PCPD e-NEWSLETTER
ISSUE Nov 2025
Privacy Commissioner’s Office Expresses Deepest Condolences to Victims of Tai Po Deadly Fire
The PCPD expresses our deepest condolences to the victims of the serious disaster in Tai Po, and to the firefighter who tragically lost his life in the line of duty. The PCPD wishes the injured a speedy recovery and extends our respect and gratitude to all rescue personnel and frontline firefighters. During this difficult time, we call on all sectors of the community to support one another and to extend care and assistance to those affected.
Cast Your Vote on 7 December – Privacy Commissioner’s Task Force Promotes Election-related Initiatives
The 2025 Legislative Council General Election will be held on 7 December. The PCPD urges voters to actively cast their votes so as to fulfil civic responsibilities, and contribute to building a brighter future.
To call on all sectors to cast their votes in the 2025 Legislative Council General Election on 7 December, the PCPD has earlier established a Task Force on the Legislative Council General Election (Task Force). The Task Force is chaired by the Privacy Commissioner Ms Ada CHUNG Lai-ling and composed of the PCPD’s senior management and division heads to plan, coordinate and promote election-related initiatives. The Task Force held its third meeting on 13 November. The PCPD has been actively encouraging colleagues and members of the community to vote, including making appeals at various events hosted or attended by the PCPD and distributing leaflets. On 12 November, the Privacy Commissioner called on participants at the seminar on “How SMEs Should Respond to Data Breach Incidents” to cast their votes in the Legislative Council General Election. The Privacy Commissioner has earlier issued letters to colleagues of the PCPD, members of the Personal Data (Privacy) Advisory Committee (PDPAC) and Standing Committee on Technological Developments (SCTD), as well as members of the Data Protection Officer’s Club (DPOC), urging them to cast their votes. She also reached out to the community with the PCPD Volunteer Team to engage with the public and visited the St. James’ Settlement Wan Chai District Elderly Community Centre to urge members of the public to cast their votes on 7 December, the polling day, to fulfil their civic responsibilities.
The PCPD has produced a short video and its Volunteer Team visited St. James’ Settlement Wan Chai District Elderly Community Centre to urge members of the public to cast their votes on 7 December, the polling day, to fulfil their civic responsibilities. The short video is now available at the PCPD’s website, YouTube channel and other social media platforms. Please click here to watch it now. The PCPD will continue its publicity efforts and provide all feasible conveniences to colleagues for casting their votes. The Privacy Commissioner and the PCPD Volunteer Team will continue to reach out to the community and urge members of the public to cast their votes to elect individuals who love the Country and Hong Kong to serve as members of the Legislative Council, thereby contributing to the good governance, economic development, and the well-being of our community!
The Privacy Commissioner Receives Silver Bauhinia Star
The 2025 Honours and Awards Presentation Ceremony (Ceremony) was held at the ballroom of the Government House on 15 November. Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Ceremony and was presented with the Silver Bauhinia Star (SBS) by the Chief Executive, Mr John LEE Ka-chiu, GBM, SBS, PDSM, PMSM.
Ms Ada CHUNG Lai-ling was awarded SBS in recognition of her meritorious and dedicated service to the Government and the Hong Kong community in the past 44 years. During her tenure as the Privacy Commissioner, she has made remarkable contributions by leading the PCPD in proactively strengthening the Personal Data (Privacy) Ordinance (PDPO) and the related publicity efforts with a view to raising the awareness of privacy, as well as assisting the Government in the innovative digital transformation of Hong Kong.
