PCPD and HKPC Collaborate in Launching the “Data Security Training Series for SMEs” to Assist SMEs in Enhancing Data Security

In the digital era, the consequences of cyber attacks, which may result in the leakage of the personal data of customers and employees, financial loss, reputational damage and even legal consequences, can be devastating to businesses. The PCPD and the Hong Kong Productivity Council (HKPC) noted that small and medium-sized enterprises (SMEs) in particular are more vulnerable to cyber threats, as they often lack the resources and expertise in cyber security to protect themselves against cyber attacks. In view of this, the PCPD and the HKPC joined hands in launching the “Data Security Training Series for SMEs” (Training Series) starting from March 2025. The Training Series is free-of-charge and aims to assist SMEs in enhancing their data security. 
 
The Training Series consists of three seminars on different topics relating to data security, including strategies to prevent cyber attacks for SMEs, ways and means to handle a data breach incident and how to address the data security and privacy risks associated with AI. The first seminar, titled “Prevention of Cyber Attacks for SMEs” was successfully held on 20 March, attracting about 400 participants.

At the seminar, Privacy Commissioner Ms Ada CHUNG Lai-ling and the General Manager of the Digital Transformation Division of the HKPC Ir Alex CHAN shared with participants some real case examples of data breaches caused by cyber attacks in recent years and introduced practical measures to enhance SMEs’ cybersecurity capabilities.

Please click here for the Privacy Commissioner’s presentation deck (Chinese only).

Please click here for Ir Chan’s presentation deck (Chinese only).

Interested schools, NGOs and SMEs are welcome to obtain further information by emailing training@pcpd.org.hk. Registration closes on 30 April 2025. 

PRIVACY 101

Cloud Computing and Personal Data Privacy: Recommendations for Organisations

Cloud computing has become the backbone of modern business, with a growing trend for organisations to fully embrace cloud services for their operations. From small startups to global enterprises, organisations are increasingly shifting their operations to the cloud, driven by the need for flexibility, scalability, and innovation.

While organisations are recognising the business advantages of cloud computing, concerns regarding personal data privacy also arise, particularly in relation to the security of personal data entrusted to cloud service providers. As technologies and trends in cloud computing evolve, here are some recommended measures for organisations using cloud services to manage their responsibilities under the Personal Data (Privacy) Ordinance (PDPO) and enhance their protection of personal data privacy:

• Service and Deployment Models: Cloud service providers may update their cloud services from time to time to offer new features or configurations. Therefore, organisations should take note of such updates and take corresponding actions, including updating the relevant software and/or adjusting the appropriate configurations;
• Standard Services and Contracts: If the standard security level or the personal data protection commitment made by a cloud service provider fails to meet the organisation’s requirements, the organisation should request customised services from the provider and negotiate contract terms that meet such requirements. Organisations should also find ways (such as audit reports or declarations) to verify the data protection and security measures adopted by cloud service providers;
• Outsourcing Arrangements: If there is a sub-contracting arrangement, organisations should ensure that they obtain contractual assurance from the cloud service provider that the same level of protection and compliance controls are applicable to their sub-contractors;
• Logging: Retain the audit trails provided by cloud service providers and review the logs regularly to detect abnormal activities;
• Appropriate User Configuration: Organisations should thoroughly understand the functions of the configurations and ensure that their access to cloud services is correctly configured with reference to individual use cases;
• Encryption in Transit and at Rest: Personal data should be encrypted when stored on the cloud, and organisations may wish to choose cloud service providers that offer encryption at rest in their services.

Additionally, organisations should enable multi-factor authentication and ensure that there are provisions in the contract requiring the erasure or return of personal data held by the cloud service provider to the organisation upon the organisation’s request, or upon completion or termination of contract.

To learn more about these recommended measures, please refer to the new “Guidance on Cloud Computing”.

PRIVACY COMMISSIONER’S FINDINGS

Advisable to Delete Data after Trying Out Smart Products

The Complaint

The complainant tried out a smart phone at a telecommunications company. During the trial, she logged into her cloud storage account on the trial phone for a short period. A few months later, the complainant received a call from an unknown person, informing her that he was able to access her personal data in her cloud storage account via his own account. Concerned about the security vulnerabilities of the cloud storage service, the complainant made a complaint to the PCPD.

