
Latest News
14 Apr 2026
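PCPD 30th Anniversary Presents: "Seeing Through Scams in the Digital Age" Public Seminar
Please complete the registration form by 1:00 pm on 4 May 2026 (Monday). Successful registrants will receive a confirmation email on or before 4 May 2026 (Monday).
With the rapid development of digital technology and artificial intelligence (AI), fraudsters use many channels to commit fraud, such as phishing SMS messages, instant messaging scams, social media fraud, fake online shops and QR code traps. They even use AI to produce deepfake videos and AI-generated voices to impersonate family members, colleagues or service providers, making such scams very hard to guard against.
Seminar highlights:
Explaining emerging scam trends
Sharing real cases and anti-scam tips
Introducing the privacy risks of using AI chatbots, smartphones and social media
Sharing practical tips for protecting personal data on digital platforms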
10 Apr 2026
Notice of the Cyberspace Administration of China on Soliciting Public Comments on the "Measures for the Administration of Digital Virtual Human Information Services (Draft for Comment)"
Do you think your digital "brain" stays with the company you supported after you leave it? Companies are increasingly replacing routine and even mid-level tasks with AI, leading to heightened job insecurity. AI just makes it faster, cheaper, and scalable. What used to take years of process documentation and knowledge transfer can now be compressed into a prompt file.
“Colleague.skill”, readily available on GitHub, packages a former employee’s documentation (and knowledge) into a digital avatar that acts like a human colleague. An “anti-distill.skill” tool has also been released that can rewrite work documents to replace the core knowledge with “correct but useless” content.
China's CAC has released draft regulations to govern the development and deployment of digital humans. China Digital Human Information Service Management Measures (Draft) (Chinese version): https://lnkd.in/gW6xKvgT
4 Apr 2026
Hospital Authority Data Leak: Over 56,000 Affected
4th April 2026 – (Hong Kong) The Hospital Authority has confirmed that patient records were exposed online after its monitoring system detected suspected unauthorised access and disclosure to a third‑party platform, reportedly linked to dark web forums. Speculation had circulated that as many as 270,000 medical records were involved.
The Privacy Commissioner’s Office confirmed it had received formal notification from the Hospital Authority and indicated that more than 56,000 individuals were affected. The compromised data is understood to include patients’ names, Hong Kong identity card numbers, gender, dates of birth, hospital reference numbers, appointment details and certain health information.
Chinese version: https://news.rthk.hk/rthk/ch/component/k2/1849931-20260404.htm - Hospital Authority reports patient data leak to police; PCPD: over 56,000 people affected
2 Apr 2026
PCPD-Effective Data Governance in Action: by Privacy-Friendly Awardees 2025
An experience-sharing session featuring Outstanding Gold Awardees of the “Privacy-Friendly Awards 2025”, with a view to assisting enterprises in adopting strong data governance and fostering a privacy-centric culture. The invited organisations, covering the banking, insurance and data management sectors, will share their hands-on experiences and practical insights in implementing robust data governance policies, including managing and safeguarding customers’ sensitive personal data at scale. Through real-life examples, they will also highlight the measures they have undertaken to strengthen data security and showcase how technology can be leveraged to enhance privacy protection.
1 Apr 2026
PCPD AI-StoryBook “Adventure in the AI Labyrinth” for primary school students
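For many years the PCPD has organised the "Privacy Protection Campaign for Primary School Students", using a variety of activities to strengthen children's understanding of respecting and protecting personal data privacy. This storybook is one of the key items of the 2025 to 2026 campaign and is supported by the Education Bureau. Through the experiences of the young protagonists in the book, the PCPD hopes to guide students to use AI properly, use social media with care, respond appropriately to cyberbullying, protect their personal accounts and respect the privacy of others. The storybook ends with post-reading "thinking tasks" and "activity tasks", and schools are encouraged to make good use of these resources to further guide students in practising privacy protection in their daily lives.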
31 Mar 2026
PCPD e-NEWSLETTER
Specific highlights
Promoting AI Security - article entitled "Privacy Safeguards are Vital for AI Use" (https://www.pcpd.org.hk/english/whatsnew/20260324.html)
Promoting the Safe Use of AI - "JC GoAL" Project (https://www.pcpd.org.hk/tc_chi/whatsnew/20260313.html)
PCPD publishes investigation findings on an incident relating to the Wrongful Disclosure (https://www.pcpd.org.hk/english/whatsnew/20260327.html)
Your HKID Card Number and Your Privacy (https://www.pcpd.org.hk/misc/dpoc/newsletter.html#finding)
30 Mar 2026
2026 Apr-June PCPD Professional Workshops (charged)
Apr
Data Protection in Property Management Practices (Face-to-face workshop)
Practical Workshop on Data Protection Law (Online workshop)
May
Personal Data Privacy Management Programme (Online workshop)
Data Protection in Direct Marketing Activities (Face-to-face workshop)
June
Data Protection in Banking/Financial Services (Online workshop)
24 Mar 2026
Navia discloses data breach impacting 2.7 million people
Navia Benefit Solutions, Inc. (Navia) is informing nearly 2.7 million individuals of a data breach that exposed their sensitive information to attackers. The hacker accessed and may have exfiltrated the following types of data:
Full name, Date of birth, Social Security Number (SSN), Phone number, Email address, Participation in HRA (Health Reimbursement Arrangements), FSA (Flexible Spending Accounts) information, Consolidated Omnibus Budget Reconciliation Act (COBRA) enrollment information
Notification to Employees: https://www.documentcloud.org/documents/27895002-navia-notice/
Navia is a nationwide administrator of employee benefits, managing over 10,000 employers and more than 1M participants.
13 Mar 2026
Ericsson Inc (US) Breach Exposes Data of 15k Employees and Customers
A data breach affecting 15,661 Ericsson Inc. (US) employees & customers has been disclosed after attackers compromised a third-party service provider used by the company. News posted on 10th Mar 2026. The incident involved unauthorised access to files containing personal information, according to breach notifications filed with US state authorities.
The breach was reportedly detected on April 28, 2025, when the service provider identified suspicious activity on its systems. Ericsson Inc. launched an investigation with the assistance of external cybersecurity specialists and also notified the FBI. A detailed review was completed on Feb 23, 2026, confirming the breach.
Ericsson Inc. is the US subsidiary of Swedish Telefonaktiebolaget LM Ericsson. The Stockholm-headquartered company employs nearly 90,000 people globally.
5 Mar 2026
2026 Mar-Apr PCPD Professional Workshops (charged) - Practical Workshop on Data Protection Law
https://www.pcpd.org.hk/english/education_training/organisations/workshops/workshop.php - Application Form for all upcoming professional workshops.
Practical Workshop on Data Protection Law
Date: 22 Apr 2026 (Wed), Time: 2:15pm – 5:15pm
Key takeaways:
Examining the application of the six data protection principles with special highlights on recent administrative appeals board and court cases.
What are the local and global trends in protecting data privacy rights?
Problems frequently encountered by organisations dealing with personal data, including:
- What are the points to consider when drafting a personal information collection statement?
- What are the special requirements in complying with or refusing to comply with a data access/correction request?
- How to comply with the direct marketing requirements in a joint marketing campaign?
- What are the steps to take when outsourcing the processing of personal data to agents located in or outside Hong Kong?
- How to determine whether an exemption provision applies to a particular situation, including requests for personal data possessed by organisational data users?
How to strike the right balance between protecting personal data of individuals and safeguarding the organisations’ best interests?
Consequences of breach of the Ordinance and liabilities of key officers
Sharing of practical experiences in applying the rationale behind legal and quasi-legal decisions, coupled with illustrations from real-life examples.
Jan-Feb PCPD Professional Workshops
https://dpo.hku.hk/news/2026-jan-feb-pcpd-professional-workshops-(charged)
28 Feb 2026
PCPD Newsletter - Personal Data Security Incidents of Three Organisations
The PCPD has served an Enforcement Notice or a warning letter on each of the three organisations, directing them to remedy and prevent recurrence of their respective contraventions.
Summaries of the Three Data Security Incidents
The complainant worked for a security service company. The complainant’s supervisor sent a notice of termination of employment containing the complainant’s HKID card number to a work-related chat group in an instant messaging application. This resulted in the disclosure of the complainant’s personal data to other staff members in the group.
The head of the security department of a hotel stored annual performance appraisal forms of departmental staff members in a desk drawer. As the desk was shared among staff members of the department and the department head did not lock the drawer in accordance with the hotel’s guidelines, the complainant (an employee of the hotel’s security department at the material time) inadvertently read the appraisal forms that contained the personal data of all the departmental staff members stored in the drawer while searching for other documents.
An administrative staff member of a social welfare organisation was responsible for scanning a dismissal document relating to the complainant. During the process, the staff member mistakenly saved the scanned copy in the department’s shared folder. As a result, the complainant’s personal data contained in the document was accessible to other staff members of the department.
28 Feb 2026
PCPD-HKIRC joint event: “AI Security and Cybersecurity Summit for Enterprises” (Summit), 31 Mar 2026
Registration by 5pm on 27 March 2026.
The Office of the Privacy Commissioner for Personal Data (PCPD) and the Hong Kong Internet Registration Corporation Limited (HKIRC) will co-organise the “AI Security and Cybersecurity Summit for Enterprises” (Summit) on 31 March 2026. Registration is now open to all sectors!
With the Digital Policy Office acting as a strategic partner, the Summit will feature two key thematic areas – “AI Security” and “Cybersecurity”, each presenting dedicated keynote presentations and panel discussions. The event will bring together leading experts, industry leaders, policymakers and company directors to explore the evolving AI security and cybersecurity threat landscape, exchange innovative solutions, and share insights into strengthening cybersecurity and data protection in the age of AI.
27 Feb 2026
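Ngong Ping 360 systems hit by ransomware attack, involving personal data of staff, annual pass holders and others / Personal data stolen in ransomware attack on Hong Kong’s Ngong Ping 360 attraction
Ngong Ping 360 said it is assessing the stolen data, monitoring the situation continuously and handling the follow-up. Its preliminary assessment is that the affected personal data includes that of Ngong Ping 360 staff, annual pass holders, people who took part in marketing activities or are on promotional mailing lists, suppliers and Ngong Ping Village tenants. The data involved has been preliminarily confirmed as names and contact details, such as phone numbers or email addresses, and communication with the affected individuals has begun.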
English version of the news - https://www.scmp.com/news/hong-kong/law-and-crime/article/3344932/personal-data-stolen-ransomware-attack-hong-kongs-ngong-ping-360-attraction
24 Feb 2026
Joint Statement on AI-Generated Imagery and the Protection of Privacy
Expectations for Organisations
• Implement robust safeguards to prevent the misuse of personal information and generation of non-consensual intimate imagery and other harmful materials, particularly where children are depicted.
• Ensure meaningful transparency about AI system capabilities, safeguards, acceptable uses and the consequences of misuse.
• Provide effective and accessible mechanisms for individuals to request the removal of harmful content involving personal information and respond rapidly to such requests.
• Address specific risks to children through implementing enhanced safeguards and providing clear, age-appropriate information to children, parents, guardians and educators.
23 Feb 2026
Figure Data Breach Exposes Nearly 1 Million Customers Online
Figure is a fintech lender. According to reporting by TechCrunch and subsequent analysis, 967,200 customer email records were compromised after a social engineering attack granted unauthorized access to Figure’s internal systems.
Roughly 2.5 GB of data was posted online by ShinyHunters, suggesting a sizable internal data set. Because birth dates and home addresses are commonly used in identity verification across financial and telecom services, their exposure significantly increases the potential for misuse.
22 Feb 2026
UK ICO (Information Commissioner's Office) wins appeal over data protection obligations in Currys cyber attack
The UK Information Commissioner’s Office (ICO) has won an important appeal relating to data protection obligations arising from a 2017-18 cyber attack at electronics retailer Currys PC World. Currys Group Ltd, previously DSG Retail, fell victim to a major cyber attack over a nine-month period in 2017 and 2018.
In January 2020, the ICO levied a £500,000 fine on DSG under the Data Protection Act (DPA) 1998 after its investigation found the retailer had failed to patch software systems, install firewalls, segregate its networks, conduct routine security testing, or protect personal data. The fine was lower than that mandated under GDPR because the breach took place before the legislation came into effect.
18 Feb 2026
Eurail says stolen traveler data now up for sale on dark web
Eurail B.V., the operator that provides access to 250,000 kilometers of European railways, confirmed that data stolen in a breach earlier this year is being offered for sale on the dark web. Eurail B.V. is a Netherlands-based firm that manages and sells passes (Eurail and Interrail) for train travel across Europe, offering flexibility for multi-country trips.
Last month, the company disclosed that it suffered a data breach when threat actors gained unauthorized access to its customer database, compromising sensitive information, including full names, passport details, ID numbers, bank account IBANs, health information, and contact details (email addresses, phone numbers).
The concerned data protection authorities have been notified in accordance with the GDPR requirements, and authorities outside the EU will be alerted soon.
13 Feb 2026
Hong Kong dental intern probed over alleged unlawful access to 16 patients’ records
Hong Kong’s Department of Health (DH) has suspended a Dental House Officer on non-civil service terms and referred the matter to law enforcement after uncovering suspected unauthorised access to electronic medical records. The case surfaced when a member of the public, alerted by an SMS from the Electronic Health Record Registration Office, queried why a DH healthcare officer had viewed his records despite no recent use of DH services.
https://www.info.gov.hk/gia/general/202601/28/P2026012800601p.htm
DH follows up seriously on case of suspected unauthorised access to medical records
13 Feb 2026
PCPD and HKIRC Co-organise “AI Security and Cybersecurity Summit for Enterprises”
To discuss the personal data privacy risks of AI, and provide practical guidance for organisations to develop and use AI in a privacy-friendly manner;
To raise awareness of emerging cyber threats among organisations and explore actionable strategies and best practices for enhancing cyber resilience and data security; and
To facilitate networking and knowledge sharing among cybersecurity experts and AI specialists.
12 Feb 2026
PCPD Launches Probe into PayMe App Over Potential Data Exposure for Early Users
PCPD has initiated a compliance review into HSBC’s PayMe, following reports that early adopters may have unknowingly exposed their personal transaction details due to outdated privacy settings. The examination of "privacy by design" includes the vulnerability of legacy users and the need for in-app prompts.



