- Bring Your Own Device (BYOD): Balancing Convenience with Personal Data Protection
- PRIVACY COMMISSIONER’S FINDINGS: Loss of Portable Storage Device Containing Personal Data
- BYOD at Work: Boosting Productivity without Compromising Security
- Ensuring Information System Security; PCPD Completes the Inspections of the Personal Data Systems of Two Educational Institutions
- A 60-year-old Female Arrested for Suspected Doxxing of a Former Schoolmate Arising from Monetary Disputes
- A 54-year-old Male Arrested for Suspected Doxxing of a Former Employer
- Free Online Seminars: Introduction to the PDPO
- Arrange an In-house Seminar for Your Organisation
- APPLICATION / RENEWAL OF DPOC MEMBERSHIP
- Reaching Out to IT Professionals – Privacy Commissioner Attends HKICC 2025 Opening Ceremony
- Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain the Inspection Reports on the Personal Data Systems of Two Educational Institutions and the Work of the Election Task Force
- Reaching Out to Legal Professionals – Privacy Commissioner Attends the Law Society of Hong Kong 118th Annual Cocktail Reception
- Connecting with International Community – Privacy Commissioner Interviewed by GovInsider
- Promoting AI Security – Privacy Commissioner Speaks at the Cyber Security Summit 2025
- Reaching Out to Accounting Professionals – Privacy Commissioner Attends HKICPA Annual Dinner 2025
- Enhancing Cybersecurity – Privacy Commissioner Attends Cyber Security Staff Awareness Recognition Scheme 2025/26 Recognition Ceremony
- Reaching Out to the Media Sector – Privacy Commissioner Attends Seminar of the Hong Kong Press Council
- Reaching Out to the Community – Privacy Commissioner Interviewed by Now News’ “News Magazine” to Explain New Guidance on the Use of CCTV Systems and Video Cameras on Drones and Vehicles
- Reaching Out to Legal Professionals – Acting Assistant Privacy Commissioner Speaks at the Cross Strait Four Regions Young Lawyers Forum 2025
- Two PCPD Officers Receive the Ombudsman’s Awards 2025
- Enhancing Data Security for SMEs – PCPD and HKPC Jointly Organise Seminar on “How Can SMEs Respond to Data Breach Incidents”
- Reaching Out to the Community – Acting Assistant Privacy Commissioner Interviewed by Media to Explain New Guidance on the Use of CCTV System and Video Cameras on Drones and Vehicles
- Promoting AI Security – Acting Assistant Privacy Commissioner Speaks at the GenA.I. Symposium
- Highlights of the “Measures for Certification of Cross-Border Personal Information Transfer” (《個人信息出境認證辦法》)
- International: Global Privacy Enforcement Network (GPEN) 2025 Privacy Sweep Focuses on Children's Privacy
- EU: European Data Protection Supervisor (EDPS) Publishes Guidance on Risk Management of AI Systems
- EU: Parliament Committee Publishes Draft Agenda on AI in Workplace
- EU: Commission Launches Work on Code of Practice on Transparency of AI-Generated Content

Bring Your Own Device (BYOD): Balancing Convenience with Personal Data Protection
In today’s fast-paced digital environment, the practice of “Bring Your Own Device (BYOD)” is becoming increasingly popular in organisations, allowing employees to use their personal mobile devices to access and work with organisational information, including personal data collected by the organisation.
While BYOD offers flexibility and convenience, it also presents a dual set of challenges that organisations should address with care:
- Protecting employee private information: Organisations are reminded that BYOD equipment contains private information about employees. Any protective measures implemented by the organisations should also respect such private information; and
- Safeguarding organisation-collected personal data: By enabling BYOD, organisations are transferring collected personal data from secure corporate systems to employee-owned devices, which are typically less secure and subject to limited organisational control. It is important to note that even though the personal data is stored on a device owned by the employee, the organisation remains fully responsible for compliance with the PDPO.
Organisations should therefore ensure that employees are adequately reminded not to misuse organisation-collected personal data stored on BYOD equipment. Additionally, it is essential to implement sufficient technical measures that enable secure access to or storage of this data, while respecting employees' private information.
To responsibly adopt BYOD while upholding the standards of personal data protection, organisations are encouraged to follow these best practices:
- Establishing a BYOD policy describing its governance, such as the roles and responsibilities of the organisation and its employees, and the approval procedure for deployment;
- Conducting a risk assessment to ascertain the types of personal data to be accessible by, or stored in, the BYOD equipment, and the harm and likelihood of its loss or unauthorised disclosure;
- Applying technical solutions to reduce or contain the risks, such as implementing an independent and additional layer of password protection or access control, proper encryption of stored data, and auto-erasure; and
- Devising a monitoring and review mechanism to ascertain compliance with the BYOD policy while keeping up with any business changes.
For more information on best practices to ensure that the use of BYOD aligns with personal data protection requirements, please refer to the information leaflet on “Bring Your Own Device (BYOD)”.
PRIVACY COMMISSIONER’S FINDINGS
Loss of Portable Storage Device Containing Personal Data
Background
A government department (the Department) reported to the PCPD that it had engaged a service contractor to assist in managing a community complex, and that a staff member of the service contractor had stored the reservation records on a USB storage device without authorisation. The device, which contained the names, contact numbers and names of employers of a few hundred applicants, was discovered to be missing the next day.
Remedial Measures
Upon receiving the relevant data breach notification, the PCPD initiated a compliance check. In response to the incident, the Department implemented various measures to prevent recurrence of similar incidents. These included replacing the computers provided by the service contractor with computers on which the use of USB ports is restricted and internet access is disabled; formulating a guideline for its contractors on safeguarding personal data, including advising them to avoid storing personal data on portable storage devices; and incorporating the said guideline into future quotation and tender exercises to ensure proper handling of personal data by contractors.
Lessons Learnt
While portable storage devices offer a convenient means to store and transfer data outside of an organisation’s system, they are susceptible to data security incidents. Organisations should avoid the use of portable storage devices to store personal data wherever practicable. If it is necessary to use portable storage devices, organisations should establish policies that set out the circumstances under which portable storage devices may be used, the types and amount of personal data that may be transferred, and the approval process for the use of portable storage devices. Organisations should also keep an inventory of portable storage devices and track their uses and whereabouts, as well as securely erase data in portable storage devices after each use.
