Privacy Commissioner’s Office Publishes 
(1) Checklist on Guidelines for the Use of Generative AI by Employees and (2) Investigation Findings on the Data Breach Incident of ImagineX Management Company Limited

The PCPD published (1) the Checklist on Guidelines for the Use of Generative AI by Employees and (2) the investigation findings of the data breach incident of ImagineX Management Company Limited on 31 March. 

(1)  Checklist on Guidelines for the Use of Generative AI by Employees (Guidelines)
 
As the use of generative AI (Gen AI) has become increasingly prevalent in Hong Kong, many organisations are exploring ways to use Gen AI to enhance their competitiveness and drive digital transformation.

The Guidelines recommend that organisations cover the following aspects when developing their internal policies or guidelines on the use of Gen AI by employees, with key elements as follows:

• Scope of permissible use of Gen AI: Specify the permitted Gen AI tools (which may include publicly available and/or internally developed Gen AI tools), the permissible purposes of use (for example, drafting, summarising information and/or creating textual, audio and/or visual content) and the applicability of the policies or guidelines;
• Protection of personal data privacy: Provide clear instructions on the types and amounts of information that can be inputted into the Gen AI tools (for example, whether to include personal data or other data), the permissible purposes for using the output information, the permissible storage of the output information, the applicable data retention policy and other relevant internal policies to comply with (for example, those on personal data handling and information security);
• Lawful and ethical use and prevention of bias: Specify that employees shall not use Gen AI tools for unlawful or harmful activities, emphasise that employees are responsible for verifying the accuracy of AI-generated outputs through ways such as proofreading and fact-checking, and for correcting and reporting biased or discriminatory AI-generated outputs, as well as providing instructions on when and how to watermark or label AI-generated outputs;
• Data security: Specify the types of devices on which employees are permitted to access Gen AI tools (for example, work devices provided by employers) and the categories of employees who are permitted to use Gen AI tools (for example, those who have operational needs, have received relevant training, and have prior permission), require employees to use robust user credentials, maintain stringent security settings in Gen AI tools, and report AI incidents (such as data breach incidents involving the use of AI, unauthorised input of personal data into Gen AI tools, abnormal output results and/or output results that may potentially breach the law) according to the organisation’s AI Incident Response Plan; and
• Violations of policies or guidelines: Specify the possible consequences of employees’ violations of the policies or guidelines, and refer to the PCPD’s “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework) for recommendations on establishing Gen AI governance structure and measures.

The Guidelines also provide practical tips on supporting employees in using Gen AI tools, which include:

• Enhancing transparency of the policies or guidelines: Regularly communicate the policies or guidelines to employees and keep employees informed of any updates in a timely manner;
• Providing training and resources for employees’ use of Gen AI tools: Educate employees on how to use Gen AI tools effectively and responsibly, including explaining the capabilities and limitations of the tools, providing practical tips and examples, and encouraging employees to read the privacy policies and terms of use of such tools, etc.;
• Providing a support team: Set up a designated support team to assist employees in using Gen AI tools in their work, provide technical assistance, and address employees’ concerns; and
• Establishing a feedback mechanism: Establish channels for employees to provide feedback to help the organisation identify areas for improvement and tailor internal policies or guidelines according to the circumstances.

Download the “Checklist on Guidelines for the Use of Generative AI by Employees”:

https://www.pcpd.org.hk/english/resources_centre/publications/files/guidelines_ai_employees.pdf

Apart from publishing the Guidelines, the PCPD launched the “AI Security Hotline” (2110 1155) on 31 March for organisations to make enquiries and to assist organisations in adopting AI while safeguarding the personal data privacy of individuals.
 
In addition, as announced earlier, the PCPD has launched the “Data Security Training Series for SMEs”, which will include a seminar on “Understanding Data Security and Privacy Risks related to AI for SMEs”. The PCPD will also organise AI seminars to introduce the Guidelines and continue to explain the content of the Model Framework published by the PCPD last year.
 

Furthermore, the PCPD will continue to organise in-house seminars for organisations. Organisations may contact the PCPD (please click here for more details) to request the inclusion of the Guidelines and the Model Framework as part of the seminar content if necessary. In the first two months of 2025, the PCPD organised 31 in-house training sessions for a total of 28 organisations.

(2)  Investigation Findings on the Data Breach Incident of ImagineX

The investigation arose from a data breach notification submitted by ImagineX Management Company Limited (ImagineX) to the PCPD on 31 May 2024, reporting that ImagineX received a ransom note from a threat actor on 15 May 2024, who claimed to have stolen its data and threatened to sell the data (Incident).
 
