
PCPD e-Newsletter


ISSUE Aug 2021


Using Artificial Intelligence Ethically

 

Artificial intelligence (AI) has huge potential in boosting productivity and economic growth. Its adoption, which raises privacy and ethical risks, is also becoming increasingly popular in Hong Kong. Against this background, the Office of the Privacy Commissioner for Personal Data (PCPD) has recently issued the “Guidance on the Ethical Development and Use of Artificial Intelligence” (Guidance) to help organisations understand and comply with the relevant requirements of the Personal Data (Privacy) Ordinance (PDPO) when they develop or use AI.


The Guidance recommends that organisations embrace three fundamental Data Stewardship Values when they develop and use AI, namely, being respectful, beneficial and fair to stakeholders. In line with international standards, the Guidance sets out the following seven ethical principles for AI:

  • Accountability – organisations should be responsible for what they do and be able to provide sound justifications for their actions;
  • Human Oversight – organisations should ensure that appropriate human oversight is in place for the operation of AI;
  • Transparency and Interpretability – organisations should disclose their use of AI and relevant policies while striving to improve the interpretability of automated decisions and decisions made with the assistance of AI;
  • Data Privacy – effective data governance should be put in place;
  • Fairness – organisations should avoid bias and discrimination in the use of AI;
  • Beneficial AI – organisations should use AI in a way that provides benefits and minimises harm to stakeholders; and
  • Reliability, Robustness and Security – organisations should ensure that AI systems operate reliably, can handle errors and are protected against attacks.

 

The Guidance also provides a practice guide, structured in accordance with general business processes, to assist organisations in managing their AI systems. The practice guide covers four main areas:

  • Establish AI strategy and governance;
  • Conduct risk assessment and human oversight;
  • Execute development of AI models and management of overall AI Systems; and
  • Foster communication and engagement with stakeholders.

To assist organisations in understanding the Guidance, the PCPD will hold a webinar on 13 September 2021 at 3:00 – 4:30pm.  Privacy Commissioner Ms Ada CHUNG Lai-ling and Deputy Government Chief Information Officer Mr Tony WONG, JP, will explain and elaborate on the principles and practices recommended in the Guidance and the “Ethical Artificial Intelligence Framework”, which were recently issued by the PCPD and the Office of the Government Chief Information Officer respectively.  

 


PRIVACY COMMISSIONER'S FINDINGS

 
 

PCPD Released Inspection Report on Customers’ Personal Data Systems of Two Public Utility Companies

 

 

PRIVACY 101

 
 

Building a “Protect, Respect Personal Data” Culture in Your Organisation -

Providing Training on Personal Data Privacy Protection to Staff

 

MAINLAND CORNER

 
 

 

The Personal Information Protection Law of China will take effect on 1 November 2021

 

 

RECOMMENDED ONLINE TRAINING

Webinar on the New Standard Contractual Clauses of the EU for Transfer of Personal Data from EU to Third Countries

Webinar on the Ethical Development and Use of Artificial Intelligence

Online Professional Workshops

Free Online Seminar: Introduction to the PDPO

Arrange In-house Seminar for Your Organisation 

 READER SURVEY

RENEWAL OF DPOC's MEMBERSHIP 

 

WHAT'S ON

Mr TY LEE Took Office as the Deputy Privacy Commissioner for Personal Data

Privacy Commissioner Delivered a Keynote Speech at the Women in Governance Conference

SUPPORTING EVENT

PCPD Supports The Hong Kong Institute of Bankers Annual Banking Conference 2021

PCPD Supports “Hong Kong Cyber Security New Generation Capture the Flag (CTF) Challenge 2021” Contest

GLOBAL PRIVACY LANDSCAPE

EU: European Parliament Launches Briefing on Data Challenge

Can the New Standard Contractual Clauses Work for Small Business?

UK: ICO Issues Guidance on Direct Marketing for Public Sector Organisations

Canada: OPC Updates Guidance on Sensitive Information


PRIVACY COMMISSIONER'S FINDINGS


PCPD Released Inspection Report on Customers’ Personal Data Systems of Two Public Utility Companies 

Public utility companies handle vast amounts of customers’ personal data in the routine course of maintaining service accounts, processing bills and handling customer enquiries. In addition to providing reliable and high-quality services, public utilities are expected to embrace personal data privacy protection as part of their corporate governance and protect the personal data systems of their customers from unauthorised access, processing and use.  In this connection, the Privacy Commissioner carried out an inspection and released an inspection report on the customers’ personal data systems of CLP Power Hong Kong Limited (CLP) and The Hongkong Electric Company, Limited (HKE).