In addition, if organisations engage a third-party data processor, contractual or other means should be adopted to prevent unauthorised or accidental access, processing, erasure, loss or use of the personal data transferred to the data processor for processing.
BYOD at Work: Boosting Productivity without Compromising Security
With the rise of BYOD practices, employees can now access company emails and documents on their personal mobile devices anytime and anywhere. This flexible working model undoubtedly enhances productivity, but it also introduces new security risks for organisations.
While organisations continue to strengthen their cybersecurity frameworks, individual staff members also play a crucial role in safeguarding personal data and corporate information. Here are some practical tips across four specific areas to help you make the most of BYOD while protecting personal data privacy and security:
- Information Security Policies and Practice:
  - Understand and follow your organisation’s information security policies and procedures;
  - Ensure your personal device complies with corporate security requirements;
- Data Communication and Storage:
  - Use secure communication networks; avoid connecting to public Wi-Fi;
  - Encrypt your device’s storage and permanently erase all data before disposal or replacement;
  - Keep your device physically secure at all times;
- User and Device Authentication:
  - Set a strong screen lock password;
  - Avoid saving login credentials on your BYOD device;
  - Remove all company data and login settings from your device when you leave the organisation;
- Applications:
  - Install reputable anti-virus and security software;
  - Keep your operating system and applications up to date; and
  - Do not “jailbreak” or “root” your device, as this compromises system security.
Reaching Out to IT Professionals – Privacy Commissioner Attends HKICC 2025 Opening Ceremony
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Opening Ceremony of the Hong Kong International Computer Conference 2025 on 17 November and engaged with members of the information technology (IT) sector. The annual conference, organised by the Hong Kong Computer Society, was themed “Scaling AI Transformation Beyond Experimentation” and attracted around 300 IT professionals, government officials and business executives.
Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain the Inspection Reports on the Personal Data Systems of Two Educational Institutions and the Work of the Election Task Force
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “HK2000” on 14 November. In the interview, she explained the inspection reports issued by the PCPD following the inspections of the personal data systems of HKICC Lee Shau Kee School of Creativity and the Hong Kong College of Technology.
The Privacy Commissioner pointed out that the two institutions suffered from data breaches last year, consequent to which the PCPD conducted and concluded a compliance check and an investigation respectively. Subsequently, as there had been an upward trend in data breach incidents involving educational institutions in recent years, and given that educational institutions often have limited resources, the PCPD carried out the inspections with a view to assisting the institutions and the education sector in strengthening data security.
In addition, the PCPD has earlier established a Task Force on the 2025 Legislative Council General Election to plan, coordinate and promote election-related initiatives. Apart from mobilising the PCPD’s staff, efforts were made to encourage members of the PDPAC, the SCTD, as well as members of the DPOC to cast their votes. The Privacy Commissioner stressed that the work of the Legislative Council is of vital importance to the community and urged all Hong Kong residents to cast their votes on the polling day, 7 December.
Reaching Out to Legal Professionals – Privacy Commissioner Attends the Law Society of Hong Kong 118th Annual Cocktail Reception
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Law Society of Hong Kong (Law Society) 118th Annual Cocktail Reception on 10 November and met with members of the legal profession. The Privacy Commissioner has been supporting the work of the Law Society. Over the past years, she has served as a member of the judging panel for its Pro Bono and Community Work Recognition Programme, and has published articles in its monthly magazine Hong Kong Lawyer.
Connecting with International Community – Privacy Commissioner Interviewed by GovInsider
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by GovInsider, an Asia-Pacific public sector media platform, to share her views on the intersection of law, technology and public service and reflect on the PCPD’s work on promoting artificial intelligence (AI) security. The Privacy Commissioner highlighted that data protection authorities can be enablers of innovation, guiding technological change by cultivating a lawful, secure and supportive environment. She also introduced the various AI-related guidelines published by the PCPD, including the “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework) and the “Checklist on Guidelines for the Use of Generative AI by Employees” (Guidelines), and spoke about the PCPD’s international efforts in promoting AI governance, including being the co-chair of the Ethics and Data Protection in Artificial Intelligence Working Group and the International Enforcement Cooperation Working Group at the Global Privacy Assembly. Please click here to read the interview.
Promoting AI Security – Privacy Commissioner Speaks at the Cyber Security Summit 2025
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Cyber Security Summit 2025 (Summit) on 6 and 7 November as an officiating guest and delivered a keynote speech. The Summit was organised by the Hong Kong Productivity Council and the PCPD was a supporting organisation of the Summit. In her keynote speech titled “AI and the Next Chapter in Privacy Protection”, the Privacy Commissioner discussed the development of AI security on international and national levels, and outlined the PCPD’s efforts in promoting AI security on the international and local fronts. She also introduced various AI-related guidance materials published by the PCPD, including the Guidelines and the Model Framework. In addition, the Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) of the PCPD Ms Joanne WONG participated in a panel discussion titled “Safeguarding Privacy: The Intersection of Personal Information and IT Governance”. Please click here for the Privacy Commissioner’s presentation deck.
