Categories of Awards and Assessment Criteria

Categories of Awards

A Privacy-Friendly Award will be presented to the awardees in recognition of their commitment and efforts in the protection of personal data privacy, while encouraging them to implement good data governance and enhancing their awareness of protecting personal data privacy and data security.

Outstanding Gold Award

Five “Privacy Protection Measures” being put in place or completed with outstanding performance

Gold Award

Five “Privacy Protection Measures”
being put in place or completed

Silver Award

Three or four “Privacy Protection Measures”
being put in place or completed

Bronze Award

One or two “Privacy Protection Measure(s)”
being put in place or completed

Three Special Awards are introduced this year, they are:

Best AI Governance Award;
Best Data Protection Officer Award; and
Best Data Breach Response Plan Award.

The 2025 Awards will be valid till 30 June 2027.

Assessment Criteria (Privacy Protection Measures)

Organisations should indicate whether the following Privacy Protection Measure(s) has/have been put in place or completed by the application deadline for the Awards (7 March 2025), and provide relevant supporting document/information for illustration:

Assessment Criteria	Required Documents/Information
Privacy Protection Measure 1 Discussed data security policies or reviewed the implementation of data security measures at board meetings and/or senior management meetings in the organisation within the past 24 months before submission of the application	Relevant meeting minutes/documents
Privacy Protection Measure 2 Have at least one Data Protection Officer (DPO) (either on a full-time or part-time basis) or have established a dedicated department for data protection. Please also state the responsibilities of the DPO/the department and the initiative(s) carried out by the DPO/the department in the past 24 months before submission of the application	Proof of having Data Protection Officer(s) (DPO) or a dedicated department for data protection A brief introduction of the responsibilities of the DPO/the department and the initiative(s) carried out by the DPO/the department
Privacy Protection Measure 3 Completed the PCPD’s Data Security Scanner¹	Upload the screenshot (including date and reference number) to this application form after the completion of the PCPD’s Data Security Scanner
Privacy Protection Measure 4 Developed a data breach response plan²	Proof of having a data breach response plan/similar guidelines/policies
Privacy Protection Measure 5 Provided training or education for staff on the protection of personal data privacy within the past 24 months before submission of the application	Relevant training records or training materials

¹The PCPD Data Security Scanner: https://www.pcpd.org.hk/Toolkit/en/

²Please refer to P.3 of “Guidance on Data Breach Handling and Data Breach Notifications”https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_note_dbn_e.pdf