Final Call for Applications for the Privacy-Friendly Awards 2025 

Application for the Privacy-Friendly Awards 2025 is simple and free of charge. Check out the details on the Awards website (https://www.pcpd.org.hk/privacyfriendlyawards/) and apply on or before 7 March 2025!

Deadline for “Data Security” Package Extended

The registration deadline has been extended to 30 April 2025. Interested schools, NGOs and SMEs are welcome to obtain further information by emailing training@pcpd.org.hk.

Reporting to Legislative Council – Privacy Commissioner Attends Meeting of Legislative Council Panel on Constitutional Affairs to Brief Members on PCPD’s Work in 2024

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Legislative Council Panel on Constitutional Affairs on 17 February to brief Members on the work of the PCPD in 2024 and its strategic focus this year.
 
The Privacy Commissioner reported that in 2024, the PCPD handled 442 doxxing cases. The figure significantly dropped by 42% when compared with 756 cases in 2023. In 2024, the number of doxxing cases uncovered by the PCPD’s proactive online patrols was 87, representing a significant drop of over 90% when compared to 1,134 cases in 2022 (i.e. the first year after the commencement of the anti-doxxing provisions).
 
In response to the rising trend of personal data breach incidents in recent years, the PCPD stepped up its efforts in different aspects to assist organisations in strengthening data security. This included launching a thematic webpage on “Data Security”, establishing the “Data Security Scanner” and “Data Security Hotline”, as well as publishing guidelines relating to data security.
 
Regarding the international discussions on artificial intelligence (AI), the Privacy Commissioner pointed out that the PCPD, as a co-chair of the Global Privacy Assembly’s Ethics and Data Protection in AI Working Group, would contribute to setting the priorities and approaches of data protection authorities worldwide in addressing the risks brought by AI.
 
Please click here for the Privacy Commissioner’s opening remarks (Chinese only).
Please click here for the paper submitted by the PCPD to the Legislative Council Panel on Constitutional Affairs.

PRIVACY 101

AI in Business: Maximising Benefits while Protecting Personal Data Privacy

From generative AI-powered chatbots to forecasting tools that utilise machine learning, AI has experienced exponential growth and has become an integral part of business operations. As AI takes over time-consuming tasks and automates a wide range of processes, organisations can benefit from increased efficiency, enhanced customer experience, cost reduction, and even faster decision-making processes. Organisations worldwide are racing to leverage this technology, if they have not already experienced it first-hand.

Despite the opportunities that AI presents, organisations must also heed the risks posed by AI. Among these, privacy stands out as one of the most significant concerns, as the training and use of AI systems involve processing a large amount of personal data. Protecting personal data when using AI systems is therefore of utmost importance, especially for organisations that procure, implement and use AI systems in their operations.  

In addition to integrating the Data Stewardship Values and Ethical Principles of AI advocated in the PCPD's “Guidance on the Ethical Development and Use of Artificial Intelligence” into organisations' daily operations and work flows, here are some further recommended measures to consider in safeguarding personal data while enjoying the benefits brought by AI:

• Establish AI Strategy and Governance: Formulate an AI strategy and governance considerations for procuring AI solutions, establish an AI governance committee (or similar body) and provide employees with training relevant to AI;
• Conduct Risk Assessment and Human Oversight: Conduct comprehensive risk assessments, formulate a risk management system, adopt a “risk-based” management approach, and, depending on the levels of the risks posed by AI, adopt proportionate risk mitigating measures, including deciding on the level of human oversight;
• Customisation of AI Models and Implementation and Management of AI Systems: Prepare and manage data, including personal data, for customisation and/or use of AI systems, test and validate AI models during the process of customising and implementing AI systems, ensure system security and data security, and manage and continuously monitor AI systems; and
• Communicate and Engage with Stakeholders: Communicate and engage regularly and effectively with stakeholders, in particular internal staff, AI suppliers, individual customers and regulators, in order to enhance transparency and build trust.

To learn more about the recommendations, please refer to the “Artificial Intelligence: Model Personal Data Protection Framework”.

PRIVACY COMMISSIONER’S FINDINGS

Unauthorised Access of Personal Data Held by Public Schools via a Web-based Application System

Background

Four public schools reported to the PCPD that a web-based application system operated by them and developed by the government bureau responsible for education (the System) was compromised and the data contained therein were stolen. The PCPD inquired the four schools and the bureau regarding the incident.