Outcome

The investigation revealed that although the complainant had logged out of her cloud storage account after trying out the smart phone, she did not delete the data synchronised to the trial phone (i.e. the data which had been automatically downloaded from the complainant’s cloud storage to the trial phone after she had logged into her cloud storage account) before logging out.

Later, the unknown person visited the same store and tried out the same trial phone. During the trial, he also used the trial phone to log into his cloud storage account. As a result, the complainant’s data, which had been synchronised to the trial phone earlier, was then synchronised to the person’s cloud storage account.

The PCPD considered that this incident was not caused by any security vulnerabilities in the cloud storage service, but rather by the complainant’s ignorance of the data synchronisation between her cloud storage account and the trial phone.

The PCPD therefore sent a letter to the company, suggesting it to remind its customers (by posting notices or otherwise) not to use their online service accounts when trying out devices, and to ensure that data downloaded to the relevant device is deleted before leaving.

Lessons Learnt

When trying or borrowing devices like smart phones, tablets, and computers, users should be mindful of the privacy risks associated with using the devices to log into their own online service accounts (in particular accounts concerning online banking, email, cloud storage, online shopping, social networking sites, and photo albums). Customers are also reminded to delete all data downloaded to the trial devices during the trial to prevent leaving any digital footprints.

TECH TALK

Smart Tips for Protecting Your Personal Data in the Cloud

Cloud computing has become an integral part of our everyday lives. From sharing photographs to internet banking, online shopping, and video streaming, cloud services underpin many of our online activities. With just a mobile phone or a computer that connects to the internet, you can access these services anytime, anywhere. However, as we embrace the convenience of cloud computing, it is also essential to understand how to use it safely and responsibly to protect our personal data.

Here are some smart tips for the general public to consider when using cloud services:

• Choose Reliable Service Providers:  Select providers with a good reputation, particularly those supported by an independent information security management certification;
• Use Strong Passwords and Multi-factor Authentication:  Ensure your passwords are complex and unique, and enable multi-factor authentication for added security;
• Pay Attention to the Terms of Service and Security and Privacy Policies: Always read the terms of service and security and privacy policies to understand how your data will be used and protected;
• Physically Secure Your Access Device: Keep your devices secure, as hackers can access cloud platforms from them;
• Use Encryption:  Protect stored data with encryption and ensure that communication channels are also encrypted; and
• Avoid Uploading Sensitive Data: Do not upload sensitive data to the cloud. 

WHAT’S ON

Reaching Out to the Community – Privacy Commissioner Attends the Dinner Reception of Zonta Club of Kowloon and Shares Anti-fraud Tips

Privacy Commissioner Ms Ada CHUNG Lai-ling attended the dinner reception of the Zonta Club of Kowloon on 25 March to meet with members of the organisation.
 
At the event, the Privacy Commissioner shared some examples of real fraud cases and provided practical tips to the Zontians on protecting personal data when using instant messaging applications, social media, and smartphones.
 
Founded in 1977, the Zonta Club of Kowloon is a member of Zonta International. It partners with various organisations to assist women in distress, the disabled, and the underprivileged, as well as to improve the status of women worldwide.

Telling a Good Hong Kong Story – Privacy Commissioner Meets with Chief Executive of Singapore Academy of Law

The Chief Executive of the Singapore Academy of Law and the former Deputy Commissioner of the Personal Data Protection Commission of Singapore Mr YEONG Zee-kin visited the PCPD on 18 March and met with Privacy Commissioner Ms Ada CHUNG Lai-ling and representatives of the PCPD.

During the meeting, the Privacy Commissioner and Mr Yeong discussed a wide range of topical personal data privacy issues, particularly in the light of the challenges posed by emerging technologies such as artificial intelligence (AI). They also shared the respective work of the PCPD and the Singapore Academy of Law, with a view to fostering the connection and cooperation between the two organisations.

Administrative Appeals Board Dismisses EC Healthcare’s Appeal

The Administrative Appeals Board (AAB) earlier dismissed the appeal lodged by EC Healthcare against the decision of the Privacy Commissioner to serve an enforcement notice. 
 
In dismissing all 3 grounds of appeal raised by EC Healthcare, the AAB upheld the Privacy Commissioner’s findings that EC Healthcare had contravened the requirements of Data Protection Principle (DPP) 3 of the PDPO by sharing the personal data of the clients of two of its brands, namely, Primecare Paediatric Wellness Centre (Primecare) and New York Medical Group (NYMG) with other brands under EC Healthcare.
 
