Hong Kong: Adopted PCPD Artificial Intelligence: Model Personal Data Protection Framework including organisational requirements

On 11 June 2024, the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) adopted the Artificial Intelligence: Model Personal Data Protection Framework, including organisational requirements. The framework aims to assist organisations in formulating their AI strategies and governance structures, including the creation of an AI governance committee and the provision of AI-related training for employees. The framework is designed to ensure that organisations comply with the Personal Data (Privacy) Ordinance (PDPO) and also the Data Stewardship Values and Ethical Principles for AI. Specifically, the framework outlines measures in four key areas. Firstly, it recommends the establishment of an AI strategy and governance structure, including a dedicated committee to focus on AI procurement and usage, ensuring alignment with organisational goals and compliance requirements. Secondly, it addresses governance issues in AI procurement, emphasising the importance of choosing suppliers that adhere to international standards, and outlines procedures for managing and reviewing AI solutions, including data handling and ethical considerations. Thirdly, it advocates for the creation of an internal governance structure with sufficient authority and resources to oversee AI implementations and address any system failures or ethical concerns effectively. Lastly, it emphasises the importance of providing comprehensive AI-related training to employees to enhance their understanding of data protection laws, cybersecurity risks, and AI technology, ensuring they are equipped to work effectively with AI systems.