AI Sigil Logo
Contact Us
Back to all insights
A magnifying glass highlighting the importance of scrutiny and oversight in AI applications.

Sections

AI Governance Guidelines for Organizations in Hong Kong

AI Governance: Practical Guidance from Hong Kong Privacy Commissioner for Personal Data

Introduction

Artificial Intelligence (AI) tools have become increasingly prevalent across various industries in Hong Kong. According to the Office of the Privacy Commissioner for Personal Data (PCPD), a compliance check conducted in May 2025 revealed that 80% of organizations (48 out of 60) reported incorporating AI into their daily operations.

In light of this widespread adoption, the PCPD has issued new practical guidance to help organizations establish effective internal policies that address the unique risks and challenges associated with AI usage. Organizations are encouraged to refer to the earlier published Checklist on Guidelines for the Use of Generative AI by Employees to assist in this process.

Key Areas for Developing Internal AI Policies

The PCPD recommends that organizations focus on the following critical areas when formulating their internal AI policies:

Scope of Permissible Use

Organizations should clearly define which Generative AI (Gen AI) tools are approved for use and specify the permitted use cases, such as drafting documents or creating content. It is essential to clarify to whom the policy applies, whether to all employees or limited to specific departments.

Protection of Personal Data Privacy

The internal AI policy must provide explicit guidance on the inputs and outputs of Gen AI tools. This should include:

  • Types and amounts of information permitted for input.
  • Use cases for AI-generated outputs.
  • Rules for storage and retention of information to ensure compliance with data privacy laws.

Lawful and Ethical Use and Prevention of Bias

The policy should explicitly prohibit the use of AI for unlawful or harmful activities. Furthermore, all AI-generated outputs must undergo human review to verify accuracy and identify potential bias or discrimination. Instructions on watermarking or labeling AI-generated materials should also be included.

Data Security

Organizations must define which categories of employees are authorized to access Gen AI tools and specify the devices on which these tools can be used. Implementing strong user credentials and security settings is mandatory, and employees should report any AI-related incidents according to the organization’s incident response plan.

Violations of AI Policy

Consequences for non-compliance with the internal AI policy should be clearly outlined. For broader AI governance, organizations can refer to the PCPD’s “Artificial Intelligence: Model Personal Data Protection Framework” issued in 2024.

Supporting Responsible Use: Practical Measures

The PCPD suggests several practical support measures, including:

  • Regular communication with employees about internal policies and updates.
  • Targeted training for employees.
  • A designated support team and a feedback mechanism to promote continuous improvement.

Takeaways

To align with the expectations set by the PCPD and mitigate AI-related risks, organizations should consider the following actions:

  • Conduct a comprehensive review of all AI tools and use cases within the organization, particularly regarding personal data processing.
  • Clearly specify approved AI tools, outline permitted use cases, and require pre-approval for new tool adoption.
  • Prohibit the entry of sensitive information into public AI tools and evaluate personal data input for compliance with privacy laws.
  • Assign reviewers for high-risk use cases and mandate thorough fact-checking and bias assessments for AI-generated content before external use.
  • Implement strong authentication, encryption, and secure configurations while restricting AI use to approved devices.
  • Provide role-specific training and accessible support channels for employees.
  • Regularly audit AI use, gather employee feedback, and update internal policies as needed.
  • Ensure compliance with data privacy laws, including the Personal Data (Privacy) Ordinance (PDPO).

As AI continues to reshape the business landscape in Hong Kong, the PCPD urges organizations to adopt a proactive and structured approach to AI governance by establishing comprehensive AI policies that promote lawful, ethical, and responsible use of AI technologies.

More Insights

A globe with a digital lock

US Rejects UN’s Call for Global AI Governance Framework

November 23, 2025 AI,Artificial Intelligence Governance,Global Collaboration,International Policy
U.S. officials rejected the establishment of a global AI governance framework at the United Nations General Assembly, despite broad support from many nations, including China. Michael Kratsios of the...
Read More
A digital lock

Agentic AI: Managing the Risks of Autonomous Systems

November 23, 2025 AI,AI Governance,Artificial Intelligence Governance,Regulatory Compliance
As companies increasingly adopt agentic AI systems for autonomous decision-making, they face the emerging challenge of agentic AI sprawl, which can lead to security vulnerabilities and operational...
Read More
A puppet

AI as a New Opinion Gatekeeper: Addressing Hidden Biases

November 23, 2025 AI,AI Ethics,AI Governance,AI Regulation Awareness
As large language models (LLMs) become increasingly integrated into sectors like healthcare and finance, a new study highlights the potential for subtle biases in AI systems to distort public...
Read More
A blueprint to illustrate the structured approach to creating regulatory frameworks.

AI Accountability: A New Era of Regulation and Compliance

November 23, 2025 AI,AI Accountability,AI Regulation,Regulatory Compliance
The burgeoning world of Artificial Intelligence (AI) is at a critical juncture as regulatory actions signal a new era of accountability and ethical deployment. Recent events highlight the shift...
Read More
A blueprint

Choosing Effective AI Governance Tools for Safer Adoption

November 23, 2025 AI,AI Governance,AI Regulation Awareness,Regulatory Compliance
As generative AI continues to evolve, so do the associated risks, making AI governance tools essential for managing these challenges. This initiative, in collaboration with Tokio Marine Group, aims to...
Read More
A network globe illustrating global consensus and collaboration on AI governance.

UN Initiatives for Trustworthy AI Governance

November 23, 2025 AI,AI Governance,AI Regulation,Global AI Policy
The United Nations is working to influence global policy on artificial intelligence by establishing an expert panel to develop standards for "safe, secure and trustworthy" AI. This initiative aims to...
Read More
A compass

Data-Driven Governance: Shaping AI Regulation in Singapore

November 23, 2025 AI,AI Ethics,AI Governance,Technology Policy
The conversation between Thomas Roehm from SAS and Frankie Phua from United Overseas Bank at the SAS Innovate On Tour in Singapore explores how data-driven regulation can effectively govern rapidly...
Read More
A roadmap

Preparing SMEs for EU AI Compliance Challenges

November 23, 2025 AI,AI Governance,AI Regulation Awareness,EU Compliance
Small and medium-sized enterprises (SMEs) must navigate the complexities of the EU AI Act, which categorizes many AI applications as "high-risk" and imposes strict compliance requirements. To adapt...
Read More
A digital lock – representing security and control over AI systems.

Draft Guidance on Reporting Serious Incidents Under the EU AI Act

November 23, 2025 AI,AI Regulation,EU Compliance,Regulatory Frameworks
On September 26, 2025, the European Commission published draft guidance on serious incident reporting requirements for high-risk AI systems under the EU AI Act. Organizations developing or deploying...
Read More