The Office of the Privacy Commissioner for Personal Data (PCPD) has released a new set of guidelines to help organisations in Hong Kong manage the use of generative AI (Gen AI) while ensuring data privacy and security. The guidelines outline key areas organisations should address, including specifying which Gen AI tools employees can use.
The Checklist on Guidelines for the Use of Generative AI by Employees aims to assist businesses in developing internal policies that comply with the Personal Data (Privacy) Ordinance (PDPO) and promote responsible AI usage.
The new guidelines define permissible purposes, such as content creation or summarisation, and ensure compliance with internal data protection policies. Clear instructions must be provided on data input limitations, acceptable storage methods, and retention policies to prevent privacy breaches. Employees are also responsible for verifying AI-generated content to correct inaccuracies and address biases.
To enhance security, the guidelines recommend restricting Gen AI access to authorised employees using employer-provided devices and enforcing strong user authentication. Organisations must also establish an AI Incident Response Plan to manage potential risks, such as data breaches or unlawful AI-generated outputs.
Additionally, businesses are encouraged to train employees on AI usage, set up a dedicated support team, and implement feedback mechanisms to refine policies. These measures aim to ensure the ethical and lawful use of AI while fostering innovation in Hong Kong’s evolving digital landscape. With AI adoption on the rise, these guidelines serve as a crucial framework for responsible implementation across industries.