Hong Kong: PCPD reports on privacy implications of AI after inspections of 28 organizations

On February 21, 2024, the Office of the Privacy Commissioner for Personal Data (PCPD) announced that it had carried out compliance checks on 28 organizations from August 2023 to February 2024 to understand their practices in relation to the collection, use, and processing of personal data in the development or use of artificial intelligence (AI), as well as their AI governance structure.

What were the observations of the inspections?

The PCPD noted the following observations after the inspections, which covered various sectors, including telecommunications, finance and insurance, beauty services, retail, transportation, education, and government departments:

  • out of 21 organizations using AI in their daily operations:
    • 19 had established internal AI governance frameworks; and
    • 10 collected personal data through their AI products and services.
  • out of the 10 organizations that collected personal data through their AI products and services:
    • eight conducted privacy impact assessments prior to the development or use of AI products and services and specified retention periods for personal data;
    • all 10 implemented appropriate security measures; 
    • nine retained personal data collected through the AI products or services; and
    • one allowed data subjects to delete their personal data themselves.

What were the findings of the inspections?

The PCPD found no contraventions of the Personal Data (Privacy) Ordinance (PDPO) during the compliance check process, and noted that an increasing number of organizations are deploying AI to enhance their daily operational efficiency.

What were the PCPD's recommendations?

The PCPD recommended that organizations that develop or use AI should:

  • adopt measures to comply with the PDPO, as well as monitor and review AI systems on a continuing basis if the organization collects or processes personal data in the development or use of AI;
  • establish a strategy for the development or use of AI and an internal AI governance structure, and provide adequate training to all relevant personnel;
  • conduct a comprehensive risk assessment and a privacy impact assessment, to identify, analyze, and evaluate the risks, including privacy risks, in relation to the development or use of AI, and adopt appropriate risk management measures that are commensurate with the risks, for instance, by adopting a higher level of human oversight for an AI system with a higher risk profile; and
  • communicate and engage effectively with stakeholders to enhance transparency in the use of AI, and fine-tune AI systems in response to concerns raised by stakeholders.

The PCPD also reminded organizations that when developing or using AI-related products and services, they should consider the guidance it issued in August 2021 on the ethical development and use of AI.

You can read the press release here