The investigation found that the threat actor compromised a temporary user account (Account) on 4 May 2024 that ImagineX had created on its firewall on 24 April 2024. The Account was created for its vendor for urgent remote support. However, the threat actor utilised the Account to gain access to ImagineX’s network. After gaining access, the threat actor performed lateral movement within ImagineX’s network and exploited a vulnerability in an application server that was running an end-of-support operating system to further penetrate the domain controller and other servers containing personal data. The investigation revealed that the Incident resulted in the exfiltration of around 68GB of data from ImagineX’s network. In the Incident, a total of four servers and five system accounts of ImagineX were compromised.
 
ImagineX is a brand management and distribution company for international fashion and beauty businesses and manages membership programmes for its partnered brands. The Incident affected two loyalty programmes operated by ImagineX, namely the ICARD membership and the Brooks Brothers membership. A total of 127,268 individuals were affected by the Incident, which included 100,185 ICARD members, 27,069 Brooks Brothers members, and 14 current and former employees of ImagineX, etc. The personal data affected included the names, email addresses, telephone numbers, birth months, genders, and nationalities of the members, as well as the passport copies of the employees, etc.
 
Following the Incident, ImagineX notified all the affected data subjects and provided support to them, which included dark web monitoring and setting up designated emails to handle relevant enquiries. ImagineX also implemented various remedial measures to enhance system security after the Incident, which included deleting the compromised Account, replacing the end-of-support application server, as well as deploying endpoint detection and response solution for real-time detection and analysis.
 
The PCPD conducted six rounds of inquiries and reviewed the information provided by ImagineX in relation to the Incident, including an incident report provided by an external cybersecurity expert engaged by ImagineX, and the follow-up and remedial actions taken by ImagineX in the wake of the Incident. The PCPD thanked ImagineX for its cooperation and the provision of the information and documents requested in the investigation. Having considered the circumstances of the Incident and the information obtained during the investigation, Privacy Commissioner Ms Ada CHUNG Lai-ling found that the following deficiencies of ImagineX contributed to the occurrence of the Incident (see Annex 1 for details):

1. Failure to delete temporary account timely after system troubleshooting;
2. Use of end-of-support operating system;
3. Ineffective detective measures for information systems; and
4. Insufficient security risk reviews and audits for information systems.

Given that ImagineX, as a well-established brand management and distribution company for international fashion and beauty businesses, holds and processes a significant amount of personal data of customers and employees, Privacy Commissioner Ms Ada CHUNG Lai-ling considered that stakeholders (in particular, customers) have a reasonable expectation for ImagineX to implement a high standard of data security measures for its information systems. However, the investigation found that the Incident was caused by human oversight and inadequate security measures to safeguard information systems. The Privacy Commissioner was of the view that if ImagineX had timely deleted the Account and decommissioned the end-of-support operating system before the Incident, the Incident could likely have been avoided.
 
Based on the above, the Privacy Commissioner found that ImagineX had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance (PDPO) concerning the security of personal data.
 
The Privacy Commissioner has served an Enforcement Notice on ImagineX, directing it to take measures to remedy the contravention and prevent recurrence of similar contraventions in the future.
 
Privacy Commissioner Ms Ada CHUNG Lai-ling reminds all organisations which hold personal data to proactively adopt appropriate organisational and technical measures to strengthen the security of their information systems and defend against malicious attacks. In particular, organisations should:

• Adopt the “least privilege” principle and “role-based” access control mechanisms by regularly reviewing access rights and deleting unnecessary accounts;
• Cease the use of end-of-support software, or upgrade software timely;
• Implement effective measures to prevent, detect, and respond to cyberattacks to mitigate the risks of data breaches, including regular vulnerability scans and patching vulnerabilities timely; and
• Conduct comprehensive security risk reviews and audits for information systems regularly.

Please click here to refer to Annex 1 (Data Breach Incident of ImagineX Management Company Limited - Deficiencies that Contributed to the Incident).

PRIVACY 101

The Interplay of AI Security and Data Security: Essential Tips for Organisations

As AI continues to transform various sectors, its integration into organisational processes presents both opportunities and challenges. While AI systems enhance work efficiency, they often require a large amount of data for training, which can pose significant risks to personal data privacy. Consequently, the intersection of AI and data security is becoming increasingly critical. Organisations therefore should ensure that their data practices protect the privacy and integrity of personal data. This reliance on data underscores the necessity of enhanced security measures more than ever.

In today's digital landscape, where data breaches and cyberattacks are growing more sophisticated, organisations should prioritise data security. The dual challenge of harnessing AI's potential while safeguarding personal data privacy necessitates a proactive approach to data governance.

