Media Statements

Date: 18 August 2021

 PCPD Publishes “Guidance on Ethical Development and Use of AI” and Inspection Report on Customers’ Personal Data Systems of Two Public Utility Companies

Artificial intelligence (AI) has huge potential in boosting productivity and economic growth. Its adoption, which raises privacy and ethical risks, is also becoming increasingly popular in Hong Kong. Against this background, the Office of the Privacy Commissioner for Personal Data (PCPD) today (18 August) issued the “Guidance on the Ethical Development and Use of Artificial Intelligence” (Guidance) to help organisations understand and comply with the relevant requirements of the Personal Data (Privacy) Ordinance (PDPO) when they develop or use AI.

The Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, said, “Hong Kong is dedicated to becoming a data hub for the Greater Bay Area and the Asia Pacific region.  In line with the Outline Development Plan for the Guangdong-Hong Kong-Macao Greater Bay Area, the healthy development and use of AI can help Hong Kong exploit its advantages as a regional data hub, as well as empower Hong Kong to become an innovation and technology hub and a world-class smart city.”

The Guidance recommends that organisations embrace three fundamental Data Stewardship Values when they develop and use AI, namely, being respectful, beneficial and fair to stakeholders. In line with international standards, the Guidance sets out the following seven ethical principles for AI :

• Accountability – Organisations should be responsible for what they do and be able to provide sound justifications for their actions;
• Human Oversight – Organisations should ensure that appropriate human oversight is in place for the operation of AI;
• Transparency and Interpretability – Organisations should disclose their use of AI and relevant policies while striving to improve the interpretability of automated decisions and decisions made with the assistance of AI;
• Data Privacy – Effective data governance should be put in place;
• Fairness – Organisations should avoid bias and discrimination in the use of AI;
• Beneficial AI – Organisations should use AI in a way that provides benefits and minimises harm to stakeholders; and
• Reliability, Robustness and Security – Organisations should ensure that AI systems operate reliably, can handle errors and are protected against attacks.

 
The Guidance also provides a set of practice guide, structured in accordance with general business processes, to assist organisations in managing their AI systems. The practice guide covers four main areas:

• Establish AI strategy and governance;
• Conduct risk assessment and human oversight;
• Execute development of AI models and management of overall AI Systems; and
• Foster communication and engagement with stakeholders.

Download the “Guidance on the Ethical Development and Use of Artificial Intelligence”: https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_ethical_e.pdf

Inspection Report on Customers’ Personal Data Systems

The PCPD today also released an inspection report on the customers’ personal data systems of CLP Power Hong Kong Limited (CLP) and The Hongkong Electric Company, Limited (HKE). The findings revealed that both CLP and HKE had implemented a Personal Data Privacy Management Programme and had adopted good practices. The security measures adopted by the two companies regarding their customers’ personal data systems conformed with international standards and were found to be satisfactory. The Privacy Commissioner considers that in the protection of their customers’ personal data, the two companies comply with the requirements of Data Protection Principle 4 of Schedule 1 to the PDPO as regards the security of personal data.

The Privacy Commissioner said, “The PCPD is committed to monitoring and supervising compliance with the provisions of the PDPO, including exercising the power under section 36 of the PDPO to carry out site inspections of the data systems of organisations which handle vast amounts of personal data. Depending on the facts of individual cases, the PCPD will give advice to the organisation concerned to strengthen the protection of customers’ personal data privacy, including the implementation of effective measures to prevent the improper use of customers’ personal data by staff for doxxing or other unauthorised or illegal purposes.”

Through the findings of the inspection, the Privacy Commissioner would like to make the following nine recommendations to public utility companies and organisations which handle vast amounts of customers’ personal data:

• Prepare for unexpected threats to personal data privacy;
• Implement Personal Data Privacy Management Programme;
• Appoint Data Protection Officers;
• Keep personal data inventory;
• Devise system security policies and procedures;
• Adopt role-based access to customers’ data;
• Implement monitoring on top of preventive measures;
• Protect both electronic and paper records; and
• Implement measures to raise staff awareness.

Download the Inspection Report “Customers’ Personal Data Systems of CLP Power Hong Kong Limited and The Hongkong Electric Company, Limited”:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r21_3099_e.pdf