Privacy Commissioner’s Office Organises
“Privacy-Friendly Awards 2025”
Over 150 Organisations Receive Accolades
in a Record-Breaking Year 

The PCPD organised the “Privacy-Friendly Awards 2025” (Awards) Presentation Ceremony on 10 July to recognise the commitment and performance of 157 organisations, including enterprises, public and private organisations as well as government departments, in the protection of personal data privacy.
 
The Awards Presentation Ceremony was held at the Hong Kong Convention and Exhibition Centre, with the Under Secretary for Constitutional and Mainland Affairs, Mr Clement WOO Kin-man, MH, JP, officiating the event and delivering the opening address. Other officiating guests included members of the judging panel, the Hon Carmen KAN Wai-mun, JP, Adjunct Professor Jason LAU and the Chief Executive Officer (CEO) of Hong Kong Internet Registration Corporation Limited (HKIRC), Ir Wilson WONG Ka-wai. Besides, the PCPD’s Personal Data (Privacy) Advisory Committee member, Mr Joseph LIN Ho-man, MH, members of the Standing Committee on Technological Developments of the PCPD, including Professor the Hon William WONG Kam-fai, MH, Ir Alex CHAN and Dr Alan CHEUNG, and representatives of the supporting organisations, including Chairman of Hong Kong General Chamber of Commerce, Ms Agnes CHAN Sui-kuen, BBS, and Chairperson of Property Management Services Authority, Dr James WONG Kong-tin, BBS, JP, also graced the ceremony with their presence and presented awards to the winners.
 
The Awards this year, with the theme of “Safeguarding Data Security: Marching towards a New Digital Era”, recognised 157 organisations, setting a new record for the event. Among the awardees, 12 organisations were honoured with the Outstanding Gold Awards; 109 organisations won the Gold Awards; 28 organisations received the Silver Awards, and 8 organisations were presented with the Bronze Awards. In addition, three new special awards, namely the “Best AI Governance Award”, “Best Data Protection Officer Award” and “Best Data Breach Response Plan Award”, were introduced this year. Each special award was presented to three organisations, further highlighting the industry’s exceptional performance across various aspects of data governance.

Among the numerous awardees, 12 organisations received the Outstanding Gold Awards, including (in alphabetical order) AS Watson Group, Census and Statistics Department, Digital Policy Office, FWD Group Management Holdings Limited, Hong Kong Genome Institute, Huawei Services (Hong Kong) Co., Limited, Prudential General Insurance Hong Kong Limited, Swire Coca-Cola Limited, The Hong Kong Mortgage Corporation Limited, The Hongkong Electric Company, Limited, TOPPAN Edge (Hong Kong) Limited and ZA Bank Limited.
 
For special awards, recipients of the “Best AI Governance Award” were Bank of China (Hong Kong) Limited, FWD Group Management Holdings Limited and Swire Coca-Cola Limited. The “Best Data Protection Officer Award” was presented to Census and Statistics Department, FWD Group Management Holdings Limited and Swire Coca-Cola Limited. As for the “Best Data Breach Response Plan Award”, the awardees were Industrial and Commercial Bank of China (Asia) Limited, Tencent Holdings Limited and The Hong Kong and China Gas Company Limited.
 
Please click here for the opening speech of the Under Secretary for Constitutional and Mainland Affairs, Mr Clement WOO Kin-man, MH, JP (Chinese only).
 
Please click here for the welcome address of Privacy Commissioner Ms Ada CHUNG Lai-ling, SBS (Chinese only).
 
For the list of awardees and other details of the Awards, please visit the “Privacy-Friendly Awards 2025” webpage: https://www.pcpd.org.hk/privacyfriendlyawards/en/index.html

Privacy Commissioner’s Office Signs MOU with Personal Data Protection Bureau, Macao, to Jointly Propel High-Quality Development in the Greater Bay Area

The PCPD and the Personal Data Protection Bureau, Macao (PDPB) signed a Memorandum of Understanding (MOU) earlier with a view to deepening collaboration and fostering exchange in the area of personal data privacy protection, and jointly propelling the digital economy and the high-quality development of Hong Kong, Macao and the Guangdong-Hong Kong-Macao Greater Bay Area (Greater Bay Area).
 

Pursuant to the MOU, the scope of collaboration between the two data protection authorities includes the sharing of experiences and good practices in the areas of law enforcement, education and training, the joining of efforts to facilitate the safe and orderly cross-boundary flow of personal information within the Greater Bay Area, as well as the provision of mutual assistance in investigations and enforcement actions, etc.

