PCPD e-NEWSLETTER
ISSUE Aug 2025
Privacy Commissioner’s Office Welcomes Reappointment of Ada CHUNG Lai-ling as Privacy Commissioner
The PCPD welcomes the reappointment of Ms Ada CHUNG Lai-ling by the Government of the Hong Kong Special Administrative Region as the Privacy Commissioner for Personal Data for a term of five years commencing from 4 September 2025.
Privacy Commissioner’s Office Publishes Two Investigation Reports on the Data Breach Incidents of (1) Kwong’s Art Jewellery Trading Company Limited and My Jewelry Management Limited and (2) Adastria Asia Co., Limited
Privacy Commissioner Ms Ada CHUNG Lai-ling published two investigation reports on data breach incidents.
Upon completion of the investigations into the data breach incidents involving Kwong’s Art Jewellery Trading Company Limited (Kwong’s Art Jewellery) and My Jewelry Management Limited (My Jewelry), as well as Adastria Asia Co., Limited (Adastria), the PCPD published the investigation reports on 21 August.
(1) Data Breach Incident of Kwong’s Art Jewellery and My Jewelry
The investigation arose from a data breach notification submitted by Kwong’s Art Jewellery and My Jewelry to the PCPD on 11 November 2024, reporting abnormalities in their shared information systems and receipt of messages from a threat actor which claimed that the data stored in the information systems of Kwong’s Art Jewellery and My Jewelry had been stolen. Upon inspection, Kwong’s Art Jewellery and My Jewelry confirmed that the data stored in their database server had been stolen and deleted (Incident).
Kwong’s Art Jewellery is the parent company of My Jewelry and is engaged in jewellery manufacturing and wholesale, while My Jewelry is a jewellery retail company which operates the brand “My Jewelry”. Kwong’s Art Jewellery and My Jewelry have been jointly managing and using the affected information systems, including the servers, applications and databases.
The investigation revealed that the threat actor conducted a brute-force attack to obtain the credentials of an administrator account (Account). The threat actor utilised the Account to gain access to the information systems of the two companies and performed lateral movement within the network, which included implanting a Trojan Horse program on a desktop computer used for internal system development and programming. This allowed the threat actor to obtain the source code to control the database server, which led to the successful exfiltration and deletion of the personal data stored therein.
According to the information provided by Kwong’s Art Jewellery and My Jewelry, approximately 79,400 data subjects were affected by the Incident, including corporate customers and current and former employees of Kwong’s Art Jewellery, as well as retail customers and current and former employees of My Jewelry. The personal data affected included the names, Hong Kong Identity Card (HKID Card) numbers, dates of birth, telephone numbers, addresses and commencement dates of employment of employees, as well as the names, HKID Card numbers (first four alphanumeric characters), years and months of birth, telephone numbers, email addresses, and membership numbers of customers.
Following the Incident, Kwong’s Art Jewellery and My Jewelry implemented various improvement measures to enhance the security of their information systems, which included resetting login passwords for all users, updating the operating systems of servers, antivirus software and firewalls, and deploying “extended detection and response” tools for continuous monitoring of their information systems. In addition, Kwong’s Art Jewellery and My Jewelry notified all affected data subjects after the Incident.
The PCPD conducted seven rounds of inquiries and reviewed the information provided by Kwong’s Art Jewellery and My Jewelry in relation to the Incident, and the follow-up and remedial actions taken by the two companies after the Incident. Having considered the circumstances of the Incident and the information obtained during the investigation, Privacy Commissioner Ms Ada CHUNG Lai-ling found that the following deficiencies of Kwong’s Art Jewellery and My Jewelry contributed to the occurrence of the Incident (see Annex 1 for details):
- Failure to delete a former employee’s account in a timely manner;
- Lack of effective security and detection measures in the information systems;
- Outdated operating systems of servers;
- Lack of policies and guidelines on information security; and
- Absence of security assessments and audits of the information systems.
The Privacy Commissioner considered that Kwong’s Art Jewellery and My Jewelry failed to adopt adequate and effective security measures at the time of the Incident to safeguard the personal data in their possession. The Privacy Commissioner expressed profound regret that Kwong’s Art Jewellery and My Jewelry failed to recognise the security risks in their information systems, resulting in the failure to timely delete the former employee’s account, failure to implement effective security and detection measures, the use of outdated operating systems of servers, failure to formulate policies and guidelines on information security, and the absence of security assessments and audits of the information systems, which eventually led to the Incident.
Based on the above, the Privacy Commissioner found that Kwong’s Art Jewellery and My Jewelry had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance (PDPO) concerning the security of personal data.
The Privacy Commissioner has served Enforcement Notices on Kwong’s Art Jewellery and My Jewelry, directing them to take measures to remedy the contraventions and prevent recurrence of similar contraventions in future.
(2) Data Breach Incident of Adastria
The investigation arose from a data breach notification submitted by Adastria to the PCPD on 18 November 2024, reporting that its customer relationship management platform and e-commerce platform (collectively, the Affected Platforms) were accessed by an unauthorised third party, which resulted in the exfiltration of the personal data of Adastria’s customers (Adastria Incident).
The investigation revealed that the Affected Platforms operated as a Software-as-a-Service (SaaS) which was provided by a third-party vendor (the Platform Vendor). In the Adastria Incident, the threat actor used the credentials of an administrator account of a current employee to connect to the Affected Platforms from an unknown overseas IP address and downloaded the order information stored therein.
Adastria is a Japanese multinational corporation engaging in fashion retail in various Asian countries. At the time of the Adastria Incident, Adastria was managing the sales of its affiliated brands (including GLOBAL WORK, “niko and …”, LOWRYS FARM, Heather, JEANASiS, studio CLIP, repipi armario, LEPSIM, PAGEBOY) in Hong Kong through its online platform “dot st HK”. The personal data of a total of 59,205 customers was affected by the Adastria Incident. The personal data affected included the names, telephone numbers and order information of customers (including the transaction reference numbers, order dates, membership numbers, delivery methods, delivery/pickup dates, delivery addresses, product names and descriptions, and price information).
During the course of the investigation, Adastria discovered that the affected personal data had been disclosed on the Dark Web approximately two months after the Adastria Incident and was made available for download. Adastria notified all affected customers after the Adastria Incident. Adastria also implemented various remedial measures to address the deficiencies identified in the Adastria Incident, including enabling the security functions of the Affected Platforms, such as password measures, multi-factor authentication and the IP address restriction function, and deploying an endpoint detection and response solution to detect and block any malicious activities on its information systems.
The PCPD conducted five rounds of inquiries and reviewed the information provided by Adastria in relation to the Adastria Incident, including two investigation reports provided by a third-party consultant engaged by Adastria, and the follow-up and remedial actions taken by Adastria after the Adastria Incident. Having considered the circumstances of the Adastria Incident and the information obtained during the investigation, the Privacy Commissioner found that the following deficiencies of Adastria contributed to the occurrence of the Adastria Incident (see Annex 2 for details):
- Weak password management;
- Failure to enable multi-factor authentication for access to accounts;
- Lack of awareness to ensure the security of personal data; and
- Failure to conduct proper security reviews on the Affected Platforms.
Given that Adastria is a well-known multinational fashion brand group and holds a large volume of the personal data of customers, the Privacy Commissioner regretted to note Adastria’s lack of awareness in data security and the absence of proper measures to protect the personal data in its possession. The Privacy Commissioner was of the view that had Adastria adopted appropriate and adequate organisational and technical security measures before the incident, the Adastria Incident could likely have been avoided. Based on the above, the Privacy Commissioner found that Adastria had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP 4(1) of the PDPO concerning the security of personal data. The Privacy Commissioner has served an Enforcement Notice on Adastria, directing it to take measures to remedy the contravention and prevent recurrence of similar contraventions in the future.
The Privacy Commissioner notes that both data breach incidents involved retail organisations which held significant amounts of customers’ personal data, with evidence suggesting subsequent disclosure of customers’ data in the Dark Web in one incident. These incidents demonstrate the link between data breach incidents and both the illicit sale of personal data for profit, as well as the use of personal data by fraudsters in different fraudulent activities.
The Privacy Commissioner recommends that organisations adopt appropriate organisational and technical measures to safeguard their information systems that contain personal data. In particular, organisations should:
- Establish clear internal policies and procedures to safeguard the security of information systems and ensure thorough implementation of the same;
- Implement effective measures to prevent, detect and respond to cyberattacks, including conducting regular vulnerability scans and patching cybersecurity vulnerabilities in a timely manner;
- Cease the use of end-of-support software and upgrade software in a timely manner;
- Enhance password management of information systems and adopt multi-factor authentication;
- Conduct comprehensive security risk reviews and audits for information systems regularly;
- Configure appropriate security functions on service platforms provided by third-party vendors and conduct regular security review;
- Formulate a data breach response plan; and
- Provide appropriate training to employees to improve their data security awareness.
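The deficiencies in both reports (a brute-force burst against an administrator account, a former employee's account that was never removed, and an administrator login from an unexpected overseas address without multi-factor authentication) all leave traces in ordinary authentication logs. The following is an added example of the defender-side checks that would surface them; it is not the PCPD's or either company's tooling, and the log format, account names, addresses, leavers list and thresholds are all constructed for illustration.

```python
"""Review constructed authentication log lines for the three failure patterns
described in the two investigation reports. Added example, not PCPD code;
log format, account names, addresses and thresholds are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed log: "<ISO timestamp> <user> <source ip> <OK|FAIL> mfa=<yes|no>"
SAMPLE_LOG = """\
2024-11-10T02:00:01 admin 203.0.113.7 FAIL mfa=no
2024-11-10T02:00:03 admin 203.0.113.7 FAIL mfa=no
2024-11-10T02:00:04 admin 203.0.113.7 FAIL mfa=no
2024-11-10T02:00:06 admin 203.0.113.7 FAIL mfa=no
2024-11-10T02:00:09 admin 203.0.113.7 FAIL mfa=no
2024-11-10T02:00:11 admin 203.0.113.7 OK mfa=no
2024-11-10T09:12:40 alee 192.0.2.10 OK mfa=yes
2024-11-10T09:30:02 jchan 198.51.100.20 OK mfa=yes
2024-11-10T10:05:00 admin 192.0.2.5 OK mfa=yes
2024-11-10T10:06:00 alee 192.0.2.10 FAIL mfa=yes
"""

# Constructed reference data a defender would keep alongside the logs.
LEAVERS = {"jchan"}                   # former employees whose accounts were not removed
ADMIN_ACCOUNTS = {"admin"}
EXPECTED_NETWORKS = ["192.0.2.0/24"]  # office/VPN ranges administrators should come from


def parse_log(text):
    """Turn the constructed log format into a time-ordered list of events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result, mfa = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip_address(ip),
            "ok": result == "OK",
            "mfa": mfa == "mfa=yes",
        })
    return sorted(events, key=lambda e: e["time"])


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """(user, ip, count) for every pair with >= threshold failures inside one window.
    A sliding window of failure times is kept per (user, ip); the largest burst is reported."""
    recent = defaultdict(list)
    alerts = {}
    for e in events:
        if e["ok"]:
            continue
        key = (e["user"], str(e["ip"]))
        times = recent[key]
        times.append(e["time"])
        while e["time"] - times[0] > window:   # drop failures older than the window
            times.pop(0)
        if len(times) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(times))
    return [(user, ip, n) for (user, ip), n in alerts.items()]


def find_leaver_logins(events, leavers):
    """Successful logins by accounts that should already have been deleted."""
    return [e for e in events if e["ok"] and e["user"] in leavers]


def find_unexpected_admin_logins(events, admins, expected_networks):
    """Successful administrator logins from outside the expected networks or without MFA."""
    nets = [ip_network(n) for n in expected_networks]
    findings = []
    for e in events:
        if not (e["ok"] and e["user"] in admins):
            continue
        reasons = []
        if not any(e["ip"] in n for n in nets):
            reasons.append("source outside expected networks")
        if not e["mfa"]:
            reasons.append("no MFA")
        if reasons:
            findings.append((e["time"].isoformat(), e["user"], str(e["ip"]), reasons))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("brute-force bursts:", find_bruteforce(evts))
    print("leaver logins:", [(e["time"].isoformat(), e["user"]) for e in find_leaver_logins(evts, LEAVERS)])
    print("unexpected admin logins:", find_unexpected_admin_logins(evts, ADMIN_ACCOUNTS, EXPECTED_NETWORKS))
```

On the constructed log, the five failures followed by a success from the same address is the brute-force pattern, the `jchan` login is the stale account, and the first `admin` success is flagged twice (outside the expected networks and without MFA).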
The PCPD encourages organisations to make reference to the “Guidance Note on Data Security Measures for Information and Communications Technology (ICT)” and the “Guidance on Data Breach Handling and Data Breach Notifications” issued by the PCPD to prepare themselves against any cyberattacks and to enhance cybersecurity and data security. To assist enterprises in safeguarding data security, the PCPD has launched a Data Security thematic webpage, a data security hotline (2110 1155) and the “Data Security Scanner”, which is a self-assessment toolkit for enterprises to assess the data security measures for their ICT systems.
Please click here to refer to the Annexes.
Enhancing AI Security and Data Security – Privacy Commissioner’s Office and Personal Data Protection Bureau, Macao, Together with Seven Privacy Protection Authorities in the Asia-Pacific Region, Release “Guide to Getting Started with Anonymisation”
Privacy Commissioner Ms Ada CHUNG Lai-ling presented the “Guide to Getting Started with Anonymisation”.
The PCPD and the Personal Data Protection Bureau, Macao, together with seven privacy or data protection authorities from Australia (Victoria), Canada (Federal and British Columbia), Japan, Korea, New Zealand and Singapore, unanimously approved the release of the “Guide to Getting Started with Anonymisation” (Anonymisation Guide) at the 63rd Asia Pacific Privacy Authorities (APPA) Forum held recently.
Anonymisation generally refers to the process of converting personal data into data that can no longer be used to identify an individual. In June 2024, the PCPD published the “Artificial Intelligence: Model Personal Data Protection Framework” to provide practical recommendations and best practices to assist organisations in procuring, implementing and using artificial intelligence (AI), including generative AI (Gen AI), in compliance with the relevant requirements of the PDPO. One of the recommendations is that organisations should anonymise personal data before feeding them into AI models, where appropriate. The Anonymisation Guide introduces basic anonymisation concepts and outlines the recommended steps for organisations to follow when anonymising data. It also provides a case study to illustrate how organisations can apply these anonymisation steps in practice. These recommended steps include:
- Step one (Know Your Data): Before carrying out the anonymisation process, organisations must identify the nature of the data in question, including:
  - Direct identifiers: data that can be used to directly identify an individual on its own, such as a name or Identity Card number;
  - Indirect identifiers: data that may not be unique on its own, but may be used to identify an individual when combined with other data, such as date of birth and gender;
- Step two (Remove direct identifiers): Remove direct identifiers from the dataset;
- Step three (Apply anonymisation techniques): Apply anonymisation techniques to indirect identifiers to prevent others from identifying an individual by combining the indirect identifiers with other data;
- Step four (Assess re-identification risks): Assess whether any risk of identifying an individual remains in the anonymised data, and determine whether the anonymisation is sufficient based on the assessment results. If the relevant requirements are not met, repeat the above steps; and
- Step five (Manage re-identification risks): Address any residual risk following the application of anonymisation techniques by implementing corresponding risk mitigation measures, such as restricting the use of the data for intended purposes and access by intended personnel.
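The five steps worked through on a constructed customer table, as an added example (not PCPD code or tooling from the Guide itself): the records, the generalisation ladder for each indirect identifier, the district-to-region mapping and the k = 3 target are assumptions for illustration. Re-identification risk is assessed here as k-anonymity, the size of the smallest group of records sharing the same indirect-identifier values.

```python
"""The Anonymisation Guide's five steps applied to a constructed customer table.
Added example, not PCPD code: the records, the generalisation ladder, the
district-to-region map and the k = 3 threshold are assumptions for illustration."""
from collections import Counter
from datetime import date

REF_YEAR = 2025  # ages are computed against this year (assumption; month ignored)

# Step one (Know Your Data): constructed records with the columns classified.
# name and hkid are direct identifiers; dob, gender and district are indirect
# identifiers; spend is the attribute the analysis actually needs.
RECORDS = [
    {"name": "Customer A", "hkid": "Z000001(1)", "dob": date(1985, 3, 2), "gender": "M", "district": "Sha Tin", "spend": 1200},
    {"name": "Customer B", "hkid": "Z000002(2)", "dob": date(1988, 7, 19), "gender": "M", "district": "Tai Po", "spend": 450},
    {"name": "Customer C", "hkid": "Z000003(3)", "dob": date(1983, 1, 30), "gender": "M", "district": "Sha Tin", "spend": 980},
    {"name": "Customer D", "hkid": "Z000004(4)", "dob": date(1991, 11, 5), "gender": "F", "district": "Wan Chai", "spend": 2100},
    {"name": "Customer E", "hkid": "Z000005(5)", "dob": date(1995, 6, 14), "gender": "F", "district": "Central", "spend": 770},
    {"name": "Customer F", "hkid": "Z000006(6)", "dob": date(1999, 9, 9), "gender": "F", "district": "Wan Chai", "spend": 310},
    {"name": "Customer G", "hkid": "Z000007(7)", "dob": date(1986, 4, 21), "gender": "M", "district": "Tai Po", "spend": 1650},
    {"name": "Customer H", "hkid": "Z000008(8)", "dob": date(1980, 12, 1), "gender": "M", "district": "Sha Tin", "spend": 540},
    {"name": "Customer I", "hkid": "Z000009(9)", "dob": date(1993, 2, 8), "gender": "M", "district": "Tai Po", "spend": 890},
]
DIRECT_IDENTIFIERS = {"name", "hkid"}
QUASI_IDENTIFIERS = ("dob", "gender", "district")
REGION = {"Sha Tin": "New Territories", "Tai Po": "New Territories",
          "Wan Chai": "Hong Kong Island", "Central": "Hong Kong Island"}


def age_band(dob, width):
    """Generalise a date of birth to an age band of the given width, e.g. 40-49."""
    lo = (REF_YEAR - dob.year) // width * width
    return f"{lo}-{lo + width - 1}"


# Step three (Apply anonymisation techniques): one generalisation ladder per
# indirect identifier; each level is coarser than the last, "*" suppresses the value.
LADDER = {
    "dob": [lambda d: age_band(d, 10), lambda d: age_band(d, 20), lambda d: "*"],
    "district": [lambda d: d, lambda d: REGION[d], lambda d: "*"],
    "gender": [lambda g: g, lambda g: g, lambda g: "*"],
}


def remove_direct_identifiers(records):
    """Step two (Remove direct identifiers)."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def apply_level(records, level):
    """Rewrite every indirect identifier with the generalisation at this level."""
    return [{**r, **{col: funcs[level](r[col]) for col, funcs in LADDER.items()}} for r in records]


def k_anonymity(records):
    """Step four (Assess re-identification risks): size of the smallest group of
    records sharing the same indirect-identifier values. k = 1 means at least one
    person is unique in the table and can be singled out."""
    groups = Counter(tuple(r[c] for c in QUASI_IDENTIFIERS) for r in records)
    return min(groups.values())


def anonymise(records, k_required=3):
    """Steps two to four; repeat with a coarser level until k_required is met."""
    stripped = remove_direct_identifiers(records)
    for level in range(len(LADDER["dob"])):
        candidate = apply_level(stripped, level)
        k = k_anonymity(candidate)
        if k >= k_required:
            return candidate, level, k
    return candidate, level, k  # fully suppressed if no level reached the target


def residual_risk_controls(k, k_required):
    """Step five (Manage re-identification risks): controls for what remains,
    following the Guide's examples of restricting use and access."""
    controls = ["use only for the stated purpose", "access limited to named personnel"]
    if k < k_required:
        controls.append("release not permitted until the k-anonymity target is met")
    return controls


if __name__ == "__main__":
    table, level, k = anonymise(RECORDS)
    print(f"generalisation level {level}, k = {k}")
    for row in table:
        print(row)
    print(residual_risk_controls(k, 3))
```

With these records, 10-year age bands and districts still leave several customers unique (k = 1), so the loop moves to 20-year bands and regions, which reaches k = 3.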
The “Guide to Getting Started with Anonymisation” can be downloaded here.
PCPD Launches a Series of Anti-Fraud Promotional and Educational Activities as the New Academic Year Approaches to Enhance Tertiary Students’ Awareness of Fraud Prevention
A 57-year-old Male Arrested for Suspected Doxxing of a Taxi Driver Arising from Others’ Monetary Disputes
PCPD Offers 10 Tips to Users to Ensure Safe Use of AI Chatbots
Free Online Seminars: Introduction to the PDPO
Arrange an In-house Seminar for Your Organisation
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
PCPD Supports the Hong Kong Institute of Bankers Annual Banking Conference 2025
PCPD Supports the Cyber Security Summit Hong Kong 2025
PCPD Supports the HKIoD’s Directors' Symposium 2025
PCPD Supports the BugHunting Campaign 2025
PCPD Supports the Hong Kong Volunteer Award 2025
PCPD Supports the HKIoD Award for Director Excellence 2025
Highlights of the “Draft Practical Guidance of Cybersecurity Standards – Requirements for Protection of Personal Information in Electronic Food Ordering”
《網路安全標準實踐指南 — 掃碼點餐個人信息保護要求(徵求意見稿)》的重點
International: The Asia-Pacific Economic Cooperation (APEC) Issues Joint Statement on AI
EU: The General-purpose Artificial Intelligence (GPAI) Guidelines – Practical Takeaways on Compliance and Risks
EU: Responsible AI in HR – Adapting to the EU AI Act’s Requirements
EU: Commission Publishes Study on the Deployment of AI in Healthcare
Protecting Personal Data Privacy: A Guide for Small and Medium Enterprises
Protecting personal data is essential in today’s business environment. While many small and medium enterprises (SMEs) recognise its importance, they often lack dedicated legal or compliance teams. This can lead to unintentional breaches of the PDPO due to an inadequate understanding of its requirements. Common SME activities, such as recruitment, order processing, service bookings and marketing, may involve the handling of personal data and therefore fall under the scope of the PDPO.
In the digital age, many SMEs are shifting their focus online by launching e-commerce platforms or offering digital services. However, even when operating online, SMEs must remain compliant with the PDPO, particularly when collecting, displaying, or transmitting personal data via the Internet. Given the inherent vulnerabilities of online environments, SMEs are also strongly advised to implement robust security measures to safeguard personal data.
To help protect personal data privacy in online business scenarios, organisations are encouraged to adopt the following practices:
For Identity Verification:
For Website Protection:
- Install anti-virus software, firewall and security patches to prevent attacks on network systems, servers and applications by viruses or malware;
- Encrypt sensitive information when transmitting, processing or storing personal data;
- Regularly adopt secure erasure methods to irreversibly delete or destroy personal data according to a pre-determined schedule; and
- If a contractor is engaged to maintain the website, ensure that a reputable and reliable service provider is selected.
For Online Cashless Transactions:
- Use secure online payment services, and as far as possible, adopt application programming interfaces and templates provided by official payment service providers;
- Closely follow the instructions and guidelines issued by the official payment service providers; and
- Remind customers of the potential risks involved in submitting personal data online (especially credit card information).
To learn more, please refer to the “Data Protection & Business Facilitation - Guiding Principles for Small and Medium Enterprises”.
PRIVACY COMMISSIONER’S FINDINGS
A Staff Member Transferred Personal Data Held by His Employer to His Personal Computer without Authorisation
Background
A financial institution reported to the PCPD that an administrative staff member had copied more than 4,000 files from his office desktop computer to his personal laptop via his own USB flash drive without authorisation. Among those files, 51 contained the personal data of around 6,600 customers, 30 staff members and unsuccessful job applicants. The personal data involved included financial account details of customers, human resources data of staff members and curricula vitae of unsuccessful job applicants. On learning of the incident, the PCPD initiated a compliance check.
In the compliance check process, the PCPD found that the staff member concerned was the only staff member who had been granted permission to use a USB flash drive with read-and-write functions in discharging his duties. The files concerned, which were encrypted and password-protected, were stored on the local drive of his office desktop computer, which was not password-protected. The staff member explained that he had copied the files to his personal laptop with a view to freeing up space on the hard disk of his office computer, which had been running slowly at the material time.
After internal investigation, the financial institution considered that the staff member concerned had not disclosed any personal data of a data subject and that the staff member had no intent to obtain money or other property (for any person’s benefit) or to cause loss in money or other property to any data subject involved in this incident. In any event, the staff member concerned signed a Non-Disclosure Agreement specifying that he had not disclosed any data contained in the files to any third party and had deleted the files immediately and permanently.
Remedial Measures
In the wake of the incident, the financial institution revoked the USB write-access rights of the staff member concerned. The institution also sent an email to all staff members, reminding them of the institution’s global policy on the secure use of removable storage devices, and arranged training sessions for all staff members on information security risks.
Lessons Learnt
In a business environment, it is inevitable that staff members have access to personal data. In general, those who are responsible for administrative and human resources-related matters have to handle a large amount of sensitive personal data. Organisations should attach great importance to data governance and to a culture of respecting and protecting privacy. To this end, organisations should regularly review and monitor their staff members’ access rights to personal data to ensure that they handle personal data on a “need-to-know” basis.
Safeguarding Your Mobile Devices: Tips for Everyday Security
As mobile technologies continue to evolve, smartphones, tablets, and laptops have become indispensable tools in both personal and professional settings. These mobile computing devices, capable of storing and processing vast amounts of data, offer convenience and enhance productivity but also introduce significant security risks if not protected properly. Whether you are at home, in the office, or on the move, it is essential to adopt good security habits.
Below are two sets of practical tips to help you safeguard your mobile devices and the sensitive information they carry.
General Security Reminders: Stay Protected at All Times
- Keep your mobile devices in a safe location when not in use, especially in public or shared environments;
- Monitor for known security vulnerabilities and install the latest patches and updates as soon as they become available;
- Refrain from installing illegal or unauthorised software on the mobile devices; and
- Disable wireless connections from unknown or untrusted sources to prevent unauthorised access.
When Using Your Mobile Devices: Be Vigilant on the Go
- Use robust authentication methods such as two-factor authentication for any accounts handling sensitive personal data;
- Do not leave the devices unattended, as even a brief moment of inattention can lead to theft or tampering;
- Only process confidential information when encryption is enabled or via a secure end-to-end connection;
- Avoid clicking on links in emails or messages from suspicious or untrusted sources, especially those with misleading URLs;
- Do not download or accept programmes or content from unknown sources; and
- Avoid accessing sensitive data unless adequate security measures are in place.
Promoting AI Safety – Privacy Commissioner’s Office Organises Public Seminar on “How to Address New Privacy Challenges in the AI Era”
The PCPD organised a public seminar on “How to Address New Privacy Challenges in the AI Era” on 27 August, attracting almost 600 participants.
At the seminar, Privacy Commissioner Ms Ada CHUNG Lai-ling explained the privacy risks posed by AI to the participants in an easily comprehensible manner using real-life cases, and shared practical tips on enhancing the protection of personal data. She also highlighted key recommendations and best practices for organisations to ensure the safe and responsible use of AI.
Please click here for the presentation deck (Chinese only).
Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain Investigation Reports on Two Data Breach Incidents
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK News’ “Hong Kong Today”, RTHK Radio 3’s “Hong Kong Today”, RTHK Radio 1’s “HK2000”, Commercial Radio’s “On a Clear Day” and Now News’ “News Magazine” on 22 August. In the interviews, she explained the investigation reports on two data breach incidents published by the PCPD.
The Privacy Commissioner stated that the two data breach incidents involved retail companies in the clothing and jewellery industries, with approximately 140,000 individuals affected in total. In one of the incidents, the leaked personal data was disclosed on the dark web and used for fraudulent purposes. She reminded the affected individuals to remain vigilant against fraud.
The Privacy Commissioner further noted that the PCPD had recently received several data breach notifications including those from high-end retail companies, involving hacker attacks targeting customer management systems of the companies concerned. She explained that these systems were targeted because of the large volume of customers’ personal data contained therein, which possesses significant commercial value. She reminded companies to strengthen their cybersecurity measures, including setting strong passwords, enabling multi-factor authentication and upgrading software in a timely manner, etc.
The interview by RTHK News’ “Hong Kong Today” can be listened to here (50:13 – 55:17) (Chinese only). The interview by RTHK Radio 3’s “Hong Kong Today” can be listened to here (15:15 – 20:14). The interview by RTHK Radio 1’s “HK2000” can be listened to here (Chinese only). The interview by Now News’ “News Magazine” can be viewed here (Part 1, Part 2) (Chinese only).
Promoting AI Security – Privacy Commissioner Speaks at an Internal Training Session of the Legislative Council Secretariat
Privacy Commissioner Ms Ada CHUNG Lai-ling attended an internal training session on “AI Development Trends and Applications” of the Legislative Council Secretariat on 18 August and delivered a speech titled “How Public Organisations Can Protect Personal Data Privacy in Using AI”.
In her speech, the Privacy Commissioner cited examples of AI applications by the Legislative Council and legislatures of other jurisdictions to discuss the privacy risks associated with the use of AI. She also introduced several guidelines published by the PCPD, including the “Checklist on Guidelines for the Use of Generative AI by Employees” (Guidelines) and the “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework).
Promoting AI Security – Privacy Commissioner Delivers Speech at Hong Kong News-Expo Seminar
Privacy Commissioner Ms Ada CHUNG Lai-ling delivered a speech on 2 August at the seminar entitled “AI Safety Matters: Addressing New Privacy Challenges in the AI Era” organised by the Hong Kong News-Expo. The seminar attracted approximately 90 participants, both on-site and online.
During the seminar, the Privacy Commissioner highlighted that with the rapid development of AI, the use of AI has become increasingly prevalent. At the same time, privacy risks have emerged, including data breaches, excessive data collection, unauthorised use of personal data and issues related to data accuracy. She urged all sectors to remain vigilant and manage AI systems responsibly.
In her speech, the Privacy Commissioner cited several real-life cases to underscore the importance of protecting personal data privacy when using AI. These included the use of AI deepfake technology for fraud-related purposes, data breaches at AI chatbot platforms, and the use of patients’ medical records for AI training by technology companies without consent. She also introduced the PCPD’s publications to the participants, including “10 TIPS for Users of AI Chatbots”, the “Guidelines”, and the “Model Framework”.
Please click here for the presentation deck (Chinese only).
Reaching Out to IT Sector – Privacy Commissioner Attends the Rotary Club of Smart Hong Kong Installation Ceremony 2025-26
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Rotary Club of Smart Hong Kong Installation Ceremony 2025-26 on 1 August and exchanged views with its members.
Members of the Rotary Club of Smart Hong Kong mainly come from industries related to information technology. They are dedicated to leveraging technology to enhance education and improve the quality of life for the elderly and the disadvantaged groups, with the aim of promoting societal progress.
Reaching Out to the Community – Acting Assistant Privacy Commissioner Interviewed by Media to Explain Privacy Issues Relating to the Use of Drones
Acting Assistant Privacy Commissioner for Personal Data (Legal) Ms Fiona LAI Ho-yan was interviewed by TVB News’ “A Closer Look” to discuss privacy issues relating to the use of drones. The Acting Assistant Privacy Commissioner stated that strong justification is needed for using drones equipped with recording functions to conduct surveillance and less privacy-intrusive alternative means should be considered. She added that if the footage is not intended to be used for identifying individuals, data users may consider using automated detection methods to blur facial features. She reminded members of the public that whenever personal data is collected, data users must comply with the requirements of the PDPO. The interview by TVB News’ “A Closer Look”, which was broadcast on 19 August, can be viewed here (Chinese only).
Reaching Out to the Community – Assistant Privacy Commissioner Interviewed by Media to Explain Anti-Fraud Promotional and Educational Activities
Assistant Privacy Commissioner for Personal Data (Corporate Communications and Operations) Ms Joyce LAI was interviewed by RTHK Radio 3 “Backchat” on 14 August to elaborate on a series of anti-fraud promotional and educational activities launched by the PCPD, which primarily target tertiary students. With the new academic year approaching, the Assistant Privacy Commissioner pointed out that the PCPD has released an anti-fraud animated video targeting tertiary students. The video will also be disseminated to tertiary institutions for on-campus screening. In addition, the PCPD is organising a school tour featuring anti-fraud educational talks and will collaborate with other organisations to host exhibitions, with a view to raising awareness of preventing fraud and protecting personal data privacy among tertiary students. In the interview, the Assistant Privacy Commissioner further mentioned that the PCPD has launched the “Anti-Fraud Tips” thematic webpage to help members of the public learn more about fraud prevention.
Promoting Cyber Security – Assistant Privacy Commissioner Speaks at the “CUHK LAW – Tencent Research Institute Cyberlaw Forum”
The Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) of the PCPD Ms Joanne WONG attended the “CUHK LAW – Tencent Research Institute Cyberlaw Forum” (Forum) on 6 August and delivered a keynote speech titled “Exploring the Legal Liabilities and Compliance Requirements of Cyber Activities from the Perspective of the Personal Data (Privacy) Ordinance”.
In her speech, Ms WONG outlined the relevant requirements of the PDPO and provided an overview of the PCPD’s efforts in combating doxxing, handling data breach incidents, as well as promoting cyber security and data security on the international and local fronts.
The Forum was jointly organised by the Faculty of Law of the Chinese University of Hong Kong and Tencent Research Institute.
Please click here for the presentation deck (Chinese only).
Discharging Social Responsibility – PCPD Continues to Fully Support the “Strive and Rise Programme”
Following last year’s efforts in organising an educational talk for participants of the Second Cohort of the “Strive and Rise Programme” (the Programme), the PCPD organised another educational talk on 8 August for around 20 participants of the Third Cohort. The talk covered the roles and responsibilities of the PCPD, as well as its work in handling complaints, combatting doxxing offences, and promoting the protection of personal data privacy, followed by a guided tour of the PCPD’s office. The PCPD is one of the supporting organisations of the Programme, which aims to support secondary school students from underprivileged families by broadening their horizons, reinforcing their self-confidence, helping them develop a positive outlook on life and set future goals, and encouraging their pursuit of upward mobility. The Programme is led by the Government and seeks to achieve its objectives through tripartite collaboration among the Government, the business sector, and the community.
PCPD Launches a Series of Anti-Fraud Promotional and Educational Activities as the New Academic Year Approaches to Enhance Tertiary Students’ Awareness of Fraud Prevention
With the approach of the new academic year, the PCPD has launched a series of anti-fraud promotional and educational activities targeting tertiary students. The activities include producing an animated video and organising a school tour featuring anti-fraud educational talks and exhibitions, with a view to raising awareness of fraud prevention and personal data privacy protection among tertiary students.
The anti-fraud animated video reminds students to stay calm and avoid disclosing personal data casually when they receive suspicious calls or messages, and to verify the identity of the caller or the veracity of the relevant organisation through other means. Set against the backdrop of a university campus, the video portrays a student who receives a phone call from someone impersonating a Mainland security official, claiming to be investigating a money laundering case, who seeks to swindle the student out of personal data and money. The video, available in Cantonese, Mandarin and English, has been uploaded to the PCPD’s official YouTube channel and social media platforms, and will be disseminated to tertiary institutions for on-campus screening.
In addition, since February this year the PCPD has conducted a school tour of anti-fraud educational talks for tertiary students. To date, 10 talks in Cantonese, Mandarin or English have been conducted for (in alphabetical order) Hong Kong Baptist University, Hong Kong Metropolitan University, Lingnan University, The Chinese University of Hong Kong, The Education University of Hong Kong, The University of Hong Kong, and Sunny House, a co-living space for tertiary students, reaching approximately 3,200 students. Speakers share examples of different fraud cases with the participants and offer practical tips on protecting personal data while using smartphones, instant messaging applications and social media.
As part of orientation activities, the PCPD will deliver anti-fraud talks to (in alphabetical order) City University of Hong Kong, The Hang Seng University of Hong Kong and The Hong Kong Polytechnic University, and will continue to engage with other tertiary institutions to arrange talks on fraud prevention. Separately, in the new academic year the PCPD will collaborate with the Office of the Communications Authority to organise exhibitions on fraud prevention and personal data privacy protection at the campuses of (in alphabetical order) Hong Kong Shue Yan University, The Education University of Hong Kong and The Hong Kong University of Science and Technology. The PCPD is also collaborating with the Regional Crime Prevention Office, Kowloon East Region, of the Hong Kong Police Force to develop an anti-scam survey for freshmen at The Hong Kong University of Science and Technology to enhance their awareness.
To support anti-fraud promotional and educational efforts in the education sector, Privacy Commissioner Ms Ada CHUNG Lai-ling recently attended the first anniversary ceremony of the Anti-Deception Alliance (Education) and spoke as a panellist at its panel discussion. The Privacy Commissioner pointed out that in the digital age fraudsters deploy AI deepfake technology to perpetrate fraud, making it increasingly difficult for members of the public to guard against such threats, and reminded students to stay vigilant against all forms of fraudulent tricks in order to safeguard their personal data privacy.
Members of the public can visit the PCPD’s “Anti-fraud Tips” thematic webpage for more information on fraud prevention: www.pcpd.org.hk/english/anti_fraud. Anyone who suspects that his/her personal data has been leaked may make enquiries or lodge a complaint with the PCPD (“Personal Data Fraud Prevention Hotline”: 3423 6611 or email: communications@pcpd.org.hk). Anyone who suspects fraud involving personal data that may constitute a criminal offence should immediately report the case to the Police. Citizens may also use “Scameter” (www.cyberdefender.hk/en-us/scameter) to check suspicious phone numbers, email addresses, websites, etc.
Please click this link to watch the PCPD’s latest anti-fraud animated video.
A 57-year-old Male Arrested for Suspected Doxxing of a Taxi Driver Arising from Others’ Monetary Disputes
The PCPD arrested a Chinese male aged 57 in the New Territories on 7 August. The arrested person was suspected to have disclosed the personal data of the data subject without his consent, in contravention of section 64(3A) of the PDPO.
The case involves a chat group on an instant messaging application for practitioners of the taxi industry (the Group). The PCPD’s investigation revealed that the arrested person was an administrator of the Group, and the victim was a taxi driver. When the victim joined the Group in April 2025, he sent a photo of his Taxi Driver Identity Plate to the Group’s administrator.
In mid-May 2025, the victim had a dispute with another person over whether there was any outstanding taxi rent. In late May 2025, messages containing the personal data of the victim were sent to the Group, alongside some negative comments against the victim, including the allegations that the victim owed taxi rent and other fees. Members of the Group were also encouraged to forward the relevant messages to others. The personal data disclosed included the victim’s Chinese name, mobile phone number, the vehicle registration mark of the taxi rented by the victim, and a photo of the victim’s Taxi Driver Identity Plate showing his Chinese name, English name, photo and his Taxi Driver Identity Plate number.
The PCPD reminds members of the public that they should not dox others because of monetary disputes. Doxxing is not a means of resolving disputes; it only escalates conflict. Moreover, doxxing is a serious offence: under section 64(3C) of the PDPO, an offender is liable on conviction on indictment to a fine of up to HK$1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject —
- With an intent to cause any specified harm to the data subject or any family member of the data subject; or
- Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of HK$100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if —
- The person discloses any personal data of a data subject without the relevant consent of the data subject —
- With an intent to cause any specified harm to the data subject or any family member of the data subject; or
- Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- The disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of HK$1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means —
- Harassment, molestation, pestering, threat or intimidation to the person;
- Bodily harm or psychological harm to the person;
- Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- Damage to the property of the person.
PCPD Offers 10 Tips to Users to Ensure Safe Use of AI Chatbots
The PCPD noted recent reports that a large-scale generative AI (Gen AI) platform shared the chat histories between its users and its AI chatbot externally, making them searchable through online search engines. With the increasing popularity of AI chatbots, the PCPD reminds users of the importance of safeguarding their personal data privacy when using new technologies. Users should be aware that, depending on the settings, the chat history between users and AI chatbots may be stored and used for training AI models, which exposes it to the risk of personal data leakage. In view of this, the PCPD offers the following 10 tips to help users use AI chatbots safely and protect their personal data privacy:
(a) Before registration/use
- Tip 1: Read the Privacy Policy, the Terms of Use and other relevant data handling policies of AI chatbots to understand how personal data would be collected, stored, used and shared
- Tip 2: Beware of fake apps and phishing websites posing as known AI chatbots
- Tip 3: Adjust the settings to opt out of sharing chat history (if applicable), to avoid conversations being saved and used for AI model training and to reduce the risk of data leakage
(b) When interacting with AI chatbots
- Tip 4: Refrain from sharing your own personal data and others’ personal data
- Tip 5: If necessary, submit a correction or removal request to correct or remove any inaccurate personal data
- Tip 6: Guard against cybersecurity threats
- Tip 7: Delete outdated conversations from chat history, and delete unused AI chatbot accounts to reduce the risk of data leakage
(c) Safe and responsible use of AI chatbots
- Tip 8: Be cautious about using the information provided by AI chatbots; beware of inaccurate, copyright-infringing, biased or discriminatory information
- Tip 9: Refrain from sharing confidential information and files
- Tip 10: Teachers/parents should provide guidance to students when they are interacting with AI chatbots
The PCPD published a leaflet entitled “10 TIPS for Users of AI Chatbots” earlier, please click here to download the leaflet for details of the tips.
Highlights of the “Draft Practical Guidance of Cybersecurity Standards – Requirements for Protection of Personal Information in Electronic Food Ordering”
The National Technical Committee 260 on Cybersecurity of Standardization Administration of China issued the “Draft Practical Guidance of Cybersecurity Standards – Requirements for Protection of Personal Information in Electronic Food Ordering” (the Draft Guidance)[1] on 22 July 2025 for consultation. The Draft Guidance aims to address, among other concerns, the excessive collection of personal information by catering operators in the electronic (QR-code) food ordering process. It sets out, among others, the fundamental principles for processing personal information in QR-code ordering services and the responsibilities of all parties involved. The key points of the Draft Guidance are extracted below:
Basic principles and conduct to be avoided
The Draft Guidance proposes that, when personal information is processed in QR-code ordering services, four principles should be followed and four types of conduct avoided:
Basic principles to be followed[2]
- Lawfulness, legitimacy, necessity and good faith;
- Openness and transparency;
- Clear purpose;
- Minimum necessity.
Conduct to be avoided[3]
- Compelling the collection of non-essential personal information, or repeatedly prompting for it through pop-ups in the mini-program (Appendix B details which personal information is necessary[4] and which is non-essential[5]);
- Compelling the collection of users’ mobile phone numbers, birthdays, gender and other information on grounds such as following an official account or registering as a member;
- Processing personal information without the user’s consent;
- Failing to provide a function for deleting personal information.
Responsibilities of the parties
QR-code ordering services typically involve the catering operator, the third parties it engages and the mini-program platform, acting in roles such as developer and operator. Appendix A of the Draft Guidance sets out the relationship of responsibilities among these parties.
Personal information protection requirements
Specifically, the requirements that a catering operator must meet when developing and operating a QR-code ordering mini-program include[6]:
- Formulating personal information processing rules for the QR-code ordering mini-program;
- Displaying to users, by way of a pop-up, the purpose and use scenarios of each permission requested together with the personal information processing rules, with users actively ticking a box to consent to the rules;
- Establishing a management mechanism and tracking process for complaints and reports concerning personal information, and responding to complaints within 15 working days.
Where a catering operator engages a third party to develop or operate the mini-program, the operator should also comply with the following additional requirements[7]:
- Agreeing with the processor, by signing an entrustment agreement or similar, the purpose, duration and method of the entrusted processing, the categories of personal information, the protection measures, and the rights and obligations of both parties;
- Requiring the processor to process personal information as agreed;
- Supervising the processor’s personal information processing activities;
- Requiring the processor to return the personal information to the operator or delete it when the entrustment contract becomes invalid or is terminated, among other circumstances.
Finally, the mini-program platform should meet the following requirements[8]:
- Vetting the qualifications of mini-program developers before they use the development platform;
- Before a mini-program goes live, reviewing its personal information processing rules and carrying out personal information security testing on it;
- After a mini-program goes live, continuously supervising it and conducting periodic spot checks;
- Refusing to list non-compliant mini-programs and requiring their operators to rectify within a specified period; where the circumstances are serious or rectification is not completed in time, taking measures such as permanent delisting and revocation of the developer’s qualifications.
Conclusion
Ordering food in restaurants by QR code and other electronic means is increasingly common. The Draft Guidance provides clear personal information protection requirements for QR-code ordering services, both clarifying the responsibilities of the parties involved and stressing that only necessary personal information may be collected. The parties concerned are advised to read the recommendations carefully and take corresponding measures once the Draft Guidance is finalised.
1 Full text: https://www.tc260.org.cn/front/postDetail.html?id=20250716164841
2 Section 4.1 of the Draft Guidance.
3 Section 4.2 of the Draft Guidance.
4 For example, order information (table number, total price of dishes, etc.) and payment information (payment status, transaction number, etc.).
5 For example, the user’s platform account information, mobile phone number, location information and mini-program account information (nickname, avatar, etc.).
6 Section 5.1 of the Draft Guidance.
7 Section 5.2.1 of the Draft Guidance.
8 Section 5.2.2 of the Draft Guidance.
Professional Workshop on Data Protection in Human Resource Management
Since job applicants and current and former employees may from time to time request access to the personal data organisations hold about them, employers and human resource management professionals have to ensure compliance with the requirements of the PDPO when they collect and handle employee data. Employers should also meet public expectations to constantly protect and respect their employees’ personal data privacy. This workshop enables participants to learn how to handle different scenarios and strengthen their knowledge of data protection in human resource management.
Date: 3 September 2025 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Language: Cantonese
Fee: $750/$600*
(*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 3 CPD points (The Law Society of Hong Kong, Insurance Authority, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)
Who should attend: Human resource officers, data protection officers, compliance officers, solicitors, administration managers, recruitment agents
Practical Workshop on Data Protection Law
With the growing public awareness of and expectations for the protection of personal data privacy, it has become a norm for organisations to incorporate personal data privacy protection as part of their corporate governance responsibilities to gain customers’ trust and confidence.
This workshop will examine the practical application of the PDPO at work by the sharing of real-life cases and providing practical advice. This workshop is particularly suitable for barristers, solicitors, in-house legal counsels, data protection officers and compliance officers.
Date: 10 September 2025 (Wednesday)
Time: 2:15pm – 5:15pm
Venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen’s Road East, Wanchai, Hong Kong
Language: Cantonese
Fee: $950/$760*
(*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 3 CPD points (The Law Society of Hong Kong, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)
Who should attend: Solicitors, barristers, in-house legal counsels, data protection officers, compliance officers
Professional Workshop on Data Protection and Data Access Request
Receiving Data Access Requests (DAR) is a frequent occurrence for many organisations. For example, employees may request copies of their previous appraisal reports from their employers, and patients may request copies of their medical records. Handling DARs properly, effectively and in a timely manner poses a challenge to many organisations.
This workshop will examine in detail the compliance requirements for handling DAR under the PDPO and offer practical guidance to participants on handling DAR.
Date: 24 September 2025 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Language: Cantonese
Fee: $750/$600*
(*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 3 CPD points (The Law Society of Hong Kong, Insurance Authority, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)
Who should attend: Solicitors, data protection officers, administration managers, human resource officers, customer services personnel
New Series of Professional Workshops on Data Protection in Oct to Dec 2025:
Online Free Seminars – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. Details of the upcoming sessions are shown below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special Offer for Organisational Renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).
Join us now to keep up-to-date with the latest news and legal developments!
PCPD Supports the Hong Kong Institute of Bankers Annual Banking Conference 2025
The Hong Kong Institute of Bankers (HKIB) Annual Banking Conference 2025 (Conference) is the premier event for banking professionals seeking to thrive in today’s rapidly evolving financial landscape. Organised by the HKIB, the Conference will bring together industry leaders, regulators, and experts to explore the latest trends, innovative strategies, and critical challenges shaping the future of banking.
Under the theme “NextGen Banking: Adapting, Innovating, Thriving”, the Conference will take place on 26 September at the Hong Kong Convention and Exhibition Centre. Through keynote speeches, interactive panels, and extensive networking opportunities, attendees will gain valuable knowledge and strategies to navigate change and lead their organisations into the next era of banking.
Please click here for the details and registration.
PCPD Supports the Cyber Security Summit Hong Kong 2025
With the theme “Future-Proofing Digital Infrastructure: Harnessing AI for Enhanced Security and Resilience”, the Cyber Security Summit Hong Kong 2025 (Summit) will delve into how the integration of AI and state-of-the-art cyber security technologies can bolster digital infrastructure against cyber threats.
The Summit will feature more than 20 speaking sessions and 3 panel discussions covering a wide array of essential topics. Participants will have the opportunity to network and exchange ideas with the expert speakers and gain valuable insights.
Please click here for the details and registration.
PCPD Supports the HKIoD’s Directors' Symposium 2025
The “Directors’ Symposium 2025” organised by the Hong Kong Institute of Directors is now open for enrolment. The PCPD is pleased to be one of the supporting organisations of this event.
“Redefining Leadership for the New Era” is the theme of the “Directors’ Symposium 2025”.
Please click here for the details.
PCPD Supports the BugHunting Campaign 2025
The PCPD participates in the “BugHunting Campaign 2025” (Campaign) as a Strategic Partner. The Campaign is co-organised by the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force and Cyberbay, a crowdsourced cybersecurity company whose specialised crowdsourced vulnerability detection platform recruits experts through bounty rewards to provide participating organisations with free cybersecurity testing. The Campaign also employs AI-powered security assessments, which not only detect vulnerabilities within corporate systems but also audit the security of AI applications, to prevent data breaches and offer comprehensive protection against emerging cyber threats.
The Campaign is now open to organisations for registration. Please click here for the details.
PCPD Supports the Hong Kong Volunteer Award 2025
The PCPD is delighted to be one of the supporting organisations of the Hong Kong Volunteer Award 2025, a volunteer recognition scheme co-organised by the Home and Youth Affairs Bureau and the Agency for Volunteer Service and supported by the “JC VOLUNTEER TOGETHER” Project, which is funded by The Hong Kong Jockey Club Charities Trust. Dedicated to recognising the contributions and achievements of outstanding volunteers, corporations, organisations, estates and schools, the scheme is now open for applications.
Please click here for more details.
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.