The compliance actions revealed that the bureau was responsible for providing technical support, guidelines and training to the schools regarding the System, whereas the schools being the System users were responsible for operating and maintaining the Systems as well as handling students’ personal data contained therein.

The bureau provided updated versions of the System from time to time with additional functions addressing cybersecurity issues. After detecting an unauthorised access into the System, the bureau released an updated version of the System fixing the security vulnerabilities, and requested the schools to update to the latest version within two weeks. However, not all schools suffering from the attack applied the update promptly.

Remedial Measures

In response to the incident, the bureau issued notices to schools reminding them to regularly review the operation of the System server and logs according to the applicable task list. The bureau also committed to having more direct communication with schools if a high-risk situation arose and an immediate critical security update was warranted. On the other hand, the bureau confirmed that the System was gradually moving to a centralised cloud platform so as to better monitor the suspicious activities and apply protective measures or new versions in a timely manner.

Lessons Learnt

No organisation could be completely immune from cyberattacks. It is therefore important for data users to take all reasonable precautions to protect their systems from cyberattacks. Although the bureau is not the data user in this incident, being the System provider as well as the supervisory body of public schools, the bureau could adopt a more proactive approach to direct its users to install all critical updates. On the other hand, the schools should have acted promptly once they received any notice regarding the update of the System from the bureau so as to safeguard data integrity and security.

TECH TALK

AI Chatbots and Privacy: Essential Tips for Safe Use

As AI chatbots have commonly integrated into our daily routines – whether we are seeking quick answers to questions from banks, making reservations at restaurants, or even finding products and recommendations while shopping online – it is essential for users to understand how to protect their personal data privacy. With these convenient tools at our fingertips, ensuring that we use them safely and responsibly is paramount.

Here are some practical tips for users of AI chatbots to safeguard their personal data while enjoying the benefits brought by this innovative technology.

Before Registration/Use:

• Read the Privacy Policy, Terms of Use and other relevant data handling policies;
• Beware of fake apps and phishing websites posing as known AI chatbots; and
• Adjust the settings to opt-out of sharing chat history (if applicable).

When Interacting with AI Chatbots:

• Refrain from sharing your own personal data and others’ personal data;
• If necessary, submit a correction or removal request;
• Guard against cybersecurity threats; and
• Delete outdated conversations from chat history.

Safe and Responsible Use of AI Chatbots:

• Be cautious about using the information provided by AI chatbots; and
• Refrain from sharing confidential information and files.

WHAT’S ON

Reaching Out to the Education Sector – Privacy Commissioner Attends the Annual Dinner of the Hong Kong Association for Computer Education

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Annual Dinner of the Hong Kong Association for Computer Education (HKACE) on 27 February to meet with members of the HKACE.

The PCPD has been collaborating with the HKACE, including organising seminars, to raise the awareness of data security in the education sector.

Reaching Out to Legal Professionals – Privacy Commissioner Attends the Law Society’s 15^th Recreation and Sports Night

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Law Society of Hong Kong (Law Society)’s 15^th Recreation and Sports Night on 21 February to meet with members of the legal profession.

The 15^th Recreation and Sports Night is one of the sub-events of the Sports Law Mega Event 2025 organised by the Law Society. The PCPD is one of the supporting organisations. The Sports Law Mega Event 2025 consists of two other sub-events: the Sports Law Conference and the 9^th Guangdong-Hong Kong-Macao Lawyers Sports Meet.

Reaching Out to the Commercial Sector – Privacy Commissioner Attends “10 Issues of Most Concern Perceived by the HK Commercial Sector in 2024” Prize Presentation Ceremony

Privacy Commissioner Ms Ada CHUNG Lai-ling attended “10 Issues of Most Concern Perceived by the HK Commercial Sector in 2024” prize presentation ceremony on 18 February and served as a guest to announce one of the most concerned issues. The Ceremony was jointly organised and supported by local associations, chambers of commerce, the Hong Kong Commercial Daily and other media.
 
The event has been organised since 2006, and the selection is from the major news events that matter most to the Hong Kong commercial sector, with a view to reflecting the sector’s thoughts, policy concerns and demands.

