HK privacy watchdog unveils GenAI guidelines for employees

The guidelines have recommended that organisations, when developing internal policies on the use of Gen AI by employees, can specify the permitted Gen AI tools, which may include publicly available or internally developed Gen AI tools. Additionally, it can define the permissible purposes of use, such as drafting, summarising information and/or creating textual, audio and/or visual content; as well as the applicability of the policies or guidelines.

In terms of personal data privacy protection, organisations can provide clear instructions on the types and amounts of information that can be inputted into the GenAI tools, the permissible purposes for using the output information, the permissible storage of the output information the applicable data retention policy and other relevant internal policies to comply with.

Similarly, organisations can specify the types of devices on which employees are permitted to access GenAI tools and the categories of employees who are permitted to use GenAI tools, require employees to use robust user credentials, maintain stringent security settings in Gen AI tools, and report AI incidents according to the organisation’s AI incident response plan.

When it comes to lawful and ethical use and prevention of bias, organisations can specify that employees shall not use GenAI tools for unlawful or harmful activities, emphasise that employees are responsible for verifying the accuracy of AI-generated outputs through ways such as proofreading and fact-checking, and for correcting and reporting biased or discriminatory AI-generated outputs, as well as providing instructions on when and how to watermark or label AI-generated outputs.

Additionally, organisations should specify the possible consequences of employees’ violations of the policies or guidelines, and refer to the PCPD’s “Artificial Intelligence: Model personal data protection framework” for recommendations on establishing GenAI governance structure and measures.

Meanwhile, the guidelines have provided practical tips on supporting employees in using Gen AI tools, which include enhancing transparency of the policies or guidelines, providing training and resources for employees’ use of Gen AI tools, providing a support team, and establishing a feedback mechanism.

Privacy commissioner Ada Chung said: “AI security is one of the important aspects of national security. In the areas of technological innovation and industrial innovation, the Country has all along put equal emphasis on development and security. The necessity to continuously advance the ‘AI Plus’ (人工智能＋) initiative to unleash the creativity of the digital economy was specifically highlighted during the 2025 ‘two sessions’.”

“To implement the spirit of the ‘two sessions’ and the Hong Kong Innovation and Technology Development Blueprint (香港創新科技發展藍圖) promulgated by the government of Hong Kong, and to facilitate the safe and healthy development of AI in Hong Kong, the PCPD published the guidelines today,” Chung added.

William Wong, member of the PCPD’s standing committee on technological developments and the Legislative Council, said, “With the latest Budget proposing to develop AI fully, I believe that more and more organisations will integrate AI into their operational processes. The issuance of the Guidelines by the PCPD can help organisations and their employees use generative AI safely and protect personal data privacy, thereby fostering the safe application of AI across different sectors and accelerating the development of new quality productive forces.”

Don't miss: HK's privacy watchdog and HKPC launch data security training for SMEs

On the other hand, the PCPD has released its investigation report on the data breach incident that ImagineX reported on 31 May last year, which reported that ImagineX received a ransom note from a threat actor on 15 May 2024, who claimed to have stolen its data and threatened to sell the data.

The investigation found that on 4 May 2024, a threat actor compromised a temporary user account created by ImagineX on its firewall on 24 April 2024 for vendor remote support. By exploiting this account, the threat actor accessed ImagineX's network and moved laterally within the network, exploiting a vulnerability in an application server running an unsupported operating system to breach the domain controller and other servers with personal data. This incident led to the exfiltration of around 68GB of data from ImagineX's network, compromising four servers and five system accounts.

According to Chung, ImagineX had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use, thereby contravening Data Protection Principle 4(1) of the PDPO concerning the security of personal data. She has served an enforcement notice on ImagineX, directing it to take measures to remedy the contravention and prevent recurrence of similar contraventions in the future.

Join us this coming 17 June for #Content360 Hong Kong, an insightful one-day event centered around responsible AI, creativity VS influencers, Xiaohongshu and more. Let's dive into the art of curating content with creativity, critical thinking and confidence!

Related articles:

HK's privacy watchdog and HKPC launch data security training for SMEs
HK privacy watchdog uncovers security issues in Oxfam HK data leak
HK privacy watchdog warns URA over data leak of 199 tenants and owners