Privacy Commissioner’s Office Intervenes in Eight Personal Data Security Incidents and Advocates Strengthening the Protection of Personal Data Privacy on All Fronts

The PCPD earlier intervened in eight incidents relating to the disclosure and security of personal data involving organisations in various sectors. Owing to the deficiencies of the organisations in different aspects which resulted in the improper disclosure or unauthorised or accidental access, processing or use of personal data, the organisations in question were found to have contravened the relevant requirements of the Personal Data (Privacy) Ordinance (PDPO). 

Summaries of the eight data security incidents (see Annex 1 for details)

1. After performing an ultrasound scan on the complainant, the doctor of a medical diagnostic centre did not log out of the system before leaving the examination room. As a result, the complainant who remained in the examination room was able to read the information of other patients displayed on the screen of the examination equipment, including the English names, the full Hong Kong Identity Card (HKID card) numbers and brief medical histories of the patients concerned.
 
2. A tour guide distributed group electronic flight tickets to tour members that contained the English names and dates of birth of over 30 individuals including the tour guide and all the tour members. As a result, the personal data of each tour member was made known to all tour members through the group electronic tickets.
 
3. When handling a complaint about parking matter, a security guard disclosed the complainant’s phone number to another carpark tenant to facilitate direct handling of the parking complaint between the two parties. This constituted improper disclosure of the complainant’s phone number to the other tenant.
 
4. A medical institution failed to properly apply the appropriate setting in the “View Summary of Responses” function during the collection of citizens’ personal data via an online registration form. As a result, the personal data of over 100 registrants, including their names in Chinese and English, phone numbers, email addresses and dates of birth, were accessible by other registrants using the “View Summary of Responses” function.
 
5. A government department posted a letter to the complainant. As the relevant staff member did not follow the established procedures in folding letters, the subject line of the letter and the case number comprising the complainant’s HKID card number were visible through the envelope window.
 
6. An insurance company printed documents on recycled papers and sent the documents to other companies. However, the papers used were obsolete resumes and HKID card copies, and this resulted in the personal data contained therein being wrongfully sent to other companies.
 
7. A retailer sent a promotional email to its members, but the responsible staff member mistakenly entered the email addresses of all members in the recipient field, resulting in the recipients being able to view the email addresses of over 1,000 members in the email.
 
8. Owing to a wrong script applied to the membership accounts system of an airline company, the complainant was erroneously directed to another customer’s account when he logged into his membership account. This enabled him to access the account information of the other customer.
 
Data Protection Principle (DPP) 3(1) of Schedule 1 to the PDPO stipulates that personal data shall not, without the prescribed consent of the data subject (namely, express consent voluntarily given by the data subject), be used (including disclosed or transferred) for a new purpose, namely, any purpose other than the purpose for which the data was to be used at the time of collection of the data, or a purpose directly related to that purpose.
 
DPP 4(1) of Schedule 1 to the PDPO stipulates that all practicable steps shall be taken to ensure that any personal data held by a data user should be protected against unauthorised or accidental access, processing, erasure, loss or use.
 
In the above cases, having considered the circumstances of the individual incidents and the information obtained, Privacy Commissioner Ms Ada CHUNG Lai-ling found that the organisations had contravened DPP 3(1) of the PDPO concerning the use (including disclosure) of personal data or DPP 4(1) of the PDPO concerning the security of personal data.
 
The Privacy Commissioner urges organisations to enhance their employees’ awareness of personal data privacy protection and to promote good work practices. 
 
Data security pitfalls may lie in any single procedure of work. To assist organisations in addressing the challenges relating to personal data security, the PCPD would like to make six recommendations to organisations of all sectors:-
 
1. Incorporate the protection of personal data privacy into the core values of the organisation, appoint appropriate managerial personnel to be responsible for data security, and publicly demonstrate the management’s commitment to protecting personal data privacy while enabling staff members to embrace the importance of personal data privacy;
 
2. Enhance the awareness and capabilities of employees to protect privacy through training, provide targeted training for employees according to their job functions, with a focus on explaining common risks and conducting scenario drills;
 
3. Develop clear and easy-to-understand work guidelines, design checklists or flowcharts to clearly communicate operational guidelines to employees based on the job natures of different positions, and reiterate relevant key points through emails, internal platforms or meetings on a regular basis;
 
4. Adopt technical security measures, such as using an email system that is encrypted by default or enabling auto-filling of correct email recipients to reduce the risk of errors;
 
5. Regularly monitor, assess and improve compliance with data security policy, including arranging supervisors to conduct regular or surprise inspections of frontline work, ensuring thorough implementation of the personal data security policy through monitoring and regularly collecting feedback from staff for continuous improvement of the policy; and
 
6. Develop a comprehensive data breach response plan to help the organisation swiftly respond to and effectively manage data breach incidents.