The AAB agreed with the Privacy Commissioner’s finding that frontline staff of EC Healthcare’s brands were able to use and make cross-brand access to clients’ personal data in EC Healthcare’s integrated system. The AAB stressed that personal data collected by Primecare or NYMG was intended for the provision of services by those brands only but not by other brands within the same field of services or within the same group company. The Personal Information Collection Statement of EC Healthcare, which permitted access of personal data across different brands, would only apply to new customers who consented to the Statement, but not personal data collected by the companies concerned before they were acquired by EC Healthcare.
 
The AAB also rejected EC Healthcare’s allegations of procedural irregularities. It was observed that by providing EC Healthcare with the relevant parts of the draft investigation report in advance, the Privacy Commissioner had already done more than what was required under the PDPO. 

Please click here to view “Decision of the AAB”: 
https://www.pcpd.org.hk/english/enforcement/decisions/files/AAB_46_2022.pdf

Raising Public Awareness to Combat Fraud – PCPD Organises a Seminar on “Protecting Personal Data to Prevent Fraud”

The PCPD organised a seminar on “Protecting Personal Data to Prevent Fraud” on 11 March, which attracted over 740 participants.
 
At the seminar, Privacy Commissioner Ms Ada CHUNG Lai-ling shared with the participants some practical tips on protecting personal data when they use instant messaging applications, social media and  smartphones. Mr Andy LAU, Senior Inspector of Police, Anti-Deception Coordination Centre (ADCC) (Publicity) of the Commercial Crime Bureau of the Hong Kong Police Force, also spoke as a guest speaker on the latest trends of scams, using real cases as examples.
 
Please click here for the Privacy Commissioner’s presentation deck (Chinese only).
Please click here for Inspector LAU’s presentation deck (Chinese only).

Reaching Out to University – PCPD’s Representative Shares Fraud Prevention Tips with Students of the Hong Kong Baptist University 

The PCPD organised a seminar titled “Beware of Scams: Protect Your Personal Data” for students at Hong Kong Baptist University on 24 March.
 
During the seminar, Ms Phoebe CHOW, Head of Corporate Communications of the PCPD, shared the latest trends in scams using real cases as examples. She also provided practical tips to students on protecting personal data privacy when using smartphones, instant messaging software, and social media.

Reaching Out to the Media Sector – PCPD and HKBU Co-organise a Seminar

The PCPD and the Institute for Journalism and Society of the School of Communication of the Hong Kong Baptist University (HKBU) co-organised a seminar on 18 March. The seminar, entitled “Challenges for the Media – How to Safeguard Personal Data Privacy in the Digital Era”, explored the challenges on the protection of privacy faced by media practitioners.  
 
During the seminar, Ms Stephanie CHAU, Legal Counsel of the PCPD, shared with the participants the privacy issues encountered in media work in the digital era, how to protect personal data privacy on social media and the privacy risks associated with the use of AI.

Please click here to download the presentation deck.

Triumph in Competition – PCPD Awarded Champion of Corporate Games 2025 Distance Run Competition

Ten staff members of the PCPD participated in the Corporate Games 2025 Distance Run Competition on 9 March. The PCPD won the Men’s Open Group B Team Champion, with Personal Data Assistant (Compliance) Mr Lester CHAN Cheuk-yin and Assistant Personal Data Officer (Complaints) Mr Jason LAU Cham-ching being the Men’s Open Group B Individual Champion and 2^nd Runner-up respectively!

The biennial Corporate Games organised by the Leisure and Cultural Services Department are a major multi-sport event for employees of private and public sector organisations. The event aims to encourage the working population to exercise regularly in order to stay healthy and fit to cope with the challenges at work. It also fosters team spirit through participation in competitions, thereby promoting “Sport for All” and conveying the message of the benefits of exercise for the body and mind.

Reaching Out to Schools – PCPD’s Representative Speaks at HKASM’s Cybersecurity Seminar

Senior Personal Data Officer (Information Technology) of the PCPD Mr William CHAN spoke at a Cybersecurity Seminar organised by the Hong Kong Academy of School Managers (HKASM). The seminar, titled “Cybersecurity: Addressing Cyber Crime and Protecting Privacy”, was held on 28 February.
 
At the seminar, Mr Chan shared with the participants examples of data breach cases involving the education sector, and explained the key points to prevent and handle data breach incidents.
 