Reaching Out to Accounting Professionals – Privacy Commissioner Attends HKICPA Annual Dinner 2025
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Annual Dinner 2025 hosted by the Hong Kong Institute of Certified Public Accountants (HKICPA) on 7 November and met with members of the accounting profession. The theme of the Annual Dinner was “Sustainable Impact, Enduring Value”. The HKICPA is one of the key stakeholders of the PCPD. The Privacy Commissioner has published articles in A Plus, the official magazine of the HKICPA, from time to time, discussing topical issues such as the challenges and opportunities that AI brings to the accounting profession.
Enhancing Cybersecurity – Privacy Commissioner Attends Cyber Security Staff Awareness Recognition Scheme 2025/26 Recognition Ceremony
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the “Cyber Security Staff Awareness Recognition Scheme 2025/26” Recognition Ceremony on 6 November as the Guest of Honour and delivered an opening address. In her opening address, the Privacy Commissioner cited a few data breach incidents to highlight the importance of a “human firewall” for organisations in safeguarding personal data. Co-organised by the Hong Kong Internet Registration Corporation Limited and the ISACA China Hong Kong Chapter, the “Cyber Security Staff Awareness Recognition Scheme” aims to encourage more organisations to raise their staff’s awareness of cybersecurity, with a view to strengthening their abilities to prevent cyber-attacks. The PCPD is the Scheme Partner.
Reaching Out to the Media Sector – Privacy Commissioner Attends Seminar of the Hong Kong Press Council
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Closing Ceremony of the “Discerning Information and Rejecting Fake News” Information Literacy Programme for Inmates and Secondary School Students and spoke at the seminar on “How to Tackle Deepfake Information in the Age of AI” on 1 November. The event was organised by the Hong Kong Press Council. During the seminar, the Privacy Commissioner highlighted that with the rapid development of technology, discerning the authenticity of information is no longer solely the responsibility of the media, but a vigilance that everyone in society must possess. She reminded members of the public to exercise caution when using AI, warning that acts such as manipulating or altering photos to publish intimate images may constitute a criminal offence under the Crimes Ordinance or the PDPO. She urged the public to stay vigilant and avoid inadvertently breaking the law.
Reaching Out to the Community – Privacy Commissioner Interviewed by Now News’ “News Magazine” to Explain New Guidance on the Use of CCTV Systems and Video Cameras on Drones and Vehicles
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by Now News’ “News Magazine” on 31 October. During the interview, she explained the “Guidance on the Use of CCTV Surveillance” and the “Guidance on the Use of Video Cameras on Drones and Vehicles” issued by the PCPD.
The Privacy Commissioner stated that the PCPD received 995 enquiries and 160 complaints regarding the installation of CCTV systems in the first nine months of this year. She reminded members of the public that the use of CCTV systems to collect personal data must comply with the requirements of the PDPO. Users should assess the necessity of installation and consider whether real-time monitoring could serve as a better alternative to recording. She also recommended posting notices to inform potentially affected individuals.
Regarding the installation of in-vehicle cameras, the Privacy Commissioner also recommended that notices be posted in vehicle compartments to notify passengers of the existence and functions of such cameras, and that any footage captured must be properly handled. She also recommended that when using drones for filming, flashing lights should be used and notices or large banners should be displayed at the launch sites of drones. The interview by Now News’ “News Magazine” can be viewed here (Part 1, Part 2) (Chinese only).
Reaching Out to Legal Professionals – Acting Assistant Privacy Commissioner Speaks at the Cross Strait Four Regions Young Lawyers Forum 2025
The Acting Assistant Privacy Commissioner for Personal Data (Legal) of the PCPD Ms Fiona LAI attended and spoke at the Cross Strait Four Regions Young Lawyers Forum 2025 (Forum) on 25 November. The Forum was organised by the Law Society of Hong Kong. In her presentation titled “Digital Governance: National Policies Shaping the Legal Landscape of Digitalisation”, Ms Lai outlined the respective legal framework in Hong Kong and the Chinese Mainland on personal data protection and the national policies which drive AI initiatives. She also introduced the work of the PCPD to facilitate compliance in the age of digitalisation, including publishing the Model Framework and supporting the facilitation measures of using the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong). Please click here for the presentation deck.
Two PCPD Officers Receive the Ombudsman’s Awards 2025
Two officers of the PCPD received the Ombudsman’s Awards 2025 for Officers of Public Organisations (Awards) in recognition of their exemplary performance and professionalism in handling complaints. This marks the ninth consecutive year that PCPD officers have been honoured with the Awards. The two PCPD awardees are Personal Data Officer of the Criminal Investigation Division Mr Michael TSANG Yuk-wah, and Acting Assistant Personal Data Officer of the Complaints Division Mr Francis TSANG Chi-chung.
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the presentation ceremony on 18 November and congratulated the two award-winning officers.