Please click here to refer to Annex 1.

PRIVACY 101

Data Security: Fortifying Your Organisations against Data Breach Incidents

In light of rapid technological advancements, the incidence of data breaches has escalated significantly in recent years. Beyond technological vulnerabilities, human errors can also precipitate these breaches, affecting organisations across all sectors and sizes. Notable causes include cyberattacks, system misconfigurations, loss of physical documents or portable devices, improper disposal of personal data, inadvertent disclosure by email or by post, as well as staff negligence or misconduct. The ramifications of data breach incidents extend well beyond the immediate harm to affected individuals; organisations may also experience severe reputational damage. Therefore, it is imperative for organisations to prioritise data security.

While many organisations are endeavouring to integrate robust data security measures into their operational frameworks, they must also be adequately prepared for the possibility of a data breach. To safeguard data security, organisations should develop a comprehensive data breach response plan that empowers them to react swiftly and manage incidents effectively.

Here are the recommended components to include in a data breach response plan:

• A description of what constitutes a data breach, and the criteria that trigger the implementation of the data breach response plan;
• An internal incident notification procedure to escalate the breach to the senior management, the data protection officer and/or dedicated data breach response team, incorporating a standard form to facilitate the reporting of the required information;
• The designation of the roles and responsibilities of members of the dedicated team;
• A contact list with contact details of all breach response team members;
• A risk assessment workflow to assess the likelihood and severity of the harm caused to the affected data subjects as a result of the breach;
• A containment strategy for containing and remedying the breach;
• A communication plan, an investigation procedure, a record-keeping policy, and a post-incident review mechanism; 
• An investigation procedure for investigating the breach and reporting the results to the senior management; 
• A record-keep policy to ensure that the incident is properly documented; 
• A post-incident review mechanism for identifying areas that require improvement to prevent future recurrence; and
• A training or drill plan to ensure that all relevant staff can follow the procedures properly when dealing with a data breach.

For further insights into preventing and handling data breach incidents, please refer to the “Guidance on Data Breach Handling and Data Breach Notifications”.

PRIVACY COMMISSIONER’S FINDINGS

A Former Teacher Accidentally Shared a File Containing Personal Data of Students to the Entire School on a Cloud-based Drive

Background

A school reported to the PCPD that a former teacher had accidentally shared a file containing the personal data of newly-enrolled Secondary One students with the entire school via a cloud-based drive. The incident occurred during the handover process while using the drive’s template function, resulting in unnecessary access to the data by other students.

Remedial Measures

Upon receipt of the notification from the school, the PCPD initiated a compliance check. In response to the incident, the school informed the PCPD that it had disabled the user creation and template functions of the cloud-based drive. Furthermore, the school established guidelines and procedures for handling personal data on the cloud-based drive. The school also explained how to select the appropriate access rights on cloud-based platforms during a staff meeting.

Lessons Learnt

While cloud-based platforms offer convenience and accessibility, they also pose challenges to privacy protection. Organisations should provide adequate training for their staff members to ensure they handle personal data with caution and select the appropriate access rights. Furthermore, organisations should establish clear policies and procedures for the use of cloud-based platforms to provide specific operational guidelines for staff members.

TECH TALK

Empowering Individuals: Practical Tips to Safeguard Data Security

The responsibility of safeguarding data security extends beyond organisations; individuals should also take an active role in protecting their own data security at a personal level. Consider the use of public computers, which are common in Hong Kong and can be found in libraries, cafes, restaurants, and government-run facilities. With numerous individuals accessing these public computers throughout the day, significant security risks arise.

For instance, public computers may have spyware or key logger software installed. They may also be equipped with webcams, and individuals nearby can attempt to capture your account credentials. Eavesdroppers on insecure wireless networks can also intercept your passwords and gain access to your private emails.

To enhance your data security at an individual level, consider the following safety tips:

• If necessary, scan the public computers using a free online malware scanner before use;
• Clear all history, cookies, temporary files, your data files, your account names and passwords, etc. from public computers after use;
• Check and configure the browser settings appropriately before going online;
• Avoid conducting any sensitive activities such as online shopping, stock trading or e-banking activities, etc. on public computers, as these may expose your password and personal data, including bank account numbers or credit card numbers;
• Select a reputable location when using public computers. Some venues may completely erase the hard disk and reinstall the operating system for each user; and
• Change your username and/or passwords used on public computers after you return home or access a secure device.

