PCPD e-NEWSLETTER
ISSUE Mar 2024
The PCPD Issues Two Leaflets on the Smart Use of Smartphones and Social Media to Protect Personal Data Privacy

On 25 March the PCPD published two leaflets, “Protect Your Personal Data – Smart Use of Smartphones” and “Protect Your Personal Data – Be Smart on Social Media”, which give users practical tips on using smartphones and social media in ways that protect their privacy.

“Protect Your Personal Data – Smart Use of Smartphones” covers how to secure the smartphone itself, how to secure the data stored on it, and how to minimise the risks of using apps:
A. Securing Your Smartphone
- Never remove security restrictions of your smartphone (e.g. by “jailbreaking” or “rooting”);
- Install anti-malware software;
- Enable screen lock by passwords and/or biometrics;
- Install the latest system updates; and
- Turn off wireless communications when not in use.
B. Securing the Data Stored on Your Smartphones
- Beware of public Wi-Fi;
- Perform regular backup of your data;
- Avoid using public chargers;
- Turn on the ‘find my device’ function; and
- Erase data before repair or disposal of your smartphone.
C. Minimising the Risks of Using Apps
- Review privacy policies of the apps before download;
- Protect the accounts of your apps;
- Download apps only from official app stores;
- Adjust the permissions and privacy settings of your apps; and
- Remove unnecessary apps.

“Protect Your Personal Data – Be Smart on Social Media” reminds users to stay vigilant on social media platforms and gives tips for signing up for a new social media account, adjusting privacy settings, posting information, and staying vigilant on the platforms themselves:
A. Signing up for a New Social Media Account
- Read the privacy policy;
- Use a dedicated email account for registration;
- Minimise the provision of personal data; and
- Set strong passwords.
B. Adjusting Privacy Settings
- Limit public access to your information;
- Think twice before granting any permission;
- Beware of “tag”; and
- Review privacy policies and settings regularly.
C. Posting Information on Social Media
- Beware! Information can be widely shared without your knowledge;
- Minimise your digital footprints;
- Do not tag people in photos lightly;
- Review social media posts from time to time; and
- Report improper contents.
D. Staying Vigilant on Social Media Platforms
- Be cautious about third-party apps;
- Stay vigilant against online scams;
- Other users may not be real people;
- Look out for data breaches and failed log-in attempts; and
- Terminate unused accounts.

Both leaflets, “Protect Your Personal Data – Smart Use of Smartphones” and “Protect Your Personal Data – Be Smart on Social Media”, are available for download from the PCPD.

Promoting the High-Quality Development of the Greater Bay Area – Privacy Commissioner Speaks at the 8th Guangzhou-Hong Kong-Macau Legal Studies Conference

Photo: Privacy Commissioner Ms Ada CHUNG Lai-ling (second from right) pictured with other guest speakers.

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the 8th Guangzhou-Hong Kong-Macau Legal Studies Conference, organised by the Guangdong Province Law Society, City University of Hong Kong School of Law and University of Macau Faculty of Law, on 7 March and delivered a keynote speech. She cited President Xi’s important speech at the 25th anniversary celebration of Hong Kong’s return to the motherland in 2022, and expressed her belief that Hong Kong could continue to capitalise on its distinctive advantages under the “One Country, Two Systems” principle and promote the overall development of the Guangdong-Hong Kong-Macao Greater Bay Area (Greater Bay Area).
The Privacy Commissioner gave an overview of the legal framework under the Personal Data (Privacy) Ordinance (PDPO). She also introduced the work of the PCPD in safeguarding data security, promoting the cross-boundary flow of personal information and supporting the development of the digital economy, with a view to contributing to the high-quality development of the Greater Bay Area. The Privacy Commissioner’s address and presentation deck (both Chinese only) are available for download.

Appointing a Data Protection Officer for Your Organisation

PRIVACY COMMISSIONER’S FINDINGS
A Chinese Medicine Practitioner Used a Patient’s Personal Data in Direct Marketing without Taking Specified Actions to Notify the Patient and Obtain Her Consent, and Failed to Notify the Patient of Her Opt-out Right

Be Smart Online – Stay Safe against the Privacy Risks of Public Wi-Fi

A 32-year-old Male Arrested for Suspected Doxxing Acts
A 30-year-old Male Arrested for Suspected Doxxing of Former Friend
Response of the PCPD on the SCAA’s Data Breach Incident
The PCPD Welcomes the Passage of the Safeguarding National Security Ordinance by the Legislative Council
The PCPD Proactively Commences Inspection of the Newly Established Children’s Biobank of Hong Kong Hub of Paediatric Excellence, The Chinese University of Hong Kong
The PCPD Strongly Condemns Ted HUI for Suspected Doxxing of Hong Kong Judges and Other Law Enforcement Officers
A 64-year-old Male Arrested for Suspected Doxxing Arising from Monetary Disputes

Seminar on “Cross-boundary Flow of Personal Information Within the Greater Bay Area”
Free Online Seminar: Introduction to the PDPO
Arrange an In-house Seminar for Your Organisation
APPLICATION / RENEWAL OF DPOC MEMBERSHIP

Reaching Out to the Innovation and Technology Sector – Privacy Commissioner Visits the Hong Kong Applied Science and Technology Research Institute
Telling a Good Hong Kong Story – Privacy Commissioner Speaks at Gathering of AmCham HK
Promoting Cross-Boundary Flow of Personal Information – Privacy Commissioner Publishes an Article in Hong Kong Lawyer
Reaching Out to Legal Professionals – Privacy Commissioner Attends the Law Society of Hong Kong Spring Cocktail Reception 2024
Reaching Out to Schools – Privacy Commissioner Speaks on the Protection of the Personal Data Privacy of Students and the Doxxing Offences
Enhancing Data Security – the PCPD and Hong Kong Internet Registration Corporation Limited Jointly Organise a Seminar on Cybersecurity and Data Breach Handling
Enhancing Data Governance – The PCPD Organises “Medical and Healthcare Sector – Experience Sharing Session on Good Data Governance”
Reaching Out to the Financial Sector – Assistant Privacy Commissioner Joins Panel Discussion at ASIFMA Annual Conference 2024

Highlights of the “Basic Security Requirements for Generative Artificial Intelligence Service” (《生成式人工智能服務安全基本要求》)
International: Bureau of the Committee of Convention 108 Reviews Model Contractual Clauses for Transfers of Personal Data
EU: European Parliament Adopts AI Act
UK: ICO Publishes its View on the Data Protection and Digital Information Bill
New Zealand: OPC Releases Statement on Privacy Concerns over Artificial Intelligence

Appointing a Data Protection Officer for Your Organisation
In the digital age, where data is the new gold, personal data is a building block of many organisations. It is therefore important for an organisation to appoint a designated officer, a Data Protection Officer, to oversee its compliance with the PDPO and the implementation of its Privacy Management Programme (PMP).
A Data Protection Officer (DPO) is usually responsible for structuring, designing and managing the PMP, which covers all procedures, training, monitoring or auditing, documentation, evaluation and other follow-up actions relating to the collection, holding, processing and use of personal data. In a large organisation the DPO should be a senior executive; in a small business the role can be taken by the owner or manager. Large organisations should also assign departmental coordinators to support the DPO, and resources should be channelled to train and develop the DPO as a professional in personal data privacy protection.
The major duties of a DPO include:
i) Establishing and implementing the PMP programme controls, including:
- Keeping a record of the organisation’s personal data inventory, and initiating and monitoring the annual personal data inventory review exercise;
- Initiating periodic risk assessments for all departments, and monitoring, reviewing and advising on the completed risk assessment reports;
- Monitoring, reviewing and advising on the conduct of privacy impact assessments;
- Carrying out training and education to promote staff awareness of privacy protection, including circulating updates on data privacy policies, guidelines and other privacy-related information;
- Coordinating and monitoring the handling of data breach incidents, and advising departments on conducting investigations;
- Advising on, and reviewing, departments’ management of data processors; and
- Monitoring, reviewing and advising on the preparation of Personal Information Collection Statements.
ii) Reviewing the effectiveness of the PMP, including preparing an oversight and review plan for the PMP, and revising the programme controls where necessary.
iii) Reporting to the top management periodically on the organisation’s compliance issues, problems encountered and complaints received in relation to personal data privacy.
To learn more about the duties of a DPO and the structure of a Data Protection Office in large organisations, please refer to section 1.2 of Privacy Management Programme: A Best Practice Guide.

PRIVACY COMMISSIONER’S FINDINGS

A Chinese Medicine Practitioner Used a Patient’s Personal Data in Direct Marketing without Taking Specified Actions to Notify the Patient and Obtain Her Consent, and Failed to Notify the Patient of Her Opt-out Right

The Complaint
The complainant was a patient of a Chinese medicine clinic (the Clinic) and provided her personal data to the Clinic in 2015. Practitioner Y worked at the Clinic as a Chinese medicine practitioner but was never consulted by the complainant. A few years later, the complainant received a WhatsApp message from practitioner Y, who claimed to be a former practitioner at the Clinic. The message contained a photo of practitioner Y’s business name card, promoting the Chinese medicine services of her new clinic.
Outcome
Practitioner Y pleaded guilty to charges under sections 35C(1) and 35F(1) of the PDPO: she had used, in direct marketing, personal data that the complainant had provided to another clinic, without taking the specified action to notify the data subject and obtain her consent; and, when using the complainant’s personal data in direct marketing for the first time, she had failed to inform the data subject of her right to require, without charge, that her personal data not be used in direct marketing. Practitioner Y was fined HK$2,000 for each charge, HK$4,000 in total.
Lessons Learnt
In view of the rising public awareness of the importance of protecting personal data privacy, organisations and their employees should respect their customers’ choices regarding the use of their personal data in direct marketing. Former employees should pay close attention when using personal data of their previous clients in direct marketing. Apart from obtaining consent from their former employers, ex-employees should also take specified actions to notify the data subjects and obtain their consent in accordance with the requirements of direct marketing under the PDPO.

Be Smart Online – Stay Safe against the Privacy Risks of Public Wi-Fi

Living in a smart city, Internet users enjoy the tremendous convenience of free public Wi-Fi, which is available in coffee shops, malls, airports, hotels and many other public places. But when you use a free Wi-Fi service, are you fully aware of the potential risks to your personal data privacy?
Free public Wi-Fi is usually an open network that lets anyone connect to the Internet without authentication. Traffic on such a network is typically not encrypted at the Wi-Fi layer, so anyone on the same network, including a malicious actor, can observe whatever other users send in the clear. Malicious actors can also easily set up fake Wi-Fi hotspots with familiar-looking names to lure users into connecting, and then intercept their traffic to steal personal data.
Here are some precautions users can take to improve personal data security when connecting to public Wi-Fi hotspots:
- Check to ensure the authenticity of the public Wi-Fi;
- Turn off your Wi-Fi service when it is not in use;
- “Forget” public Wi-Fi after use to avoid future automatic connection;
- Use a Virtual Private Network (VPN) on public Wi-Fi: it encrypts all traffic between your device and the VPN provider’s server, so others on the same network cannot read or tamper with it (the VPN provider itself can see the traffic, so choose a provider you trust);
- Make sure websites are accessed over HTTPS (https://), which encrypts the connection with TLS so that sensitive information such as e-banking, email and social networking credentials cannot be read in transit; never proceed past a browser certificate warning on public Wi-Fi, as a fake hotspot may be intercepting the connection;
- Ensure that your mobile phones or other portable devices are protected by firewalls and anti-malware software;
- Apply available software updates to mobile or other portable devices to address security vulnerabilities; and
- Avoid transmitting sensitive personal data via public Wi-Fi.

Reaching Out to the Innovation and Technology Sector – Privacy Commissioner Visits the Hong Kong Applied Science and Technology Research Institute

Privacy Commissioner Ms Ada CHUNG Lai-ling and representatives of the PCPD visited the Hong Kong Applied Science and Technology Research Institute (ASTRI) on 22 March to exchange views on technological innovation and personal data privacy protection.
During the visit, Dr Denis YIP, CEO of ASTRI, and his team introduced the core areas of ASTRI’s applied research, including smart city technologies and the application of AI models, and showcased applications such as cross-boundary federated learning systems for SMEs and the use of generative artificial intelligence in business operations.
The Privacy Commissioner expressed her appreciation for ASTRI’s hospitality and the informative sharing sessions. The Privacy Commissioner looks forward to fostering the collaboration with ASTRI, thereby jointly contributing to the development of Hong Kong as a leading innovation and technology hub.

Telling a Good Hong Kong Story – Privacy Commissioner Speaks at Gathering of AmCham HK

Privacy Commissioner Ms Ada CHUNG Lai-ling gave a presentation at a briefing for members of the American Chamber of Commerce in Hong Kong (AmCham HK) on 21 March. The Privacy Commissioner explained the six Data Protection Principles under the PDPO and pointed out that they reflect international standards. She also discussed the significant impact of data breaches on businesses and introduced the PCPD’s resources for businesses to enhance their data security, such as the guidance materials on data breach handling, the adoption of a Personal Data Privacy Management Programme (PMP) and the self-assessment toolkit “Data Security Scanner”. The Privacy Commissioner’s presentation deck is available for download.

Promoting Cross-Boundary Flow of Personal Information – Privacy Commissioner Publishes an Article in Hong Kong Lawyer

Privacy Commissioner Ms Ada CHUNG Lai-ling published an article entitled “A Trusted Framework for the Cross-boundary Flow of Personal Information within the Guangdong–Hong Kong–Macao Greater Bay Area” in Hong Kong Lawyer. In the article, the Privacy Commissioner introduced the Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong) (the GBA SC), jointly formulated and published on 13 December 2023 by the Cyberspace Administration of China (CAC), the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (ITIB) and the PCPD. As a facilitation measure for cross-boundary flows of personal information (i.e. personal data) in the Greater Bay Area, the GBA SC simplifies the compliance requirements for such flows, thereby promoting the development of the Greater Bay Area’s digital economy and assisting Hong Kong in integrating into the national development of the Mainland. The Privacy Commissioner encourages enterprises to adopt the GBA SC for cross-boundary transfers of personal information in the Greater Bay Area, and reminds personal information processors (including data users) and data recipients who intend to adopt the GBA SC to pay attention to their specific obligations and responsibilities under it. The article is available to read online.

Reaching Out to Legal Professionals – Privacy Commissioner Attends the Law Society of Hong Kong Spring Cocktail Reception 2024

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the Law Society of Hong Kong Spring Cocktail Reception 2024 on 28 February to celebrate the beginning of the Year of the Dragon with legal professionals. The Privacy Commissioner has been supporting the work of the Law Society of Hong Kong. Over the past years, she served as a member of the judging panel for its Pro Bono and Community Work Recognition Programme and spoke at seminars or conferences organised by the Law Society of Hong Kong.

Reaching Out to Schools – Privacy Commissioner Speaks on the Protection of the Personal Data Privacy of Students and the Doxxing Offences

Privacy Commissioner Ms Ada CHUNG Lai-ling was again invited by the Journalism Education Foundation (the Foundation) to speak at the seminar “Media and Information Literacy Series: Seminar on Understanding the Internet, Social Media and Protection of Personal Data Privacy”, co-organised by the Education Bureau and the Foundation on 28 February, where she gave a presentation to more than 230 primary and secondary school principals and teachers. The organisers ran the seminar again in view of the overwhelming response to similar seminars held in January and October last year. At the seminar, the Privacy Commissioner elaborated on the seriousness of the doxxing offences, how to protect the personal data privacy of students, and how to prevent the privacy risks arising from the use of social media and AI chatbots, giving concrete examples and practical advice. Mr Eric PHENG, Manager (Corporate Communications) of the PCPD, also shared practical tips on protecting personal data online. The presentation deck (Chinese only) is available for download.

Enhancing Data Security – the PCPD and Hong Kong Internet Registration Corporation Limited Jointly Organise a Seminar on Cybersecurity and Data Breach Handling

The PCPD and Hong Kong Internet Registration Corporation Limited (HKIRC) co-organised a seminar on “Responding to Cyber Security Threats and Data Breaches” in hybrid mode on 19 March, which attracted over 880 participants. At the seminar, Cyber Security Manager of the HKIRC Mr Arktos LAM provided an overview of the latest developments of cyber threats and shared some tips on enhancing cyber security for organisations. Chief Personal Data Officer (Compliance & Enquiries) of the PCPD Mr Brad KWOK also spoke about how to prevent and handle data breach incidents.
The presentation decks of Mr Lam and Mr Kwok (both Chinese only) are available for download.

Enhancing Data Governance – The PCPD Organises “Medical and Healthcare Sector – Experience Sharing Session on Good Data Governance”
The PCPD organised the “Medical and Healthcare Sector – Experience Sharing Session on Good Data Governance” (Sharing Session) in hybrid mode on 8 March, which attracted over 180 participants from various sectors, including the medical and healthcare, banking, insurance, government/ public bodies and legal sectors. At the Sharing Session, Assistant Privacy Commissioner for Personal Data (Corporate Communications and Compliance) Ms Joyce LAI delivered the welcome address and recommended organisations to establish a comprehensive PMP to enhance their personal data governance and ensure data security. In addition, representatives of the Outstanding Gold Awardees of the PCPD’s “Privacy-Friendly Awards 2023”, including Mr Wilfred CHIU, Director of Operations, Gleneagles Hospital Hong Kong, and Dr Joseph HO, Chairman of the Privacy Committee, Union Hospital, were invited to share their practical experience in developing a PMP, as well as handling issues that organisations may encounter in implementing data governance and strengthening data security.
The presentation decks of Gleneagles Hospital Hong Kong and Union Hospital are available for download.

Reaching Out to the Financial Sector – Assistant Privacy Commissioner Joins Panel Discussion at ASIFMA Annual Conference 2024
Assistant Privacy Commissioner for Personal Data (Legal, Global Affairs & Research) of the PCPD Ms Cecilia SIU attended the Asia Securities Industry & Financial Markets Association (ASIFMA) 2024 Annual Conference on 1 March, and spoke on the panel titled “Generative AI – Cutting Through the Hype”. Ms Siu discussed the privacy challenges associated with the use of generative artificial intelligence (AI) but stressed that they should not be barriers to innovation. She suggested that organisations that develop and use AI should adopt the recommendations on the ethical principles and measures set out in the PCPD’s “Guidance on the Ethical Development & Use of AI” to strike a balance between fostering innovation and ensuring the protection of personal data privacy.
The conference attracted an audience of over 500 delegates from the financial industry.

A 32-year-old Male Arrested for Suspected Doxxing Acts

The PCPD arrested a Chinese male aged 32 on Hong Kong Island on 26 March. The arrested person was suspected to have disclosed the personal data of a data subject without her consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the arrested person offers fortune-telling services. The victim consulted the arrested person in June 2023 and they became acquainted. In July 2023, the arrested person engaged the victim to manage his business account on a social media platform (the Account) and agreed to pay her remuneration. Subsequently, disputes arose between the parties over the remuneration and the management of the Account. In August 2023, four messages containing the personal data of the victim were posted on the said social media platform, alongside negative comments about the victim. The personal data disclosed included the victim’s Chinese name, English name, alias, mobile phone number, residential address, photo and the user name of her social media account.
The PCPD reminds members of the public that they should not dox others because of personal disputes. Doxxing is not a means to resolve disputes as it would only escalate conflict. Moreover, doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.
Relevant Provisions under the PDPO
Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject –
- with an intent to cause any specified harm to the data subject or any family member of the data subject; or
- being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.
Pursuant to section 64(3C) of the PDPO, a person commits an offence if –
- the person discloses any personal data of a data subject without the relevant consent of the data subject –
  - with an intent to cause any specified harm to the data subject or any family member of the data subject; or
  - being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
- the disclosure causes any specified harm to the data subject or any family member of the data subject.
A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.
According to section 64(6) of the PDPO, specified harm in relation to a person means –
- harassment, molestation, pestering, threat or intimidation to the person;
- bodily harm or psychological harm to the person;
- harm causing the person reasonably to be concerned for the person’s safety or well-being; or
- damage to the property of the person.

A 30-year-old Male Arrested for Suspected Doxxing of Former Friend

The PCPD arrested a Chinese male aged 30 in Kowloon on 21 March 2024. The arrested person was suspected to have disclosed the personal data of a data subject without her consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the arrested person and the victim got acquainted in March 2022 but their relationship subsequently turned sour. As a result, the victim blocked the arrested person’s instant messaging application account to stop the arrested person from contacting her. In July 2022, a number of messages containing the personal data of the victim were posted on an online forum, alongside some negative comments against the victim. Later between June and August 2023, several similar messages containing the personal data of the victim were again posted on the same online forum. The personal data disclosed in the messages included the victim’s Chinese name, English name, alias, date and month of birth, partial mobile phone number, occupation, previous organisation, monthly salary and religion. The PCPD reminds members of the public that they should not dox others because of personal disputes. Doxxing is not a means to resolve disputes as it would only escalate conflict. Moreover, doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.

Response of the PCPD on the SCAA’s Data Breach Incident

The PCPD received a data breach notification from the South China Athletic Association (SCAA) on 18 March, reporting that about 70,000 data subjects may have been affected by the data breach incident. The PCPD has advised the relevant organisation to notify the affected data subjects as soon as possible, and has commenced an investigation into the incident in accordance with established procedures. Having considered that the incident may involve the leakage of personal data, which include names, Hong Kong Identity Card numbers, passport numbers, addresses, email addresses, phone numbers, dates of birth and photos, the PCPD appeals to the affected persons to make enquiries or complaints with the relevant organisation or the PCPD if they suspect that their personal data have been leaked. The PCPD calls on the affected persons to be vigilant of potential theft of their personal data and take the following measures to protect personal data privacy:
- Consider changing the passwords of online accounts and activating multi-factor authentication (where available);
- Beware of any unusual logins of personal emails;
- Review bank statements to spot any unauthorised transactions;
- Stay vigilant when they receive any suspicious calls, text messages or emails from unknown sources;
- Do not arbitrarily open attachments or links in text messages or emails, or disclose personal data readily; and
- Be vigilant against phishing or other possible scams.

The PCPD Welcomes the Passage of the Safeguarding National Security Ordinance by the Legislative Council

The PCPD welcomes the passage of the Safeguarding National Security Ordinance by the Legislative Council, which completed the enactment of local legislation on Article 23 of the Basic Law and improved the regime for safeguarding national security. The PCPD is committed to protecting personal data privacy of members of the public through monitoring, supervising and ensuring compliance with the provisions of the PDPO. As regards the expansion of the scope of “public officer” under the Safeguarding National Security Ordinance to include the Privacy Commissioner for Personal Data or a person employed or engaged by the Privacy Commissioner under the PDPO, the PCPD welcomes the provision and agrees that the relevant clause will strengthen the protection of confidential information as well as enable the PCPD to more effectively perform its roles and duties under the PDPO. Since the Personal Data (Privacy) Amendment Ordinance 2021 came into effect on 8 October 2021, the PCPD has been continuously combatting doxxing offences with resolute efforts. Doxxing is a serious offence, especially in cases involving doxxing of personnel who handle cases concerning national security or are responsible for the work on safeguarding national security. Therefore, the PCPD welcomes the increase of penalty for doxxing offences against those personnel. In order to address the national security risks posed by the current information technology or electronic world and new technologies that may emerge in the future, the Safeguarding National Security Ordinance introduces offences to combat acts endangering national security that are done in relation to a computer or electronic system. The PCPD supports the combatting of serious acts of sabotage or weakening of public infrastructure, or acts done in relation to a computer or electronic system without lawful authority which endanger national security. 
The PCPD agrees that the relevant offences will not hinder the development of innovation and technology, but instead provide a safer environment for the development of related fields.

The PCPD Proactively Commences Inspection of the Newly Established Children’s Biobank of Hong Kong Hub of Paediatric Excellence, The Chinese University of Hong Kong

The PCPD noted that the biobank (Biobank) established by the Hong Kong Hub of Paediatric Excellence of The Chinese University of Hong Kong (HKHOPE) is about to be launched and the Biobank is envisaged to store at least 800,000 biological samples for use by members of the HKHOPE and other research teams. Given that the Biobank would store vast amounts of biological samples which involve personal data of minors, including their health conditions, and that biological samples are personal data of sensitive nature, the PCPD decided to invoke its power under section 36 of the PDPO to proactively inspect the Biobank of HKHOPE. The inspection is carried out with a view to understanding the ways and means through which HKHOPE would collect, hold, use and process children’s biological samples and related personal data, as well as the security measures adopted throughout the process, to ensure the protection of personal data privacy. Through this inspection, the PCPD will make practical recommendations to HKHOPE to assist them in complying with the provisions of the PDPO.

The PCPD Strongly Condemns Ted HUI for Suspected Doxxing of Hong Kong Judges and Other Law Enforcement Officers

The PCPD strongly condemns Ted HUI Chi-fung for blatantly disclosing the personal data of judges, prosecutors and law enforcement officers of the Hong Kong Special Administrative Region in an online post without the consent of the persons concerned, and his appeal to the public to provide him with further information of the officers concerned. The PCPD stressed that the relevant acts of Ted HUI may constitute doxxing offences under sections 64(3A) or 64(3C) of the PDPO, and the PCPD strongly condemns him for such acts. The PCPD reminds members of the public that doxxing is a serious offence. Uploading or reposting doxxing messages, as well as responding to online calls for doxxing and disclosing the personal data of data subjects without their consent, may constitute a doxxing offence. Offenders are liable on conviction to a fine up to $1,000,000 and imprisonment for five years. Members of the public are urged not to respond to Ted HUI’s post by doxxing the officers listed in the post or providing the personal data of other officers.

A 64-year-old Male Arrested for Suspected Doxxing Arising from Monetary Disputes
|
The PCPD arrested a Chinese male aged 64 in Kowloon on 29 February. The arrested person was suspected of having disclosed the personal data of a data subject without her consent, in contravention of section 64(3A) of the PDPO. The PCPD’s investigation revealed that the victim became acquainted with a man (the Man) in late 2021. Since then, the victim and the Man had made advance payments for each other to purchase various goods. Their friendship subsequently turned sour, after which the two parties disputed the amounts of the advance payments. Thereafter, a number of messages were sent to the victim requesting her to repay outstanding debts to the Man. In January 2023, a dunning letter containing the personal data of the victim was mailed to the victim’s supervisor; the letter also contained insulting and defamatory content urging the victim to repay outstanding debts. The personal data disclosed included the victim’s Chinese name, alias, occupation, Hong Kong Identity Card number and date of birth, as well as a photo of the victim and her daughter. The PCPD reminds members of the public that they should not dox others because of monetary disputes. Doxxing is a serious offence, and an offender is liable on conviction to a fine of up to $1,000,000 and imprisonment for five years.
|
Highlights of the “Basic Security Requirements for Generative Artificial Intelligence Service” (《生成式人工智能服務安全基本要求》)
|
To support the implementation of the “Interim Measures for the Management of Generative Artificial Intelligence Services”, the National Information Security Standardisation Technical Committee of China (TC260) released the “Basic Security Requirements for Generative Artificial Intelligence Service” (the Requirements) on 29 February 2024 [1]. The Requirements set out the basic standards that providers [3] of generative AI services [2] should follow when providing such services to the public in the Mainland, covering the security of training data and foundation models, the technical security measures to be adopted, and the security assessments to be conducted. This article gives an overview of the key points in the four areas the Requirements address: training data security, model security, security measures and security assessment.
Training Data Security Requirements [4]
The Requirements define “training data” (訓練語料) as “all data used directly as input for model training, including input data in the pre-training and optimisation-training (fine-tuning) processes”. They set out detailed security requirements for service providers on three aspects of training data: its sources, its content and its annotation. Key points include:
- Security of data sources:
- Before collecting data from a particular source, the service provider should conduct a security assessment of that source; if more than 5% of its content is illegal or harmful information, data from that source should not be collected. After collection, the data should be verified; if more than 5% of it is illegal or harmful information, it should not be used for training;
- For traceability of sources, the service provider should hold the open-source licence agreement or other authorisation documents for the data; where self-collected data is used, collection records should be kept, and data that others have expressly marked as not to be collected should not be collected.
- Security of data content:
- The service provider should filter the data content, using keywords, classification models, manual spot checks and similar methods, so as to fully filter illegal and harmful information out of all training data;
- The service provider should designate a person responsible for intellectual property in respect of training data and generated content, identify the risk of intellectual property infringement in the data used for training, and inform users of the relevant intellectual property risks in the user agreement;
- Before using training data containing personal information, the service provider should obtain the consent of the individuals concerned; before using data containing sensitive personal information, the separate consent of the individuals concerned should also be obtained [5].
- Security of data annotation:
- The service provider should itself organise security training for annotators [6];
- Security annotation rules should be capable of guiding annotators in annotating the principal security risks in training data and generated content, and should provide corresponding annotation rules for each of the 31 security risks listed in Appendix A of the Requirements;
- The service provider should also conduct manual spot checks on each batch of functionally annotated data; content found to be inaccurate should be re-annotated, and where content containing illegal or harmful information is found, that batch of annotated data should be discarded [7].
Model Security Requirements [8]
Key points of the Requirements on model security include:
- Where a service is to be provided on the basis of a third-party foundation model, the service provider should use a foundation model that has been filed with the competent authority;
- As to the security of generated content, security should be one of the principal indicators for evaluating the quality of generated results;
- As to the accuracy of generated content, the service provider should adopt technical measures to improve the ability of generated content to respond to the user’s input intent, to improve the degree to which the data and statements in generated content conform to scientific common knowledge and mainstream understanding, and to reduce erroneous content;
- As to the reliability of generated content, the service provider should adopt technical measures to improve the reasonableness of the format and structure of generated content and the proportion of effective content, so that generated content is more helpful to users.
Security Measure Requirements [9]
Key requirements on security measures that service providers should satisfy include:
- The service provider should fully demonstrate the necessity, suitability and security of applying generative AI with its model in each field within the scope of the service; where the service is used for critical information infrastructure, or in important scenarios such as automatic control, medical information services, psychological counselling and financial information services, protective measures commensurate with the level of risk and the scenario should be in place;
- Where the service is provided through an interactive interface, information on the intended users, scenarios and purposes of the service should be disclosed to the public in a prominent position such as the home page of the website, and the use of the foundation model should preferably also be disclosed;
- Channels for receiving complaints and reports from the public or users, and means of responding, should be provided, including but not limited to one or more of telephone, email, an interactive window and SMS;
- User input should be screened using keywords, classification models and similar methods; where a user enters illegal or harmful information, or information that obviously induces the generation of illegal or harmful content, three times in succession or five times cumulatively within one day, measures such as suspension of the service should be taken in accordance with the law and the user agreement [10];
- The service provider should formulate a security management strategy for model updates and upgrades;
- The service provider should isolate the training environment from the inference environment to prevent data leakage and improper access.
In addition, in accordance with Chapter 8 of the Requirements, the service provider should establish a keyword library, a test question bank for generated content and a test question bank of questions to be refused, and keep them updated in line with actual cybersecurity needs, preferably at least once a month.
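The input-screening rule above (refuse a harmful prompt; suspend after three violations in succession or five within one day) is a small stateful check that is easy to get subtly wrong, for instance by forgetting that a clean prompt resets the consecutive count or that the daily window must slide. The following Python is an added example written for this article, not code from the Requirements, TC260 or the PCPD. The keyword list, user names, prompts and timestamps are constructed for the demonstration; a real service would pair the keyword screen with a classification model and load the Chapter 8 keyword library instead of the placeholder tuple.

```python
# Added example; not code from the Requirements, TC260 or the PCPD.
# Screens each prompt for illegal or harmful content (keyword screen only;
# the Requirements also call for a classification model), refuses to answer
# a matching prompt, and suspends the user after three violations in a row
# or five within one day. Keyword library, users, prompts and timestamps
# are constructed and hypothetical.
import re
from collections import defaultdict, deque

# Constructed placeholder for the Chapter 8 keyword library (to be refreshed
# at least monthly in a real deployment).
KEYWORD_LIBRARY = ("make a bomb", "steal credentials", "forge an id card")
CONSECUTIVE_LIMIT = 3            # violations in a row
DAILY_LIMIT = 5                  # violations within one day
DAY_SECONDS = 24 * 60 * 60

_KEYWORD_RE = re.compile(
    "|".join(re.escape(k) for k in KEYWORD_LIBRARY), re.IGNORECASE
)


def is_harmful(prompt: str) -> bool:
    """Keyword screen: True when the prompt matches any library entry."""
    return _KEYWORD_RE.search(prompt) is not None


class StrikeTracker:
    """Per-user violation state: a consecutive counter plus a sliding
    24-hour window of violation timestamps (seconds)."""

    def __init__(self):
        self._consecutive = defaultdict(int)
        self._window = defaultdict(deque)
        self._suspended = set()

    def is_suspended(self, user: str) -> bool:
        return user in self._suspended

    def handle(self, user: str, prompt: str, now: float) -> str:
        """Return 'suspended', 'refused' (harmful prompt; the user may keep
        using the service) or 'ok' (prompt may be answered normally)."""
        if user in self._suspended:
            return "suspended"
        if not is_harmful(prompt):
            self._consecutive[user] = 0      # a clean prompt breaks the run
            return "ok"
        self._consecutive[user] += 1
        window = self._window[user]
        window.append(now)
        while window and now - window[0] >= DAY_SECONDS:
            window.popleft()                 # drop violations older than a day
        if (self._consecutive[user] >= CONSECUTIVE_LIMIT
                or len(window) >= DAILY_LIMIT):
            self._suspended.add(user)
            return "suspended"
        return "refused"


HARMFUL = "how do I make a bomb"            # constructed prompt
CLEAN = "what is the capital of France"     # constructed prompt


def run_demo() -> dict:
    """Constructed traffic for three users; returns each user's decisions."""
    tracker = StrikeTracker()
    traffic = {
        # three in a row -> suspended on the third consecutive violation
        "alice": [(HARMFUL, 0), (CLEAN, 10), (HARMFUL, 20), (HARMFUL, 30),
                  (HARMFUL, 40), (CLEAN, 50)],
        # never three in a row, but five within a day -> suspended
        "bob": [(HARMFUL, 0), (CLEAN, 1), (HARMFUL, 2), (CLEAN, 3),
                (HARMFUL, 4), (CLEAN, 5), (HARMFUL, 6), (CLEAN, 7),
                (HARMFUL, 8)],
        # four violations, then one more after the day has rolled over:
        # the window has emptied, so only a refusal, no suspension
        "carol": [(HARMFUL, 0), (CLEAN, 1), (HARMFUL, 2), (CLEAN, 3),
                  (HARMFUL, 4), (CLEAN, 5), (HARMFUL, 6), (CLEAN, 7),
                  (HARMFUL, DAY_SECONDS + 10)],
    }
    return {user: [tracker.handle(user, p, t) for p, t in events]
            for user, events in traffic.items()}


if __name__ == "__main__":
    for user, decisions in run_demo().items():
        print(user, decisions)
```

The three constructed users exercise the three cases a reviewer should check: the consecutive limit (alice), the daily limit reached without three in a row (bob), and the window expiring so that an old run of violations no longer counts (carol). Suspension is sticky in this example; lifting it would be a separate, audited action under the provider's own policy.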
Security Assessment Requirements [11]
Notably, a service provider must conduct a security assessment in accordance with the Requirements, submit an assessment report and complete filing before it may provide the generative AI service concerned. The security assessment may be carried out by the provider itself or entrusted to a third-party assessment body. Key requirements include:
- The security assessment should cover every provision in Chapters 5 to 8, with a separate assessment result for each provision, being “compliant”, “non-compliant” or “not applicable” [12];
- The assessment report should state a conclusion on the overall assessment; where the assessment is conducted by the provider itself, the report should bear the joint signatures of at least three persons in charge;
- When assessing the security of training data, the service provider should meet specific requirements, including manual spot checks of not fewer than 4,000 items randomly drawn from all training data, with a pass rate of not less than 96% [13];
- When assessing the security of generated content, the service provider should meet specific requirements, including manual spot checks, keyword spot checks and classification-model spot checks, with not fewer than 1,000 test questions randomly drawn from the test question bank for generated content and a sample pass rate for model-generated content of not less than 90%.
Conclusion
In summary, the Requirements give generative AI service providers clearer regulatory requirements and help raise the security level of generative AI services. Service providers concerned should keep abreast of the latest developments in Mainland laws and regulations on generative AI services, adjust their business accordingly and avoid inadvertently falling foul of the rules.
[1] Full text: https://www.tc260.org.cn/front/postDetail.html?id=20240301164054
[2] Under Chapter 3 of the Requirements, “generative AI service” means “a service that uses generative AI technology to provide the public within the territory of the People’s Republic of China with generated text, images, audio, video or other content”.
[3] Under Chapter 3 of the Requirements, “service provider” means “an organisation or individual that provides generative AI services through an interactive interface, a programmable interface or other means”.
[4] Chapter 5 of the Requirements.
[5] Or where another circumstance provided for by laws and administrative regulations applies.
[6] The training should cover annotation task rules, the use of annotation tools, methods for verifying the quality of annotated content, and security management requirements for annotated data.
[7] For security annotation, each annotated item should be reviewed and approved by at least one reviewer.
[8] Chapter 6 of the Requirements.
[9] Chapter 7 of the Requirements.
[10] The Requirements also state that, in providing services to users, the service provider should refuse to answer questions that are obviously extreme or that obviously induce the generation of illegal or harmful content, while all other questions should be answered normally.
[11] Chapter 9 of the Requirements.
[12] Where the result is “compliant”, sufficient supporting materials should be provided; where “non-compliant”, the reasons for non-compliance should be explained; where “not applicable”, the reasons for inapplicability should be explained.
[13] The service provider should also conduct technical spot checks using keywords, classification models and similar methods on not less than 10% of all training data, randomly sampled, with a sample pass rate of not less than 98%.
|
Seminar on “Cross-boundary Flow of Personal Information Within the Greater Bay Area”
|
Given the close integration of cities in the Greater Bay Area, the demand for data flows between Hong Kong and other cities in the Greater Bay Area is increasing. In addition to enabling the overall digitalisation and economic development of the Greater Bay Area, cross-boundary data flows will expedite the establishment of the “Digital Bay Area”.
Against this background, the PCPD is organising a seminar on “Cross-boundary Flow of Personal Information Within the Greater Bay Area”, at which the Government Chief Information Officer, Ir. Tong Wong, JP, will give an overview of the facilitation measure of the GBA Standard Contract (GBA SC), including the relevant filing requirements, and an update on the “early and pilot implementation” arrangement of the GBA SC. Privacy Commissioner Ms Ada Chung Lai-ling will explain the scope of application of the GBA SC and the obligations and responsibilities of contracting parties under it, and highlight the requirements under the PDPO for transferring personal data out of Hong Kong as well as the latest requirements under the Regulations on Facilitating and Regulating Cross-Border Data Flow issued by the CAC on 22 March 2024.
Enrolment is on a first-come-first-served basis.
Date: 9 April 2024 (Tuesday)
Time: 2:30 pm – 4:00 pm
Mode: Online / Face-to-face
(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)
Fee: $500 (Standard fee) / $400 (Discounted fee for PCPD’s Data Protection Officers’ Club members)
Language: Cantonese
Who should attend: Data protection professionals, legal practitioners, and all who are interested to learn about cross-boundary transfers of personal information
|
Professional Workshop on Data Protection in Property Management Practices
|
Property management practitioners often face challenges in personal data protection in their daily operations as many aspects of their work involve the collection and use of personal data of flat owners, residents, car park users and others. This workshop aims to assist property management practitioners in understanding the application of the PDPO in their daily work, and to provide practical guidance to the participants on how to comply with the requirements under the PDPO.
Date: 10 April 2024 (Wednesday)
Time: 2:15pm – 4:15pm
Mode: Online
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Property management personnel, data protection officers, compliance officers, solicitors, members of owners’ corporations
|
Professional Workshop on Personal Data Privacy Management Programme
|
With the ever-rising expectations of customers and stakeholders regarding organisations’ responsible use of personal data in recent years, personal data privacy protection should no longer be seen as purely a compliance issue. To build trust with customers and enhance their competitive and reputational advantages, organisations should develop and implement a comprehensive PMP to proactively embrace personal data privacy protection as part of their corporate governance responsibilities and apply it as a business imperative throughout the organisations. By attending this workshop, participants will understand the key components of a PMP, and learn how to continuously maintain and improve it for effective implementation in their organisations.
Date: 17 April 2024 (Wednesday)
Time: 2:15pm – 4:15pm
Mode: Face-to-face
Fee: $750/$600*
(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)
Language: Cantonese
Who should attend: Data protection officers, compliance professionals, company secretaries, solicitors, executives from business and public sectors, and those who are interested in keeping abreast of the data protection trend and best practices
|
Other Professional Workshops on Data Protection from May to June 2024:
|
Online Free Seminar – Introduction to the PDPO Seminar
|
The PCPD organises free introductory seminars regularly to raise public awareness and understanding of the PDPO. Details of the upcoming sessions are shown below:
|
Seminar Outline:
- A general introduction to the PDPO;
- The six Data Protection Principles;
- Offences and compensation;
- Direct marketing; and
- Q&A session.
|
Arrange an In-house Seminar for Your Organisation
|
Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.
The seminar outline is as follows:
- A general introduction to the PDPO;
- The six Data Protection Principles (industry-related cases will be illustrated);
- Data security management;
- Handling of data breach incidents;
- Direct marketing;
- Offences and compensation; and
- Q&A session.
Duration: 1.5 hours
|
APPLICATION / RENEWAL OF DPOC MEMBERSHIP
|
Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!
Special offer for organisational renewals:
Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450 starting from 1 April 2024).
Join us now to keep up-to-date with the latest news and legal developments!
|
The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.
|
|
Contact Us
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong
Tel: 2827 2827
If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
|
Copyright
Disclaimer
The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.
The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.
If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.