO concerning the security of personal data. As a result, the Privacy Commissioner issued a warning letter to the organisation, requesting it to duly implement measures for protecting personal data privacy and to monitor its employees’ compliance with those measures.