Nearly 80% of Hong Kong organisations adopt “human-in-the-loop” approach to oversee AI systems

Among organisations using AI to process personal data, over 80% provided AI-related training for employees, according to the Privacy Commissioner’s Office.

More than 90% of Hong Kong organisations are now using AI in their day-to-day operations. Among those that process personal data through AI systems, nearly 80% have adopted a “human-in-the-loop” approach to ensure human oversight, according to the latest compliance checks by the Office of the Privacy Commissioner for Personal Data (PCPD).

Conducted in January 2026, this new round of compliance checks covered 60 organisations across sectors including banking and finance, beauty services, education, government departments, insurance, medical services, public utilities, retail, social services, telecommunications, transportation, accounting, food and beverage, innovation and technology, logistics, and property management.

The findings revealed that 57 organisations (95%) used AI in their day-to-day operations – a 15-percentage-point increase from the previous year. Among them, 45 organisations (approximately 79%) had been using AI for over a year, while more than half (29 organisations) deployed three or more AI systems across functions such as administrative support, customer service, research and development, marketing, and compliance/risk management.

At the same time, 24 organisations (approximately 42%) reported collecting and/or using personal data through AI systems. Of these, all provided data subjects with Personal Information Collection Statements on or before the collection of personal data, specifying the purposes for which the data would be used, as well as the classes of persons to whom the data might be transferred, etc. Seven organisations (about 29%) even specified the use of AI tools in processing personal data in their Personal Information Collection Statements.

Only seven organisations (about 29%) retained personal data collected through AI systems – a significant 50-percentage-point decrease from the previous year. These organisations specified the retention periods for personal data and would delete the data once the original purposes of collection had been fulfilled. The remaining majority (17 organisations) did not retain such data.

On the security front, all organisations collecting and/or using personal data through AI systems implemented measures such as access control, data encryption, penetration testing, and anonymisation of personal data. Among these, five organisations (around 21%) also put in place AI-related security alerts and conducted red-teaming drills.

In terms of management and governance of AI systems, among the 24 organisations:

  • 23 (about 96%) conducted tests prior to the implementation of AI systems
  • 19 (about 79%) conducted privacy impact assessments prior to the implementation of AI systems
  • 22 (about 92%) formulated data breach response plans
  • 15 (about 63%) conducted internal audits and/or independent assessments on a regular basis

Notably, nearly 80% (19 organisations) adopted a “human-in-the-loop” approach for human oversight of AI systems, ensuring that human actors retained control of the decision-making process to prevent or mitigate errors or improper decisions made by AI systems.

The remaining five organisations (about 21%) adopted the “human-in-command” approach, under which human actors reviewed the outputs of AI systems to oversee the operations of systems and intervened only if necessary.

In parallel, close to 80% (19 organisations) established AI governance structures, such as setting up AI governance committees and/or appointing designated personnel to be responsible for overseeing the use of AI systems. More than 60% (15 organisations) also referenced PCPD’s AI-related guidelines or advice when collecting, using, and processing personal data through AI systems.

The PCPD identified no contravention of the PDPO during the compliance check process.

The compliance checks also found that all of the reviewed organisations that collected and/or used personal data through AI systems permitted employees to use generative AI at work. Among these, 17 (about 71%) had formulated internal policies or guidelines to help ensure its proper use. Five organisations (about 21%) planned to do so.

More than 80% (20 organisations) also provided AI-related training for employees – an increase of around eight percentage points year-on-year – with 18 organisations including training content on AI-related privacy risks, up around seven percentage points from the previous year.

Ada Chung, Privacy Commissioner for Personal Data, highlighted that while organisations benefit from the convenience brought by AI, they must also address the potential privacy risks as AI adoption continues to accelerate.

“Organisations should develop comprehensive AI strategies, conduct risk and privacy impact assessments, adopt an appropriate level of human oversight, and regularly review and assess the impacts of AI systems on personal data privacy to ensure compliance with the relevant requirements of the PDPO when collecting, using and processing personal data through AI systems.”