Reaching Out to Legal Professionals – Privacy Commissioner Attends the Law Society of Hong Kong Spring Cocktail Reception 2025

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Law Society of Hong Kong Spring Cocktail Reception 2025 on 12 February to celebrate the Year of the Snake with legal professionals.

The Privacy Commissioner has been supporting the work of the Law Society. Over the past years, she served as a member of the judging panel for its Pro Bono and Community Work Recognition Programme, spoke at seminars or conferences organised by the Law Society and published articles on the monthly magazine Hong Kong Lawyer.

Reaching Out to University – Privacy Commissioner Shares Fraud Prevention Tips with Lingnan University Students

The PCPD organised a webinar for students of Lingnan University on 11 February on fraud prevention and the requirements of Personal Data (Privacy) Ordinance (PDPO). The seminar attracted over 170 participants.

At the webinar, Privacy Commissioner Ms Ada CHUNG Lai-ling and PCPD’s representative elaborated on some common types of frauds and offered tips to the students to prevent fraud. The speakers also gave an overview of the six Data Protection Principles under the PDPO, with a view to enhancing students’ respect for and protection of personal data privacy.

Enhancing Data Security – PCPD Collaborates with HKIRC to Launch the Third Episode of Promotional Video 

To assist organisations in raising employees’ awareness of cyber security and personal data protection, the PCPD and the Hong Kong Internet Registration Corporation Limited (HKIRC) have jointly launched a series of promotional videos to provide relevant guidance and tips in a lively manner to organisations.

The third episode, themed “Safely Using Artificial Intelligence in the Workplace”, is now available at the PCPD’s website, YouTube channel and other social media platforms, as well as HKIRC’s “Cybersec Training Hub”. Please click here to watch the video.

Promoting AI Security – Privacy Commissioner Speaks at Tech Applied Summit

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the inaugural Tech Applied Summit organised by the Hong Kong Applied Science and Technology Research Institute (ASTRI) themed “Leading Tech Forward” on 10 February.

The Privacy Commissioner spoke as a panellist at a thematic session titled “Ensuring Trustworthiness in Generative AI - Challenges and Solutions”, where she discussed the privacy risks posed by generative AI and shared the work of the PCPD in education and facilitating compliance in the area. The Privacy Commissioner also introduced the various guidelines published by her, including the “Artificial Intelligence: Model Personal Data Protection Framework” published in 2024.

The Summit attracted more than 2,000 participants including government officials, as well as local, Mainland and overseas technology experts from tech companies, universities and research centres.

Reaching Out to the Community – PCPD’s Representative Attends HKFYG’s 65^th Anniversary Luncheon and Neighbour Fest

The then Assistant Privacy Commissioner for Personal Data (Corporate Communications and Compliance) Ms Joyce LAI Chi-man attended the Hong Kong Federation of Youth Groups’ (HKFYG) 65^th Anniversary Luncheon and Neighbour Fest on 25 January and exchanged views with different stakeholders who attended the luncheon.
 
The PCPD organised seminars for the education sector and parents from time to time. The HKFYG supported the PCPD by sending representatives to speak at the seminars to share their experience on the handling of cyberbullying cases.

PCPD Arranges All Staff Members to Visit the National Security Exhibition Gallery

The PCPD arranged all staff members to visit the National Security Exhibition Gallery in groups on 23 and 24 January to gain further understanding and insights into the 20 security fields of the holistic approach to national security.
 
The National Security Exhibition Gallery is the first thematic gallery in the HKSAR dedicated to the systematic promotion of national security education. Located on the second floor of the Hong Kong Museum of History in Tsim Sha Tsui, the National Security Exhibition Gallery has an area of over 1,100 square metres and is open to the public free of charge.

MEDIA STATEMENT

A 43-year-old Male Arrested for Suspected Doxxing Arising from Monetary Dispute

The PCPD arrested a Chinese male aged 43 in Kowloon on 24 February. The arrested person was suspected to have disclosed the personal data of his former friend and her daughter without the former friend’s consent, in contravention of section 64(3A) of the PDPO.

The PCPD’s investigation revealed that the arrested person and the victim had had a relationship since 2021 which terminated in 2022. The arrested person continued contacting the victim afterwards. The two had a monetary dispute in 2024 and the arrested person alleged that the victim owed him money.