Please click here for the presentation deck (Chinese only).

Promoting AI Security – Assistant Privacy Commissioner Joins Panel Discussion at AI STR (Safety, Trust, Responsibility) Forum

The Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs and Research) of the PCPD Ms Joanne WONG attended Artificial Intelligence Safety, Trust, and Responsibility Forum (AI STR Forum) on 27 February.
 
Ms WONG spoke as a panellist at a session titled “Balancing Innovation and Risk in the AI Era”, where she introduced the work of the PCPD in facilitating organisations to strike a balance between innovation and ensuring personal data privacy protection. She also recommended organisations to refer to the various guidelines published by the PCPD, including the “Artificial Intelligence: Model Personal Data Protection Framework” published in 2024, for recommendations and best practices on AI governance.

The AI STR Forum was a Hong Kong subforum of the AI Action Summit 2025 that took place in Paris, France. The Forum was co-organised by World Digital Technology Academy, International Academicians Science & Technology Innovation Centre and Cyberport.

Raising Public Awareness of Fraud Prevention – PCPD Launches a New Anti-fraud Promotional Poster

Starting from 2023, the PCPD has launched a series of anti-fraud publicity activities under the theme of “Don’t Hand Over Your Personal Data – Beware of Fraudsters”, which included broadcasting promotional videos, distributing promotional posters, organising thematic seminars, etc., with a view to raising public awareness of fraud prevention.

In view of the ever-evolving deceptive tactics and the emergence of different kinds of fraud cases, the PCPD has launched a new anti-fraud promotional poster with the theme of “Too good to be true?” to remind members of the public that there is no “free lunch”, and the public should stay vigilant against fraud. The poster is now displayed at bus shelters and on the PCPD’s website.

“Don’t Hand over Your Personal Data – Beware of Fraudsters”! Click here to watch the PCPD’s anti-fraud videos (Chinese only).

MEDIA STATEMENT

A Male Arrested for Suspected Doxxing Arising from a Friend’s Monetary Disputes

The PCPD arrested a Chinese male aged 73 on Hong Kong Island on 24 March. The arrested person was suspected to have disclosed the personal data of a data subject without the latter’s consent, in contravention of section 64(3A) of the PDPO.

The PCPD’s investigation revealed that the victim and the arrested person became acquainted through business dealings. Since 2022, business disputes arose between the victim and a business partner, with both litigating against the other for compensation. In January 2025, the victim’s wife received messages from an instant messaging application, stating that the disputes would be escalated, with banners openly displayed. Soon after, the victim’s wife saw someone displaying a banner containing the victim’s personal data in the residential estate where the victim and his wife resided, alongside some negative comments against the victim. The personal data disclosed included the victim’s Chinese name, address and photo.

The PCPD reminds members of the public that they should not dox others because of monetary disputes. Doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.

  
Relevant Provisions under the PDPO

Pursuant to section 64(3A) of the PDPO, a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject —

1. With an intent to cause any specified harm to the data subject or any family member of the data subject; or
2. Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.

A person who commits an offence under section 64(3A) is liable on conviction to a fine of $100,000 and imprisonment for two years.

Pursuant to section 64(3C) of the PDPO, a person commits an offence if —

1. The person discloses any personal data of a data subject without the relevant consent of the data subject—
   1. With an intent to cause any specified harm to the data subject or any family member of the data subject; or
   2. Being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject; and
2. The disclosure causes any specified harm to the data subject or any family member of the data subject.

A person who commits an offence under section 64(3C) is liable on conviction on indictment to a fine of $1,000,000 and imprisonment for five years.

According to section 64(6) of the PDPO, specified harm in relation to a person means —

1. Harassment, molestation, pestering, threat or intimidation to the person;
2. Bodily harm or psychological harm to the person;
3. Harm causing the person reasonably to be concerned for the person’s safety or well-being; or
4. Damage to the property of the person.

Privacy Commissioner Ms Ada CHUNG Lai-ling Expresses Condolences for the Passing of Former Privacy Commissioner Mr Roderick WOO Bun

Privacy Commissioner Ms Ada CHUNG Lai-ling and colleagues of the PCPD expressed deepest sorrow over the passing of the former Privacy Commissioner Mr Roderick WOO Bun, JP.
 