Here are some key recommendations for improving data security measures:

• Data Governance and Organisational Measures: Include the appointment of a suitable personnel in a leadership role to bear specific responsibility for data security, and ensure sufficient training is provided for staff members; 
• Risk Assessments: Conduct assessment on data security for new systems and applications before launch, as well as periodically thereafter; 
• Technical and Operational Security Measures: Implement a recommended series of technical and operational security measures; 
• Data Processor Management: A data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor; 
• Remedial Actions: Establish actions to be taken in the event of data security incidents, thereby reducing the gravity of harm that may be caused to the organisation and affected individuals; and
• Monitoring and Evaluation: Regularly monitor, evaluate, and improve compliance with data security policies.

To learn more about these recommended measures, please refer to the “Guidance Note on Data Security Measures for Information and Communications Technology”.

PRIVACY COMMISSIONER’S FINDINGS

Unauthorised Access of Personal Data Held by a Clinical Centre

Background

A clinical centre reported to the PCPD that its servers containing patients’ personal data were attacked by ransomware, resulting in the malicious encryption of files containing personal data of around 100,000 patients. The hacker demanded ransom for the file decryption. The affected personal data included names, identity document numbers, telephone numbers, dates of birth, addresses, and medical records.

The incident was likely caused by the use of firewall firmware that was not up to date, which allowed the hacker to exploit an unpatched vulnerability in the firewall to remotely execute commands or programs through Secure Sockets Layer Virtual Private Network (SSL VPN) to acquire the credentials of an administrative account, and subsequently deployed ransomware and encrypted the files containing patients’ personal data. At the time of the incident, there were no policies or procedures in place relating to vulnerability and patch management.

Remedial Measures

Upon receiving notification from the clinical centre, the PCPD commenced an investigation against the clinical centre regarding the incident and served an Enforcement Notice on the clinical centre. In response to the incident, the clinical centre implemented remedial measures, including upgrading the firewall firmware, patching the vulnerability in question, and implementing a series of security enhancements on its information systems. To comply with the Enforcement Notice, the clinical centre devised policies and procedures related to application vulnerability and patch management, and implemented multi-factor authentication for all remote access users accessing personal data.

Lessons Learnt

Healthcare organisations generally possess a vast amount of sensitive patient data, which inevitably makes their information systems targets for hackers. The incident highlighted that timely updates of security devices and software are crucial for maintaining information security. Software and device updates often involve patching vulnerabilities and weaknesses in previous versions to enhance system security. Organisations should devise clear security policies and procedures and implement measures to ensure compliance of staff members.

TECH TALK

Ensuring Data Security: Responsibilities for Personal Users

In an age where our lives are becoming increasingly digital, data security is more important than ever. Ensuring data security is not solely the responsibility of organisations; individuals also play a crucial role in safeguarding their personal data by enhancing their data security systems.

For instance, when setting up a new personal computer, implementing security measures is more critical than one might realise. Simply connecting to the internet can expose your computer to various security threats, including malware infections, spam emails, denial of service attacks, and the potential unauthorised disclosure of personal data.

To ensure your computer is well protected before connecting to the online world, take the following precautions: 

• Set Up the Administrator Account and Other User Accounts: Assign a strong password to the administrator account, as this account is often used for configuring the system settings; 
• Install and Configure Anti-malware Software: Keep the software updated with the latest definition files, scan your computer regularly, and enable real-time threat detection; 
• Install and Enable a Personal Firewall: Use a personal firewall to protect your computer from unauthorised access; 
• Secure the Wireless Network: Configure and set up the wireless network properly and in a secure way to prevent unauthorised access;
• Configure Your Web Browser: Enable the pop-up blocker except for trusted sites, and regularly clear cache and temporary files from the browser to enhance your personal data privacy; and
• Apply the Latest Patches: Ensure that auto-update features for your anti-malware software and operating system are enabled. 

WHAT’S ON

Reaching Out to the Commercial Sector – Privacy Commissioner Speaks at a Meeting of the New Territories General Chamber of Commerce

Privacy Commissioner Ms Ada CHUNG Lai-ling delivered a keynote speech at a meeting of the New Territories General Chamber of Commerce on 29 April and met with members of the Chamber on the occasion.

The Privacy Commissioner delivered a keynote speech titled “Prevention of Cyber Attacks for Enterprises” and shared with participants some examples of real data breach cases caused by cyber attacks in recent years. She also introduced some practical measures to enhance cybersecurity capabilities, and the “Artificial Intelligence: Model Personal Data Protection Framework” and the “Checklist on Guidelines for the Use of Generative AI by Employees” issued by the PCPD.

Implementing the Spirit of Two Sessions – Privacy Commissioner Publishes an Article Titled “Promoting the Development of Artificial Intelligence while Reinforcing our Connectivity with Both the Mainland and the World”

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article in Ta Kung Pao titled “Promoting the Development of Artificial Intelligence while Reinforcing our Connectivity with Both the Mainland and the World” on 29 April.

