PCPD e-NEWSLETTER
ISSUE Apr 2026
Privacy Commissioner’s Office and HKIRC Co-organise “AI Security and Cybersecurity Summit for Enterprises” Attracting Over 620 Corporate Representatives With Distinguished Industry Leaders Sharing Expert Insights
The USITI, Ms Lillian CHEONG Man-lei, JP (fourth from right); the USCMA, Mr Clement WOO Kin-man, MH (fourth from left); the Information Centre of the Liaison Office of the Central People’s Government in the HKSAR, Mr ZHOU Wuhu (third from left); the Acting Commissioner for Digital Policy, Mr Daniel CHEUNG, JP (third from right); the Chairman of the HKIRC, Mr Sean LEE (second from right); Privacy Commissioner Ms Ada CHUNG Lai-ling, SBS (second from left); the Chief Executive Officer of the HKIRC, Ir Wilson WONG (first from right); and member of the Legislative Council and the PCPD’s SCTD, Professor the Hon William WONG Kam-fai, MH, (first from left), hosted the kick-off ceremony for the Summit.
The PCPD and the Hong Kong Internet Registration Corporation Limited (HKIRC) co-organised the “AI Security and Cybersecurity Summit for Enterprises” (Summit) on 31 March, with the Digital Policy Office (DPO) acting as a strategic partner. Featuring two key thematic areas – “Cybersecurity” and “Artificial Intelligence (AI) Security”, the Summit invited representatives from different sectors to deliver keynote addresses and participate in panel discussions, with the aim of enhancing the awareness and readiness of organisations of all types, including small and medium-sized enterprises, in addressing cybersecurity and AI security risks encountered in the business environment. The Summit attracted over 620 corporate representatives from all sectors.
The Summit was officiated by the Under Secretary for Innovation, Technology and Industry (USITI), Ms Lillian CHEONG Man-lei, JP, and the Under Secretary for Constitutional and Mainland Affairs (USCMA), Mr Clement WOO Kin-man, MH, JP, who also delivered the opening remarks. They were joined by Mr ZHOU Wuhu of the Information Centre of the Liaison Office of the Central People’s Government in the HKSAR; the Acting Commissioner for Digital Policy, Mr Daniel CHEUNG, JP; the Chairman of the HKIRC, Mr Sean LEE; Privacy Commissioner Ms Ada CHUNG Lai-ling, SBS; the Chief Executive Officer of the HKIRC, Ir Wilson WONG; and member of the Legislative Council and the PCPD’s Standing Committee on Technological Developments (SCTD), Professor the Hon William WONG Kam-fai, MH, in hosting the kick-off ceremony for the Summit.
The Acting Commissioner for Digital Policy, Mr Daniel CHEUNG, JP, delivered a keynote address entitled “Hong Kong’s Artificial Intelligence Governance and Development Strategy”, setting out how the Government is adopting a “development and governance in parallel” approach to foster innovation while effectively managing risks and seizing the opportunities brought by AI. He said that the Government will continue to closely monitor developments in AI technologies and the evolving risk landscape, and will take a multi-pronged approach to further strengthen Hong Kong’s AI governance and development, thereby fully unleashing the development potential of “AI Plus” on the premise of ensuring safety. The Government also actively encourages AI’s wide application to enable adoption and utilisation by all.
On the subject of “AI Security”, the Summit invited member of the Legislative Council and the PCPD’s SCTD, Professor the Hon William WONG Kam-fai, MH, to deliver a keynote address entitled “AI Security, Risks and Responses”. Professor Wong pointed out that the “15th Five‑Year Plan” envisages the full implementation of the “AI+” initiative. While organisations leverage AI to enhance operation efficiency and explore new business opportunities, they must at the same time remain vigilant and ensure model security, usage security and society security. He also explained the underlying principles behind the risks arising from the AI agent “OpenClaw” and called upon users to take a rational approach to AI agents and use them carefully.
The Summit also featured two panel sessions. In the panel session entitled “Generative AI Arms Race: Attackers vs Defenders”, panellists included President of ISACA China Hong Kong Chapter, Dr Welland CHU; Chief Digital Officer of the Vocational Training Council and Principal of the Hong Kong Institute of Information Technology, Ir Dr John HUI; Chief Superintendent of Cyber Security and Technology Crime Bureau of the Hong Kong Police Force, Mr Raymond LAM; and General Manager, Corporate Information Technology of The Hong Kong and China Gas Company Limited, Mr Alex WONG. They provided in-depth perspectives on the latest developments of cyber attacks and defences.
Another panel session, entitled “AI Security in Practice: Insights and Practical Experiences from Experts”, brought together seasoned experts from academia, research institutions and the business sector. Panellists included Chief Product Strategist of Hong Kong Generative AI Research and Development Center, Mr Leonard CHAN, MH; Deputy Director of Cyber Security and Analytics of the Hong Kong Applied Science and Technology Research Institute (ASTRI), Mr Ricky LEUNG; Senior Advisor of Ant Digital Technologies, Ms Jennifer TAN; and Deputy Managing Director and Chief Cyber Security and Privacy Officer of Huawei International Company Limited, Mr Ambrose TANG, who shared practical application experience and professional insights.
Privacy Commissioner’s Office Publishes (1) an Investigation Report on the Data Breach Incident of Yau Yat Chuen Garden City Club and (2) Practical Tips on Safeguarding Children’s Online Privacy
Privacy Commissioner Ms Ada CHUNG Lai-ling (left) and the Assistant Privacy Commissioner (Compliance, Global Affairs and Research) Ir Alex CHAN Chung-man (right), introduced the investigation report of the data breach incident of Yau Yat Chuen Garden City Club.
The PCPD published (1) an investigation report of the data breach incident of Yau Yat Chuen Garden City Club Limited (the Club) and (2) Practical Tips on Safeguarding Children’s Online Privacy on 23 April.
1. Data Breach Incident of Yau Yat Chuen Garden City Club
The investigation arose from a data breach notification submitted by the Club to the PCPD on 31 October 2025, reporting that its club management system (the CMS) was rendered inoperable as a result of a ransomware attack that encrypted information system files stored on a server (the Incident). The CMS was provided and maintained by an external service provider (the Service Provider) for managing members’ information of the Club, with all associated personal data stored on the server (the Server). The Service Provider had the ability to remotely access the Server via dedicated remote access software (the Software) for the purpose of providing technical support.
The investigation revealed that the Software was operating on an outdated version that contained a known security vulnerability at the time of the Incident. The vulnerability enabled the threat actor to compromise the account credentials used by the Service Provider, thereby gaining direct entry to the Server where personal data was stored. This was further facilitated by the Server being left in a logged-in state without the implementation of additional authentication controls, thereby further undermining the security defences of the CMS. In addition, the Club’s antivirus software and firewall were outdated, rendering them unable to detect and prevent the hacking activities.
The Club is a private, non-profit social and recreational organisation that provides recreational facilities and dining services exclusively to its registered members and their guests. A total of 9,045 data subjects were affected by the Incident, which included 1,553 active members, 1,723 supplementary card holders, 1,313 former members, and 4,456 former supplementary card holders. The personal data affected included the full names, Hong Kong Identity Card (HKID Card) numbers and/or passport numbers, dates of birth, email addresses, contact numbers and addresses.
The Club notified the affected persons after the Incident, and implemented various remedial measures, which included discontinuing the use of the previously vulnerable remote access software and monitoring all remote access, updating the antivirus software and firewall for all servers and endpoints to the latest versions, and applying encryption to the personal data files on the servers.
The PCPD conducted four rounds of inquiries and reviewed the information provided by the Club in relation to the Incident, and the follow-up and remedial actions taken by the Club after the Incident. Having considered the circumstances of the Incident and the information obtained during the investigation, Privacy Commissioner Ms Ada CHUNG Lai-ling found that the following deficiencies of the Club contributed to the occurrence of the Incident (See Annex 1 for details):
- Use of outdated remote access software that contained a known security vulnerability;
- Absence of user authentication measures for remote access to the Server;
- Use of outdated antivirus software and firewall;
- Lack of organisational measures for information security; and
- Prolonged retention of personal data.
The Privacy Commissioner was disappointed that the Club had not adopted appropriate and adequate organisational and technical information security measures before the Incident to safeguard the personal data stored in its information systems.
Based on the above, the Privacy Commissioner found that the Club had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance (PDPO) concerning the security of personal data. In addition, the Privacy Commissioner found that the Club had not taken all practicable steps to ensure that personal data was not kept longer than was necessary for the fulfilment of the purpose for which the data was used, thereby contravening DPP 2(2) concerning the retention of personal data.
The Privacy Commissioner has served an Enforcement Notice on the Club, directing it to take measures to remedy the contravention and prevent recurrence of similar contraventions in the future.
The Privacy Commissioner notes that databases that contain the data of members and customers often contain extensive, comprehensive, and continuously updated personal data. As such, they have become primary targets for cyberattacks. Following the infiltration into such databases, threat actors often exfiltrate large amounts of personal data, which could subsequently be sold for unlawful use. The Privacy Commissioner recommends that organisations adopt adequate and appropriate organisational and technical measures to safeguard their information systems that contain personal data. In particular, organisations should:
- Update remote access software, antivirus software and firewalls in a timely manner in order to patch any known vulnerabilities;
- Implement effective user authentication for data access, including strong passwords and multi‑factor authentication;
- Establish adequate organisational measures, including clear internal policies for information security, as well as secure and reliable remote access solutions;
- Conduct regular security risk assessments, vulnerability scans and system audits to identify and rectify security weaknesses;
- Formulate a data retention policy to ensure that personal data is not retained longer than is necessary; and
- Provide regular staff training on information security.
The PCPD encourages organisations to make reference to the “Guidance Note on Data Security Measures for Information and Communications Technology (ICT)” and the “Guidance on Data Breach Handling and Data Breach Notifications” issued by the PCPD to bolster their defences against cyberattacks and to enhance cybersecurity and data security.
To assist enterprises in safeguarding data security, the PCPD has launched a Data Security thematic webpage[1], a data security hotline (2110 1155) and the “Data Security Scanner”[2], which is a self-assessment toolkit for enterprises to assess the data security measures for their information systems.
In addition, to strengthen the capabilities of organisations, in particular small and medium enterprises and non-profit-making organisations, in safeguarding data security and cyber security, the PCPD relaunched the “Data Security Package” on 23 April. Participating organisations will receive five free quotas to join professional workshops and seminars organised by the PCPD upon completion of a free assessment by the “Data Security Scanner”, which will assess the adequacy of their data security measures.
2. “Safeguarding Children’s Online Privacy – Practical Tips for Parents and Teachers”
In today’s digital world, children have been actively engaging in online learning platforms, social media platforms, online games and other online services, often from a very young age. While the internet brings convenience and opportunities for learning and social interaction, it also exposes children to increasing risks to their personal data privacy, such as excessive collection of personal data and retention of personal data for longer than is necessary. Such personal data may also be used for cyberbullying, doxxing and even scams.
Privacy Commissioner Ms Ada CHUNG Lai-ling notes that when compared to adults, children are generally less appreciative of the privacy and safety implications of their online behaviour. To support parents and teachers, therefore, the PCPD has published the “Practical Tips for Parents and Teachers – Safeguarding Children’s Online Privacy” (the Tips), which provide practical advice on how parents and teachers can help children protect their personal data privacy and safety in the online world.
The Privacy Commissioner encourages parents and teachers to join hands to co-create a safe and privacy-friendly digital space for children, proactively guide them to develop good online habits, and strengthen their awareness of personal data protection, so that they can participate in online activities safely and with peace of mind.
The Tips set out practical advice on how parents and teachers can guide children to protect their personal data privacy online. Key recommendations include:
- Proactively participating in children’s online activities. Parents and teachers are encouraged to discuss with children the ‘dos’ and ‘don’ts’ of online behaviours, suitably use parental controls provided by online platforms to monitor children’s online activities, and try the latest technologies out to gain a deeper understanding of the functions and services of online platforms;
- Safeguarding children’s online privacy. Children should be reminded not to over-share personal data when using online platforms or interacting with artificial intelligence (AI) tools. They should remain vigilant about their digital footprint, and parents and teachers should review and change default privacy settings and cultivate a sense of respect for others’ privacy;
- Being a role model. Parents and teachers should set good examples by protecting their own personal data and respecting others’ personal data privacy, such as consulting friends and family members before sharing their personal data. They should also prioritise the best interest of the children when sharing their information on the internet; and
- Reminding children of the pitfalls of the digital world. Children should be reminded of risks such as online scams, cyberbullying, abuse of AI deepfakes and doxxing. They should also be reminded that their personal data is marketable by many organisations, that giving up their personal data in exchange for an ostensibly ‘free’ service may not be worthwhile, and that there is no permanent ‘delete’ button on the Internet.
Download the information pamphlet on “Safeguarding Children’s Online Privacy – Practical Tips for Parents and Teachers”: https://www.pcpd.org.hk/english/resources_centre/publications/files/leaflet_childrenonlineprivacy_e.pdf
Furthermore, to facilitate parents and teachers in understanding the advice in the Tips, the PCPD has also published a leaflet summarising the key recommendations of the Tips.
Download the leaflet: https://www.pcpd.org.hk/english/resources_centre/publications/files/safeguarding_practicaltips.pdf
Protecting Employee Personal Data Across the Employment Lifecycle
PRIVACY COMMISSIONER’S FINDINGS
Collection of Copies of HKID Card and Bank Card from a Job Applicant by an Employer Prior to the Acceptance of Employment Offer
Know Your Rights: Personal Data Privacy at Work
PCPD Convenes Learning Session on the National 15th Five-Year Plan
A 45-year-old Male Arrested for Suspected Doxxing of a Female Friend Arising from Personal Disputes
PCPD Publishes Information Leaflet on the Use of Data in eHealth System by Healthcare Professionals to Enhance the Protection of Patients’ Privacy
Free Online Seminars: Introduction to the PDPO
Arrange an In-house Seminar for Your Organisation
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
PCPD Supports the Cyber Security Staff Awareness Recognition Scheme 2026/27
Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain the Investigation Report on the Data Breach Incident of Yau Yat Chuen Garden Club and Practical Tips on Safeguarding Children’s Online Privacy
Privacy Commissioner Attends the Opening Ceremony cum Seminar of the “National Security Education Day”
Reaching Out to Information Technology Sector – Privacy Commissioner Meets with Representatives of ISACA China Hong Kong Chapter
Promoting Digital Economy – Privacy Commissioner Attends the 2026 World Internet Conference Asia-Pacific Summit
Reporting to Legislative Council – Secretary for Constitutional and Mainland Affairs and Privacy Commissioner Attend Special Meeting of the Legislative Council Finance Committee
Reaching Out to the Community – Privacy Commissioner Attends the Opening Ceremony of the Joint District Office of LegCo Member Dr Hon Webster NG Kam‑wah and Wan Chai District Council Members
Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain the Information Leaflet Issued by the PCPD on the Use of Data in eHealth System by Healthcare Professionals
Reaching Out to the Accounting Sector – Privacy Commissioner Speaks at the AWAHK Luncheon
Reaching Out to Education Sector – Privacy Commissioner and PCPD Representatives Speak on AI Security and Data Security
Reaching Out to University – Assistant Privacy Commissioner Speaks at Career Talk Entitled ‘Why AI-Driven Future requires Lawyers who Speak “Tech”?’
Reaching Out to the IT Sector – Assistant Privacy Commissioner Speaks at the Luncheon Meeting of the Hong Kong China Network Security Association
Event Organised in Celebration of PCPD’s 30th Anniversary – “Effective Data Governance in Action: Experience Sharing Session by Privacy-Friendly Awardees 2025”
Promoting AI Security – PCPD Produces a Promotional Video on “Artificial Intelligence: Model Personal Data Protection Framework”
Highlights of the “Draft Regulations on Simplified Personal Information Protection Measures for Small-Scale Personal Information Processors” (《小型個人信息處理者個人信息保護簡化措施規定(徵求意見稿)》)
International: From Uncertainty to Practice – What the New Ontario Guidance Clarifies about Anonymisation for AI
EU: European Data Protection Board (EDPB) Approves Updated Europrivacy Criteria and Recognises Europrivacy as GDPR Transfer Tool
EU: EDPB Adopts Guidelines on Data Processing for Scientific Research and Opens Public Consultation
UK: Department for Science, Innovation and Technology (DSIT) Issues Open Letter to Businesses on AI‑driven Cyber Threats
Privacy 101: Protecting Employee Personal Data Across the Employment Lifecycle
Can an employer ask about a job applicant's criminal record? Is it reasonable to require a pre-employment health check? These are questions that human resources (HR) practitioners in organisations would face regularly, and getting the answers wrong could potentially expose an organisation to regulatory risk.
As data users, employers are accountable for how employees' personal data is handled at every stage of the employment lifecycle. While collecting data for HR purposes is often required in business operations, organisations must ensure robust security measures are in place, from recruitment through to offboarding.
Here are the key areas where organisations should pay close attention:
- Collect only what is necessary: Employers should only collect personal data from job applicants which is adequate but not excessive in relation to the purpose of recruitment;
- Be transparent about purpose and use: Provide a clear Personal Information Collection Statement (PICS) on or before collecting personal data that clearly lists the purpose of collection, the classes of transferees, and the rights of job applicants to access and correct their personal data;
- Exercise caution with health data and monitoring: Pre-employment medical checks should collect only the minimum health information necessary to support a fitness-for-work assessment;
- Obtain consent before giving references: Providing a reference to a third party constitutes a change in purpose. Employers should obtain the employee's or former employee's express and voluntary consent before releasing any reference;
- Restrict access on a need-to-know basis: Assign clear access rights, use password controls and encryption, maintain access logs, and provide regular training to staff who handle human resources systems; and
- Do not retain personal data longer than necessary: Personal data of unsuccessful applicants should generally not be kept beyond two years from rejection; former employee data should not be retained beyond seven years after departure, unless a legal obligation or the individual's consent justifies otherwise.
For further guidance, please refer to the “Code of Practice on Human Resource Management” and “Human Resource Management: Common Questions”.
PRIVACY COMMISSIONER’S FINDINGS
Collection of Copies of HKID Card and Bank Card from a Job Applicant by an Employer Prior to the Acceptance of Employment Offer
The Complaint
The complainant applied for and interviewed for a job at a branch of a company. After the interview, the staff of the company requested to make a copy of the complainant’s HKID Card and bank card (“the Documents”) in order to submit the same to the HR Department for contract preparation and job allocation purposes. Thereafter, the complainant asked the company about the outcome of his job application but did not receive any response. The complainant was dissatisfied that the company collected the copies of the Documents prior to confirming his employment offer, and hence lodged a complaint with the PCPD.
Outcome
The company explained to the PCPD that the complainant had passed the interview at the branch, and the branch manager considered the application successful. In the circumstances, the Documents were copied and passed to the district manager for vetting purposes. However, during the vetting process, the district manager considered that the company had sufficient manpower and the complainant’s application was thus rendered unsuccessful.
Upon PCPD’s intervention, the company revised its guidelines relating to the collection of personal data from job applicants. According to the revised guidelines, the company would only collect copies of the Documents at the time the selected job applicant signs the contract or during the onboarding process.
The PCPD also issued a warning to the company, requesting it to recirculate the revised guideline regularly to ensure that the staff adhered to the relevant requirements regarding the collection of personal data from job applicants.
Lessons Learnt
In accordance with the “Code of Practice on the Identity Card Number and other Personal Identifiers” (“the Code”) issued by the PCPD, employers are permitted to collect a copy of an HKID card in order to provide proof of compliance on the part of the employer with section 17J of the Immigration Ordinance (Cap.115), which provides that the employer shall inspect the HKID Card of a prospective employee before employing him. However, it is also highlighted in the Code that the employer shall not collect any HKID Card copy until the applicant is successfully recruited. In addition, as reiterated in the “Code of Practice on Human Resource Management” issued by the PCPD, an employer should not collect a copy of the HKID Card of a job applicant during the recruitment process unless and until the applicant has accepted an offer of employment.
An HKID Card copy contains important and sensitive personal data. Institutions shall take this case as an example and ensure that recruitment staff do not collect the HKID Card copy of a job applicant unless and until the job applicant has accepted an offer of employment. Similarly, if a particular applicant has not accepted an offer of employment, it is not necessary to collect the bank account information for payroll purposes.
Know Your Rights: Personal Data Privacy at Work
Throughout your working life, your employer collects and holds a wide range of personal data about you — from your contact details and salary records to medical certificates and performance appraisals. While this is a normal part of the employment relationship, many employees are unaware of the rights they have over their personal data.
Being informed is the first step to taking control. Here are the key rights every employee, job applicant or former employee should understand about their personal data privacy at work:
- Know what data your employer holds: You can ask your employer for a list of the kinds of personal data held and the main purposes for which it is used, to get the full picture of your data footprint at work;
- Be cautious with health data: Your employer may request a pre-employment health check only if it relates to the job and you consent. During employment, only the minimum health information needed should be collected, and your health conditions should not be disclosed to colleagues without legitimate need;
- Stay alert to collection of biometric data: If your employer uses fingerprint scanners or facial recognition for attendance or access control, ask whether less intrusive alternatives are available and how the biometric data is stored;
- Understand disciplinary data handling: Personal data compiled during disciplinary investigations should be used strictly for that purpose. Your employer should not disclose this information beyond those directly involved;
- Access your appraisal reports: You have the right to obtain a copy of your performance appraisal. However, your employer may redact the appraiser's identity if they have not consented to disclosure; and
- Control public announcements about you: If your employer announces your departure publicly, only minimum information — name, job title, department — should be disclosed. Your reason for leaving should not be shared without consent.
Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain the Investigation Report on the Data Breach Incident of Yau Yat Chuen Garden Club and Practical Tips on Safeguarding Children’s Online Privacy
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK News’ “Hong Kong Today”, RTHK Radio 1’s “HK2000”, CRHK’s “On a Clear Day” and Now News’ “News Magazine” on 24 April. During the interviews, she elaborated on the key findings of the investigation report of the data breach incident of the Yau Yat Chuen Garden City Club Limited (the Club) and explained the Tips published by the PCPD.
In the interviews, the Privacy Commissioner pointed out that in the data breach incident of the Club, the developer of the relevant remote access software had issued a security alert regarding security vulnerabilities as early as January 2025. However, neither the service provider nor the Club took any follow‑up actions, reflecting insufficient awareness of personal data security on the part of the Club and its service provider.
To strengthen the capabilities of organisations in safeguarding data security and cyber security, the PCPD has relaunched the “Data Security Package”. Participating organisations will receive five free quotas to join professional workshops and seminars organised by the PCPD upon completion of a free assessment by the “Data Security Scanner”, which will assess the adequacy of their data security measures.
In addition, the Tips published by the PCPD set out a four‑step approach, offering practical advice to parents and teachers on how to help children safeguard their personal data privacy and security in the online world. The Privacy Commissioner also encouraged parents to adopt an open attitude and engage their children in more discussions about online security measures and precautions, so as to foster children’s awareness of protecting their privacy.
The Assistant Privacy Commissioner (Compliance, Global Affairs and Research), Ir Alex CHAN Chung-man, was also interviewed by RTHK Radio 3’s “Hong Kong Today” to explain the investigation report of the data breach incident of the Club.
Click here to listen to the interview by RTHK News’ “Hong Kong Today” (54:27-59:47) (Chinese only). Click here to listen to the interview by RTHK Radio 1’s “HK2000” (Chinese only).
Click here to watch the interview by Now News’ “News Magazine” (Part 1, Part 2) (Chinese only).
Click here to listen to the interview by RTHK Radio 3’s “Hong Kong Today” (40:30-45:32).
Privacy Commissioner Attends the Opening Ceremony cum Seminar of the “National Security Education Day”
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Opening Ceremony cum Seminar of the “National Security Education Day” on 15 April. The theme of this year’s National Security Education Day is “Proactively Align with the 15th Five-Year Plan Follow a Holistic Approach to Development and Security.”
On 1 July 2015, the National Security Law of the Country was passed at the 15th meeting of the Standing Committee of the 12th National People’s Congress, and the National People’s Congress designated 15 April of each year as the “National Security Education Day”. This year marks the 11th “National Security Education Day”, the sixth anniversary of the implementation of the Hong Kong National Security Law, as well as the second anniversary of the implementation of the Safeguarding National Security Ordinance.
Reaching Out to Information Technology Sector – Privacy Commissioner Meets with Representatives of ISACA China Hong Kong Chapter
The President of ISACA China Hong Kong Chapter (ISACA), Dr Welland CHU, led a delegation to visit the PCPD on 14 April and met with Privacy Commissioner Ms Ada CHUNG Lai-ling and representatives of the PCPD. During the meeting, the parties introduced their latest initiatives and strategic developments respectively, as well as exchanged views and shared experiences on various aspects of personal data privacy protection, including data security and AI security. The PCPD and ISACA will continue their close collaboration and further strengthen their ties to raise the awareness and capability of the information technology sector to address the risks brought by emerging technologies.
Promoting Digital Economy – Privacy Commissioner Attends the 2026 World Internet Conference Asia-Pacific Summit
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 2026 World Internet Conference Asia-Pacific Summit (Summit) on 14 April, where she engaged in discussions with representatives of international organisations, and experts and scholars.
The Summit was hosted by the World Internet Conference, organised by the HKSAR Government and co-organised by the Innovation, Technology and Industry Bureau. Having hosted the summit for the first time last year, Hong Kong once again hosted the Summit this year under the theme “Digital and Intelligent Empowerment for Innovative Development – Jointly Building a Community with a Shared Future in Cyberspace”.
Through participants’ in-depth discussions on global internet frontier topics, the Summit aims to promote high-quality innovation and technology development, strengthen regional digital collaboration, and jointly create new momentum and advantages for the development of the Asia-Pacific region.
In addition, the Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) of the PCPD Ir Alex CHAN Chung-man also participated in a panel discussion titled “Dialogue on the Development of Hong Kong’s Cybersecurity Standards Framework”. The panel focused on how to ensure alignment between regulatory oversight, law enforcement and compliance guidance, as well as on providing the industry with clear and consistent implementation standards.
|
Reporting to Legislative Council – Secretary for Constitutional and Mainland Affairs and Privacy Commissioner Attend Special Meeting of the Legislative Council Finance Committee
|
The Secretary for Constitutional and Mainland Affairs (SCMA), Miss Janice TSE Siu-wa, GBS, JP, attended a special meeting of the Legislative Council (LegCo) Finance Committee on 13 April, at which she briefed LegCo Members on the key areas of the estimated expenditure of the Constitutional and Mainland Affairs Bureau for 2026-27. Privacy Commissioner Ms Ada CHUNG Lai-ling also attended the meeting and responded to LegCo Members’ questions concerning the work of the PCPD. The Privacy Commissioner stated that the PCPD has continued to promote data security and to strengthen collaboration with the industry. In addition to its regular seminars and workshops, the PCPD organised the “AI Security and Cybersecurity Summit for Enterprises” in March this year, providing practical advice on enhancing data security to enterprises, particularly small and medium-sized enterprises. The PCPD also plans to launch a free website security scanning service within the year. Furthermore, the PCPD publishes guidelines on data security from time to time, in particular on the handling and notification of data breach incidents.
On the enforcement front, the PCPD has strengthened its efforts through compliance checks, investigations and inspections to ensure that data users comply with the relevant requirements of the PDPO. Please click here for the opening remarks of the SCMA (Chinese only).
|
Reaching Out to the Community – Privacy Commissioner Attends the Opening Ceremony of the Joint District Office of LegCo Member Dr Hon Webster NG Kam‑wah and Wan Chai District Council Members
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the opening ceremony of the joint district office of member of the LegCo (Accountancy), Dr Hon Webster NG Kam-wah, JP, and members of the Wan Chai District Council, Mr Sam NG Chak‑sum and Ms Peggy LEE Pik‑yee, MH, on 9 April. The Privacy Commissioner exchanged views with district residents and representatives from various sectors at the event.
|
Reaching Out to the Community – Privacy Commissioner Interviewed by Media to Explain the Information Leaflet Issued by the PCPD on the Use of Data in eHealth System by Healthcare Professionals
|
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK News’ “Hong Kong Today” and RTHK Radio 1’s “HK2000” on 1 April to explain the Information Leaflet on the use of data in the eHealth System by healthcare professionals recently published by the PCPD. During the interviews, the Privacy Commissioner pointed out that the PCPD received a total of 16 complaints and 10 enquiries relating to the eHealth System last year, and five complaints and one enquiry in the first two months of this year. The complaint cases can broadly be categorised into two main types: (1) healthcare professionals opening eHealth System accounts for patients without obtaining their consents; and (2) healthcare professionals accessing patients’ medical records without their consents. She explained that, with the increasingly widespread use of the eHealth System and the expansion of the eHealth System to enable broader sharing of patients’ health data, the PCPD published the Information Leaflet to assist healthcare providers and healthcare professionals in gaining a more comprehensive understanding of, and complying with, the relevant requirements of the PDPO when they handle patients’ personal data in the eHealth System. She also recommended that healthcare providers enhance staff training and formulate clear internal guidelines to strengthen frontline staff’s awareness of protecting patients’ data.
|
Reaching Out to the Accounting Sector – Privacy Commissioner Speaks at the AWAHK Luncheon
|
Privacy Commissioner Ms Ada CHUNG Lai-ling attended a luncheon event organised by the Association of Women Accountants (Hong Kong) (AWAHK). The Privacy Commissioner was invited to participate in a panel discussion entitled “Dare to Dream? Reflecting on 20 years of accomplishment and navigating into the future” as a guest speaker. During the event, the Privacy Commissioner shared her professional experience and explained how, in her role as a regulator, she navigates various challenges encountered in her day-to-day work. She also exchanged views with industry representatives on the best practices for safeguarding personal data privacy.
|
Reaching Out to Education Sector – Privacy Commissioner and PCPD Representatives Speak on AI Security and Data Security
|
Privacy Commissioner Ms Ada CHUNG Lai-ling and representatives of the PCPD attended the workshop titled “Media and Information Literacy (MIL) Series: (6) Workshop on Responsible Information Handling Where Personal Data Meets Artificial Intelligence” on 26 March to elaborate on AI security and data security to teachers. The workshop was co‑organised by the Education Bureau and the Journalism Education Foundation. The Privacy Commissioner delivered a presentation titled “Understanding AI Security and Privacy Risks in Schools”, explaining to participants the personal data privacy risks that may arise from the use of AI in schools, as well as how to prevent and handle AI deepfake incidents. She also shared recommendations for developing internal guidelines on the use of generative AI for teaching staff and students. In addition, Manager (Corporate Communications) of the PCPD Mr Eric PHENG introduced the Data Protection Principles and shared real-life cases of data breach incidents involving schools. During the workshop, representatives of the PCPD also introduced the steps for anonymising personal data and guided participants in trying out deepfake technology, through trial and error, to generate portraits of individuals. Please click here for the presentation deck (Chinese only).
|
Reaching Out to University – Assistant Privacy Commissioner Speaks at Career Talk Entitled ‘Why AI-Driven Future requires Lawyers who Speak “Tech”?’
|
The Assistant Privacy Commissioner for Personal Data (Legal) of the PCPD Ms Fiona LAI delivered a keynote address and participated in a panel discussion at the career talk entitled ‘Why AI-Driven Future requires Lawyers who Speak “Tech”?’ on 24 April. The career talk was jointly organised by the International Association of Privacy Professionals (IAPP) Hong Kong KnowledgeNet Chapter and the School of Law of the City University of Hong Kong. Ms LAI delivered a keynote address entitled “Protection of Personal Data Privacy in the Age of Artificial Intelligence”. In her address, she highlighted the personal data privacy risks posed by the growing adoption of AI and provided an overview of the guidelines relating to AI published by the PCPD, including the “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework), “10 Tips for Users of AI Chatbots” and the “Checklist on Guidelines for the Use of Generative AI by Employees” (Guidelines). Ms LAI also shared her career journey as a legal professional with the participants at the panel discussion. Please click here for Ms LAI’s presentation deck (Chinese only).
|
Reaching Out to the IT Sector – Assistant Privacy Commissioner Speaks at the Luncheon Meeting of the Hong Kong China Network Security Association
|
The Assistant Privacy Commissioner for Personal Data (Legal) of the PCPD Ms Fiona LAI Ho-yan delivered the opening remarks at the “AI & Data Privacy Luncheon” organised by the Hong Kong China Network Security Association on 25 March. At the luncheon meeting, Ms LAI discussed how enterprises could address the privacy risks arising from the use of AI. She also introduced the recommendations on AI governance and the best practices provided in the Model Framework published by the PCPD, along with the recommendations for developing internal policies or guidelines on the use of generative AI by employees set out in the Guidelines. Please click here for the presentation deck.
|
Event Organised in Celebration of PCPD’s 30th Anniversary – “Effective Data Governance in Action: Experience Sharing Session by Privacy-Friendly Awardees 2025”
|
To mark the 30th anniversary of the PCPD, the PCPD launches a series of initiatives on data security and AI data privacy security. An experience sharing session entitled “Effective Data Governance in Action: Experience Sharing Session by Privacy-Friendly Awardees 2025” (Sharing Session) was successfully held on 14 April, with a view to assisting enterprises in adopting strong data governance and fostering a privacy-centric culture. The Sharing Session attracted over 200 participants from various sectors, including the government/public bodies, banking, insurance and information technology sectors.
At the Sharing Session, representatives of the Outstanding Gold Awardees of the “Privacy-Friendly Awards 2025”, including Prudential General Insurance Hong Kong Limited, TOPPAN Information Solution (Hong Kong) Limited and ZA Bank Limited, shared their hands-on experiences and practical insights in implementing robust data governance policies, in particular in managing and safeguarding customers’ sensitive personal data at scale. Through real-life examples, the speakers also highlighted the measures taken to strengthen data security and showcased how technology can be leveraged to enhance privacy protection.
Please click here for the presentation deck of the representative of Prudential General Insurance Hong Kong Limited. Please click here for the presentation deck of the representative of TOPPAN Information Solution (Hong Kong) Limited. Please click here for the presentation deck of the representative of ZA Bank Limited.
|
Promoting AI Security – PCPD Produces a Promotional Video on “Artificial Intelligence: Model Personal Data Protection Framework”
|
The PCPD has produced a promotional video showcasing the Model Framework published by the PCPD earlier. Presented in a lively and engaging format, the video features the animated mascot “Data Guardian”, who explains the recommended measures under the four areas of the Model Framework, to assist organisations in procuring, implementing and using AI, including generative AI, in compliance with the relevant requirements of the PDPO. The four areas include:
- Establish AI Strategy and Governance;
- Conduct Risk Assessment and Human Oversight;
- Customisation of AI Models and Implementation and Management of AI Systems; and
- Communication and Engagement with Stakeholders.
The Model Framework has won the “Hong Kong Public Sector Initiative of the Year – Regulatory” award in the Asia Pacific GovMedia Conference & Awards 2025. The award seeks to recognise public sector projects that are transforming the Asia Pacific region and making a global impact.
The video is available on the PCPD’s website, YouTube channel and social media platforms.
Please click here to watch the video.
|
The PCPD Convenes Learning Session on the National 15th Five-Year Plan
|
The PCPD earlier convened a learning session on the Outline of the National 15th Five-Year Plan on 17 April. The PCPD invited HKSAR member of the National Committee of the Chinese People’s Political Consultative Conference (CPPCC), Ms Agnes CHAN Sui-kuen, BBS, to speak as a guest speaker. The learning session, hosted by Privacy Commissioner Ms Ada CHUNG Lai-ling, SBS, enabled colleagues of the PCPD to gain a deeper understanding of the National 15th Five-Year Plan Outline and to align more proactively with it in their work. The Privacy Commissioner expressed her sincere appreciation to Ms CHAN for her sharing, which enhanced PCPD colleagues’ understanding of the national development strategies, of the forward-looking, strategic and actionable nature of formulating the first “Hong Kong’s Five-Year Plan” by the HKSAR Government under the leadership of the Chief Executive, and of the abundant opportunities it will bring to Hong Kong. At the learning session, the Privacy Commissioner also shared with colleagues of the PCPD the key points of the speeches delivered by the officiating guests at the ceremony of the “National Security Education Day”, including the Director of the Hong Kong and Macao Work Office of the Communist Party of China Central Committee and the Hong Kong and Macao Affairs Office of the State Council, Mr XIA Baolong, the Director of the Liaison Office of the Central People’s Government in the HKSAR, Mr ZHOU Ji, and the Chief Executive, Mr John LEE, GBM, SBS, PDSM, PMSM. She also reminded colleagues of the PCPD to keep up their effort in safeguarding national security and to join hands to ensure the steadfast and successful implementation of “One Country, Two Systems”.
At the learning session, the Privacy Commissioner and Ms CHAN respectively presented PCPD colleagues with the traditional Chinese versions of the first volume of Selected Works of Xi Jinping on Economy, along with two volumes of Xi Jinping and University Students for learning. Copies of these publications are also available at the PCPD office, enabling colleagues to gain a better understanding of the Country’s development landscape and opportunities. The PCPD has consistently placed strong emphasis on learning and training relating to national development and Mainland affairs. It continues to arrange colleagues’ participation in national studies, sharing sessions and visits to Mainland enterprises, and has for three consecutive years organised colleagues’ participation in national studies courses, assisting colleagues in understanding the latest national planning directions and the overall development landscape.
|
A 45-year-old Male Arrested for Suspected Doxxing of a Female Friend Arising from Personal Disputes
|
The PCPD arrested a Chinese male aged 45 in the New Territories on 2 April. The arrested person was suspected to have disclosed the personal data of a female friend without her consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the arrested person and the victim became acquainted in 2023 and had a relationship for around two months. While the two maintained contact after the relationship had broken down, their relationship turned sour because of some disputes relating to household decoration. Between December 2025 and January 2026, messages were posted in a personal account on a social media platform on three occasions and flyers were posted outside various premises on four occasions, which disclosed the personal data of the victim alongside some negative comments against her. The personal data disclosed included the victim’s Chinese name, alias, gender, date of birth, HKID Card number, residential address, mobile phone number and her photo. The PCPD reminds members of the public that they should not dox others because of personal disputes. Doxxing is not a means to resolve disputes as it would only escalate conflicts. Moreover, doxxing is a serious offence and the offender is liable on conviction to a fine up to HK$1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject —
a. With an intent to cause any specified harm to the data subject or any family member of the data subject; or
b. Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of HK$100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if —
a. The person discloses any personal data of a data subject without the relevant consent of the data subject —
- With an intent to cause any specified harm to the data subject or any family member of the data subject; or
- Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
b. The disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of HK$1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means —
- Harassment, molestation, pestering, threat or intimidation to the person;
- Bodily harm or psychological harm to the person;
- Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- Damage to the property of the person.
|
PCPD Publishes Information Leaflet on the Use of Data in eHealth System by Healthcare Professionals to Enhance the Protection of Patients’ Privacy
|
In light of the expansion of the Electronic Health System (eHealth System) to enable broader sharing of patients’ health data, and to ensure that patients’ personal data privacy is adequately protected, the PCPD published an information leaflet titled “Points to Note for Healthcare Providers and Healthcare Professionals” (Information Leaflet) on 31 March. The Information Leaflet aims to assist healthcare providers (healthcare providing organisations) and healthcare professionals (such as doctors and nurses) to better understand and comply with the requirements of the PDPO when handling patients’ personal data through the eHealth System. These include the relevant provisions of the PDPO relating to the collection and use of personal data, data accuracy and data security. The Information Leaflet provides practical guidance on matters that healthcare providers and healthcare professionals should note, as well as recommended good practices when they use the eHealth System in handling patients’ personal data. These include:
- Prior to patients’ participation in the eHealth System: ensuring that their staff will remind patients, before giving joining consent and/or sharing consent, to read carefully the relevant “PICS”, “Privacy Policy Statement”, and “Participant Information Notice”;
- Access to and use of electronic health records: should take reasonable steps to ensure that only relevant healthcare professionals can access patients’ health records in the eHealth System, and should not use patients’ personal data for new purposes, for example, for uploading patients’ health records to social media without their consents;
- Accuracy of personal data: ensuring that the electronic health records they provide to the eHealth System are accurate;
- Security of personal data: adopting all practicable steps to protect the security of personal data in the eHealth System and to reduce the risk of data breach and, if there is a data breach of the eHealth System, notify both the Commissioner for the Electronic Health Record and the Privacy Commissioner as soon as possible;
- Direct marketing: using electronic health records in the eHealth System for direct marketing is a criminal offence under the Electronic Health System Ordinance. Additionally, if healthcare providers intend to use the personal data in their local systems for direct marketing, they must comply with the requirements under the relevant provisions of the PDPO. Otherwise they will likewise be committing a criminal offence;
- Transparency: should formulate and periodically review their personal data privacy policies; and
- Data access requests or data correction requests: handling data access and correction requests in accordance with the PDPO, and providing relevant training and guidelines.
The Information Leaflet also includes an action list to assist healthcare providers in reviewing whether adequate measures have been adopted to safeguard personal data privacy. Download the “Personal Data (Privacy) Ordinance and the Electronic Health System: Points to Note for Healthcare Providers and Healthcare Professionals”: https://www.pcpd.org.hk//english/resources_centre/publications/files/eHRSS_Points_to_Notes_ENG.pdf
|
Highlights of the “Draft Regulations on Simplified Personal Information Protection Measures for Small-Scale Personal Information Processors” (《小型個人信息處理者個人信息保護簡化措施規定(徵求意見稿)》)
|
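To support the innovative development of micro, small and medium-sized enterprises and to simplify the obligations of small-scale personal information processors in complying with personal information laws and regulations, the Cyberspace Administration of China (CAC) released the “Draft Regulations on Simplified Personal Information Protection Measures for Small-Scale Personal Information Processors” (Draft Regulations) for public consultation on 3 April 2026 [1]. The Draft Regulations support small-scale personal information processors in adopting simplified measures commensurate with their scale and capabilities to safeguard personal information, on the basis of compliance with relevant personal information protection laws and administrative regulations [2]. The simplified measures cover requirements relating to personal information processing rules, as well as requirements for notification and consent, among others. The consultation will end on 3 May 2026. This article provides an overview of the Draft Regulations, the highlights of which are as follows:
Scope of Application
The provisions proposed in the Draft Regulations apply to small-scale personal information processors within China, i.e. personal information processors that process the personal information of fewer than 100,000 individuals [3].
Simplified Personal Information Processing Rules and Means of Publication
Compared with the Personal Information Protection Law (《個人信息保護法》) (PIPL) [4], the Draft Regulations simplify the content of, and the means of publishing, the personal information processing rules of small-scale personal information processors, who need not list the ways and procedures for individuals to exercise the rights provided under the PIPL [5]. Where small-scale personal information processors provide products or services through online platforms, parks or commercial properties, they may even dispense with formulating their own personal information processing rules, on the premise that, among other things, they comply with the personal information processing rules uniformly formulated by those platforms, parks or properties [6].
As regards publishing the personal information processing rules, small-scale personal information processors that collect personal information offline may publish the rules through simple means such as posting a notice in a prominent position at their business premises; those that collect personal information online may publish the rules through means such as service agreements [7].
Simplified Notification and Consent Obligations
The Draft Regulations propose that small-scale personal information processors that meet specified conditions may fulfil their obligation to notify individuals solely by publishing their personal information processing rules [8].
In addition, under specified circumstances, small-scale personal information processors may process an individual’s personal information without separately obtaining the individual’s consent. For example, where an individual, being informed, voluntarily cooperates in providing sensitive personal information, the small-scale personal information processor may process that sensitive personal information in accordance with the purposes, means and types of personal information processing already notified [9].
Exemption from Compliance Requirements for Outbound Transfers of Personal Information [10]
The Draft Regulations set out six conditions for exemption from applying for a security assessment of outbound data transfers, concluding a standard contract for personal information, and passing personal information protection certification. These are consistent with the requirements of Article 35 of the existing Regulations on Network Data Security Management (《網絡數據安全管理條例》) and Article 5 of the Provisions on Promoting and Regulating Cross-border Data Flows (《促進和規範數據跨境流動規定》).
Simplified Personal Information Protection Compliance Audits and Impact Assessments [11]
The Draft Regulations are also accompanied by the “Self-check Form for Personal Information Protection Compliance Audits of Small-Scale Personal Information Processors” and the “Personal Information Protection Impact Assessment Form for Small-Scale Personal Information Processors”, enabling small-scale personal information processors to carry out personal information protection compliance audits and personal information protection impact assessments in a simple manner. The Draft Regulations provide that small-scale personal information processors should carry out a compliance audit at least once every five years; however, those that have passed personal information protection certification may be exempted from carrying out compliance audits during the validity period of the certification.
Simplified Notification Requirements for Personal Information Leakage [12]
Where a personal information leakage occurs and it is not possible to notify individuals by other means owing to objective constraints, notification may be made solely through simple means such as posting a notice in a prominent position at the business premises or displaying a pop-up notice in the client application of the product or service.
Penalties
Compared with the PIPL, the Draft Regulations add provisions under which, in specified circumstances, no penalty is imposed, or a lighter or mitigated penalty is imposed [13]. For example, where a small-scale personal information processor commits a first-time violation with minor harmful consequences and rectifies it in a timely manner, no penalty will be imposed [14].
Conclusion
The simplified measures in the Draft Regulations allow small-scale personal information processors to lower their compliance costs while raising the level of personal information protection, thereby promoting the innovative development of micro, small and medium-sized enterprises. Small-scale personal information processors are advised to read the requirements carefully and to take corresponding measures after the Draft Regulations are finalised.
[1] Full text: https://www.cac.gov.cn/2026-04/03/c_1776865011603509.htm
[2] Article 3 of the Draft Regulations.
[3] Article 2 of the Draft Regulations.
[4] Article 17 of the PIPL. Full text: https://www.cac.gov.cn/2021-08/20/c_1631050028355286.htm
[5] Article 4 of the Draft Regulations.
[6] Articles 5 and 8 of the Draft Regulations.
[7] Article 4 of the Draft Regulations.
[8] Article 6 of the Draft Regulations. The conditions include: the processing of personal information (excluding sensitive personal information) is necessary for providing products or services; and the personal information is not provided to other personal information processors and is not disclosed publicly, and this is expressly stated in the personal information processing rules.
[9] Article 10 of the Draft Regulations. Article 29 of the PIPL requires that the separate consent of the individual be obtained for processing sensitive personal information; where laws or administrative regulations provide that written consent shall be obtained for processing sensitive personal information, those provisions shall apply.
[10] Article 11 of the Draft Regulations.
[11] Articles 14 and 15 of the Draft Regulations.
[12] Article 17 of the Draft Regulations.
[13] Articles 19 and 20 of the Draft Regulations.
[14] Article 20 of the Draft Regulations.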
|
PCPD 30th Anniversary Presents – Public Seminar on “Preventing Scams in the Digital Era”
|
With the rapid development of digital technologies and AI, scammers are exploiting various channels to commit fraud, including phishing SMS messages, scams carried out through instant messaging applications, social media deception, fake online shops, QR‑code traps, and even AI‑generated deepfake videos or AI‑cloned voices to impersonate family members, colleagues, or service providers, which are difficult to guard against.
Against this background, the PCPD organises this seminar, where Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) Ir Alex CHAN Chung-man will share with the public how to protect themselves in the AI era, including how to use AI chatbots, smartphones and social media wisely to safeguard personal data privacy. Mr Stephanie ANG, Senior Inspector of the Anti-Deception Coordination Centre of the Commercial Crime Bureau of the Hong Kong Police Force, will also discuss the latest trends of emerging scams, using real cases as examples, and share anti-scam tips.
Members of the public with an interest in the topic are welcome to attend.
Date: 5 May 2026 (Tuesday)
Time: 3:00pm – 4:00pm
Mode: Hybrid
Venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen’s Road East, Wanchai, Hong Kong
Language: Cantonese
Fee: Free of charge
|
Professional Workshop on Personal Data Privacy Management Programme
|
With the ever-rising expectations of customers and stakeholders regarding organisations’ responsible use of personal data in recent years, the protection of personal data privacy should no longer be seen as purely a compliance issue. To build trust with customers and enhance their competitive and reputational advantages, organisations should develop and implement a comprehensive Personal Data Privacy Management Programme (PMP) to proactively embrace personal data privacy protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisations.
By attending this workshop, participants will understand the key components of a PMP, and learn how to continuously maintain and improve it for effective implementation in their organisations.
Date: 6 May 2026 (Wednesday)
Time: 2:15pm – 4:15pm
Mode: Online
Language: Cantonese
Fee: $750/$600* (*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 2 CPD points (The Law Society of Hong Kong, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)
Who should attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of the data protection trend and best practices.
|
Professional Workshop on Data Protection in Direct Marketing Activities
|
Organisations often use customers’ personal data to conduct direct marketing activities to promote products or services. These activities are governed by the PDPO. Organisations have the responsibility to ensure that their employees clearly understand and comply with the provisions on direct marketing under the PDPO, which also helps organisations maintain a positive reputation and demonstrate their corporate social responsibility.
This workshop will explain in detail the requirements of the direct marketing provisions under the PDPO and provide participants with practical guidance on compliance and share conviction cases relating to direct marketing, aiming to help participants understand how to properly use customers’ personal data in direct marketing activities.
Date: 13 May 2026 (Wednesday)
Time: 2:15pm – 5:15pm
Venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen’s Road East, Wanchai, Hong Kong
Language: Cantonese
Fee: $750/$600* (*Members of the DPOC and supporting organisations may enjoy the discounted fee)
Accreditation: 3 CPD points (The Law Society of Hong Kong, Insurance Authority, Estate Agents Authority, Property Management Services Authority, Hong Kong Institute of Bankers)
Who should attend: Data protection officers, compliance officers, company secretaries, administration managers, IT Managers, solicitors, database managers and marketing professionals.
|
Professional Workshop on Data Protection in Jun 2026:
|
Online Free Seminars – Introduction to the PDPO Seminar
|
The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below:
|
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
|
Arrange an In-house Seminar for Your Organisation
|
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
|
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
|
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special Offer for Organisational Renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).
Join us now to keep up-to-date with the latest news and legal developments!
|
PCPD Supports the Cyber Security Staff Awareness Recognition Scheme 2026/27
|
The PCPD is delighted to be one of the scheme partners of the Cyber Security Staff Awareness Recognition Scheme 2026/27 (the Scheme). Co-organised by the DPO, HKIRC and ISACA, the Scheme aims to promote the “Human Firewall” concept in the industry by raising staff awareness of cyber security as a second line of defence on top of technical protection, and to enhance organisations’ protection level by encouraging them to raise staff awareness through multiple channels, e.g. training, policy, communication, drill, etc. The Scheme is now open for application until 14 August.
Please click here for the Scheme details and application.
|
The PCPD values the opinions of all our DPOC members. We would love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
|
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen’s Road East, Wanchai, Hong Kong
Tel: 2827 2827
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.