Mr Woo was appointed as the Privacy Commissioner from 2005 to 2010 and served as the President of the Law Society of Hong Kong from 1993 to 1996. In 2014, he was admitted to the Law Society of Hong Kong’s Roll of Honour.

PCPD Publishes Investigation Findings on the Data Breach Incident of the Companies Registry and Commenced Compliance Check regarding Deliveroo’s Cessation of Operations in Hong Kong

On completion of its investigation into the data breach incident of the Companies Registry (the Registry), the PCPD published the investigation findings on 12 March.
 
The investigation arose from a data breach notification submitted by the Registry to the PCPD on 19 April 2024, reporting the risk of personal data leakage identified in the e-Search Services of the e-Services Portal (the Incident).
 
Background
 
On 27 December 2023, the Registry launched its fully revamped “Integrated Companies Registry Information System” (the relevant system) together with the “e-Services Portal” to provide users with electronic search and document submission services. Subsequently, during routine work on 18 April 2024, the Registry discovered that the e-Search Services of the “e-Services Portal” transmitted additional personal data to searchers’ computers, other than the relevant search information. However, the personal data concerned was not directly displayed on the search result pages, searchers needed to open the web developer tool¹, which was rarely used by general users, on the search result pages, used the search function within different panels of the web developer tool and entered part of the personal data concerned (such as partial HKID Card Numbers) to locate the “additional” personal data. Furthermore, searchers could also access some of the “additional” personal data using robotic search². In addition, the same issue was also identified in the electronic submission of notices relating to the third parties appointed by licensed money lenders.
 
Investigation Findings
 
The PCPD conducted four rounds of enquiries with the Registry and approached the contractor engaged by the Registry for the revamp of the relevant system (the Contractor) twice to obtain information regarding the Incident. The PCPD also reviewed over 1,500 pages of documents provided by the Registry, including the service contract between the Registry and the Contractor, and design and test reports of the relevant system, etc. The PCPD thanked the Registry and the Contractor for their cooperation and the provision of the information requested in the investigation.
 
According to the information provided by the Registry and the Contractor, the Incident stemmed from the use of common modules (常用模組) in designing the affected functions of the relevant system without removing excessive data fields, which resulted in the transmission of “additional” personal data to searchers’ computer. The investigation revealed that this issue had been present since the launch of the relevant system (i.e. 27 December 2023). However, the “additional” information concerned was not directly displayed on the search result pages, and there was no evidence to suggest that the “additional” personal data was subject to any unauthorised or accidental access.
 
A total of 109,002 individuals might have been affected by the Incident. The personal data involved included the HKID Card numbers, passport numbers and/or usual residential addresses (URAs) of 108,575 directors of companies; the HKID Card numbers and/or passport numbers of 217 disqualified persons, applicants of money lenders, and third parties appointed by licensed money lenders; and the names, telephone numbers and/or email addresses of 210 contact persons of money lenders. The investigation revealed that nearly 90% of the personal data involved, including the personal data of directors of companies, was available for inspection in the images of documents registered with the Registry.
 
In the aftermath of the Incident, the Registry has notified all individuals who might have been affected by the Incident, immediately rectified the relevant system design, engaged an independent third party to conduct a comprehensive review of the relevant system and took remedial actions to prevent recurrence of similar incident.
 
Having considered the circumstances of the Incident and the information obtained during the investigation, the PCPD’s observations regarding the Incident are as follows:

1. The Registry implemented a series of security measures in the revamp of the relevant system: In engaging the Contractor to revamp the relevant system, the Registry had adopted contractual means to require the Contractor to design the system in a privacy-sensitive manner and adhere to the relevant standards and guidelines issued by the Government when designing the system. Additionally, the service contract specified the minimum qualification requirements for project team members. Before the rollout of the relevant system, both the Registry and the Contractor conducted a series of tests and assessments, including user acceptance tests and privacy impact assessments. The Contractor also conducted a total of four additional code reviews, and the results of the code reviews were verified by the Registry. Overall, the PCPD considered that the Registry had taken a series of security measures in the revamp of the relevant system.
   
   
2. The risk of unauthorised or accidental access to the affected personal data is relatively low: The PCPD noted that the “additional” personal data involved was not directly displayed on the search result pages. Searchers needed to take additional steps or procedures through tools such as web developer tool or robotic search to access the relevant data. Furthermore, there is also no evidence to suggest that any “additional” personal data had been subject to improper access. In view of the above, the probability and risk of unauthorised or accidental access to the personal data involved is considered to be relatively low.