 

The findings revealed that both CLP and HKE had implemented a Personal Data Privacy Management Programme and had adopted good practices. The security measures adopted by the two companies regarding their customers’ personal data systems conformed with international standards and were found to be satisfactory. The Privacy Commissioner considers that in the protection of their customers’ personal data, the two companies comply with the requirements of Data Protection Principle 4 of Schedule 1 to the PDPO as regards the security of personal data.


In the inspection report, the Privacy Commissioner has also made the following nine recommendations to public utility companies and organisations which handle vast amounts of customers’ personal data:

  • Prepare for unexpected threats to personal data privacy;
  • Implement Personal Data Privacy Management Programme;
  • Appoint Data Protection Officers;
  • Keep personal data inventory;
  • Devise system security policies and procedures;
  • Adopt role-based access to customers’ data;
  • Implement monitoring on top of preventive measures;
  • Protect both electronic and paper records; and
  • Implement measures to raise staff awareness.
 

PRIVACY 101


Building a “Protect, Respect Personal Data” Culture in Your Organisation

Providing Training on Personal Data Privacy Protection to Staff

A sound Personal Data Privacy Management Programme (PMP) requires all members of an organisation to be aware of, and be ready to act on, personal data protection obligations. Hence, organisations should provide employees with up-to-date training and education tailored to specific needs. Organisations should also document their training processes and measure participation and effectiveness.

 

Below are examples of personal data privacy protection training and education activities provided to employees:

 

To assist organisations in offering personal data protection trainings to their staff, the PCPD provides various kinds of seminars and workshops regularly. The PCPD’s representatives may conduct in-house seminars for individual organisations to explain the requirements of the PDPO to their staff.  Besides, organisations can send their staff to attend PCPD’s professional workshops tailored to the needs of those dealing with personal data in different work contexts.  For more details of the trainings provided by the PCPD, please click the following links:

https://www.pcpd.org.hk/english/education_training/organisations/workshops/workshop.php

https://www.pcpd.org.hk/english/education_training/seminars/in_house_seminar.html

Organisations are also advised to implement a PMP. More details can be found at:

https://www.pcpd.org.hk//english/resources_centre/publications/files/PMP_guide_e.pdf

 

 

MAINLAND CORNER


 

The Personal Information Protection Law of the Mainland will take effect on 1 November 2021

The Personal Information Protection Law (PIPL), the first piece of legislation in the Mainland dedicated to the protection of personal information, was passed by the Standing Committee of the National People's Congress on 20 August 2021 and will be effective from 1 November 2021.

 

The PIPL establishes individuals’ consent as the principal legal basis for processing personal information. It requires that the processing of personal information shall abide by the principles of legality, fairness, good faith, minimum necessity, openness and transparency. There shall also be specific and reasonable purposes of processing[1].

 

Individuals shall have the right to access and obtain a copy of their personal information from the processors of personal information (similar to data users under the PDPO). Individuals can also request the processors of personal information to rectify and delete their personal information, as well as to provide them with means to transfer their personal information to other processors[2].

 

When processing personal information of a minor under the age of 14, processors of personal information shall obtain the consent of the minor’s parent or guardian, and establish specific processing rules[3].

 

The PIPL prohibits the use of automated decision-making based on personal information if it leads to unreasonable price discrimination against individuals. In addition, when automated decision-making is used for push notification or marketing, individuals shall be provided either with an option for not receiving personalised information or convenient opt-out channels[4].

 

Processors of personal information which need to transfer personal information out of the Mainland shall obtain separate consent from individuals, and meet certain requirements, such as passing the security assessment made by the state cyberspace authorities, obtaining the required certification, or entering into a standard contract as prescribed by the state cyberspace authorities[5].

 

The PIPL contains provisions on extraterritorial application. Foreign organisations which process personal information of individuals in the Mainland for the purposes of offering products or services to them, or analysing and assessing their behaviours, shall be subject to this law[6]. These foreign organisations shall also establish designated agencies or appoint representatives in the Mainland[7].

 

The state cyberspace authorities shall be responsible for coordinating the protection of personal information and the relevant regulation work. Ministries of the State Council shall be responsible for the protection of personal information and regulation work within their purview[8].

 

A processor of personal information which contravenes the requirements under the Personal Information Protection Law is liable to a maximum fine of RMB 50,000,000 or 5% of its annual turnover of the preceding year. Other penalties may include suspension of operation for rectification, cancellation of business permits or licenses, etc[9].

 

The full text of the PIPL (in Chinese only) is available on the website of the National People’s Congress:

http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml

 

Watch out for other updates on the PIPL on our website.