WHAT’S ON

Promoting Innovation and Technology Development – Privacy Commissioner Visits Hong Kong Book Fair 2025

Privacy Commissioner Ms Ada CHUNG Lai-ling visited Hong Kong Book Fair 2025 on 18 July and attended the book launch event of 《香港創新科技發展之路》, written by Professor the Hon William WONG Kam-fai, MH, member of the Standing Committee on Technological Developments of the PCPD and member of the Legislative Council.

Professor WONG conducts a comprehensive examination of three core issues, namely “History and Current Position”, “Education and Talents” and “Strategies and Opportunities”, in his new book, with a view to providing readers with deeper insights into Hong Kong’s economic transformation and innovation and technology development while inspiring all sectors of the society to explore and take part in building a more vibrant innovation and technology ecosystem.

Privacy Commissioner and PCPD’s Colleagues Cheer for DSE Candidates

The PCPD has many young colleagues who are former candidates of the Hong Kong Diploma of Secondary Education Examination (DSE). With the DSE results set to be announced on 16 July, Privacy Commissioner Ms Ada CHUNG Lai-ling, together with a group of young colleagues, extended their best wishes to this year’s DSE candidates, encouraging them to recognise their efforts and be prepared for the future, regardless of their DSE results.

Telling a Good Hong Kong Story – Privacy Commissioner Attends Macao’s “Judiciary Police Day” Dinner

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Macao’s “Judiciary Police Day” dinner on 11 July and exchanged views with the invited guests from various sectors.

The PCPD has maintained close contact with Macao’s Judiciary Police and has previously exchanged views with the Judiciary Police on issues relating to cybersecurity and personal data protection.

Promoting AI Security – Privacy Commissioner Publishes an Article Titled “Strengthening AI Governance” in The Bulletin

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article titled “Strengthening AI Governance” in The Bulletin, the magazine of the Hong Kong General Chamber of Commerce.
 
In the article, the Privacy Commissioner cited the findings from a 2024 survey conducted by the PCPD, which revealed that nearly 70% of enterprises recognised significant privacy risks posed by the use of artificial intelligence (AI). She emphasised that awareness alone is not sufficient and that organisations must take proactive action to ensure that employees use AI safely and in compliance with the requirements of the PDPO. To that end, she recommended that organisations refer to the “Checklist on Guidelines for the Use of Generative AI by Employees” published by the PCPD earlier for developing internal policies or guidelines on employees’ use of generative AI. By implementing a comprehensive AI policy, organisations can harness the benefits of AI while safeguarding personal data privacy.
 
Please click here to read the article.

Promoting Anti-fraud Messages – Privacy Commissioner Attends the First Anniversary Ceremony of the Anti-Deception Alliance (Education)

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the first anniversary ceremony of the Anti-Deception Alliance (Education) on 5 July and spoke as a panellist at the panel discussion.
 
The Privacy Commissioner pointed out that in the digital age, fraudsters are using AI to commit fraud, making it increasingly difficult for members of the public to guard against such threats. She reminded the public to stay vigilant against various forms of fraudulent tricks to safeguard personal data privacy. The PCPD has proactively launched a series of anti-fraud educational initiatives, including organising seminars on fraud prevention for universities, and producing short anti-fraud videos and story books for primary school students, with the aim of enhancing the awareness of fraud prevention, including that of youngsters and the public in general.

Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain Eight Data Security Incidents 

Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK News’ “Hong Kong Today”, RTHK Radio 1’s “HK2000” and Now News’ “News Magazine” on 7 and 8 July. She elaborated on eight incidents relating to the improper disclosure and security of personal data handled by the PCPD earlier.

During the interview, the Privacy Commissioner emphasised that the eight incidents were isolated cases primarily caused by staff negligence or the lack of awareness to protect privacy. While organisations in Hong Kong have shown improved awareness regarding privacy protection over the past few years, she highlighted the need for ongoing monitoring and assessment to ensure that employees would properly follow organisations’ procedures and policies. She recommended that organisations should enhance employees’ awareness and capabilities in privacy protection through training, formulate clear and easy-to-understand work guidelines, and develop a comprehensive data breach response plan, etc.

In addition, the Assistant Privacy Commissioner for Personal Data (Complaints and Criminal Investigation) Ms Rebecca HO Kan-yeuk was interviewed by RTHK Radio 3’s “Hong Kong Today” and RTHK Radio 3’s “Backchat” on 7 and 8 July on the details of the eight data security incidents.