The Privacy Commissioner pointed out that the important documents published during the “Two Sessions”, such as the Report on the Work of the Central Government and the speeches made by the state leaders have set out a clear direction for Hong Kong to fully capitalise on its distinctive advantages under the “One Country, Two Systems” principle to reform and innovate. The Privacy Commissioner elaborated on how the PCPD implements the spirit of the “two sessions” from three perspectives, namely promoting the safe development of AI, facilitating the cross-boundary flow of personal information within the Guangdong–Hong Kong–Macao Greater Bay Area and strengthening international exchanges and cooperation.

Please click here to read the article (Chinese version only). 

Enhancing Data Security – Privacy Commissioner Publishes an Article on Hong Kong Lawyer 

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article titled “Safeguarding Personal Data Privacy in the Digital Age with PCPD’s Guidance on Cloud Computing” on Hong Kong Lawyer.

In the article, the Privacy Commissioner introduced the “Guidance on Cloud Computing” (Guidance) published by the PCPD earlier. In particular, the Privacy Commissioner emphasised the shared responsibility between organisations as data users and cloud service providers in ensuring data security in a cloud environment. The Privacy Commissioner also highlighted the recommended measures in the Guidance to help organisations better protect personal data privacy when using cloud computing. 

Please click here to read the article.

Privacy Commissioner Attends the Opening Ceremony cum Seminar of the “National Security Education Day”

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Opening Ceremony cum Seminar of the “National Security Education Day” on 15 April.
 
On 1 July 2015, the National Security Law of the Country was passed at the 15^th meeting of the Standing Committee of the 12^th National People’s Congress, and the National People’s Congress designated 15 April of each year as the “National Security Education Day”. This year marks the 10^th “National Security Education Day”, fifth anniversary of the implementation of the Hong Kong National Security Law, as well as the first anniversary of implementation of the Safeguarding National Security Ordinance.

Promoting Digital Economy – Privacy Commissioner Attends the World Internet Conference Asia-Pacific Summit

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the World Internet Conference Asia-Pacific Summit (Summit) on 14 April. At the Summit, the Privacy Commissioner exchanged views with representatives from governments and businesses, international organisations, leading corporations, as well as experts and scholars from various countries and regions.

The Summit was hosted by the World Internet Conference, organised by the Hong Kong SAR Government and co-organised by the Innovation, Technology and Industry Bureau. The theme of the Summit was “Integration of AI and Digital Technologies Shaping the Future – Jointly Building a Community with a Shared Future in Cyberspace”. Attendees of the Summit discussed recent trends in technological fields including artificial intelligence, digital finance, e-government and smart living through in-depth exchanges of views and experience sharing, with a view to strengthening digital collaboration and creating new momentum and new advantages for the development of the Asia-Pacific region.

Reporting to Legislative Council – Secretary for Constitutional and Mainland Affairs and Privacy Commissioner Attend Special Meeting of the Legislative Council Finance Committee

The Secretary for Constitutional and Mainland Affairs (SCMA), Mr Erick TSANG Kwok-wai, GBS, IDSM, JP, attended a special meeting of the Legislative Council (LegCo) Finance Committee on 9 April to elaborate on the estimated expenditure for the Constitutional and Mainland Affairs Bureau for 2025-26. Privacy Commissioner Ms Ada CHUNG Lai-ling also attended the meeting to answer questions raised by LegCo Members on the work of the PCPD.

During the meeting, the Privacy Commissioner pointed out that the PCPD has introduced various “Data Security” tools to support different industries, including: (1) launching a one-stop thematic webpage on “Data Security”, which has been visited by over 45,000 users as of end of March this year; (2) establishing the “Data Security Scanner” for organisations to evaluate the security level of their data security measures, which has over 1,100 users; (3) launching the “Data Security” Package for schools, non-profit-making organisations (NGOs) and small-and medium enterprises (SMEs) to raise their data security awareness, with around 200 schools, NGOs and SMEs joining the package; and (4) publishing various data security guidelines, covering topics such as data security, cloud computing, and data breach handling, and distributing the guidelines to over 500 organisations, chambers of commerce, government departments and public sectors, etc.

Please click here for the opening remarks of the SCMA (Chinese only).

Administrative Appeals Board Dismisses Appeal against Criminal Investigation Decision

The Administrative Appeals Board (AAB) recently dismissed an appeal lodged by a complainant against the decision of the Privacy Commissioner to terminate a criminal investigation against suspected doxxing act.

It was affirmed that the AAB does not have jurisdiction to hear the appeal. The AAB agreed with the Privacy Commissioner’s submissions that the ambit of the AAB’s jurisdiction is limited to the decisions listed in the schedule to the Administrative Appeals Ordinance and any other decision in respect of which an appeal lies to the AAB, and that the AAB is an institution responsible for handling appeals concerning administrative decisions. Since the decision relating to Section 66S of the PDPO regarding the obligation of the Privacy Commissioner to inform the complainant of the result of the specified investigation does not fall under the said schedule nor constitutes an administrative decision, it is beyond the jurisdiction of the AAB to hear the appeal.