Enhancing Data Security for SMEs – PCPD and HKPC Jointly Organise Seminar on “How Can SMEs Respond to Data Breach Incidents”
To assist small and medium-sized enterprises (SMEs) in enhancing data security, the PCPD and the Hong Kong Productivity Council (HKPC) have jointly launched the “Data Security Training Series for SMEs”. The third seminar of the training series, titled “How Can SMEs Respond to Data Breach Incidents”, was successfully held on 12 November, attracting over 320 participants. At the seminar, Mr Tamson TAM, Acting Senior Personal Data Officer (Information Technology) of the PCPD, and Ir Alex CHAN, General Manager of the Digital Trust and Transformation Division of the HKPC, shared their insights into the latest trends in cyber threats and presented some representative data breach cases involving SMEs. They also highlighted the key steps for preventing and responding to data breach incidents, and offered practical advice on developing cost-effective cybersecurity strategies. Please click here for Mr Tam’s presentation deck (Chinese only). Please click here for Ir Chan’s presentation deck (Chinese only).
Reaching Out to the Community – Acting Assistant Privacy Commissioner Interviewed by Media to Explain New Guidance on the Use of CCTV System and Video Cameras on Drones and Vehicles
The Acting Assistant Privacy Commissioner for Personal Data (Legal) Ms Fiona LAI Ho-yan was interviewed by the RTHK Radio 3’s “Backchat” on 5 November to explain the “Guidance on the Use of CCTV Surveillance” and the “Guidance on the Use of Video Cameras on Drones and Vehicles” issued by the PCPD.
The Assistant Privacy Commissioner pointed out that the use of CCTV systems, drones and in-vehicle cameras for collecting personal data must comply with the requirements of the PDPO. The new guidance issued by the PCPD provides practical recommendations to data users, assisting them to make effective use of these technologies while safeguarding personal data privacy.
Promoting AI Security – Acting Assistant Privacy Commissioner Speaks at the GenA.I. Symposium
The Acting Assistant Privacy Commissioner for Personal Data (Legal) of the PCPD Ms Fiona LAI attended the GenA.I. Symposium organised by the Hong Kong Monetary Authority and the Hong Kong Cyberport Management Company Limited on 31 October, and spoke as a panellist. During the panel discussion, Ms LAI discussed the personal data privacy risks posed by generative AI (Gen AI) and outlined the key considerations for financial institutions that adopt Gen AI in their operations in compliance with the PDPO. She also shared the practical recommendations and best practices from various AI-related guidelines published by the PCPD, including the “Model Framework” and the “Guidelines”.
Ensuring Information System Security; PCPD Completes the Inspections of the Personal Data Systems of Two Educational Institutions
The PCPD has completed inspections of the personal data systems of HKICC Lee Shau Kee School of Creativity (HKICC) and the Hong Kong College of Technology (HKCT) earlier and published the inspection reports on 13 November. The HKICC and the HKCT had notified the PCPD of their respective data breach incidents in 2024, both involving unauthorised access by hackers into information systems containing personal data. The PCPD conducted and concluded a compliance check and an investigation respectively into the data breach incidents in accordance with established procedures in 2024 (see Annex 1 for details). Against this background and given the upward trend in data breach incidents involving educational institutions in recent years, Privacy Commissioner Ms Ada CHUNG Lai-ling subsequently carried out inspections of the personal data systems of the two educational institutions under section 36 of the PDPO. The inspections were undertaken to assess the effectiveness of the remedial measures taken by the two institutions, to further examine the data security of their information systems containing personal data comprehensively and to make recommendations to the education sector in relation to the protection of personal data based on the results of the inspections.
1. Results of the Inspection Regarding the HKICC
The inspection results revealed that after the hacker intrusion, the HKICC has implemented various technical measures to enhance the security of its information systems, including establishing a patch management system, enabling two-factor authentication for virtual private network (VPN) login, and enforcing strong password requirements. For access control, the HKICC adopted the “least privilege” and “role-based” access control mechanism, granting users only the permissions necessary for their roles. Additionally, the HKICC provided training on the protection of personal data and information security to staff and regularly communicated relevant policies and guidelines. Overall, the Privacy Commissioner considers that the HKICC has complied with the requirements of Data Protection Principle (DPP) 4 of Schedule 1 to the PDPO concerning the security of personal data in handling the personal data of students and staff. Despite the above, the Privacy Commissioner recommends that the HKICC establish more comprehensive and specific policies on information security and data retention, enhance the detection capabilities of its information systems, and strengthen the management and oversight of data processors in the proper destruction of the personal data held by them.