The interview by RTHK News’  “Hong Kong Today” can be listened here (49:46-53:49) (Chinese only).
The interview by RTHK Radio 1’s “HK2000” can be listened here (Chinese only).
The interview by Now News’ “News Magazine” can be viewed here (Part 1, Part 2) (Chinese only).

Secretary for Constitutional and Mainland Affairs and Privacy Commissioner Attend Meeting of the Legislative Council

The Secretary for Constitutional and Mainland Affairs (SCMA), Mr Erick TSANG Kwok-wai, GBS, IDSM, JP, attended a meeting of the Legislative Council (LegCo) on 2 and 3 July for the debate on the motion on “Developing a personal data protection regime framework to address the challenges in the age of artificial intelligence” and delivered speeches. Privacy Commissioner Ms Ada CHUNG Lai-ling also attended the meeting to listen to the valuable views and recommendations of Members.

The motion moved by Hon Doreen KONG Yuk-foon, as amended by Hon Duncan CHIU, Hon LAM San-keung and Ir Hon LEE Chun-keung, was passed by the LegCo.
 
Please click here for the opening remarks of the SCMA (Chinese only).
Please click here for the closing remarks of the SCMA (Chinese only).

Reaching Out to the Education Sector – Privacy Commissioner Attends the Closing Ceremony of “Discussing News and Information with Teachers and Students” Programme 

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the closing ceremony of the “Discussing News and Information with Teachers and Students” Programme on 28 June. The Programme was organised by the Hong Kong Press Council, and the Privacy Commissioner presented certificates to the participating students.

The Programme is a media and information literacy educational campaign organised by the Hong Kong Press Council. Under the Programme, seminars and workshops have been held for around 50 primary and secondary schools since 2024. The Programme aims to enhance the ability of teachers and students to ascertain the authenticity of news and to protect personal privacy.

Promoting Cross-Boundary Flow of Personal Information – Assistant Privacy Commissioner Speaks at the “13^th Mainland, Hong Kong and Macao Legal Seminar”

The Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) Ms Joanne WONG attended the “13^th Mainland, Hong Kong and Macao Legal Seminar” organised by the Department of Justice of the Government of the Hong Kong Special Administrative Region, the China Law Society and the Legal Affairs Bureau of the Government of the Macao Special Administrative Region on 21 July. The theme of the seminar was “Anchoring the new strategic positioning and facilitating the construction of the Guangdong-Hong Kong-Macao Greater Bay Area (GBA) with high-quality rule of law”.

At the seminar, Ms WONG participated in the panel discussion on “Data element market governance and competition order protection in the GBA” and explored the importance of safe cross-boundary flow of personal data in contributing to the continuous growth of a thriving digital economy in the GBA. Ms WONG also introduced the essential parts of the “Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong)”. 

Please click here for the presentation deck (Chinese only).

Reaching Out to University – PCPD and the University of Hong Kong Jointly Organise a Seminar

The PCPD and the Information Technology Services – Data Protection Office of the University of Hong Kong co-organised a seminar titled “AI Driven Education & Cybersecurity Challenges in AI: Balancing Innovation and Data Protection” on 27 June, which attracted about 150 participants from the higher education sector.

At the seminar, Ms Joanne WONG, Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) of the PCPD, shared recommendations and best practices in the PCPD’s “Artificial Intelligence: Model Personal Data Protection Framework” regarding AI governance for the protection of personal data privacy. She also introduced the PCPD’s “Checklist on Guidelines for the Use of Generative AI by Employees” published earlier this year.

The seminar was one of the key events of the PCPD’s Privacy Awareness Week 2025, held under the theme “AI Security Matters for All.”

Please click here for Ms Wong’s presentation deck.

MEDIA STATEMENT

A 32-year-old Male Arrested for Suspected Doxxing of Estranged Wife and Baby Girl Arising from Family Dispute

The PCPD arrested a Chinese male aged 32 in Kowloon on 22 July. The arrested person was suspected to have disclosed the personal data of his estranged wife and her daughter without the wife’s consent, in contravention of section 64(3A) of the PDPO.

The PCPD’s investigation revealed that the victim is the arrested person’s estranged wife. The victim found out that she was pregnant after separating from the arrested person in early 2024, and gave birth to a daughter at the end of the same year.
 
Subsequently in May 2025, two messages as well as some comments containing the personal data of the victim and her daughter were posted in an open discussion group and a personal account on a social media platform questioning the blood relationship between the arrested person and the baby girl, and making negative comments about the victim. Among others, a copy of an alleged DNA Report was uploaded.
 
