These guidelines focus on how to use generative AI safely while protecting personal data privacy and ensuring data security, along with practical tips.
With the growing adoption of generative AI (Gen AI) in Hong Kong, the Office of the Privacy Commissioner for Personal Data (PCPD) has published the Checklist on Guidelines for the Use of Generative AI by Employees.
The Guidelines aim to assist organisations in developing internal policies or guidelines on the use of Gen AI by employees at work, while complying with the requirements of the Personal Data (Privacy) Ordinance (PDPO), as emphasised by Ada Chung, Privacy Commissioner for Personal Data (Privacy Commissioner).
When developing internal policies or guidelines on the use of Gen AI by employees, the Guidelines recommend that organisations should specify:
- the permitted Gen AI tools, which may include publicly available and/or internally developed Gen AI tools;
- the permissible purposes of use, for example, drafting, summarising information and/or creating textual, audio and/or visual content; and
- the applicability of the policies or guidelines.
To protect personal data privacy, organisations should provide clear instructions on:
- the types and amounts of information that can be inputted into the Gen AI tools, for example, whether to include personal data or other data;
- the permissible purposes for using the output information;
- the permissible storage of the output information;
- the applicable data retention policy; and
- other relevant internal policies to comply with, for example, those on personal data handling and information security.
Organisations should ensure the lawful and ethical use of Gen AI and prevent bias by specifying that employees shall not use Gen AI tools for unlawful or harmful activities.
It is also important to emphasise that employees are responsible for verifying the accuracy of AI-generated outputs through means such as proofreading and fact-checking. They are also responsible for correcting and reporting biased or discriminatory AI-generated outputs.
Additionally, organisations should provide instructions for employees on when and how to watermark or label AI-generated outputs.
In terms of data security, the Guidelines recommend that organisations specify:
- the types of devices on which employees are permitted to access Gen AI tools, for example, work devices provided by employers; and
- the categories of employees who are permitted to use Gen AI tools, for example, those who have operational needs, have received relevant training, and have prior permission; and require employees to use robust user credentials.
Organisations should maintain stringent security settings in Gen AI tools, and report AI incidents, such as data breach incidents involving the use of AI, unauthorised input of personal data into Gen AI tools, abnormal output results and/or output results that may potentially breach the law, according to the organisation’s AI Incident Response Plan.
Meanwhile, organisations should specify the possible consequences of employees’ violations of the policies or guidelines, and refer to the PCPD’s “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework) for recommendations on establishing a Gen AI governance structure and measures.
The Guidelines also provide practical tips on supporting employees in using Gen AI tools, which include:
- Enhancing transparency of the policies or guidelines: Regularly communicate the policies or guidelines to employees and keep employees informed of any updates in a timely manner;
- Providing training and resources for employees’ use of Gen AI tools: Educate employees on how to use Gen AI tools effectively and responsibly, including explaining the capabilities and limitations of the tools, providing practical tips and examples, and encouraging employees to read the privacy policies and terms of use of such tools, etc.;
- Providing a support team: Set up a designated support team to assist employees in using Gen AI tools in their work, provide technical assistance, and address employees’ concerns; and
- Establishing a feedback mechanism: Establish channels for employees to provide feedback to help the organisation identify areas for improvement and tailor internal policies or guidelines according to the circumstances.
“The Country will continuously promote the ‘AI Plus’ Initiative, aiming to drive high-quality development through innovative applications, as well as explore and expand diverse application scenarios for AI,” said Prof Hon William Wong Kam-fai, MH, member of the PCPD’s Standing Committee on Technological Developments and the Legislative Council.
“With the latest Budget proposing to develop AI fully, I believe that more and more organisations will integrate AI into their operational processes. The issuance of the Guidelines by the PCPD can help organisations and their employees use generative AI safely and protect personal data privacy, thereby fostering the safe application of AI across different sectors and accelerating the development of new quality productive forces.”