DPP 4(1) of Schedule 1 to the PDPO requires a data user to take all practicable steps to ensure that personal data held by the data user is protected against unauthorised or accidental access, processing, erasure, loss or use.
 
The PCPD’s investigation revealed that there is no evidence to suggest that the “additional” personal data had been subject to any unauthorised or accidental access. Based on the information obtained during the investigation and the relevant facts, the PCPD noted that the Registry implemented a series of security measures in the revamp of the relevant system, which included incorporating contractual requirements on the security measures that should be taken by the Contractor in the revamp of the relevant system, the tests and assessments conducted by both the Registry and the Contractor prior to the launch of the relevant system, as well as the additional code reviews.
 
Based on the above findings, the PCPD considered that there is insufficient evidence to suggest that the Registry failed to take all practicable steps to safeguard the personal data held by it during the process of revamp of the relevant system which amounts to contravention of DPP 4(1). Notwithstanding the above, in light of the fact that there was indeed a risk of personal data leakage associated with the relevant system, the PCPD provided advice to the Registry to conduct regular and thorough reviews on any systems containing personal data to ensure that they are free from other system design and security vulnerabilities.
 
Given that Privacy Commissioner Ms Ada CHUNG Lai-ling was appointed as the Registrar of Companies before September 2020, Ms CHUNG was not involved in this investigation to avoid any possible conflict. This investigation was led and conducted by the Assistant Privacy Commissioner for Personal Data (Legal) (Acting) Ms Fiona LAI Ho-yan and Chief Personal Data Officer (Compliance & Enquiries) Mr Brad KWOK Ching-hei.
 
Commenced Compliance Check against Deliveroo
 
In addition, takeaway delivery platform Deliveroo recently announced that it would be ceasing its operations in Hong Kong, which may affect the personal data privacy rights of its customers and delivery riders. The PCPD has commenced a compliance check against Deliveroo in accordance with established procedures to gather more information, with a view to assisting the relevant merchants, including the operator taking over the business, in handling, deleting or transferring the personal data of customers and delivery riders in compliance with the requirements of the PDPO. The compliance check has been commenced to ensure that the personal data concerned would not be misused, leaked or fallen into the hands of fraudsters for fraudulent activities. The PCPD appeals to the affected customers and delivery riders to make enquiries with the relevant merchants or the PCPD (telephone: 2827 2827 or email: communications@pcpd.org.hk) if they are concerned about how the merchants handle their personal data.

¹ A web developer tool is a test tool built into the browser for use by web developers. For example, for general users using the Google Chrome browser, pressing the F12 key will open the developer tools interface.

² A robotic search refers to a search request issued by a computer programme.

A Female Arrested for Suspected Doxxing Arising from Online Shopping Dispute

The PCPD arrested a Chinese female aged 31 in the New Territories on 10 March. The arrested person was suspected to have disclosed the personal data of a customer without her consent, in contravention of section 64(3A) of the PDPO.
 
The PCPD’s investigation revealed that the victim purchased beauty products from an online platform (the Platform) in November 2024 and received a parcel (the Parcel) from the Shop a few days later. However, instead of the products she ordered, the Parcel contained pieces of jewelleries. Thereafter, the victim received messages sent through an instant messaging application demanding her to return the Parcel; otherwise, the incident would be disclosed on a social media platform.
 
On the following two days, a total of seven posts containing the personal data of the victim were posted on the Platform’s social media account, alongside some negative comments against her. Some of the posts also offered monetary reward to netizens who could provide more personal data of the victim or forward the relevant posts. The personal data disclosed included the victim’s English name, date of birth, mobile phone number, usernames of two of her social media accounts, the district and the name of the building where she resides, the name of the secondary school that she attended, and her photos.
 
The PCPD reminds members of the public that they should not dox others because of monetary disputes. Doxxing is a serious offence and the offender is liable on conviction to a fine up to $1,000,000 and imprisonment for five years.

MAINLAND CORNER

Highlights of the “Measures for the Management of Personal Information Protection Compliance Audits” 

《個人信息保護合規審計管理辦法》的重點

While the requirements for personal information protection compliance audits (compliance audits) are outlined in existing regulations such as the Personal Information Protection Law and the Regulations on Network Data Security Management, the specific requirements have not yet been provided. On 14 February 2025, the Cyberspace Administration of China issued the “Measures for the Management of Personal Information Protection Compliance Audits” (Measures), providing detailed requirements regarding the obligations of personal information processors and professional institutions as well as the key items to review in compliance audits. The Measures will become effective on 1 May 2025. This article provides an overview of the Measures.