2. Results of the Inspection Regarding the HKCT
The inspection results revealed that the HKCT has implemented various technical measures to enhance the security and detection capabilities of its information systems after the data breach incident, and has also established a personal data privacy management programme, appointed a dedicated data protection officer, and provided staff with training and information on the protection of personal data to enhance staff awareness of cybersecurity and to safeguard them against suspicious emails. The HKCT has adopted the “least privilege” principle and “role-based” access control mechanism, under which department heads grant the minimum necessary access rights to staff based on their roles and job responsibilities. The HKCT has also established a data breach incident response plan. Overall, the Privacy Commissioner considers that the HKCT has complied with the requirements of DPP4 of Schedule 1 to the PDPO concerning the security of personal data in the handling of the personal data of students and staff. Despite the above, the Privacy Commissioner recommends that the HKCT establish more comprehensive and specific policies on information security and data retention, enhance the review of records for information systems containing personal data, and conduct regular security audits to further strengthen the protection of the personal data held by it. Based on the above inspection results, the Privacy Commissioner would also like to make the following recommendations to educational institutions, which handle vast amounts of personal data of students and staff members, to ensure data security:
- Establish a Personal Data Privacy Management Programme and appoint designated officer(s) as Data Protection Officer(s);
- Establish clear internal policies and procedures on data governance and data security, and ensure thorough implementation of the same;
- Provide staff with training on the protection of personal data and information security upon onboarding and at regular intervals;
- Adopt the “least privilege” principle and “role-based” access control mechanisms;
- Implement effective measures to prevent, detect, and respond to cyberattacks;
- Conduct comprehensive security risk assessments and audits for information systems regularly;
- Exercise due diligence in appointing and managing data processors; and
- Formulate response plans for data breach incidents and incidents involving AI.
The PCPD encourages organisations to make reference to the “Guidance Note on Data Security Measures for Information and Communications Technology (ICT)” and the “Guidance on Data Breach Handling and Data Breach Notifications” issued by the PCPD to prepare themselves against cyberattacks and to enhance cybersecurity and data security. To assist enterprises and organisations in safeguarding data security, the PCPD has launched a Data Security thematic webpage, a data security hotline (2110 1155) and the “Data Security Scanner”, a self-assessment toolkit with which enterprises and organisations can assess the data security measures of their ICT systems.
A 60-year-old Female Arrested for Suspected Doxxing of a Former Schoolmate Arising from Monetary Disputes
The PCPD arrested a Chinese female aged 60 on Hong Kong Island on 12 November. The arrested person was suspected to have disclosed the personal data of a former schoolmate without her consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the victim and the arrested person had been acquainted with each other while attending the same secondary school. They met again in 2018 when the victim borrowed money from the arrested person because of financial difficulties in operating her factory at the time. The victim promised to pay interest to the arrested person every month and subsequently borrowed more money from the arrested person, with the loan amount totalling approximately HK$20,000,000. Since early 2025, however, the victim has failed to pay interest to the arrested person. Subsequently, between April and May 2025, a neighbour of the victim received a total of three different flyers by mail, making adverse comments against the victim and alleging that the victim had failed to repay her debt. The flyers also disclosed her personal data, including the victim’s Chinese name, Hong Kong Identity Card number, residential address and her photos.
The PCPD reminds members of the public that they should not dox others because of monetary disputes. Doxxing is not a means to resolve disputes as it would only escalate conflict. Moreover, doxxing is a serious offence and the offender is liable on conviction to a fine up to HK$1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject —
- With an intent to cause any specified harm to the data subject or any family member of the data subject; or
- Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of HK$100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if —
- The person discloses any personal data of a data subject without the relevant consent of the data subject —
  i. With an intent to cause any specified harm to the data subject or any family member of the data subject; or
  ii. Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- The disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of HK$1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means —
- Harassment, molestation, pestering, threat or intimidation to the person;
- Bodily harm or psychological harm to the person;
- Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- Damage to the property of the person.
A 54-year-old Male Arrested for Suspected Doxxing of a Former Employer
The PCPD arrested a Chinese male aged 54 in Kowloon on 7 November. The arrested person was suspected to have disclosed the personal data of a former employer without his consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the arrested person was an employee of the victim’s company (the Company) between November 2023 and May 2024, during which the arrested person was the administrator of a number of chat groups created by the Company and its related companies on an instant messaging application to promote their businesses. In early March 2025, two photos of a loan agreement showing the victim as the borrower and a video clip of the victim reading the contents of the aforesaid agreement, together with five other photos of court documents showing the victim, the Company and its related companies as the defendants of civil claims were posted on two of the chat groups. The personal data disclosed included the victim’s Chinese name, Hong Kong Identity Card number, Chinese Mainland and Hong Kong mobile phone numbers, Chinese Mainland bank account number, the names of the Company and related companies, as well as his facial image as shown in the video.
The PCPD reminds members of the public that they should not dox others because of work disputes. Doxxing is not a means to resolve disputes as it would only escalate conflict. Moreover, doxxing is a serious offence and the offender is liable on conviction to a fine up to HK$1,000,000 and imprisonment for five years.