The personal data disclosed included the Chinese name, English name, HKID card number, residential address, photos and a video of the victim depicting her face, alongside the username of her social media account, her former occupation and job title. The baby girl’s Chinese name, English name and a photo depicting her face were also disclosed.
 
The PCPD reminds members of the public that they should not dox others because of family disputes. Doxxing is not a means to resolve disputes as it would only escalate conflict. Moreover, doxxing is a serious offence and the offender is liable on conviction to a fine up to HK$1,000,000 and imprisonment for five years.

Relevant Provisions under the PDPO

Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject —

1. With an intent to cause any specified harm to the data subject or any family member of the data subject; or
2. Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.

A person who commits an offence under section 64(3A) is liable on conviction to a fine of HK$100,000 and imprisonment for two years.

Pursuant to section 64(3C) of the PDPO, a person commits an offence if —

1. The person discloses any personal data of a data subject without the relevant consent of the data subject —
   1. With an intent to cause any specified harm to the data subject or any family member of the data subject; or
   2. Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
2. The disclosure causes any specified harm to the data subject or any family member of the data subject.

A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of HK$1,000,000 and imprisonment for five years.

According to section 64(6) of the PDPO, specified harm in relation to a person means —

1. Harassment, molestation, pestering, threat or intimidation to the person;
2. Bodily harm or psychological harm to the person;
3. Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
4. Damage to the property of the person.

A 36-year-old Female Arrested for Suspected Doxxing of a Couple Arising from Monetary Disputes

The PCPD arrested a Chinese female aged 36 in the New Territories on 30 June. The arrested person was suspected to have disclosed the personal data of a couple without their consent, in contravention of section 64(3A) of the PDPO.
 
The PCPD’s investigation revealed that the victims are married, and the arrested person was formerly a friend of the male victim. In March 2025, the male victim borrowed money from the arrested person, and sent her photos of his HKID card and a “Demand for Rates and/or Government Rent” (Demand) addressed to the female victim via an instant messaging application. A dispute later arose between the parties regarding the repayment arrangement.
 
In early May 2025, four posts demanding repayment from the victims were published in a personal account on a social media platform. These posts included a photo of the male victim’s HKID card and a photo of the Demand. The HKID card photo disclosed the male victim’s personal data including his Chinese name, English name, Chinese Commercial Code of the victim’s name, HKID card number, date of birth, gender and photo, whereas the photo of the Demand disclosed the female victim’s English name and residential address.
 
In mid-May 2025, flyers demanding loan repayment were found posted on the corridor wall outside the victims’ residence. The flyers contained a partially redacted photo of the male victim’s HKID card, but disclosed the male victim’s Chinese name, English name, Chinese Commercial Code of the victim’s name, HKID card number, date of birth, gender and photo.

The PCPD reminds members of the public that they should not dox others because of monetary disputes. Doxxing is a serious offence. Moreover, identity cards contain sensitive personal data, and any reckless or intentional disclosure or reposting of copies of identity cards without the data subjects’ consent may constitute a doxxing offence. An offender is liable on conviction to a fine up to HK$1,000,000 and imprisonment for five years.

MAINLAND CORNER

Highlights of the “Data Security Technology – Security Requirements for Processing of Sensitive Personal Information”

《數據安全技術敏感個人信息處理安全要求》的重點

Further to the publication of “Practical Guidance of Cybersecurity Standards – Classification Guidelines for Sensitive Personal Information” in September 2024, the National Technical Committee 260 on Cybersecurity of Standardization Administration of China released the “Data Security Technology – Security Requirements for Processing of Sensitive Personal Information” (Security Requirements) on 25 April 2025. Coming into effect on 1 November 2025, the Security Requirements outlines the definition and classification of sensitive personal information. It further establishes both general and specific security requirements for processing such information. This article provides an overview of the Security Requirements.

繼2024年9月發布《網絡安全標準實踐指南—敏感個人信息識別指南》（《識別指南》）¹後，全國網絡安全標準化技術委員會在2025年4月25日發布了《數據安全技術敏感個人信息處理安全要求》（《安全要求》）²，將於2025年11月1日正式實施。《安全要求》既闡明了識別和界定敏感個人信息的要求，亦規定了敏感個人信息處理的通用安全要求和特殊安全要求。

《安全要求》適用於個人信息處理者開展敏感個人信息處理活動，也適用於監管部門和第三方評估機構對敏感個人信息處理活動進行監督、管理和評估³。

識別及界定敏感個人信息⁴

《安全要求》規定信息處理者按照以下規則識別敏感個人信息，即一旦遭到洩露或非法使用，容易導致自然人：

• 人格尊嚴受到侵害的個人信息（如「人肉搜索 」、非法侵入網絡賬戶等）；
• 人身財產安全受到危害的個人信息（如行蹤軌跡信息）；及
• 財產安全受到危害的個人信息（如金融賬戶信息）。