 

[1] Articles 5 to 7 of the PIPL

[2] Articles 45 to 47 of the PIPL

[3] Article 31 of the PIPL

[4] Article 24 of the PIPL

[5] Articles 38 to 39 of the PIPL

[6] Article 3(2) of the PIPL

[7] Article 53 of the PIPL

[8] Article 60 of the PIPL

[9] Article 66 of the PIPL


WHAT'S ON

Mr TY LEE Took Office as the Deputy Privacy Commissioner for Personal Data

 

Mr TY LEE took office on 24 August 2021 as the Deputy Privacy Commissioner for Personal Data.

 

Mr Lee is a barrister-at-law. He joined the Department of Justice (DOJ) as a Government Counsel in 1997. Mr Lee had worked in the Civil Litigation Unit of the Civil Division, the Secretariat of the Law Reform Commission and various Units of the Constitutional and Policy Affairs Division of the DOJ. He left DOJ as a Senior Assistant Solicitor General.

 

Mr Lee was appointed after an open recruitment exercise.

Privacy Commissioner Delivered a Keynote Speech at the Women in Governance Conference

Privacy Commissioner Ms Ada CHUNG Lai-ling gave a keynote speech on corporate governance policies that support women at the Women in Governance Conference organised by the Hong Kong Institute of Directors and five other institutes of directors on 11 August 2021.

 

In her keynote speech, the Privacy Commissioner emphasised the importance of gender diversity in corporate governance and shared her views on relevant corporate governance policies that support women.


RECOMMENDED ONLINE TRAINING

PCPD's 25th Anniversary Event - Webinar on the New Standard Contractual Clauses of the EU for Transfer of Personal Data from EU to Third Countries

The General Data Protection Regulation (GDPR) of the European Union (EU) imposes requirements on the transfer of personal data from the EU to non-EU countries. Standard Contractual Clauses (SCCs) have been heavily relied upon by many organisations to enable lawful and secure transfer of personal data from the EU to third countries. In June 2021, the European Commission adopted a new set of SCCs to better reflect the requirements under the GDPR and the ruling made by the Court of Justice of the EU in the case of Schrems II that also invalidated the EU-US Privacy Shield. In this webinar, the PCPD invites expert speakers to-

  • explain the requirements on international transfer of personal data under the GDPR and the effect of the ruling in Schrems II;
  • explain the features of the new SCCs adopted by the European Commission and how organisations in Hong Kong can make use of the new SCCs to comply with the relevant legal requirements on transfer of personal data from the EU; and
  • share practical experience in transferring personal data from the EU to Hong Kong.

 

Date: 6 September 2021 (Monday)

 

Time: 4:00 pm – 5:30pm

 

Host/Moderator: Ms Ada CHUNG Lai-ling, Privacy Commissioner

 

Speakers:

  • Mr Ralf SAUER, Deputy Head of Unit for International Data Flows and Protection of European Commission
  • Mr Eduardo USTARAN, Partner & Global Co-head of Privacy and Cybersecurity Practice of Hogan Lovells, London
  • Mrs Ina WEYGANT, Group Data Protection Officer, Cathay Pacific Airways

 

Fee: $450 / $360*

(*applicable to members of PCPD's Data Protection Officers' Club only)

 

Accreditation: Accreditation of the Law Society of Hong Kong is being sought

 

Language: English

 

Who should attend: Legal professionals, Compliance Officers, Data Protection Officers and others who operate businesses in the EU

PCPD's 25th Anniversary Event - Webinar on the Ethical Development and Use of Artificial Intelligence

Artificial Intelligence (AI) presents huge opportunities and benefits to economic development and our daily life. However, it also poses challenges to personal data privacy as personal data is commonly used in the development and application of AI. This webinar will explain and elaborate on the principles and practices recommended in the “Guidance on the Ethical Development and Use of Artificial Intelligence” and “Ethical Artificial Intelligence Framework”, which were newly issued by the PCPD and the Office of the Government Chief Information Officer respectively.

 

Date: 13 September 2021 (Monday)

 

Time: 3:00 pm – 4:30pm

 

Speakers:

  • Ms Ada CHUNG Lai-ling, Privacy Commissioner
  • Mr Tony WONG, JP, Deputy Government Chief Information Officer

 

Fee:

  • Data Protection Officers’ Club members / HKSAR Government officers – Free
  • Other participants – $350

 

Language: Cantonese

 

Who should attend: DPOC Members, government bureaux and departments, and members of industrial and professional associations who develop or use AI in their work

 

Online Professional Workshop on Data Protection and Data Access Request

Organisations may frequently receive Data Access Requests (DAR) lodged by customers or employees in their daily operations. This workshop will examine in detail the compliance requirements for handling DAR under the PDPO and provide practical guidance to participants on handling DAR, so as to assist participants to handle DAR properly and effectively.