內地現有的法規，包括《個人信息保護法》¹及《網絡數據安全管理條例》²等均有提及關於個人信息保護合規審計（合規審計）的規定，但並未提供相關細節的具體要求。國家互聯網信息辦公室於2025年2月14日發出《個人信息保護合規審計管理辦法》（《辦法》）³，該《辦法》針對個人信息處理者和專業機構在合規審計中的義務，以及合規審計的重點審查事項，提供詳細要求。《辦法》將會自2025年5月1日實施，重點摘錄如下：

定義及適用對象

合規審計是指對個人信息處理者的個人信息處理活動是否遵守法律、行政法規的情況進行審查和評價的監督活動⁴。《辦法》適用於中國境內開展的合規審計⁵，但不適用於國家機關和法律、法規授權的具有管理公共事務職能的組織的合規審計⁶。

合規審計的種類及相關要求

綜合《個人信息保護法》及《網絡數據安全管理條例》的相關條文，合規審計可分為兩類：

• 定期審計：個人信息處理者⁷及網絡數據處理者⁸應當定期對其處理個人信息遵守法律、行政法規的情況進行合規審計。
• 外部審計：履行個人信息保護職責的部門（保護部門）發現個人信息處理活動存在較大風險或者發生個人信息安全事件的，可以要求個人信息處理者委託專業機構進行合規審計⁹。

定期審計

《辦法》釐清了定期審計的頻率要求，規定處理超過1,000萬人個人信息的個人信息處理者應當每兩年至少開展一次合規審計¹⁰。《辦法》亦明確指出定期審計可由個人信息處理者內部機構或者委託專業機構進行¹¹。

外部審計

《辦法》進一步說明觸發外部審計的條件，例如上述「發生個人信息安全事件」是指「導致100萬人以上個人信息或者10萬人以上敏感個人信息洩露、篡改、丟失、毀損」的情形¹²。

《辦法》亦對開展外部合規審計的個人信息處理者提出更詳細要求，包括：

• 按保護部門要求選定專業機構，在限定時間內完成合規審計，並將合規審計報告報送保護部門¹³。
• 按保護部門要求對合規審計中發現的問題進行整改，並在整改完成後15個工作日內，向保護部門報送整改情況報告¹⁴。
  
  

《辦法》對個人信息處理者的其他要求¹⁵

《辦法》規定，處理100萬人以上個人信息的個人信息處理者應當指定個人信息保護負責人，負責合規審計工作。而提供重要互聯網平台服務、用戶數量巨大、業務類型複雜的個人信息處理者，應當成立主要由外部成員組成的獨立機構對合規審計情況進行監督。

《辦法》對專業機構的重點要求

《辦法》對專業機構提出多項要求，包括：

• 在合規審計中獲得的個人信息、商業秘密等應當依法予以保密，並在合規審計工作結束後及時刪除相關信息¹⁶。
• 應當具備開展合規審計的能力，有與服務相適應的審計人員、場所、設施和資金等。《辦法》亦鼓勵專業機構通過認證¹⁷。

《個人信息保護合規審計指引》

《辦法》附有《個人信息保護合規審計指引》（《指引》），列出一系列合規審計中應重點審查的事項。《辦法》明確指出，個人信息處理者無論是進行定期審計或外部審計，都應參照《指引》的要求¹⁸。

總結

《辦法》清晰且全面地規定了合規審計的實施方式。個人信息處理者宜細閱《辦法》及《指引》，以妥善進行合規審計工作。

¹ 全文： https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm

² 全文： https://www.gov.cn/zhengce/content/202409/content_6977766.htm

³ 全文： https://www.cac.gov.cn/2025-02/14/c_1741233507681519.htm

⁴《辦法》第二條。

⁵《辦法》第二條。

⁶《辦法》第十九條。

⁷《個人信息保護法》第五十四條。

⁸《網絡數據安全管理條例》第二十七條。

⁹《個保法》第六十四條。

¹⁰《辦法》第四條。

¹¹《辦法》第三條。

¹²《辦法》第五條。

¹³《辦法》第九至十條。

¹⁴《辦法》第十一條。

¹⁵《辦法》第十二條。

¹⁶《辦法》第十三條。

¹⁷《辦法》第七條。

¹⁸《辦法》第六條。

RECOMMENDED TRAININGS

Professional Workshop on Data Protection in Property Management Practices

Property management practitioners often face challenges in personal data protection in their daily operations as many aspects of their work involve the collection and use of personal data of flat owners, residents, car park users and others. This workshop aims to assist property management practitioners in understanding the application of the PDPO in their daily work, and to provide practical guidance to the participants on how to comply with the requirements under the PDPO. 