Highlights of the “Measures for Certification of Cross-Border Personal Information Transfer” (《個人信息出境認證辦法》)
Under Article 38 of the Personal Information Protection Law, personal information processors may transfer personal information outside Chinese Mainland by passing a security assessment, concluding a standard contract, or obtaining personal information protection certification[1]. The Cyberspace Administration of China (CAC) has issued departmental rules on security assessments and standard contracts, including the “Security Assessment Measures on Cross-border Transfers of Data” in 2022[2] and the “Measures on the Standard Contract for Cross-border Transfers of Personal Information” in 2023[3].
With regard to certification, the CAC and the State Administration for Market Regulation (SAMR) only released the “Announcement on Implementing Personal Information Protection Certification” (Announcement) in 2022[4]. To further promote the efficient and safe cross-border flow of personal information and regulate certification activities, the CAC and the SAMR jointly published the “Measures for Certification of Cross-Border Personal Information Transfer” (Measures) on 17 October 2025[5]. The Measures will take effect on 1 January 2026. This article provides an overview of the Measures; their key points are as follows:
Definition of cross-border transfer certification: Under the Measures, cross-border transfer certification (certification) refers to the conformity assessment activity by which a professional certification body that has lawfully obtained personal information protection certification qualifications (certification body) certifies that a personal information processor’s processing activities, such as providing personal information outside Chinese Mainland, comply with the relevant laws, administrative regulations, departmental rules, standards and technical specifications[6].
Conditions for obtaining certification[7]: A personal information processor that provides personal information outside Chinese Mainland by way of certification must meet all of the following conditions:
- Applicable entities: operators other than critical information infrastructure operators.
- Volume of personal information: the processor has, cumulatively since 1 January of the current year, provided outside Chinese Mainland the personal information (excluding sensitive personal information) of 100,000 or more but fewer than 1,000,000 individuals, or the sensitive personal information of fewer than 10,000 individuals. A processor may not use means such as splitting volumes to provide, by way of certification, personal information that should instead undergo a security assessment for cross-border transfer[8].
- Type of personal information: the personal information provided outside Chinese Mainland does not include important data.
Obligations of personal information processors[9]: Before applying for certification to provide personal information outside Chinese Mainland, a processor shall, in accordance with laws and administrative regulations, fulfil its obligations, including giving notice, obtaining the separate consent of the individuals concerned and conducting a personal information protection impact assessment. The assessment covers, among other things: the legality, legitimacy and necessity of the purpose, scope and method of processing by the processor and the overseas recipient; the sensitivity of the outbound personal information and the risks it may pose; and the impact of the policies and regulations of the country or region where the overseas recipient is located on the security of, and rights and interests in, the outbound personal information.
How to apply for certification: A processor that provides personal information outside Chinese Mainland by way of certification shall apply to a certification body for certification[10]. Certification bodies shall carry out certification activities in accordance with the basic specifications for cross-border transfer certification and the personal information protection certification rules; a certificate is valid for three years[11].
Obligations of certification bodies: Where a certification body finds that a certified processor’s cross-border transfers are inconsistent with the scope of its certification, or that the processor otherwise no longer meets the certification requirements, the body shall suspend the processor’s use of the certificate, up to and including revocation[12]. Where a certification body discovers, in the course of its certification activities, that cross-border transfer activities violate laws or regulations, it shall promptly report this to the national cyberspace authority and other relevant departments[13].
Supervision and administration: The national market regulation authority and the national cyberspace authority supervise certification activities and conduct spot checks of the certification process, certification results and certification bodies[14]. Where cyberspace or other departments at or above the provincial level find that a certified processor’s cross-border transfer activities pose significant risks, or that a personal information security incident has occurred, they may summon the processor for an interview and require rectification[15].
Other reference bases and standards[16]: The CAC has pointed out that the bases and standards referred to by certification bodies conducting certification, and by enterprises applying for certification, are mainly the Announcement published in November 2022 and the national standard “Data security technology – Security certification requirements for cross-border processing activities of personal information” (《數據安全技術 個人信息跨境處理活動安全認證要求》). In addition, to implement the Measures, the CAC will publish the relevant certification bodies on its website.
Conclusion
In recent years the CAC has successively issued the “Security Assessment Measures on Cross-border Transfers of Data”, the “Measures on the Standard Contract for Cross-border Transfers of Personal Information” and other rules. The promulgation of the Measures marks the full implementation of the cross-border transfer mechanisms designed under the Personal Information Protection Law, namely security assessment, personal information protection certification and the standard contract, and the comprehensive establishment of China’s regime for cross-border data flows.
1 Article 38 of the Personal Information Protection Law provides that a personal information processor that genuinely needs to provide personal information outside Chinese Mainland for business or other reasons shall meet one of the following conditions: (1) passing a security assessment organised by the national cyberspace authority in accordance with Article 40 of the Law; (2) obtaining personal information protection certification from a professional body in accordance with the provisions of the national cyberspace authority; (3) concluding a contract with the overseas recipient in accordance with the standard contract formulated by the national cyberspace authority, stipulating the rights and obligations of both parties; (4) other conditions prescribed by laws, administrative regulations or the national cyberspace authority.