On three different occasions between December 2024 and early January 2025, dunning flyers containing the same set of personal data of the victim and her daughter were posted at the external walls of the primary school attended by the victim’s daughter and at nearby lamp posts and housing estate, claiming that the victim had not repaid the debt. Later in mid-January 2025, the victim received some photos in an instant messaging application showing a person wearing a T-shirt printed with the same contents of the aforesaid flyers taking MTR and dining in a restaurant near her residence. The personal data disclosed included the Chinese name and photo of the victim, and the Chinese name of her daughter alongside the name of the primary school and grade that she was attending.

The PCPD reminds members of the public that they should not dox others because of monetary disputes. Doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.

Relevant Provisions under the PDPO

Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject —

1. With an intent to cause any specified harm to the data subject or any family member of the data subject; or
2. Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.

A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.

Pursuant to section 64(3C) of the PDPO, a person commits an offence if —

1. The person discloses any personal data of a data subject without the relevant consent of the data subject —

   1. With an intent to cause any specified harm to the data subject or any family member of the data subject; or

   2. Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and

2. The disclosure causes any specified harm to the data subject or any family member of the data subject.

A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.

According to section 64(6) of the PDPO, specified harm in relation to a person means —

1. Harassment, molestation, pestering, threat or intimidation to the person;
2. Bodily harm or psychological harm to the person;
3. Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
4. Damage to the property of the person.

A Debt Collector Arrested for Suspected Doxxing

The PCPD arrested a Chinese male aged 40 in Kowloon on 11 February. The arrested person was suspected to have disclosed the personal data of the data subject without his consent, in contravention of section 64(3A) of the PDPO.

The PCPD’s investigation revealed that the victim had been unable to settle outstanding debts which he owed to several financial institutions. In November 2024, dunning flyers containing the personal data of the victim were posted on a corridor wall outside the unit where he resided, alongside allegations that the victim was in debt. The personal data disclosed included the victim’s Chinese name, residential address, partial HKID card number, as well as a partly redacted copy of the victim’s HKID card showing his photo, Chinese name, English name, name in Chinese Commercial Code and gender.
 
The PCPD reminds members of the public that identity cards contain sensitive personal data. Disclosing copies of identity cards without the consent of the data subject concerned, either arbitrarily or maliciously, may constitute a doxxing offence. An offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.

MAINLAND CORNER

Highlights of the “Practical Guidance of Cybersecurity Standards – Requirements for Protection of Personal Information in Face Recognition Payment Scenarios”  

《網絡安全標準實踐指南 — 人臉識別支付場景個人信息安全保護要求》的重點

The National Technical Committee 260 on Cybersecurity of Standardization Administration of China released the “Practical Guidance of Cybersecurity Standards – Requirements for Protection of Personal Information in Face Recognition Payment Scenarios” (the Practical Guidance) on 26 January 2024, setting out security requirements for the collection, storage, transmission, export, and deletion of personal information in facial recognition payment scenarios. This article provides an overview of the Practical Guidance.

全國網絡安全標準化技術委員會（網安標委）於2025年1月26日發布《網絡安全標準實踐指南 — 人臉識別支付場景個人信息安全保護要求》（《指南》）¹。《指南》提出了人臉識別支付場景數據收集、存儲、傳輸、導出、刪除等環節的安全要求，重點摘錄如下：

《指南》的對象

《指南》為下列四類組織或個人提供指引²：

1. 人臉識別支付服務提供方；
2. 人臉驗證服務方；
3. 設備運營方（例如營運自動售賣機的企業）；及
4. 場所管理方（例如物業管理公司）。

人臉識別支付服務的定義

《指南》所提及的人臉識別支付服務主要覆蓋以下兩大類場景³：

1. 通過用戶所擁有的設備提供的人臉識別支付服務（例如手機銀行及手機支付App）: 在此類場景中，相關方包含人臉識別支付服務提供方、人臉驗證服務方及用戶，不涉及場所管理方及設備運營方。
2. 通過經營主體布放的設備提供的人臉識別支付服務（例如櫃員機、自動販賣機等）: 在此類場景中，相關方涉及人臉識別支付服務提供方、人臉驗證服務方、場所管理方及設備運營方。