假如多項一般個人信息匯聚後，一旦洩露或非法使用可能帶來上述的影響，也應將其整體參照敏感個人信息進行識別與保護。

此外，敏感個人信息應屬以下其中一個類別：

• 生物識別信息
• 宗教信仰信息
• 特定身份信息
• 醫療健康信息
• 金融賬戶信息
• 行蹤軌跡信息
• 不滿十四周歲未成年人的個人信息
• 其他敏感個人信息

有關各類別的詳情及例子，可參閱《安全要求》的附錄A。

敏感個人信息處理通用及特殊安全要求

《安全要求》針對敏感個人信息處理，提出了多項通用安全要求及特殊安全要求。通用安全要求可分為五大範疇，例子及部分要求摘要如下⁵：

《安全要求》為不同類別的敏感個人信息提出個別規定，例子及部分要求摘要如下⁶：

總結

《安全要求》為識別及界定敏感個人信息提供了具體指引，亦按照各類別的敏感個人信息的特色，提出了相應的安全要求。隨着個人信息安全的監管不斷細化，個人信息處理者、第三方評估機構等相關持份者宜密切關注監管動向，了解並遵循最新的合規要求。

¹ 全文：https://www.tc260.org.cn/upload/2024-09-18/1726621097544005928.pdf。本欄2024年6月亦曾介紹其徵求意見稿。

² 全文：https://www.tc260.org.cn/upload/2025-06-17/1750126302878095198.pdf。

³ 《安全要求》第1章。

⁴ 《安全要求》第4章。

⁵ 詳情見《安全要求》第5章。

⁶ 詳情見《安全要求》第6章。

RECOMMENDED TRAININGS

Professional Workshop on Data Protection in Direct Marketing Activities

Organisations often use customers’ personal data to conduct direct marketing activities to promote products or services. These activities are governed by the PDPO. Organisations have the responsibility to ensure that their employees clearly understand and comply with the provisions on direct marketing under the PDPO, which also helps organisations maintain a positive reputation and demonstrate their corporate social responsibility. 

This workshop will explain in detail the requirements of the direct marketing provisions under the PDPO and provide participants with practical guidance on compliance and share conviction cases relating to direct marketing, aiming to help participants understand how to properly use customers’ personal data in direct marketing activities. 

Date: 6 August 2025 (Wednesday)

Time: 2:15pm – 5:15pm

Mode: Online

Language: Cantonese

Fee: $750/$600*

(*Members of the DPOC and supporting organisations may enjoy the discounted fee)

Accreditation: 3 CPD points (The Law Society of Hong Kong, Insurance Authority, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)

Who should attend: Data protection officers, compliance officers, company secretaries, administration managers, IT Managers, solicitors, database managers and marketing professionals

Professional Workshop on Personal Data Privacy Management Programme

With the ever-rising expectations of customers and stakeholders regarding organisations’ responsible use of personal data in recent years, the protection of personal data privacy should no longer be seen as purely a compliance issue. To build trust with customers and enhance their competitive and reputational advantages, organisations should develop and implement a comprehensive Personal Data Privacy Management Programme (PMP) to proactively embrace personal data privacy protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisations. 

By attending this workshop, participants will understand the key components of a PMP, and learn how to continuously maintain and improve it for effective implementation in their organisations. 

Date: 13 August 2025 (Wednesday)

Time: 2:15pm – 4:15pm

Mode: Online

Language: Cantonese 

Fee: $750/$600*

(*Members of the DPOC and supporting organisations may enjoy the discounted fee)

Accreditation: 2 CPD points (The Law Society of Hong Kong, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)

Who should attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of the data protection trend and best practices

Professional Workshop on Data Protection in Banking/Financial Services

The application of fintech has developed rapidly in recent years, changing the landscape of the financial world. Practitioners of the banking and financial industry may face different personal data privacy issues in their business operations. To deal with these new challenges, a clear understanding of the requirements under the PDPO is necessary.

This workshop examines the risks of handling personal data in the daily operations of banking and financial services institutions, and provides practical advice on how to deal with these issues effectively. It is particularly suitable for data protection officers, compliance officers, banking/financial practitioners, company secretaries and solicitors.