Please click here to view “Decision of the AAB” (Chinese only).

Reaching Out to the Community – Privacy Commissioner Interviewed by Commercial Radio’s “Beautiful Sunday” to Explain the “Checklist on Guidelines for the Use of Generative AI by Employees”

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by Commercial Radio’s “Beautiful Sunday” on 6 April to explain the “Checklist on Guidelines for the Use of Generative AI by Employees” issued by the PCPD.

In the interview, the Privacy Commissioner said that as many organisations may use Gen AI in their business operations, the Guidelines was issued by the PCPD with the aim to assist organisations in developing internal policies or guidelines on the use of Gen AI by employees at work. To assist organisations in using AI while safeguarding the personal data privacy of individuals, the PCPD has also launched the “AI Security Hotline” (2110 1155), and will continue to organise in-house seminars for organisations.

The Privacy Commissioner also reminded organisations that the use of customer data to train AI models would be subject to the requirements of the PDPO, and that customers’ consent would be required for any change of purposes of use of personal data.

Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain the “Checklist on Guidelines for the Use of Generative AI by Employees”

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “HK2000” and “Open Line Open View”, RTHK News’ “Hong Kong Today”, RTHK Radio 3’s “Hong Kong Today” and Commercial Radio’s “On a Clear Day” on 31 March, 1 and 2 April respectively, to explain the “Checklist on Guidelines for the Use of Generative AI by Employees” issued by the PCPD.

In the interviews, the Privacy Commissioner said that as many organisations will be using Gen AI in their business operations, the Guidelines was issued by the PCPD with the aim to assist organisations in developing internal policies or guidelines on the use of Gen AI by employees at work, thereby implementing the policy direction from the “two sessions” to promote “AI Plus” and to facilitate the safe and healthy development of AI in Hong Kong. The PCPD also launched the “AI Security Hotline” (2110 1155) for organisations to make enquiries and to assist organisations in using AI while at the same time safeguarding the personal data privacy of individuals.

The interview by RTHK Radio 1’s “Open Line Open View” can be listened here (Chinese only).
The interview by RTHK Radio 3’s “Hong Kong Today” can be listened here (00:10 – 04:21).

Promoting AI Safety – PCPD Organises a Seminar on “Good Practices in Privacy Protection in the Use of AI”

The PCPD organised a seminar on “Good Practices in Privacy Protection in the Use of AI” in hybrid mode on 24 April, which attracted about 300 participants.

In the seminar, Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) Ms Joanne WONG discussed the privacy risks brought by the prevalence of AI, shared recommendations and best practices in the “Artificial Intelligence: Model Personal Data Protection Framework” regarding governance of AI for the protection of personal data privacy, and introduced the PCPD’s newly published “Checklist on Guidelines for the Use of Generative AI by Employees”. In addition, Deputy Managing Director and Chief Cyber Security and Privacy Officer of Huawei International Co. Limited (Huawei) Mr Ambrose TANG also shared the practical experiences of Huawei in developing and using AI-driven technologies in a privacy-friendly manner, as well as the ways and means to protect personal data privacy while using AI.

Please click here for Ms Wong’s presentation deck (Chinese only).
Please click here for Mr Tang’s presentation deck (Chinese only).

Reaching Out to the Insurance Sector – Assistant Privacy Commissioner Speaks at a Webinar Entitled “Evolving Hong Kong Personal Data Privacy and Cybersecurity Risks and the Implications on Cyber Insurance”

The Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) of the PCPD Ms Joanne WONG delivered a keynote speech at a webinar entitled “Evolving Hong Kong Personal Data Privacy and Cybersecurity Risks and the Implications on Cyber Insurance” organised by the Professional Liability Underwriting Society on 23 April.

In her speech, Ms WONG provided an overview of the six DPPs under the PDPO and explained the latest trends in cyberattacks and data breach incidents. She also highlighted the personal data privacy risks posed by artificial intelligence and introduced the “Artificial Intelligence: Model Personal Data Protection Framework” and the “Checklist on Guidelines for the Use of Generative AI by Employees” published by the PCPD earlier. 

Please click here to download the presentation deck.

Two PCPD Officers Receive Commendation Certificates and Lapel Pins in the “Good Employee Recognition Campaign 2025”

Two officers from the PCPD were awarded Good Employee Commendation Certificates and lapel pins in the “Good Employee Recognition Campaign 2025” organised by the Labour Department, in recognition of their outstanding performance and contributions to the PCPD.
 
