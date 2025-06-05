Hong Kong's Privacy Commissioner for Personal Data (PCPD) recently published Guidelines for the Use of Generative AI by Employees. We look at the key points contained in the Guidelines below.

The aim of the Guidelines is to assist employers in developing internal policies on the use of generative artificial intelligence ('Gen AI') by employees that align with Hong Kong's personal data and privacy laws. Examples of Gen AI outlined in the Guidelines include: chatbots; optical character recognition; text, image, video and voice generators; document or presentation generators; and speech to text tools.

A representative of the PCPD has said the Guidelines, "[...] can help organisations and their employees use generative AI safely and protect personal data privacy, thereby fostering the safe application of AI across different sectors [...]". They were issued off the back of recent findings by the PCPD that less than 30% of organisations in Hong Kong currently have Gen AI policies in place. The Guidelines emphasise the importance of data security and the lawful and ethical use of Gen AI tools in the workplace.

Internal AI policies

When drafting internal AI policies, it is recommended that organisations carefully consider and set out the following:

the scope of the permitted Gen AI use (e.g. permitted Gen AI tools and the permissible purposes of use);

measures to protect personal data (e.g. data input considerations, permissible uses of output data, data retention policies);

the duty of employees not to use Gen AI tools for unlawful or harmful activities, and to verify / credit AI-generated content (e.g. fact check, watermark or label AI-generated outputs);

data security measures (e.g. specify who may access Gen AI tools and the types of devices on which employees are permitted to access Gen AI tools, maintain stringent security settings on Gen AI tools and clear reporting channels and procedures in the event of a data breach); and

consequences and procedures in the event that an employee violates the company's Gen AI policies.

The Guidelines also recommend that employers regularly communicate policies and guidelines to employees, and provide regular training on how to use Gen AI tools effectively and responsibly. Employers should establish dedicated support teams and feedback mechanisms to effectively implement AI systems and policies while safeguarding the personal data privacy of individuals.

Takeaway for employers

The Guidelines are a welcome development in the fast-moving and complex area of workplace AI. Employers in Hong Kong should implement clear internal policies on the use of Gen AI to ensure compliance with data privacy laws and to safeguard personal information. Regular training, clear usage guidelines, and strong data security measures are also essential. An online copy of the Guidelines can be found here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.