Date: 20 August 2025 (Wednesday)

Time: 2:15pm – 5:15pm

Mode: Face-to-face

(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen’s Road East, Wanchai, Hong Kong)

Language: Cantonese 

Fee: $750/$600*

(*Members of the DPOC and supporting organisations may enjoy the discounted fee)

Accreditation: 3 CPD points (The Law Society of Hong Kong, Estate Agents Authority, Hong Kong Institute of Bankers)

Who should attend: Data protection officers, compliance officers, company secretaries, solicitors, advisers and other personnel undertaking work relating to the banking/financial industry

New Series of Professional Workshops on Data Protection in Sep 2025:

Online Free Seminars – Introduction to the PDPO Seminar

The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below: 

Seminar Outline:

• A general introduction to the PDPO;
• The six Data Protection Principles;
• Offences and compensation;
• Direct marketing; and
• Q&A session. 

Arrange an In-house Seminar for Your Organisation 

Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.

The seminar outline is as follows:

• A general introduction to the PDPO;
• The six Data Protection Principles (industry-related cases will be illustrated);
• Data security management;
• Handling of data breach incidents;
• Direct marketing;
• Offences and compensation; and
• Q&A session.

Duration: 1.5 hours

APPLICATION / RENEWAL OF DPOC MEMBERSHIP

Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!

Special Offer for Organisational Renewals:

Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).

Join us now to keep up-to-date with the latest news and legal developments!

SUPPORTING EVENTS

PCPD Supports the Hong Kong Institute of Bankers Annual Banking Conference 2025

The Hong Kong Institute of Bankers (HKIB) Annual Banking Conference 2025 (Conference) is the premier event for banking professionals seeking to thrive in today’s rapidly evolving financial landscape. Organised by the HKIB, the Conference will bring together industry leaders, regulators, and experts to explore the latest trends, innovative strategies, and critical challenges shaping the future of banking.

Under the theme “NextGen Banking: Adapting, Innovating, Thriving”, the Conference will take place on 26 September at the Hong Kong Convention and Exhibition Centre. Through keynote speeches, interactive panels, and extensive networking opportunities, attendees will gain valuable knowledge and strategies to navigate change and lead their organisations into the next era of banking.

Please click here for the details and registration.

PCPD Supports the BugHunting Campaign 2025

The PCPD participates in the “BugHunting Campaign 2025” (Campaign) as a Strategic Partner. The Campaign is co-organised by the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force and a crowdsourced cybersecurity company, Cyberbay, which leverages a specialised crowdsourced vulnerability detection platform, recruiting experts through bounty rewards to provide participating organisations with free cybersecurity testing. The Campaign also employs AI-powered security assessments, which not only focuses on detects vulnerabilities within corporate systems but also carries out security audits on AI applications, to prevent data breaches and offer comprehensive protection against emerging cyber threats.

The Campaign is now open to organisations for registration. Please click here for the details.

PCPD Supports the HKIoD Award for Director Excellence 2025

The “HKIoD Award for Director Excellence 2025” (Awards) organised by The Hong Kong Institute of Directors (HKIoD) is now open for nominations. The PCPD is pleased to be one of the supporting organisations of this prestigious Awards.

“Redefining Leadership for the New Era” is the theme of the Awards this year. Nomination for the Awards will be closed on 31 July.

Please click here for the Awards nomination form and related information on the HKIoD’s website.

PCPD Supports the Cyber Security Staff Awareness Recognition Scheme 2025

The PCPD is delighted to be one of the scheme partners of the Cyber Security Staff Awareness Recognition Scheme 2025 (Scheme). Co-organised by Hong Kong Internet Registration Corporation Limited and ISACA China Hong Kong Chapter, the Scheme aims to promote “Human Firewall” concept among the industry by raising cyber security staff awareness on top of technical protection as a second level defence line, and to enhance organisations’ protection level by encouraging the organisations to raise staff awareness by multiple channels. Applications are now open for the upcoming round of the Scheme for 2025.

Please click here for the Scheme details and application.

PCPD Supports the Hong Kong Volunteer Award 2025

The PCPD is delighted to be one of the supporting organisations of the Hong Kong Volunteer Award 2025. It is a volunteer recognition scheme co-organised by the Home and Youth Affairs Bureau and the Agency for Volunteer Service, supported through “JC VOLUNTEER TOGETHER” Project which is funded by The Hong Kong Jockey Club Charities Trust. Dedicated to recognising the contributions and achievements of outstanding volunteers, corporations, organisations, estates and schools, it is open for applications now.

Please click here for more details.

SUGGESTION BOX

The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.

Contact Us

Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong

Tel: 2827 2827

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
 

Copyright

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.