The two PCPD awardees are Personal Data Officer of the Complaints Division Ms Natalie YUNG Kit-ying and Assistant Personal Data Officer of the Legal Division Mr LEUNG Kin-keung.

Reaching Out to Universities – PCPD and Hong Kong Police Force Jointly Organise Seminars on Fraud Prevention for University Students

The PCPD and Hong Kong Police Force co-organised two seminars on fraud prevention for university students on 8 and 10 April at Sunny House to share some practical tips on fraud prevention and personal data protection with the participants.
 
During the seminars, Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) Ms Joanne WONG and Head of Corporate Communications of the PCPD Ms Phoebe CHOW delivered talks titled “Beware of Scams: Protect Your Personal Data”, and shared with the students some examples of scams using AI deepfake technology, as well as practical tips on protecting personal data privacy when using smartphones, instant messaging software and social media. In addition, representative from the Hong Kong Police Force also shared the latest trends in telephone and online shopping scams, using real cases as examples.

Promoting Cross-Boundary Flow of Personal Information – PCPD’s Representative Speaks at the Briefing on Facilitation Measure Using the Greater Bay Area Standard Contract

Acting Senior Legal Counsel of the PCPD Ms Clemence WONG spoke at the briefing on facilitation measure relating to the “Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong)” (GBA SC) organised by the Hong Kong Federation of Insurers on 31 March.

At the briefing, Ms WONG introduced to the insurance sector the terms of the GBA SC and the relevant requirements for cross-border transfers of personal data from Hong Kong under the PDPO.

Please click here for the presentation deck (Chinese only).

Promoting AI Security – Assistant Privacy Commissioner Speaks at the 3^rd AI Rule of Law Forum

The Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) of the PCPD Ms Joanne WONG attended the 3^rd Artificial Intelligence Rule of Law Forum (Forum) on 29 March in Guangzhou and delivered a keynote speech titled “Protecting Personal Data Privacy in the AI Era: Hong Kong’s Perspective”.

During the speech, Ms WONG discussed the privacy risks associated with the use of AI and the relevant requirements under the PDPO. She also highlighted that the PCPD published various guidelines to foster the safe and healthy development of AI in Hong Kong, including the “Artificial Intelligence: Model Personal Data Protection Framework” published in 2024, and introduced the key recommendations of the guidelines.

The Forum was hosted by the China Law Society Cyber and Information Law Society and organised by the School of Law of the Guangdong University of Finance and Economics. The theme of this year’s Forum was “New Quality Productive Forces and Artificial Intelligence: the Integrated Development of the Rule of Law from a Global Perspective”.

PCPD Issues New Versions of Leaflet on “Legal Assistance for Civil Claims under the Personal Data (Privacy) Ordinance”

An individual who suffers damage due to a contravention of a requirement under the PDPO by a data user may be entitled to compensation as provided under section 66 of the PDPO. Eligible persons may also apply for legal assistance from the PCPD pursuant to section 66B of the PDPO in seeking compensation from the data user concerned.

On 17 April, the PCPD issued a new version of the information leaflet entitled “Legal Assistance for Civil Claims under the Personal Data (Privacy) Ordinance” to provide an overview of the legal assistance scheme to the public. The PCPD also encourages the use of alternative dispute resolution mechanisms (including conciliation and mediation) in negotiating settlements out of court.

Please click here to download the leaflet on “Legal Assistance for Civil Claims under the Personal Data (Privacy) Ordinance”.

Award-winning – PCPD Receives Fourth Consecutive Recognition as “Manpower Developer”

The PCPD has been awarded for the fourth time by the Employees Retraining Board (ERB) as a “Manpower Developer”. The award serves as a tremendous motivation for the PCPD’s efforts in manpower training and development.

Since 2018, the PCPD has been awarded as a “Manpower Developer” for four consecutive terms, with the current award valid until 31 March 2027.

MEDIA STATEMENT

A Male Arrested for Suspected Doxxing Arising from Repair Works Dispute

The PCPD arrested a Chinese male aged 61 in the New Territories on 7 April. The arrested person was suspected to have disclosed the personal data of a customer without her consent, in contravention of section 64(3A) of the PDPO.

The PCPD’s investigation revealed that the arrested person operates an engineering company. In December 2024, the victim made an enquiry with the said engineering company regarding some household inspection and repair works, and the arrested person accepted the victim’s offered price in a telephone reply. However, the arrested person raised the quotation upon inspection at the victim’s residence on the same day, which led to a heated dispute between the two during which the arrested person took photos of the victim.

Soon after, two posts containing the personal data of the victim were published respectively in a public and a private discussion group on a social media platform, alongside some negative comments against her. The personal data disclosed included the victim’s photo, complete residential address and the homophonic character of her Chinese surname. The victim lodged a complaint with the PCPD subsequently.

