ARTICLE
1 May 2025

Legal Update: PCPD's Checklist On Use Of GenAI At Work


The rapid adoption of generative artificial intelligence ("GenAI") applications and agents is quickly transforming the workplace and how work is done in many enterprises in Hong Kong. The ease of use of GenAI tools can disguise personal data privacy and protection risks. In this update, Pádraig Walsh from our Data Privacy practice looks at the new guidelines published by the Office of the Privacy Commissioner for Personal Data ("PCPD") to help businesses develop internal policies or guidelines for employees' use of GenAI at work.

The key points of the PCPD Guidelines for the Use of Generative AI by Employees are:

(a) Specify the scope of permissible use

Businesses should specify:

(i) what GenAI tools can be used. Ideally, the permitted list should identify the specific version that is permitted, noting that commercially licensed versions of publicly available GenAI tools may provide more privacy protection.

(ii) what the permitted GenAI tools can be used for. This should identify the specific work processes that the permitted GenAI tools can be used for – such as drafting marketing collateral, and so on.

(iii) who is permitted to use the GenAI tools. This could be everybody in the business, or specific departments or ranks.

(b) Protect personal data privacy

GenAI tools generally function by the user providing inputs or prompts that are processed to deliver an output. Businesses should:

(i) specify the permissible types and amounts of information that can be inputted into GenAI tools;

(ii) expressly prohibit excluded information (which may include personal, confidential, proprietary or copyrighted information);

(iii) specify the permissible use of the information and output generated by GenAI tools and identify situations where personal data should be anonymised before further use;

(iv) specify how output information should be stored and deleted; and

(v) ensure that the policies or guidelines on the use of GenAI align with other relevant internal policies, including those on personal data handling and information security.

(c) Lawful and ethical use and prevention of bias

Businesses should specify that employees must not use GenAI tools for unlawful or harmful activities. They should also define the ethical values and standards which employees should observe when reviewing AI-generated output, including accuracy, prevention of bias and discrimination, and labelling to identify use of GenAI in production of materials.

(d) Data security

Businesses should specify:

(i) the devices on which employees are permitted to access GenAI tools (e.g. office computers, work phones, and tablets). In general, employees should only use GenAI tools for work-related purposes on work-provided devices;

(ii) who is permitted to use GenAI tools (e.g. employees with operational needs who have received relevant training);

(iii) the use of robust user credentials and stringent security settings when using the tools. Security settings should prioritise data security, which may include measures such as disabling saving functions and prohibiting sharing of prompts with GenAI providers; and

(iv) the procedures for reporting data breaches, unauthorised input of personal data, abnormal output results, and potentially illegal output.

(e) Specify consequences of violation of the policies or guidelines

Businesses should specify the possible consequences of employees' violation of the policies or guidelines on the use of GenAI.

(f) Support employees in using GenAI tools

Businesses should ensure that the policies or guidelines on the use of AI are clearly communicated to employees. Businesses should also provide training and resources to help employees understand the risks of GenAI, and to use GenAI tools effectively and responsibly. Businesses should establish channels for employees to provide feedback on their experience using GenAI tools.

Concluding remarks

In Hong Kong, the PCPD has taken the lead in giving horizontal guidance across all industry sectors in respect of risks associated with adoption of GenAI. Even in these guidelines, the PCPD noted that its reference to information covers both personal data and general information. This is sensible. It is difficult to segregate and deal with personal data risks only when addressing GenAI systems.

The adoption of the recommendations in these guidelines is a very good step forward for businesses looking to adopt and implement a framework to guide employees on the use of GenAI tools in the workplace. Ultimately, the implementation of the guidelines will safeguard personal data and also provide a foundation for the safe and responsible use of AI by businesses.

The path to implementation of the PCPD guidelines involves assessing the guidelines in the context of the business and its business processes, drafting an AI Usage Policy that will apply to employees, and providing training, guidance and support to employees on the requirements of that policy. We at Tanner De Witt can help and assist in each of these steps.

The PCPD Guidelines for the Use of Generative AI by Employees is available on this link.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