Date: 2 April 2025 (Wednesday)

Time: 2:15pm – 4:15pm

Mode: Face-to-face
(Physical venue: Lecture Room, the PCPD’s Office, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong)

Fee: $750/$600*

(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: Property management personnel, data protection officers, compliance officers, solicitors, members of owner’s corporation

Practical Workshop on Data Protection Law

With the growing public awareness of and expectations for the protection of personal data privacy, it has become a norm for organisations to incorporate personal data privacy protection as part of their corporate governance responsibilities to gain customers’ trust and confidence. 

This workshop will examine the practical application of the PDPO at work by the sharing of real-life cases and providing practical advice. This workshop is particularly suitable for barristers, solicitors, in-house legal counsels, data protection officers and compliance officers.

Date: 9 April 2025 (Wednesday)

Time: 2:15pm – 5:15pm

Mode: Online

Fee: $950/$760*

(*Members of the DPOC and the supporting organisations may enjoy the discounted fee)

Language: Cantonese

Who should attend: Solicitors, barristers, in-house legal counsels, data protection officers, compliance officers

New Series of Professional Workshops on Data Protection from May to Jun 2025:

Online Free Seminars – Introduction to the PDPO Seminar

The PCPD organises free introductory seminars regularly to raise public awareness and their understanding of the PDPO. Details of the upcoming sessions are shown below: 

Seminar Outline:

• A general introduction to the PDPO;
• The six Data Protection Principles;
• Offences and compensation;
• Direct marketing; and
• Q&A session. 

Arrange an In-house Seminar for Your Organisation 

Teaching employees how to protect personal data privacy is increasingly recognised as an important part of employee training. If you wish to arrange an in-house seminar for your organisation to learn more about the PDPO and data privacy protection, you can make a request for an in-house seminar via our online form.

The seminar outline is as follows:

• A general introduction to the PDPO;
• The six Data Protection Principles (industry-related cases will be illustrated);
• Data security management;
• Handling of data breach incidents;
• Direct marketing;
• Offences and compensation; and
• Q&A session.

Duration: 1.5 hours

APPLICATION / RENEWAL OF DPOC MEMBERSHIP

Apply or renew your DPOC membership today and enjoy privileged access to course enrolments throughout the year!

Special Offer for Organisational Renewals:

Organisations can join the 2-for-1 scheme, which enables you to receive two memberships for the price of one annual fee (HK$450).

Join us now to keep up-to-date with the latest news and legal developments!

SUGGESTION BOX

The PCPD values the opinions of all our DPOC members. We love to hear your ideas and suggestions on what privacy topics you would like to learn more about. Email your thoughts to us at dpoc@pcpd.org.hk and we shall include the most popular topics in our future e-newsletters.

Contact Us

Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wanchai, Hong Kong

Tel: 2827 2827

If you do not wish to receive the PCPD e-Newsletter, please click here to unsubscribe.
 

Copyright

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not serve as an exhaustive guide to the application of the law. The Privacy Commissioner makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. This publication also contains information or suggestions contributed by others, whose views or opinions are solely those of the contributors and do not necessarily reflect or represent those of the Privacy Commissioner. All information and suggestions provided in this publication will not affect the functions and powers conferred upon the Privacy Commissioner under the Personal Data (Privacy) Ordinance.

The PCPD shall not be liable for any damages (including but not limited to damages for loss of business or loss of profits) arising in contract, tort or otherwise from (i) the use of or inability to use this publication or its content, or (ii) from any action taken or decision made on the basis of the content of this publication.

If you click any hyperlink in this publication that brings you to sites operated by other organisations, the PCPD accepts no responsibility for the contents of those sites and shall not be liable for any loss or damage arising out of and/or incidental to the use of the contents.