2 Full text: https://www.cac.gov.cn/2022-07/07/c_1658811536396503.htm
3 Full text: https://www.cac.gov.cn/2023-02/24/c_1678884830036813.htm
4 Full text: https://www.cac.gov.cn/2022-11/18/c_1670399936658129.htm
5 Full text: https://www.cac.gov.cn/2025-10/17/c_1762449728720008.htm
6 Article 3 of the Measures.
7 Article 5 of the Measures.
8 Under Article 7 of the Provisions on Promoting and Regulating Cross-border Data Flows, a data processor other than a critical information infrastructure operator that has, cumulatively since 1 January of the current year, provided outside Chinese Mainland the personal information (excluding sensitive personal information) of 1,000,000 or more individuals, or the sensitive personal information of 10,000 or more individuals, shall apply for a data export security assessment.
9 Article 6 of the Measures.
10 Article 7 of the Measures.
11 Article 8 of the Measures.
12 Article 10 of the Measures.
13 Article 11 of the Measures.
14 Article 13 of the Measures.
15 Article 16 of the Measures.
16 See the “Q&A on Data Export Security Management Policies (October 2025)” (《數據出境安全管理政策問答(2025年10月)》).
Professional Workshop on Data Protection and Data Access Request
Receiving Data Access Requests (DARs) is a frequent occurrence for many organisations. For example, employees may request that employers provide copies of their previous appraisal reports, and patients may request copies of their medical records. Handling DARs properly, effectively and in a timely manner poses a challenge to many organisations.
This workshop will examine in detail the compliance requirements for handling DAR under the PDPO and offer practical guidance to participants on handling DAR.
Date: 3 December 2025 (Wednesday)
Time: 2:15pm – 5:15pm
Venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Language: Cantonese
Fee: $750/$600*
(*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 3 CPD points (The Law Society of Hong Kong, Insurance Authority, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)
Who should attend: Solicitors, data protection officers, administration managers, human resource officers, customer services personnel
Professional Workshop on Data Protection in Insurance
Insurance practitioners handle a large amount of customers’ personal data, including customers’ names, telephone numbers, addresses and identity card numbers, in their daily operations. A proper understanding of the requirements under the PDPO is therefore necessary.
This workshop will examine core concepts of practical data protection compliance illustrated by specific scenarios to highlight potential problems and their resolution. Participants will also engage in discussion of real cases relating to the handling of personal data in different aspects of insurance work.
Date: 7 January 2026 (Wednesday)
Time: 2:15pm – 5:15pm
Venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Language: Cantonese
Fee: $750/$600*
(*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 3 CPD points (The Law Society of Hong Kong (accreditation will be sought), Insurance Authority, Estate Agents Authority, Hong Kong Institute of Bankers)
Who should attend: Insurance practitioners, data protection officers, compliance officers, solicitors, advisers and other personnel undertaking work relating to the insurance industry
Professional Workshop on Personal Data Privacy Management Programme
With the ever-rising expectations of customers and stakeholders regarding organisations’ responsible use of personal data in recent years, the protection of personal data privacy should no longer be seen as purely a compliance issue. To build trust with customers and enhance their competitive and reputational advantages, organisations should develop and implement a comprehensive Personal Data Privacy Management Programme (PMP) to proactively embrace personal data privacy protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisations.
By attending this workshop, participants will understand the key components of a PMP, and learn how to continuously maintain and improve it for effective implementation in their organisations.
Date: 14 January 2026 (Wednesday)
Time: 2:15pm – 4:15pm
Mode: Online
Language: Cantonese
Fee: $750/$600*
(*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 2 CPD points (The Law Society of Hong Kong (accreditation will be sought), Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)
Who should attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of the data protection trend and best practices
Professional Workshop on Data Protection in Direct Marketing Activities
Organisations often use customers’ personal data to conduct direct marketing activities to promote products or services. These activities are governed by the PDPO. Organisations have the responsibility to ensure that their employees clearly understand and comply with the provisions on direct marketing under the PDPO, which also helps organisations maintain a positive reputation and demonstrate their corporate social responsibility.
This workshop will explain in detail the requirements of the direct marketing provisions under the PDPO and provide participants with practical guidance on compliance and share conviction cases relating to direct marketing, aiming to help participants understand how to properly use customers’ personal data in direct marketing activities.
Date: 28 January 2026 (Wednesday)
Time: 2:15pm – 5:15pm
Mode: Online
Language: Cantonese
Fee: $750/$600*
(*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 3 CPD points (The Law Society of Hong Kong (accreditation will be sought), Insurance Authority, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)
Who should attend: Data protection officers, compliance officers, company secretaries, administration managers, IT Managers, solicitors, database managers and marketing professionals
New Series of Professional Workshops on Data Protection from Feb to Mar 2026:
Online Free Seminars – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special Offer for Organisational Renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).
Join us now to keep up-to-date with the latest news and legal developments!
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.