The PCPD reminds members of the public that they should not dox others because of consumer disputes. Doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.

Relevant Provisions under the PDPO

Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject —

1. With an intent to cause any specified harm to the data subject or any family member of the data subject; or
2. Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.

A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.

Pursuant to section 64(3C) of the PDPO, a person commits an offence if —

1. The person discloses any personal data of a data subject without the relevant consent of the data subject —
   1. With an intent to cause any specified harm to the data subject or any family member of the data subject; or
   2. Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
2. The disclosure causes any specified harm to the data subject or any family member of the data subject.

A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.

According to section 64(6) of the PDPO, specified harm in relation to a person means —

1. Harassment, molestation, pestering, threat or intimidation to the person;
2. Bodily harm or psychological harm to the person;
3. Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
4. Damage to the property of the person.

MAINLAND CORNER

Highlights of the “Measures for the Security Management of the Application of Facial Recognition Technology”

《人臉識別技術應用安全管理辦法》的重點

To regulate the processing of facial information using facial recognition technology and to safeguard individuals’ rights and interests over their personal information, the Cyberspace Administration of China issued the “Measures for the Security Management of the Application of Facial Recognition Technology” (Measures) on 21 March 2025. The Measures stipulates, amongst others, rules for processing facial information, security specifications for the application of facial recognition technology, and filing requirements, etc. The Measures will become effective on 1 June 2025. This article provides an overview of the Measures.

為規範應用人面識別技術處理人臉信息的活動及保護個人信息權益，國家互聯網信息辦公室（網信辦）於2025年3月21日發出《人臉識別技術應用安全管理辦法》）（《辦法》）¹。《辦法》對處理人臉信息的規則、人臉識別技術的應用安全規範，以及備案要求等作出了規定。《辦法》將會自2025年6月1日實施，重點摘錄如下：

適用範圍

《辦法》適用於在中國境內應用人臉識別技術處理人臉信息的活動，但不適用於為從事人臉識別技術研發、算法訓練活動應用人臉識別技術處理人臉信息的情況²。網信辦指出，此豁免為開展人臉識別技術的研究和應用創新預留空間，有利於推動相關產業安全健康發展，平衡創新與依法治理³。

人臉信息的處理規則

《辦法》對應用人臉識別技術處理人臉信息提出了多項規則。由於人臉信息屬於敏感個人信息，《辦法》中有關條文均呼應《個人信息保護法》⁴第二章第二節有關處理敏感個人信息的規定，包括：

• 處理人臉信息應當具有特定的目的和充分的必要性，採取對個人權益影響最小的方式，並實施嚴格保護措施⁵；
• 個人信息處理者應當在處理人臉信息前履行告知義務，例如向個人清晰、準確地告知處理人臉信息的必要性以及對個人權益的影響⁶；
• 如基於個人同意處理人臉信息，應當取得個人在充分知情的前提下自願、明確作出的單獨同意⁷；及
• 處理不滿十四周歲未成年人的人臉信息，應當取得未成年人的父母或其他監護人的同意，並制定專門的處理規則⁸。

《個人信息保護法》規定個人信息處理者處理敏感個人信息前應進行個人信息保護影響評估，亦列明該評估應涵蓋的主要內容⁹。《辦法》除了重申這些規定，亦額外要求上述評估應包含發生人臉信息洩露、篡改、丟失、毀損或者被非法獲取、出售、使用的風險以及可能造成的危害¹⁰。

此外，《辦法》指出，除非法律法規另有規定或取得個人單獨同意外，否則人臉信息應當存儲於人臉識別設備內，不得通過互聯網對外傳輸，而人臉信息的保存期限亦不得超過實現處理目的所必需的最短時間¹¹。

安全規範

針對強制使用人臉識別技術驗證身份的問題，《辦法》規定若有其他方式可實現相同目的或者達到同等業務要求，不得將人臉識別技術作為唯一驗證方式；若個人不同意通過人臉信息進行身份驗證的，應當提供其他合理、便捷的方式¹²。任何組織和個人亦不得以辦理業務、提升服務質量等為由，誤導、欺詐、脅迫個人接受人臉識別技術驗證個人身份¹³。

《個人信息保護法》第二十六條規定在公共場所安裝圖像採集、個人身份識別設備，應當為維護公共安全所必需，並設置顯著的提示標識。《辦法》除了重申相關要求，亦進一步指出任何組織和個人不得在賓館客房、公共衛生間等公共場所中的私密空間內部安裝人臉識別設備¹⁴。《辦法》同時要求人臉識別技術應用系統應當採取數據加密、安全審計及訪問控制等措施保護人臉信息安全¹⁵。

