Hong Kong privacy watchdog issues guidelines as AI gains popularity in market

share on

twitter /
facebook /
linkedin /
- email
- telegram
- whatsapp
- wechat
- pinterest
- line
- snapchat
- reddit

Hong Kong’s office of the Privacy Commissioner for Personal Data (PCPD) has issued the “Guidance on the Ethical Development and Use of Artificial Intelligence” (Guidance) to help organisations understand and comply with the relevant requirements of the Personal Data (Privacy) Ordinance (PDPO) when they develop or use AI. According to the PCPD office, Artificial intelligence (AI) has huge potential in boosting productivity and economic growth, but at the same time, its raises privacy and ethical risks as it gains popularity in Hong Kong.

The Privacy Commissioner for Personal Data (Privacy Commissioner), Ada Chung Lai-ling, said, “Hong Kong is dedicated to becoming a data hub for the Greater Bay Area and the Asia Pacific region. In line with the outline development plan for the Guangdong-Hong Kong-Macao Greater Bay Area, the healthy development and use of AI can help Hong Kong exploit its advantages as a regional data hub, as well as empower Hong Kong to become an innovation and technology hub and a world-class smart city.”

The Guidance recommends that organisations embrace three fundamental data stewardship values when they develop and use AI, namely, being respectful, beneficial and fair to stakeholders. In line with international standards, the Guidance sets out the following seven ethical principles for AI:

Accountability – Organisations should be responsible for what they do and be able to provide sound justifications for their actions;

Human Oversight – Organisations should ensure that appropriate human oversight is in place for the operation of AI;

Transparency and Interpretability – Organisations should disclose their use of AI and relevant policies while striving to improve the interpretability of automated decisions and decisions made with the assistance of AI;

Data Privacy – Effective data governance should be put in place;

Fairness – Organisations should avoid bias and discrimination in the use of AI;

Beneficial AI – Organisations should use AI in a way that provides benefits and minimises harm to stakeholders; and

Reliability, Robustness and Security – Organisations should ensure that AI systems operate reliably, can handle errors and are protected against attacks.

The Guidance also provides a set of practice guide, structured in accordance with general business processes, to assist organisations in managing their AI systems. The practice guide covers four main areas:

Establish AI strategy and governance;
Conduct risk assessment and human oversight;
Execute development of AI models and management of overall AI Systems; and
Foster communication and engagement with stakeholders.

The PCPD also released an inspection report on the customers’ personal data systems of CLP Power Hong Kong (CLP) and The Hongkong Electric Company (HKE). The findings revealed that both CLP and HKE had implemented a personal data privacy management programme and had adopted good practices. The security measures adopted by the two companies regarding their customers’ personal data systems conformed with international standards and were found to be satisfactory.

The Privacy Commissioner said, “The PCPD is committed to monitoring and supervising compliance with the provisions of the PDPO, including exercising the power under section 36 of the PDPO to carry out site inspections of the data systems of organisations which handle vast amounts of personal data.”

“Depending on the facts of individual cases, the PCPD will give advice to the organisation concerned to strengthen the protection of customers’ personal data privacy, including the implementation of effective measures to prevent the improper use of customers’ personal data by staff for doxxing or other unauthorised or illegal purposes,” he said.

Through the findings of the inspection, the Privacy Commissioner would like to make the following nine recommendations to public utility companies and organisations which handle vast amounts of customers’ personal data: