PCPD e-NEWSLETTER
ISSUE Sep 2023
Privacy Commissioner’s Office Organises the “Privacy-Friendly Awards 2023” Presentation Ceremony
138 Award-winning Organisations Support the Implementation of Privacy Management Programme
Mr Erick TSANG Kwok-wai, GBS, IDSM, JP, Secretary for Constitutional and Mainland Affairs (fourth from left), Ms Ada CHUNG Lai-ling, Privacy Commissioner for Personal Data (third from left), Members of the Personal Data (Privacy) Advisory Committee and the Standing Committee on Technology Development of the PCPD, Mr Addy WONG Wai-hung, MH, JP (third from right), Mr Joseph LIN Ho-man, MH (first from right), Ms Eirene YEUNG (second from right), Professor Jason LAU (first from left) and Professor the Hon K F WONG, MH (second from left).
Guests, judges and the PCPD’s representatives took a photo with the award-winning organisations.
The PCPD held the “Privacy-Friendly Awards 2023” (Awards) Presentation Ceremony on 31 August to recognise the commitment and performance of 138 organisations, including public and private organisations as well as government departments, in protecting personal data privacy. The Awards Presentation Ceremony, which was officiated by the Secretary for Constitutional and Mainland Affairs, Mr Erick TSANG Kwok-wai, GBS, IDSM, JP, was held at the Hong Kong Convention and Exhibition Centre. Other guests included members of the Personal Data (Privacy) Advisory Committee and the Standing Committee on Technology Development of the PCPD, Mr Addy WONG Wai-hung, MH, JP, Mr Joseph LIN Ho-man, MH, Ms Eirene YEUNG, Professor Jason LAU and Professor the Hon K F WONG, MH. The PCPD organised the Awards under the theme of “Embrace Privacy Management Programme to Gain Trust and Benefits”. After careful consideration and assessment by the judging panel, 138 organisations were awarded, among which 8 organisations won the Outstanding Gold Awards; 80 organisations won the Gold Awards; 33 organisations won the Silver Awards and 17 organisations won the Bronze Awards.
The Outstanding Gold awardees are (in alphabetical order) Census and Statistics Department, CLP Power Hong Kong Limited, Gleneagles Hospital Hong Kong, ISS Facility Services Limited, KPMG China, Swire Coca-Cola Limited, The Hong Kong and China Gas Company Limited and Union Hospital. Short videos were produced for the Outstanding Gold awardees to share their experience and insights in the protection of personal data privacy. The videos have been uploaded to the PCPD’s website and the “Privacy-Friendly Awards 2023” webpage.
Please click here to visit the “Privacy-Friendly Awards 2023” webpage for details of the Awards.
Please click here to view the list of awardees.
Fostering a Digital Future – Privacy Commissioner’s Office Launches New Corporate Video
The PCPD launched a new corporate video on 19 September, with a view to enhancing the public’s understanding of the PCPD’s role as an enforcer, facilitator and educator, and the PCPD’s mission to safeguard their personal data privacy.
In this ever-changing digital age, the responsible and ethical use of data and emerging technologies not only builds mutual trust, but also is a prerequisite for the development of Hong Kong into an international innovation and technology hub and a world-class smart city. Through this video, the PCPD wishes to encourage public and private organisations to work with the PCPD in promoting the healthy development of digital economy and creating a better digital Hong Kong and digital Country. Please click here to watch the video.
Data Breach Incident and How to Handle it
PRIVACY COMMISSIONER’S FINDINGS
Accessing a Patient’s Electronic Health Record for Non-medical Purposes
Protecting Your Personal Data against Phishing Emails
A 59-year-old Solicitor Arrested for Suspected Doxxing of a Barrister
The PCPD Recommends Organisations to Strengthen Data Security Measures to Ensure Data Security
The PCPD’s Response to Media Enquiries on Data Breach Incident of Consumer Council
A 44-year-old Chinese Female Arrested for Doxxing
The PCPD Issues 10 Tips for Users of AI Chatbots
Response of the PCPD on the Cyberport’s Data Breach Incident
A 44-year-old Chinese Male Arrested for a Suspected Doxxing of Former Business Partners
RECOMMENDED ONLINE TRAININGS
Webinar on “Review of the Implementation of the EU’s General Data Protection Regulation and the Way Forward”
Free Online Seminar: Introduction to the PDPO
Arrange an In-house Seminar for Your Organisation
RENEWAL OF DPOC’S MEMBERSHIP
PCPD Supports the Law Society of Hong Kong’s International Summit 2023 in Celebration of the 10th Anniversary of the Belt and Road Initiative “Peace and Prosperity on the Belt and Road”
Privacy Commissioner Publishes an Article Entitled “The Privacy and Ethical Risks of Generative AI cannot be Ignored” at OneTrust DataGuidance
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain the Leaflet on “10 TIPS for Users of AI Chatbots”
Reaching Out to the MPF Industry – Privacy Commissioner Attends the Celebration Event of the 25th Anniversary of the Establishment of Mandatory Provident Fund Schemes Authority
Reaching Out to the Greater Bay Area — Privacy Commissioner Visits Nansha, New Area of Guangzhou
Privacy Commissioner Publishes an Article Entitled “Your Personal Information is not Safe when You Shop Online”
Promoting Data Security – Privacy Commissioner Speaks at the Grand Opening of HKPC’s “Smart & Secure City Hall” Exhibition
Promoting Data Security – PCPD’s Representative Speaks at the Build a Secure Cyberspace 2023 Seminar
Reaching Out to the Community – PCPD’s Representative Interviewed by TVB News’ “A Closer Look”
Reaching Out to the Property Management Sector – Privacy Commissioner Attends the “Embracing the New Era for Property Management” Commemorative Ceremony 2023 of the Property Management Services Authority
The PCPD Publishes an Inspection Report on the Personal Data System of the Registration and Electoral Office
Nurturing Young Talents – the Privacy Commissioner Prize in Privacy and Data Protection Law 2022-23
Safeguarding Data Security – The PCPD Issues Pamphlet on Data Breach Handling and Data Breach Notifications
Highlights of the “Practical Guidance of Cybersecurity Standards – Labelling Methods for Content Generated by Generative Artificial Intelligence Services”
EU: Traffic and Location Data Retained by Providers to Investigate Serious Crimes Cannot be Used to Combat Less Serious Crimes, CJEU Rules
EU-US Data Adequacy Litigation Begins
New Zealand: Privacy Amendment Bill Introduced to Parliament
UK: ICO Issues Guidance on Handling Employee Health Data
Data Breach Incident and How to Handle it
A data breach is generally regarded as a suspected or actual breach of the security of personal data held by an organisation (as a data user), which exposes the personal data of data subjects to the risk of unauthorised or accidental access, processing, erasure, loss or use. It may amount to a contravention of Data Protection Principle (DPP) 4 – security of personal data of the Personal Data (Privacy) Ordinance (PDPO). The organisation should take remedial actions to mitigate the loss and damage caused to the data subjects concerned.
Here are the recommended actions for responding to a data breach incident.
Step 1 – Immediate Gathering of Essential Information
Gather all relevant information of the data breach to assess the impact on data subjects and to identify appropriate mitigation measures, which includes:
- When and where did the breach occur?
- How was the breach detected and by whom?
- What was the cause of the breach?
- What kind of personal data was involved?
- How many data subjects might be affected? What harm may have been caused to them?
Step 2 – Containing the Data Breach
Depending on the severity of the breach and the personal data involved, this may include:
- Conducting a thorough search for the lost items containing personal data;
- Changing users’ passwords and system configurations to block any (further) unauthorised access;
- Fixing any bugs that may have caused the breach;
- Alerting banks etc to reduce the risk of financial losses for affected data subjects;
- Notifying law enforcement agencies if identity thefts or other criminal activities are likely;
- Shutting down or isolating compromised systems and checking whether other interconnected systems are affected; and
- Removing access rights of users suspected to have contributed to the breach.
Step 3 – Assessing the Risk of Harm
Assess the possible harm that may be caused to individuals, such as:
- Threats to personal safety;
- Identity theft;
- Financial loss, or loss of business or employment opportunities; and
- Humiliation, loss of dignity, damage to reputations.
Step 4 – Considering Giving Data Breach Notifications
As soon as practicable after becoming aware of the data breach, particularly when there is a real risk of harm to the affected data subjects, the organisation should notify the PCPD, affected data subjects and relevant parties.
Step 5 – Documenting the Breach
A comprehensive record of the incident would facilitate post-breach reviews and improve personal data handling practices.
Please read the PCPD’s publications below to learn more about how to properly handle a data breach incident:
Guidance on Data Breach Handling and Data Breach Notifications (detailed guidance note)
Guidance on Data Breach Handling and Data Breach Notifications (summary pamphlet)
PRIVACY COMMISSIONER’S FINDINGS
Accessing a Patient’s Electronic Health Record for Non-medical Purposes
The Complaint
The Complainant gave consent to a doctor (Doctor) to upload his health record to the Electronic Health Record Sharing System (Sharing System) and access the said data. After the first and only visit, the Complainant made a complaint against the Doctor to the Medical Council of Hong Kong (Medical Council). While the Medical Council was handling the Complainant’s case, the Complainant received a text message from the Electronic Health Record Office, informing him that the Doctor had accessed his electronic health record in the Sharing System. The Complainant was dissatisfied that the Doctor had accessed his health record for purposes unrelated to treatment and thus lodged a complaint against the Doctor with the PCPD.
Outcome
DPP3 of the PDPO stipulates that, without the prescribed consent of the data subject, his personal data may only be used (including disclosure or transfer) for the purpose for which the data was originally collected or for purposes directly related to that purpose. The PCPD was of the view that the Doctor contravened DPP3 by accessing the Complainant’s electronic health record in the Sharing System for a purpose other than providing treatment to the Complainant and without obtaining separate consent from the Complainant.
Upon the PCPD’s intervention, the Doctor pledged to access electronic health records in the Sharing System only for the purpose of providing treatment to patients and on a “need-to-know” basis.
Regarding the incident, the PCPD issued a warning to the Doctor, requesting him to ensure that the non-compliance in this case would not be repeated. In addition, the PCPD referred the case to the Electronic Health Record Office, which manages the Sharing System, for follow-up actions.
Lessons Learnt
Healthcare providers should exercise caution and professional judgment before accessing patients’ data in the Sharing System. Inappropriate use of patients’ data in the Sharing System would violate DPP3 of the PDPO.
Protecting Your Personal Data against Phishing Emails
Email is an essential and widely-used business communication tool for employers, employees, clients, and other stakeholders to share information in this digital age. While we enjoy the tremendous convenience brought by emails to our daily lives, we should be aware of phishing emails sent by cybercriminals. Phishing emails, which impersonate legitimate entities or reputable organisations, contain malicious links that direct users to a spoofed website to trick them into submitting their personal data (such as login credentials, credit card information and other personal data). Some phishing emails also contain malicious attachments intending to install malware on the recipient’s electronic devices once the attachments are opened.
What are the characteristics of a phishing email?
Typically, a phishing email will contain the following characteristics:
- Contains sub-domains, mismatched email addresses, misspelled URLs or other suspicious links;
- Contains grammatical / spelling mistakes;
- Contains intimidating messages or messages requesting urgent processing;
- Requests sensitive personal data, such as financial details or passwords; and
- Contains suspicious attachments with file extensions (such as EXE, SCR, PDF, VBS, RTF, DOC, and XLS).
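As an added example (not from the PCPD or this newsletter), the Python script below checks a raw e-mail against the five characteristics just listed and reports the evidence for each one it finds. The two sample messages, the fictitious bank domains, the urgency and sensitive-data phrase lists and the misspelling list are all constructed for the example; a real filter would use fuller dictionaries and a public-suffix list.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Extensions are those named in the text; phrase and misspelling lists are constructed here.
RISKY_EXTENSIONS = {"exe", "scr", "pdf", "vbs", "rtf", "doc", "xls"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "will be suspended", "final notice", "act now")
SENSITIVE_REQUESTS = ("password", "credit card", "card number", "cvv", "hkid")
COMMON_MISSPELLINGS = {"recieve", "verfy", "acount", "informations", "securty"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)


def _domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _site(url):
    """Host of a URL and a crude registrable domain (last two labels; no PSL)."""
    host = (urlparse(url.rstrip(".,;)")).hostname or "").lower()
    return host, ".".join(host.split(".")[-2:])


def _text_parts(msg):
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message):
    """Map each characteristic found in the message to the evidence for it."""
    msg = message_from_string(raw_message)
    sender, reply_to = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    body = _text_parts(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    found = {}

    # 1. Mismatched addresses, look-alike sub-domains and misleading links.
    links = []
    if reply_to and reply_to != sender:
        links.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    for href, anchor_text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(anchor_text)
        if shown and _site(shown.group())[1] != _site(href)[1]:
            links.append(f"link text {shown.group()} actually points to {href}")
    for url in URL_RE.findall(body):
        host = _site(url)[0]
        # The sender's real domain used as a sub-domain label of an unrelated one.
        if sender and sender in host and not host.endswith(sender):
            links.append(f"{sender} appears as a sub-domain of {host}")
    if links:
        found["suspicious_links"] = links

    # 2. Spelling mistakes (the tiny word list stands in for a real dictionary).
    misspelt = set(re.findall(r"[a-z]+", text)) & COMMON_MISSPELLINGS
    if misspelt:
        found["spelling_mistakes"] = sorted(misspelt)

    # 3 and 4. Intimidating/urgent wording and requests for sensitive data.
    for name, phrases in (("urgency", URGENCY_PHRASES),
                          ("sensitive_data_request", SENSITIVE_REQUESTS)):
        hits = [p for p in phrases if p in text]
        if hits:
            found[name] = hits

    # 5. Attachments carrying one of the listed file extensions.
    risky = [fn for fn in (p.get_filename() for p in msg.walk())
             if fn and fn.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS]
    if risky:
        found["risky_attachment"] = risky
    return found


def build_sample_phish():
    """Constructed phishing sample; every domain and name here is fictitious."""
    msg = EmailMessage()
    msg["From"] = "Example Bank Security <alerts@examplebank.com>"
    msg["Reply-To"] = "support@mail-verify-center.net"
    msg["Subject"] = "URGENT: verfy your acount within 24 hours"
    msg.set_content("Your acount will be suspended. Visit the link to verfy.")
    msg.add_alternative(
        '<p>Please <a href="http://examplebank.com.account-check.net/login">'
        "https://www.examplebank.com/login</a> and enter your password "
        "and card number.</p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="statement.scr")
    return msg.as_string()


def build_sample_benign():
    """Constructed legitimate notification from the same fictitious bank."""
    msg = EmailMessage()
    msg["From"] = "Example Bank <statements@examplebank.com>"
    msg["Subject"] = "Your monthly statement is ready"
    msg.set_content("Log in at https://www.examplebank.com/statements to view it.")
    return msg.as_string()
```

Running `phishing_indicators(build_sample_phish())` reports all five characteristics, while the benign statement notice from the same sender produces no indicators.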
What should you do if you receive a phishing email?
Here are some practical tips to protect your personal data against phishing attacks:
- Do not follow URL links from untrusted sources or spam emails to avoid being redirected to malicious websites;
- Do not disclose sensitive personal data to unknown senders;
- Do not click any suspicious links or open suspicious attachments;
- Verify the sender’s identity through channels other than those stated in the email;
- Delete confirmed phishing emails;
- Change the password immediately if you suspect that you have been defrauded, and check your account status; and
- Contact relevant organisations and/or report to the police immediately.
Privacy Commissioner Publishes an Article Entitled “The Privacy and Ethical Risks of Generative AI cannot be Ignored” at OneTrust DataGuidance
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “The Privacy and Ethical Risks of Generative AI cannot be Ignored” at OneTrust DataGuidance to discuss the emergence of generative artificial intelligence (AI), while highlighting the privacy and ethical risks that should be considered regarding its use as well as the evolving regulatory landscape of AI. The PCPD published the “Guidance on the Ethical Development and Use of Artificial Intelligence” in August 2021 to help organisations develop and use AI systems in a privacy-friendly and ethical manner. In the article, the Privacy Commissioner calls for all stakeholders to join hands in ensuring that applicable laws are complied with and core ethical principles such as fairness, transparency and security are embedded in the development and use of AI. The Privacy Commissioner also reminds tech companies that they bear responsibilities in the first place to ensure the lawful and ethical development and use of AI, so that the new technology is used for human good. Please click here to read the article.
Reaching Out to the Community – Privacy Commissioner Interviewed by the Media to Explain the Leaflet on “10 TIPS for Users of AI Chatbots”
Privacy Commissioner Ms Ada CHUNG Lai-ling was interviewed by RTHK Radio 1’s “Hong Kong Today” and Commercial Radio 1’s “On a Clear Day” on 14 September to explain the leaflet entitled “10 TIPS for Users of AI Chatbots” (the Leaflet) issued by the PCPD on 13 September.
During the interviews, the Privacy Commissioner pointed out that as the use of AI chatbots has become popular in Hong Kong, the Leaflet aims to raise the awareness of members of the public to protect their own personal data privacy while using AI chatbots.
Please click here (from 1:07:21 to 1:12:07) to listen to the interview by RTHK Radio 1's “Hong Kong Today” (Chinese only).
Reaching Out to the MPF Industry – Privacy Commissioner Attends the Celebration Event of the 25th Anniversary of the Establishment of Mandatory Provident Fund Schemes Authority
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the celebration event of the 25th anniversary of the establishment of the Mandatory Provident Fund Schemes Authority (MPFA) on 11 September. The Privacy Commissioner congratulated the MPFA on its 25th anniversary and exchanged views with stakeholders in the MPF industry at the event.
Reaching Out to the Greater Bay Area — Privacy Commissioner Visits Nansha, New Area of Guangzhou
Privacy Commissioner Ms Ada CHUNG Lai-ling and officers of the PCPD visited Nansha Planning Exhibition Hall and China Future Internet Engineering Centre (Greater Bay Area Innovation Centre) on 8 September to learn about the latest development of Guangzhou Nansha New Area and exchange views on fostering the interconnectivity of data in the Greater Bay Area and the development of digital economy. In June 2022, the State Council released the “Master Plan of Guangzhou Nansha on Deepening Comprehensive Global Cooperation among Guangzhou, Hong Kong and Macao”. The Nansha Planning Exhibition Hall showcases the history and latest development of Guangzhou Nansha New Area and its role in the development of the Greater Bay Area. The China Future Internet Engineering Centre (CFIEC) is recognised by the National Development and Reform Commission. It fosters the construction of global interconnection and participates in the standardisation and industrialisation of global technology.
Privacy Commissioner Publishes an Article Entitled “Your Personal Information is not Safe when You Shop Online”
Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “Your Personal Information is not Safe when You Shop Online”.
The Privacy Commissioner pointed out that the ever-growing complexity of the digital landscape calls for a more cautious approach to data security and the use of online services. Giving away personal data to social media and shopping platforms can be perilous, given the increasing reports on data scraping, digital fraud, identity theft and other threats.
She reminded operators of such platforms to assume responsibility for protecting their users’ privacy and users of online platforms to stay vigilant and think twice before sharing any personal data to prevent any unintended adverse consequences from happening.
The article was published in HK01, Hong Kong Economic Journal, Hong Kong Economic Times, Ming Pao, Sing Tao Daily, South China Morning Post and Wen Wei Po on 6 September.
Please click here to read the article in Chinese.
Please click here to read the article in English.
Promoting Data Security – Privacy Commissioner Speaks at the Grand Opening of HKPC’s “Smart & Secure City Hall” Exhibition
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Grand Opening of the “Smart & Secure City Hall” exhibition launched by the Hong Kong Productivity Council (HKPC) on 4 September. The exhibition showcases booths from the HKPC and various supporting organisations with a view to demonstrating the latest developments and trends in the field of cybersecurity. Being one of the supporting organisations, the PCPD set up its own booth at the exhibition to highlight its efforts in promoting data security. The Privacy Commissioner also spoke as a panellist at the panel discussion entitled “Cyber Security Tips for Individuals and Enterprises in Smart & Secure City” held at the Grand Opening. During her speech, the Privacy Commissioner emphasised the heightened importance of safeguarding personal data privacy in today’s digital era. She urged individuals to exercise caution and be mindful of potential privacy pitfalls when using online services such as social media platforms and online shopping platforms. She also reminded enterprises of the importance of preventing and managing data breaches properly to safeguard data security.
Reaching Out to the Property Management Sector – Privacy Commissioner Attends the “Embracing the New Era for Property Management” Commemorative Ceremony 2023 of the Property Management Services Authority
Privacy Commissioner Ms Ada CHUNG Lai-ling attended the “Embracing the New Era for Property Management” Commemorative Ceremony hosted by the Property Management Services Authority (PMSA) on 31 August and received the certificate of appreciation from the PMSA in recognition of the support of the PCPD given to the work of the PMSA in implementing the licensing regime for the property management industry and promoting the professional and quality development of the property management industry.
Promoting Data Security – PCPD’s Representative Speaks at the Build a Secure Cyberspace 2023 Seminar
Acting Chief Personal Data Officer (Compliance & Enquiries) of the PCPD Mr Brad KWOK spoke at the Build a Secure Cyberspace 2023 “Protect Your Online Identity” Seminar on 22 September. Jointly organised by the Office of the Government Chief Information Officer, the Hong Kong Police Force and the Hong Kong Computer Emergency Response Team Coordination Centre, the seminar aims to promote data security and raise the awareness of protecting the online identities of individuals and enterprises. At the seminar, Mr Kwok highlighted different personal data privacy risks relating to online activities and shared with participants useful tips and suggestions on the protection of digital identities in order to avoid identity theft and the related losses. Please click here to download Mr Kwok’s presentation deck.
Reaching Out to the Community – PCPD’s Representative Interviewed by TVB News’ “A Closer Look”
Acting Chief Personal Data Officer (Compliance & Enquiries) of the PCPD Mr Brad KWOK was interviewed by TVB News’ “A Closer Look” on the privacy issues arising from the use of CCTV systems.
During the interview, Mr Kwok explained that if a CCTV system has a recording function and that a data user seeks to identify specific persons or compile information about identified individuals through the CCTV, the recording might constitute collection of personal data under the PDPO and the data user must comply with the requirements of the PDPO, including the Data Protection Principles specified therein.
The PCPD has issued the “Guidance on CCTV Surveillance and Use of Drones” which offers advice on the application of Data Protection Principles in the use of CCTV, with a view to enabling organisations to use CCTV in a manner which is in compliance with the requirements of the PDPO.
Please click here to view the interview by TVB News’ “A Closer Look”, which was broadcast on 21 September (Chinese only).
The PCPD Publishes an Inspection Report on the Personal Data System of the Registration and Electoral Office
The PCPD published an Inspection Report on the personal data system of the Registration and Electoral Office (REO) on 20 September.
Since 2017, there have been repeated data breach incidents relating to the personal data held by the REO. Each of the incidents attracted considerable media attention and criticism from the public. Against this background, Privacy Commissioner Ms Ada CHUNG Lai-ling invoked the power vested in her under section 36 of the PDPO to carry out an inspection to review the personal data system of the REO, with an aim to strengthen the protection of personal data in the possession of the REO and prevent the reoccurrence of similar incidents in the future. The findings of the inspection reveal that the REO has made significant efforts to implement a Personal Data Privacy Management Programme and has built a robust infrastructure to protect personal data privacy, which is supported by an ongoing review and monitoring process to facilitate compliance with the requirements under the PDPO. The compliance standard of the REO in terms of data protection is expected to be further stepped up, considering its implementation of the recommendations made by the Office of the Government Chief Information Officer in a review report and its continuous compliance with the PCPD’s enforcement notices relating to the two data breach incidents in 2022. The Privacy Commissioner has also made ten recommendations to the REO in the report to enhance the security of the personal data held by the REO. In addition, the Privacy Commissioner strongly encourages the REO to continuously strive to instil and maintain a strong culture of data protection among all staff members to better protect the privacy and security of the personal data of its stakeholders and demonstrate its commitment to good data governance and building trust with members of the public. Please click here to download the “Inspection Report: Personal Data System of the Registration and Electoral Office”.
Nurturing Young Talents – the Privacy Commissioner Prize in Privacy and Data Protection Law 2022-23
Assistant Privacy Commissioner for Personal Data (Legal, Global Affairs & Research) Ms Cecilia SIU presented the 2022-23 Privacy Commissioner Prize in Privacy and Data Protection Law to recognise the best research paper submitted for 2022-23 in the study of privacy and data protection laws.
The Prize was presented at the Faculty of Law, the University of Hong Kong (HKU), on 31 August 2023 to Mr YU Sheung Him Ambrose, who was a Year 5 Bachelor of Business Administration (Law) and Bachelor of Laws (Double Degree) student of HKU. The winning essay is entitled ‘Civil Action against Breach of Privacy in Hong Kong – Where the Law Stands Now and the Way Forward’.
Safeguarding Data Security – The PCPD Issues Pamphlet on Data Breach Handling and Data Breach Notifications
In today’s digital age, cyberattacks leading to data breaches occur from time to time. To assist organisations in handling data breaches properly, the PCPD published a new “Guidance on Data Breach Handling and Data Breach Notifications” recently and reinforced it by issuing a pamphlet on the Guidance (Pamphlet) on 5 September. The Pamphlet uses infographics to present a summary of the important contents of the Guidance in order to assist organisations in responding to data breaches by preparing for both the “BEFORE” and “AFTER” scenarios – with recommendations on formulating a personal data breach response plan as a contingency plan and a step-by-step approach to contain damage and harm after the occurrence of a breach.
Please click here to download the Pamphlet.
Please click here to download the “Guidance on Data Breach Handling and Data Breach Notifications”.
A 59-year-old Solicitor Arrested for Suspected Doxxing of a Barrister
The PCPD arrested a Chinese male aged 59 on Hong Kong Island on 25 September. The arrested person was suspected to have disclosed the personal data of a barrister without his consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the arrested person is a solicitor who instructed the victim to act as the legal representative for a litigation case. Thereafter, the arrested person only paid a small portion of the service fee to the victim. In September 2022, the law firm to which the arrested person belonged received a complaint from the victim, and it subsequently settled the outstanding payment and dismissed the arrested person. Between September 2022 and April 2023, a total of 74 messages containing the personal data of the victim were posted in multiple personal accounts on two social media platforms, alongside some negative comments on him. The personal data disclosed included the victim’s Chinese name, English surname and alias, photo, occupation, the website address of his chambers and a copy of the victim’s Hong Kong Identity Card (HKID card) which showed particulars including his Chinese name, English name, HKID card number, date of birth, gender and a photo of him, etc. The PCPD reminds members of the public that they should not dox others because of personal disputes. Identity cards contain sensitive personal data. Disclosing or reposting copies of identity cards without the consent of the data subject concerned, either arbitrarily or maliciously, may constitute a doxxing offence. An offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
- the person discloses any personal data of a data subject without the relevant consent of the data subject –
  - with an intent to cause any specified harm to the data subject or any family member of the data subject; or
  - being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.
The PCPD Recommends Organisations to Strengthen Data Security Measures to Ensure Data Security
The PCPD noted the successive hacker attacks on the information systems of organisations recently which involved the leakage of personal data. The PCPD condemns such attacks and expresses grave concern about the incidents. The PCPD wishes to remind all organisations, whether public/private organisations, to comply with the relevant requirements under the PDPO, in particular, DPP 4 of the PDPO, which requires that all practicable steps shall be taken by data users to ensure that any personal data held by a data user is protected against unauthorised or accidental access, processing, erasure, loss or use.
The PCPD recommends that organisations holding personal data should regularly conduct data security risk assessments, and put in place adequate and effective security measures to safeguard the information and communications systems and personal data in their control or possession, based on the nature, scale and complexity of their data processing activities, as well as the results of the risk assessments. The PCPD reminds all organisations to take precautionary measures, raise their awareness of cyber security and review their data security systems. To strengthen data security and prevent malicious attacks on their information systems, organisations should adopt the following data security measures in a timely manner:
- Secure computer networks: Using security devices or software such as firewalls and/or antimalware applications to protect computer networks. Software (including mobile apps and anti-malware applications) should be regularly updated to detect new viruses and emerging threats;
- Regularly conduct vulnerability assessments and penetration tests, in particular for internet-facing systems;
- Implement patch management to fix security vulnerabilities in a timely manner;
- Encryption of data in transit and storage, and effective management and protection of the encryption keys;
- Database management: Separating database servers from web servers by firewalls to protect the internal servers in case the web servers are compromised;
- Adopt the “least privilege” principle to grant as few access rights as possible to complete a task and assign users to appropriate roles (including restriction of the volume of data to be accessed and the duration of access); and
- Timely destruction of unnecessary or expired personal data.
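As an added illustration of the “least privilege” and “timely destruction” items above (example code written for this page, not from the PCPD or its Guidance Note): a small in-memory store that refuses reads once a grant has expired or exceeds its record cap, restricts each role to the collection purposes it is entitled to, and destroys records held beyond a retention period. The class and function names, the role-to-purpose mapping and the sample records are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class AccessDenied(Exception):
    """Raised when a request falls outside what the grant permits."""


@dataclass(frozen=True)
class AccessGrant:
    """A time-boxed, volume-capped grant tied to one role (assumed model)."""
    subject: str          # staff member the grant was issued to
    role: str             # role the task requires
    max_records: int      # volume cap: records one request may touch
    expires_at: datetime  # duration cap: the grant is dead after this instant


@dataclass
class Record:
    record_id: str
    purpose: str          # purpose the data was collected for
    collected_at: datetime
    fields: dict


class PersonalDataStore:
    """In-memory store that enforces least privilege and a retention period."""

    # Which collection purposes each role may read (assumed mapping).
    ROLE_PURPOSES = {
        "billing_clerk": {"billing"},
        "support_agent": {"billing", "support"},
    }

    def __init__(self, retention: timedelta):
        self._records = {}        # record_id -> Record
        self._retention = retention
        self.audit = []           # (time, subject, record ids) for every permitted read

    def add(self, record: Record) -> None:
        self._records[record.record_id] = record

    def read(self, grant: AccessGrant, record_ids: list, now: datetime) -> list:
        """Return the records only if the grant is live, the volume cap holds and the
        role is allowed every record's collection purpose. All-or-nothing."""
        if now >= grant.expires_at:
            raise AccessDenied(f"grant for {grant.subject} expired at {grant.expires_at.isoformat()}")
        if len(record_ids) > grant.max_records:
            raise AccessDenied(f"{len(record_ids)} records requested, grant allows {grant.max_records}")
        allowed = self.ROLE_PURPOSES.get(grant.role, set())
        out = []
        for rid in record_ids:
            rec = self._records.get(rid)
            if rec is None:
                raise AccessDenied(f"record {rid} does not exist or has been destroyed")
            if rec.purpose not in allowed:
                raise AccessDenied(f"role {grant.role} may not read {rec.purpose} data")
            out.append(rec)
        self.audit.append((now.isoformat(), grant.subject, tuple(record_ids)))
        return out

    def purge_expired(self, now: datetime) -> list:
        """Destroy records held longer than the retention period; return their ids."""
        expired = [rid for rid, rec in self._records.items()
                   if now - rec.collected_at > self._retention]
        for rid in expired:
            del self._records[rid]
        return expired


def demo() -> dict:
    """Constructed sample records and one grant, exercising every control."""
    now = datetime(2023, 9, 1, tzinfo=timezone.utc)
    store = PersonalDataStore(retention=timedelta(days=365))
    store.add(Record("r1", "billing", now - timedelta(days=30), {"name": "A"}))
    store.add(Record("r2", "support", now - timedelta(days=40), {"name": "B"}))
    store.add(Record("r3", "billing", now - timedelta(days=400), {"name": "C"}))
    clerk = AccessGrant("clerk01", "billing_clerk", max_records=1,
                        expires_at=now + timedelta(hours=1))
    results = {"clerk_reads_billing": [r.record_id for r in store.read(clerk, ["r1"], now)]}
    attempts = (("clerk_reads_support", ["r2"], now),           # wrong purpose for the role
                ("clerk_over_volume", ["r1", "r3"], now),       # two records, cap is one
                ("clerk_after_expiry", ["r1"], now + timedelta(hours=2)))  # grant has lapsed
    for label, ids, when in attempts:
        try:
            store.read(clerk, ids, when)
            results[label] = "allowed"
        except AccessDenied as exc:
            results[label] = f"denied: {exc}"
    results["purged"] = store.purge_expired(now)   # r3 is past the 365-day retention
    return results
```

Two design points worth carrying into a real system: the read is all-or-nothing, so a request that mixes permitted and non-permitted records leaks nothing, and the expiry and volume caps live in the grant itself rather than in the caller’s code, so they travel with the credential and are enforced wherever it is presented.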
To help organisations strengthen their data security systems, the PCPD issued the “Guidance Note on Data Security Measures for Information and Communications Technology” (the Guidance Note) in August 2022, which sets out recommended data security measures for data users. For details, please click here to download the Guidance Note.
In parallel, the PCPD has set up a dedicated hotline and email service for small and medium enterprises (SMEs) (telephone: 2110 1155, email: sme@pcpd.org.hk) to give SMEs a readily available channel for enquiries about how to comply with the PDPO. To enhance publicity and education, the PCPD arranges seminars for members of the public and organisations from time to time to explain the importance of protecting personal data privacy. Organisations interested in arranging in-house seminars can contact the PCPD (email: inhouse_seminar@pcpd.org.hk).
The PCPD strongly advises organisations to notify the PCPD of any data breach incident as soon as practicable. Early notification enables the PCPD to help the organisation and the affected parties take appropriate and timely measures to minimise the damage caused by the incident. Organisations are also strongly advised to notify the affected data subjects of any data breach incident as soon as possible.
To assist organisations in preparing for a data breach, the PCPD updated the “Guidance on Data Breach Handling and Data Breach Notifications” (the Guidance) in June 2023; it contains practical recommendations to help organisations prepare data breach response plans and handle data breach incidents. Please click here to download the Guidance.
The PCPD’s Response to Media Enquiries on Data Breach Incident of Consumer Council
In response to media enquiries, the PCPD confirmed that it had received a data breach notification from the Consumer Council on 21 September and has commenced a compliance check into the incident in accordance with established procedures. The PCPD has also advised the relevant organisation to notify the affected data subjects as soon as possible.
Having considered that the incident may involve the leakage of personal data, the PCPD appeals to the possibly affected data subjects to be vigilant about potential theft of their personal data. If they are in doubt about whether their personal data have been leaked, they may make enquiries with the relevant organisation or the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk). To protect personal data privacy, affected data subjects are advised to take the following measures:
- Consider changing the passwords of online accounts and enable multi-factor authentication (if available);
- Beware of any unusual logins to personal email or other accounts;
- Review bank statements to spot any unauthorised transactions;
- Stay vigilant when receiving suspicious calls, text messages or emails from unknown sources, and do not open attachments or disclose personal data casually; and
- Be vigilant against phishing and other possible scams.
In parallel, the PCPD recommends that organisations which handle personal data adopt the following data security measures to safeguard data security and prevent malicious attacks on their information systems:
- Adopt data governance and organisational measures: organisations should establish clear internal policies and procedures on data governance and data security, including appointing suitable personnel in a leadership role to bear specific responsibility for data security, and ensure that sufficient training is provided for staff members;
- Conduct regular risk assessments on data security for new systems and applications before launch, as well as regularly thereafter;
- Implement a series of technical and operational security measures;
- Properly manage data processors: A data user must adopt contractual or other means to prevent unauthorised or accidental access, processing, erasure, loss or use of the data transferred to the data processor;
- Take timely remedial actions in the event of data security incidents, thereby reducing the gravity of harm that may be caused to the organisation and affected individuals; and
- Regularly monitor, evaluate and improve compliance with data security policies.
For details, please click here to download the “Guidance Note on Data Security Measures for Information and Communications Technology”. To assist organisations in preparing themselves in the event a data breach occurs, the PCPD has also issued the “Guidance on Data Breach Handling and Data Breach Notifications”, which contains practical recommendations to help organisations prepare data breach response plans and handle data breach incidents. Please click here to download the “Guidance on Data Breach Handling and Data Breach Notifications”.
A 44-year-old Chinese Female Arrested for Doxxing
The PCPD arrested a 44-year-old Chinese female in Kowloon on 14 September. The arrested person was suspected of having disclosed the personal data of two data subjects without their consent, in contravention of section 64(3A) of the PDPO.
The male victim is a primary school student and the female victim is his mother. The PCPD’s investigation revealed that the arrested person lives near the two victims and is acquainted with them. The son of the arrested person is of a similar age to the male victim. A few years ago, the male victim was admitted to a school, and the arrested person has expressed her dissatisfaction about the matter from time to time since then. Subsequently, between November 2022 and May 2023, a total of 20 messages containing the personal data of the victims were posted in two open discussion groups and on two personal accounts of a social media platform, alongside negative comments about them. The personal data disclosed included the victims’ Chinese names, residential address and photos, the mobile phone number and province of origin of the female victim, and the partial name of the primary school that the male victim attended.
The PCPD reminds members of the public that they should not dox others because of personal disputes. Doxxing is not a means of resolving disputes, as it only escalates conflict. Moreover, doxxing is a serious offence, and an offender is liable on conviction to a fine of up to $1,000,000 and imprisonment for five years.
The PCPD Issues 10 Tips for Users of AI Chatbots
The PCPD noted that according to a local survey, nearly 80% of youngsters in Hong Kong have used generative artificial intelligence (AI) tools such as ChatGPT. In response to the rising popularity of the use of AI chatbots powered by generative AI, the PCPD published a leaflet entitled “10 TIPS for Users of AI Chatbots” on 13 September, which aims to help users protect their personal data privacy and provide tips on the safe use of AI chatbots. Specifically, the 10 Tips cover the following areas:
Before Registration or Use
Tip 1: Read the Privacy Policy, the Terms of Use and other relevant data handling policies;
Tip 2: Beware of fake apps and phishing websites posing as known AI chatbots; and
Tip 3: Adjust the settings to opt out of sharing chat history (if applicable).
When Interacting with AI Chatbots
Tip 4: Refrain from sharing your own personal data and others’ personal data;
Tip 5: If necessary, submit a correction or removal request;
Tip 6: Guard against cybersecurity threats; and
Tip 7: Delete outdated conversations from chat history.
Safe and Responsible Use of AI Chatbots
Tip 8: Be cautious about using the information provided by AI chatbots;
Tip 9: Refrain from sharing confidential information and files; and
Tip 10: Teachers and parents should provide guidance to students when they are interacting with AI chatbots.
Please click here to download the leaflet for further details of each tip.
Response of the PCPD on the Cyberport’s Data Breach Incident
The PCPD received a data breach notification from Cyberport on 18 August and has commenced a compliance check into the incident in accordance with established procedures. The PCPD has advised the organisation to notify the affected data subjects as soon as possible, and is not in a position to disclose further information at this stage. As the incident involved the leakage of personal data, the PCPD has set up a hotline for members of the public to make enquiries or complaints: telephone 3423 6611, email communications@pcpd.org.hk. The PCPD appeals to affected data subjects to make enquiries or complaints with the PCPD or the organisation if they suspect that their personal data have been leaked.
For the measures that affected data subjects and organisations should take, please refer to the media statement above on “The PCPD’s Response to Media Enquiries on Data Breach Incident of Consumer Council”.
A 44-year-old Chinese Male Arrested for Suspected Doxxing of Former Business Partners
The PCPD arrested a 44-year-old Chinese male in the New Territories on 7 September. The arrested person was suspected of having disclosed the personal data of two data subjects without their consent, in contravention of section 64(3A) of the PDPO. The two victims are spouses. The PCPD’s investigation revealed that the male victim and the arrested person were formerly business partners whose relationship turned sour because of monetary disputes. In June 2023, four messages containing the personal data of the victims were posted on a personal account on a social media platform, alongside negative comments about the victims. The personal data disclosed included the victims’ partial Chinese names, place of residence and their photo. The PCPD reminds members of the public that they should not dox others because of monetary disputes. Doxxing is not a means of resolving disputes, as it only escalates conflict. Moreover, doxxing is a serious offence, and an offender is liable on conviction to a fine of up to $1,000,000 and imprisonment for five years.
Highlights of the “Practical Guidance of Cybersecurity Standards – Labelling Methods for Content Generated by Generative Artificial Intelligence Services” (《網絡安全標準實踐指南 – 生成式人工智能服務內容標識方法》)
The Interim Measures for the Management of Generative Artificial Intelligence Services, which came into effect on 15 August 2023, impose a content-labelling obligation on generative artificial intelligence (AI) service providers. To set out specific requirements on how AI-generated content should be labelled, the National Information Security Standardization Technical Committee (TC260) released the “Practical Guidance of Cybersecurity Standards – Labelling Methods for Content Generated by Generative Artificial Intelligence Services” (the Practical Guidance) on 25 August 2023. The Practical Guidance contains detailed technical requirements on how AI-generated text, images, audio and video should be labelled. This article provides an overview of the Practical Guidance.
The Interim Measures for the Management of Generative Artificial Intelligence Services1 (the Measures) took effect on 15 August 2023; Article 12 in particular requires generative AI service providers to label generated content. To implement that requirement and to help service providers and other relevant bodies carry out content labelling, TC260 released the Practical Guidance2 on 25 August 2023, giving specific direction on labelling methods for four categories of generated content: text, images, audio and video. The key points are as follows:
Scope and labelling methods
The Practical Guidance applies to the labelling of generated content by generative AI service providers when they use generative AI technology to provide text, images, audio, video and other generated content to the public3.
Labelling methods fall into two categories4:
- Explicit watermark label: semi-transparent text added within the interactive interface or in its background5.
- Implicit watermark label: a label added by modifying the image, audio or video content, which humans cannot perceive directly but which can be extracted from the content by technical means.
Labelling approaches and label information
The Practical Guidance gives specific direction on labelling approaches and label information, including6:
1. In the display area for AI-generated content, the service provider should continuously show prompt text beneath the display area or beneath the user input area, or add an explicit watermark containing the prompt text evenly across the background of the display area. The prompt text should contain at least wording such as “Generated by artificial intelligence” (由人工智能生成) or “Generated by AI” (由AI生成).
2. AI-generated images and video should be labelled by adding prompt text to the frame. The prompt text should preferably sit in the four corners of the frame, occupy no less than 3% of the frame area or have a text height of no less than 20 pixels, and contain at least wording such as “Artificial intelligence generated” (人工智能生成) or “AI generated” (AI生成)7.
3. For AI-generated images, audio and video, an implicit watermark label should be added to the generated content as follows:
- Images: the implicit watermark should be implemented as a spatial-domain or transform-domain watermark; in the original generated image carrying the watermark, any contiguous slice covering 50% or more of the area with a resolution of at least 384×384 should contain the complete label information;
- Audio: the implicit watermark should be implemented as a time-domain or transform-domain watermark; any contiguous segment of 10 seconds or longer of the original generated audio should contain the complete label information;
- Video: the implicit watermark should be implemented as a spatio-temporal-domain or transform-domain watermark; any contiguous segment of 5 seconds or longer of the original generated video should contain the complete label information;
- The service provider should have an interface or tool for extracting the implicit watermark label from content generated by its service.
The implicit watermark label must contain at least the service provider’s name, and may also contain a content ID8 and other information.
4. When AI-generated images, audio or video are output as files, an extension field should be added to the file metadata as a label. The extension field should contain the service provider’s name, the time of generation, the content ID and similar information.
5. Where a service switches from being provided by a natural person to being provided by AI in a way that may confuse users, this should be indicated by prompt text or a voice prompt containing at least wording such as “Artificial intelligence is serving you” (人工智能為您提供服務) or “AI is serving you” (AI為您提供服務).
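To make items 2 and 3 concrete, here is an added example (written for this page; it is not TC260’s method and not code from any service provider) of a simple spatial-domain implicit watermark with the redundancy the image requirement calls for. The label frame is repeated with a period of 384 pixels along every row, so any crop at least 384 pixels wide contains one complete copy whatever its offset, and the extractor finds it by trying every rotation and checking a CRC-32. A small helper also applies the 3%-area-or-20-pixel rule for the explicit label in item 2. The 48-byte frame layout, the provider name “ExampleAI”, the content ID “c0ffee01” and the gradient image are all assumptions made for the example.

```python
import zlib
from typing import Optional

PERIOD_BITS = 384               # assumed framing: one full cycle fits in any crop >= 384 px wide
FRAME_BYTES = PERIOD_BITS // 8  # 48 bytes: 1 length byte + payload + zero padding + 4-byte CRC-32
MAX_PAYLOAD = FRAME_BYTES - 5   # 43 bytes available for provider name and content ID


def explicit_label_ok(frame_w: int, frame_h: int, label_w: int, label_h: int) -> bool:
    """Item 2 above: the visible label must cover at least 3% of the frame
    or have a text height of at least 20 pixels."""
    return label_w * label_h >= 0.03 * frame_w * frame_h or label_h >= 20


def build_frame(provider: str, content_id: str) -> bytes:
    """Pack the provider name and content ID (item 3 above) into a fixed-size
    frame protected by a CRC-32, so a decoder can tell a correct read from noise."""
    payload = f"{provider};{content_id}".encode("utf-8")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload does not fit in one frame")
    body = bytes([len(payload)]) + payload
    body += b"\x00" * (FRAME_BYTES - 4 - len(body))
    return body + zlib.crc32(body).to_bytes(4, "big")


def frame_bits(frame: bytes) -> list:
    """Big-endian bit list of the frame, PERIOD_BITS long."""
    return [(byte >> (7 - i)) & 1 for byte in frame for i in range(8)]


def embed(image: list, frame: bytes) -> list:
    """Spatial-domain embedding: pixel (y, x) carries frame bit x mod PERIOD_BITS in
    its least significant bit, so every row repeats the whole frame every 384 pixels.
    Any crop at least 384 px wide therefore holds one complete cycle, whatever its offset."""
    bits = frame_bits(frame)
    return [[(px & 0xFE) | bits[x % PERIOD_BITS] for x, px in enumerate(row)]
            for row in image]


def extract(crop: list) -> Optional[str]:
    """Recover the label from a crop of unknown offset: read one cycle of LSBs from
    the first row, try every rotation, and accept the one whose CRC-32 checks out."""
    if not crop or len(crop[0]) < PERIOD_BITS:
        return None                              # narrower than one cycle: nothing to read
    cycle = [px & 1 for px in crop[0][:PERIOD_BITS]]
    for r in range(PERIOD_BITS):
        rotated = cycle[r:] + cycle[:r]
        frame = bytes(int("".join(map(str, rotated[i:i + 8])), 2)
                      for i in range(0, PERIOD_BITS, 8))
        body, crc = frame[:-4], frame[-4:]
        if zlib.crc32(body).to_bytes(4, "big") == crc:
            return body[1:1 + body[0]].decode("utf-8", errors="replace")
    return None


def demo() -> dict:
    """Constructed 512x16 grey-scale gradient (not a real generated image): embed,
    crop at an arbitrary offset, and extract. Provider name and content ID are made up."""
    image = [[(x + y) % 256 for x in range(512)] for y in range(16)]
    marked = embed(image, build_frame("ExampleAI", "c0ffee01"))
    crop = [row[37:37 + 400] for row in marked[5:9]]      # 400x4 crop starting at x=37
    narrow = [row[100:100 + 300] for row in marked[:2]]   # 300 px wide: less than one cycle
    return {"from_crop": extract(crop), "from_narrow": extract(narrow)}
```

The least-significant-bit embedding is only there to show the periodicity argument; it does not survive re-encoding, resizing or screenshots, which is one reason the Practical Guidance also admits transform-domain watermarks. In a deployed service the extractor would be the provider’s own interface or tool referred to in item 3, and the CRC check is what stops it from returning garbage when asked about content it never generated.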
Summary
In summary, the Practical Guidance gives clearer direction on how to meet the content-labelling requirement that the Measures impose on generative AI services. Service providers concerned should read the Practical Guidance closely, keep abreast of the latest requirements issued by TC260 and other relevant authorities, and comply pragmatically with the relevant laws, regulations and guidance.
1 Full text: http://www.cac.gov.cn/2023-07/13/c_1690898327029107.htm
2 Full text: https://www.tc260.org.cn/front/postDetail.html?id=20230825190345
3 Practical Guidance, section 1.
4 Practical Guidance, section 2.
5 The explicit watermark can be kept from interfering with normal use while remaining clearly distinguishable by adjusting the density of the text pattern, the display parameters and so on, for example by setting its transparency to 90%.
6 Practical Guidance, section 3.
7 In video, prompts should be added to the frames generated by the current service; other frames need not carry a prompt.
8 The content ID is the service provider’s unique identifier for the generated content.
Webinar on “Review of the Implementation of the EU’s General Data Protection Regulation and the Way Forward”
This year marks the 5th anniversary of the implementation of the European Union’s General Data Protection Regulation (GDPR), which came into force on 25 May 2018. Over the past five years, the GDPR has become a benchmark for data protection, reshaping the way in which global businesses and organisations protect and handle personal data privacy.
To reflect on the implementation of the GDPR and how it has influenced global perspectives on data protection practices, the PCPD organises this webinar to discuss the latest regulatory landscape in the EU and the challenges faced by organisations in their personal data protection practices. Our renowned speakers will share their insights on the latest developments of the privacy laws and regulations in the EU, and their practical experience in relation to the implementation and enforcement of the GDPR in the past five years, as well as their views on the challenges faced by organisations.
Date: 5 October 2023 (Thursday)
Time: 4:00pm – 5:30pm
Fee: $500/$400*
(*Members of the DPOC may enjoy the discounted fee)
Language: English
Who Should Attend: legal professionals, compliance officers, data protection officers and others who have business operations in the EU or have business relationships with EU entities.
Professional Workshop on Data Protection in Property Management Practices
Property management practitioners often face challenges in personal data protection in their daily operations, as many aspects of their work involve the collection and use of personal data of flat owners, residents, car park users and others. This workshop will introduce the key features of the “Guidance on Property Management Practices” published by the PCPD, to assist property management practitioners in understanding how the PDPO applies to their daily work and to give participants practical guidance on how to comply with the requirements of the PDPO.
Date: 11 October 2023 (Wednesday)
Time: 2:15pm – 4:15pm
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who Should Attend: property management personnel, data protection officers, compliance officers, solicitors and members of owners’ corporations.
Professional Workshop on Recent Court and Administrative Appeals Board Decisions
Legal professionals and compliance officers should keep abreast of the latest decisions and arguments of the courts and the Administrative Appeals Board relating to personal data privacy. A PCPD lawyer will give you a deep dive into those cases and the commonly deployed provisions of the PDPO, strengthening your understanding of the cases from a legal perspective and your knowledge of the interpretation and application of the PDPO.
Date: 25 October 2023 (Wednesday)
Time: 2:15pm – 5:15pm
Fee: $950/$760*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: solicitors, barristers, in-house lawyers, data protection officers, compliance officers, company secretaries and administration managers.
Other Professional Workshops on Data Protection from November to December 2023:
Online Free Seminar – Introduction to the PDPO Seminar
The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. Details of the upcoming session are shown below:
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
Arrange an In-house Seminar for Your Organisation
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
Renewal of DPOC’s Membership
Renew your DPOC membership today and continue to enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$350).
Renew your membership now to keep up-to-date with the latest news and legal developments!
PCPD Supports the Law Society of Hong Kong’s International Summit 2023 in Celebration of the 10th Anniversary of the Belt and Road Initiative “Peace and Prosperity on the Belt and Road”
The PCPD is delighted to be one of the supporting organisations of the Law Society of Hong Kong’s International Summit 2023 on “Peace and Prosperity on the Belt and Road”, which will take place on 11 October 2023 at the Hong Kong Ocean Park Marriott Hotel.
Please click here for more details.
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.