 

Date: 8 September 2021 (Wednesday)

 

Time: 2:15pm – 5:15pm

 

Fee: $750/$600*

(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)

 

Language: Cantonese

 

Who should attend: Solicitors, Data Protection Officers, Administration Managers, Human Resource Officers, Customer Services Personnel

 

Online Professional Workshop on Data Protection in Banking/Financial Services

This workshop is designed for banking and financial personnel who wish to acquire knowledge on the requirements under the PDPO in different aspects of the banking and financial services. It will examine the personal data privacy issues facing banking and financial personnel in their daily operation and provide practical steps that can be taken to deal with the issues effectively.

 

Date: 15 September 2021 (Wednesday)

 

Time: 2:15pm – 5:15pm

 

Fee: $750/$600*

(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)

 

Language: Cantonese

 

Who should attend: Data Protection Officers, Compliance Officers, Company Secretaries, Solicitors, Advisers and other personnel undertaking work relating to the banking/financial industry

 

Online Professional Workshop on Privacy Management Programme

Privacy and personal data protection cannot be managed effectively if they are merely treated as a legal compliance issue. Instead, organisations should embrace personal data privacy protection as part of their corporate governance responsibilities and apply them as a business imperative throughout the organisation. It is therefore of paramount importance for an organisation to develop its own Privacy Management Programme (PMP). Through this workshop, participants will be able to understand the fundamentals and components of a PMP and how to maintain and improve it on an ongoing basis.

 

Date: 29 September 2021 (Wednesday)

 

Time: 2:15pm – 4:15pm

 

Fee: $750/$600*

(*Members of the Data Protection Officers' Club and the supporting organisations may enjoy the discounted fee)

 

Language: Cantonese

 

Who should attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of the data protection trend and best practices

 

 

Online Free Seminar - Introduction to the PDPO Seminar

The PCPD organises free introductory seminars to raise public awareness and their understanding of the PDPO.

 

Date: 13 September 2021 (Monday)

 

Time: 3:00pm - 4:30pm

 

Fee:  Free of charge

 

Language: Cantonese

 

Arrange In-house Seminar for Your Organisation 

Protection of personal data privacy is gaining importance in employee training. If you would like to arrange for your organisation to learn more about the PDPO and protection of personal data privacy, you can make a request for an in-house seminar via our online form.

 

Seminar outline:

  • A general introduction to the PDPO
  • The six data protection principles (industry-related cases will be illustrated)
  • Direct Marketing
  • Offences & Compensation
  • Q&A Session

Duration: 1.5 hours


SUPPORTING EVENT

PCPD Supports the Hong Kong Institute of Bankers Annual Banking Conference 2021

The Hong Kong Institute of Bankers (HKIB) Annual Banking Conference 2021 is now open for registration. The PCPD is pleased to be one of the supporting organisations of this event.

 

With the theme "Re-Globalisation, Sustainability and Transformation under the New Normal", this year's HKIB Annual Banking Conference will focus on the profound changes in the industry as a result of the pandemic and the key strategic goals that are high on the financial services agenda for the new normal.

 

For more details, please visit: http://bankingconference.hkib.org/hkib2021/

PCPD Supports the “Hong Kong Cyber Security New Generation Capture the Flag (CTF) Challenge 2021” Contest

Jointly organised by Hong Kong Computer Emergency Response Team Coordination Centre and Hong Kong Productivity Council, the “Hong Kong Cyber Security New Generation Capture the Flag (CTF) Challenge 2021” aims to enhance the cyber security knowledge of practitioners and students via a fun game. The PCPD is pleased to be one of the supporting organisations of this event.

 

For more details, please visit: https://ctf.hkcert.org/


READER SURVEY

Let us know your thoughts and feedback on the contents of the e-newsletter so that we can do better.

 

Please take a few minutes to answer the questions by clicking the button below and email the completed form to dpoc@pcpd.org.hk. We look forward to receiving your valuable feedback for continuous improvement.


RENEWAL OF DPOC's MEMBERSHIP

Renew your membership today and continue to enjoy privileges in course enrolments throughout the year!

 

Special offer for organisational renewal:

 

Organisations are entitled to the 2-for-1 scheme, i.e. two memberships for an annual membership fee of HK$350. Act now for the renewal!


Contact Us

Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong

Tel: 2827 2827

 


 

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.