備案要求

《辦法》規定，若應用人臉識別技術處理的人臉信息存儲數量達到10萬人，個人信息處理者應當在該日起30個工作日內向所在地省級以上網信部門履行備案手續¹⁶。《辦法》亦列出了申請備案所需的材料¹⁷。

總結

《辦法》提出規範應用人臉識別技術的原則，亦闡明了處理人臉信息的具體規則。應用人臉識別技術的個人信息處理者宜參閱當中要求，以妥善保障人臉信息安全。

¹ 全文： https://www.cac.gov.cn/2025-03/21/c_1744174262156096.htm

² 《辦法》第二條。

³ 《〈人臉識別技術應用安全管理辦法〉答記者問》： https://www.cac.gov.cn/2025-03/21/c_1744259774719484.htm

⁴  全文： https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm

⁵ 《辦法》第四條（對照《個人信息保護法》第二十八條）。

⁶ 《辦法》第五條（對照《個人信息保護法》第三十條）。

⁷ 《辦法》第六條（對照《個人信息保護法》第二十九條）。

⁸ 《辦法》第七條（對照《個人信息保護法》第三十一條）。

⁹ 《個人信息保護法》第五十五及五十六條。

¹⁰ 《辦法》第九條。

¹¹ 《辦法》第八條。

¹² 《辦法》第十條。

¹³ 《辦法》第十二條。

¹⁴ 《辦法》第十三條。

¹⁵ 《辦法》第十四條。

¹⁶ 《辦法》第十五條。

¹⁷ 《辦法》第十五條。

RECOMMENDED TRAININGS

Professional Workshop on Personal Data Privacy Management Programme

With the ever-rising expectations of customers and stakeholders regarding organisations’ responsible use of personal data in recent years, the protection of personal data privacy should no longer be seen as purely a compliance issue. To build trust with customers and enhance their competitive and reputational advantages, organisations should develop and implement a comprehensive Personal Data Privacy Management Programme (PMP) to proactively embrace personal data privacy protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisations. 

By attending this workshop, participants will understand the key components of a PMP, and learn how to continuously maintain and improve it for effective implementation in their organisations. 

Date: 7 May 2025 (Wednesday)

Time: 2:15pm – 4:15pm

Mode: Online

Fee: $750/$600*

(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of the data protection trend and best practices.

Professional Workshop on Data Protection in Direct Marketing Activities

Organisations often use customers’ personal data to conduct direct marketing activities to promote products or services. These activities are governed by the PDPO. Organisations have the responsibility to ensure that their employees clearly understand and comply with the provisions on direct marketing under the PDPO, which also helps organisations maintain a positive reputation and demonstrate their corporate social responsibility. 

This workshop will explain in detail the requirements of the direct marketing provisions under the PDPO and provide participants with practical guidance on compliance and share conviction cases relating to direct marketing, aiming to help participants understand how to properly use customers’ personal data in direct marketing activities. 

Date: 21 May 2025 (Wednesday)

Time: 2:15pm – 5:15pm

Mode: Face-to-face
(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)

Fee: $750/$600*

(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: Data protection officers, compliance officers, company secretaries, administration managers, IT Managers, solicitors, database managers and marketing professionals.

New Series of Professional Workshops on Data Protection in Jun 2025:

Online Free Seminars – Introduction to the PDPO Seminar

The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below: 

Seminar Outline:

• A general introduction to the PDPO;
• The six Data Protection Principles;
• Offences and compensation;
• Direct marketing; and
• Q&A session. 

Arrange an In-house Seminar for Your Organisation 

Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.

The seminar outline is as follows:

• A general introduction to the PDPO;
• The six Data Protection Principles (industry-related cases will be illustrated);
• Data security management;
• Handling of data breach incidents;
• Direct marketing;
• Offences and compensation; and
• Q&A session.

Duration: 1.5 hours

APPLICATION / RENEWAL OF DPOC MEMBERSHIP

Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!

Special Offer for Organisational Renewals:

Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).

Join us now to keep up-to-date with the latest news and legal developments!

SUPPORTING EVENT

PCPD Supports the Cyber Security Staff Awareness Recognition Scheme 2025

The PCPD is delighted to be one of the scheme partners of the Cyber Security Staff Awareness Recognition Scheme 2025 (the Scheme). Co-organised by Hong Kong Internet Registration Corporation Limited (HKIRC) and ISACA China Hong Kong Chapter (ISACA), the Scheme aims to promote “Human Firewall” concept among the industry by raising cyber security staff awareness on top of technical protection as a second level defence line, and to enhance organisations’ protection level by encouraging the organisations to raise staff awareness by multiple channels. Applications are now open for the upcoming round of the Scheme for 2025.

Please click here for the Scheme details and application.

SUGGESTION BOX

The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.

Contact Us

Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong

Tel: 2827 2827

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
 

Copyright

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.