《指南》的安全要求

《指南》為各相關方提出了詳盡的建議要求，部分要求如下：

1. 基本要求⁴

2. 數據收集、存儲、傳輸、導出、刪除的安全的重點要求⁵

總結

《指南》圍繞人臉識別支付場景的整個個人信息處理過程，向人臉識別支付服務提供方、人臉驗證服務方、設備運營方及場所管理方提供了詳盡且落地的指引。相關各方宜參閱箇中建議，在各個環節妥善保護個人信息安全。

¹ 全文： https://www.tc260.org.cn/front/postDetail.html?id=20250126115447

² 《指南》第2章。

³ 《指南》第3章。

⁴ 《指南》第4章。

⁵ 《指南》第5章。

⁶ 要求用戶直視收集設備並做出目光注視、特定姿勢、表情，或進入明確標註了人臉識別應用的專用收集通道等。見《指南》5.1(b) 注釋。

⁷ 按照法律法規明確要求留存的人臉識別相關存證數據除外。

⁸ 有關管理部門有明確要求的除外。見《指南》6.4(a)。

⁹ 因業務需要確需提供或委託處理的，應進行個人信息保護影響評估並按照法律要求取得相應的合法性基礎。見《指南》6.4(b)。

¹⁰ 註冊時保存的特徵信息，以及為保證個人財產安全，相關主管部門明確要求必須保留的數據除外。見《指南》6.5(a)。

RECOMMENDED TRAININGS

Professional Workshop on Recent Court and Administrative Appeals Board Decisions

Legal professionals and compliance officers should keep abreast of the latest decisions and arguments of the court and the Administrative Appeals Board relating to personal data privacy. In this regard, the PCPD lawyer will give you a deep dive into those cases and the commonly deployed provisions of the PDPO, strengthening your understanding of the cases from a legal perspective and the knowledge in the interpretation and application of the PDPO.

Date: 5 March 2025 (Wednesday)

Time: 2:15pm – 5:15pm

Mode: Online

Fee: $950/$760*

(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: Solicitors, barristers, in-house legal counsels, data protection officers and compliance officers, company secretaries and administration managers

Professional Workshop on Data Protection in Banking/Financial Services

The application of fintech has developed rapidly in recent years, changing the landscape of the financial world. Practitioners of the banking and financial industry may face different personal data privacy issues in their business operations. To deal with these new challenges, a clear understanding of the requirements under the PDPO is necessary.

This workshop examines the risks of handling personal data in the daily operations of banking and financial services institutions, and provides practical advice on how to deal with these issues effectively. It is particularly suitable for data protection officers, compliance officers, banking/ financial practitioners, company secretaries and solicitors.

Date: 12 March 2025 (Wednesday)

Time: 2:15pm – 5:15pm

Mode: Online

Fee: $750/$600*

(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: Data protection officers, compliance officers, company secretaries, solicitors, advisers and other personnel undertaking work relating to the banking/financial industry

Professional Workshop on Data Protection and Data Access Request

Receiving Data Access Requests (DAR) is a frequent occurrence for many organisations. For example, employees may request employers for copies of their previous appraisal reports; patients may request for copies of their medical records, etc. Handling DAR properly, effectively and in a timely manner poses a challenge to many organisations.

This workshop will examine in detail the compliance requirements for handling DAR under the PDPO and offer practical guidance to participants on handling DAR. 

Date: 19 March 2025 (Wednesday)

Time: 2:15pm – 5:15pm

Mode: Face-to-face
(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)

Fee: $750/$600*

(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: Solicitors, data protection officers, administration managers, human resource officers, customer services personnel

New Series of Professional Workshops on Data Protection from Apr to Jun 2025:

Online Free Seminar – Introduction to the PDPO Seminar

The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below: 

Seminar Outline:

• A general introduction to the PDPO;
• The six Data Protection Principles;
• Offences and compensation;
• Direct marketing; and
• Q&A session. 

Arrange an In-house Seminar for Your Organisation 

Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.

The seminar outline is as follows:

• A general introduction to the PDPO;
• The six Data Protection Principles (industry-related cases will be illustrated);
• Data security management;
• Handling of data breach incidents;
• Direct marketing;
• Offences and compensation; and
• Q&A session.

Duration: 1.5 hours

APPLICATION / RENEWAL OF DPOC MEMBERSHIP

Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!

Special Offer for Organisational Renewals:

Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).

Join us now to keep up-to-date with the latest news and legal developments!

SUGGESTION BOX

The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.

Contact Us

Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong

Tel: 2827 2827

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
 

Copyright

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.