Latest News

Annual Data Inventory (Restricted & Confidential) Reminder

22 Dec 2025

Annual Data Inventory Reminder

All data protection coordinators - please be reminded to have the yearly Data Inventory (for Restricted and Confidential data according to ISDM classification) ready by Dec 31 2025.

2026 Jan-Feb PCPD Professional Workshops (charged)

19 Dec 2025

See https://www.pcpd.org.hk/english/education_training/organisations/workshops/workshop.php for all upcoming professional workshops.


Date: 7 Jan 2026 (Wed), Time: 2:15pm – 5:15pm

Key takeaways:

  • An overview of the data protection provisions

  • Recent topical issues on data privacy

  • Liabilities of insurance companies and insurance practitioners

  • Useful pointers on Personal Information Collection Statement

  • Collection of customers’ medical data

  • Collection of Hong Kong identity card number and copy

  • Engagement of private investigators in insurance claims

  • Retention of customers’ personal data

  • Use of customers’ data for internal training

  • Security of customers’ personal data handled by staff and agents

  • Handling of data access requests from customers

  • Data Ethics

PCPD latest guidance on Handling Abuse of AI Deepfakes

18 Dec 2025

Deepfakes may cause harm to others, particularly children and youngsters, if used abusively. Children and youngsters may even create or share malicious deepfakes without realising the potential legal consequences of using deepfakes. The PCPD has published the Toolkit to provide practical advice to schools and parents, with a view to assisting them in handling deepfake incidents involving children and young people, as well as safeguarding their privacy in relation to personal data.

https://www.pcpd.org.hk/english/resources_centre/publications/files/ai_deepfake.pdf

PCPD Investigation Findings of a Case Involving the Use of CCTV

18 Dec 2025

The investigation arose from a complaint received by the PCPD consequent upon the discovery by a member of the Centre on 16 July 2025 that a CCTV camera was installed in the proximity of a male restroom of the Ma On Shan branch (the Branch) of the Centre, causing him discomfort and concerns about being recorded while using the restroom.


The Centre implemented the following remedial actions:

(1) installed a wooden door at the entrance of the restroom concerned to fully enclose the interior of the restroom;
(2) removed the door mistakenly installed at the entrance of the corridor and placed separate restroom signages outside the three male restrooms; and
(3) repositioned the CCTV camera to the ceiling outside the entrance of the restroom, ensuring it would not capture any area inside the three restrooms.


Tips on CCTV Surveillance

https://www.pcpd.org.hk/english/resources_centre/publications/files/tips_on_cctv_surveillance.pdf

Guidance on the Use of CCTV Surveillance

https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_cctv_surveillance.pdf

Auto Parts Giant LKQ Confirms Oracle EBS Breach

17 Dec 2025

LKQ is a Fortune 500 company that provides recycled, refurbished, and aftermarket components for cars and other types of vehicles. The firm told the Maine Attorney General’s Office that the personal information of more than 9,000 individuals was compromised in the attack.


SecurityWeek reached out to LKQ for comment multiple times since it was named on the Cl0p website in late October, but the company has not responded.

Cisco says Chinese hackers are exploiting its customers with a new zero-day

17 Dec 2025

In a security advisory, Cisco said it discovered a hacking campaign on December 10 targeting Cisco AsyncOS software, and in particular the physical and virtual appliances Cisco Secure Email Gateway, Cisco Secure Email, and Web Manager. The advisory said affected devices have a feature called “Spam Quarantine” enabled and are reachable from the internet.


Kevin Beaumont, a security researcher who tracks hacking campaigns, told TechCrunch that this appears to be a particularly problematic hacking campaign since a lot of big organizations use the affected products, there are no patches available, and it’s unclear how long the hackers had backdoors in the affected systems.

New Data Protection Mandatory Training for all staff to start in mid January 2026.

17 Dec 2025

Modified data protection training will be released to all staff (including newly hired staff) in mid Jan 2026. Please stay tuned for the announcement.


Please visit dpo.hku.hk or email group-its-dpo@hku.hk for inquiries.

Gartner: All AI Browsers Should be Blocked for Foreseeable Future

16 Dec 2025

Gartner is warning organizations to block AI browsers due to significant cybersecurity risks. 


These browsers, which integrate AI-powered features like summarization and autonomous task completion, pose threats such as data exposure, phishing attacks, and unauthorized transactions. The risks stem from AI browsers' tendency to prioritize user experience over security, making them vulnerable to prompt injection attacks and data leaks including user credentials that open businesses and individuals to further danger.

Gartner advises organizations to conduct thorough risk assessments and implement strict policies to mitigate these risks. However, even with precautions, the risks associated with AI browsers may outweigh their benefits, leading Gartner to recommend blocking them for the foreseeable future.

CEO of South Korean retail giant Coupang resigns after massive data breach

12 Dec 2025

Park Dae-jun has resigned as chief executive of South Korean retail giant Coupang after a data breach exposed the personal information of more than half of the country’s population.


The retail giant, often compared to Amazon for its dominance in South Korean e-commerce and logistics, last month revealed details of a data breach affecting close to 34 million people. The breach allegedly began in June but wasn’t noticed until November, when Coupang initially said over 4,500 customers had their data stolen. The company later revised that figure dramatically upward.


The Coupang hack is the latest in a string of security incidents affecting corporate giants and the central government across the country this year, including a data center fire that led to a massive, irretrievable loss of South Korean government data.

Leading AI Companies Accidentally Leak Their Passwords and Digital Keys on GitHub

29 Nov 2025

Many of the world's top artificial intelligence companies are accidentally publishing their passwords and digital keys on GitHub. The problem was found by security researchers at Wiz, who examined 50 leading AI firms and discovered that 65% of them had accidentally exposed highly sensitive information online.


The information that the companies have accidentally leaked included API keys, tokens, and other credentials capable of granting access to internal systems, training data, or even private AI models.


The affected companies are worth over US $400 billion in total, with major names such as Anthropic (the makers of Claude), Glean, and Crusoe Energy amongst those examined.


It is these AI companies that are developing the technology increasingly integrated into our personal and professional lives. It powers the chatbots, recommendation systems, decision-making tools, and more that are likely to be integral to your business and will continue to be increasingly important in the future.

Hall Managers Data Protection session RSVP

28 Nov 2025

Hall Managers Data Protection session RSVP (online or onsite)

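Fake gas company payment reminders steal data for credit card fraud / 40 phishing scams in one week involve $6 million

25 Nov 2025

In the past week, police received more than 40 reports of phishing scams, with losses exceeding HK$6 million. Some members of the public received phishing SMS messages impersonating the gas company, falsely claiming that "the current gas bill is overdue; pay before the specified date to avoid late charges". Some victims believed the message, mistakenly thinking they had not paid their previous gas bill, clicked the hyperlink in the phishing SMS, and were redirected to a page impersonating the gas company, where they followed the instructions to enter personal data such as their phone number, credit card number, security code (CVV/CVC) and one-time password (OTP). Only when bank staff contacted them did they discover multiple suspicious transactions on their credit cards and realise they had been scammed.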

European Commission announces proposed changes to EU AI Act

23 Nov 2025

European Commission announces proposed changes to EU AI Act - interconnected to GDPR

This is part of the broader Digital Omnibus Proposal to simplify and streamline EU laws on AI, data, digital, and cyber.


Top 5 proposed EU AI Act changes

1. Timeline changes (Article 113): The obligations for providers and deployers of high-risk AI systems, currently due to apply from 2 August 2026, would be delayed to either:

a) 6-12 months after technical standards for high-risk AI requirements are approved; or

b) 2 Dec 2027 (in Annex III) and 2 Aug 2028 (in Annex I).

2. Downgrading AI Literacy obligations (Article 4): encourage providers and deployers of AI systems to take measures to ensure a sufficient level of AI literacy.

3. EU AI Office scope expansion (Article 75): by designating the AI Office (part of the European Commission) as the authority responsible for supervision and enforcement.

4. Limiting registration in public EU database (Article 6): they will still have to provide evidence of this derogation assessment upon request.

5. Proportionality for small mid-caps (SMCs) (Article 99): defined as companies that employ up to 750 people and have an annual turnover of under €150 million.


Graphic from https://siliconangle.com/2025/11/19/eu-revise-gdpr-ai-act-part-regulatory-simplification-push/


From Policy to Practice: Experience Sharing Session on Data Governance by Privacy-Friendly Awardees 2025

20 Nov 2025

Reminder-PCPD_Experience Sharing Session on Data Governance by Privacy-Friendly Awardees 2025-Dec 2, 3-5pm

First Post - Nov 6 2025

Second Post - Nov 20 2025

=========================

Date & Time: 2 December 2025 (Tue), 3:00 pm – 5:00 pm

Speakers: 

- Ms Kaisy HUNG, Senior Statistician (IT Services), Census and Statistics Department

- Mr Rick CHAN, Chief Systems Manager (Project Governance and Cybersecurity), DPO

- Don TAI, Senior Manager (Infrastructure and Information Security), HK Genome Institute

- Mr LEUNG Wai-kin, General Manager (Customer Services), The HK Electric Company, Limited


Key Topics:

  • Practical strategies for implementing proactive and effective data governance to properly manage vast amounts of personal data

  • Real-life examples of privacy-by-design and privacy-by-default

  • Privacy controls/measures taken to enhance data security and prepare for future privacy challenges

Please REACH OUT TO group-ITS-DPO@hku.hk if you want to join for free (FYI Each DPOC member can register up to 3 free seats)

Quick Data Protection Awareness workshop schedule overview

20 Nov 2025

Nov 2025

Nov 25 - DAR walkthrough for UHS


Dec 2025

Dec 12 - Data Protection session at HRO Induction
Dec 16 - Data Protection session with Faculty of Science
Dec 17 - Data Protection workshop with Hall Managers


Mar 2026 

Mar 5 - Data Protection Workshop for Faculty of Social Science

Cl0p claims ransomware hit on NHS

19 Nov 2025

Cl0p (cybercriminal organization) claims ransomware hit on NHS England

Clop (sometimes written “Cl0p”) is known for its multilevel extortion techniques and global malware distribution.


The NHS appears alongside other names, one of which, US newspaper The Washington Post, has confirmed that it fell victim to a Cl0p attack orchestrated via two distinct vulnerabilities in Oracle’s E-Business suite, patched earlier in the autumn. NHS England’s digital teams published an advisory notice covering the Oracle bugs – CVE-2025-53072 and CVE-2025-62481 – on 23 October.

Leading AI companies keep leaking their own information on GitHub

13 Nov 2025

Quick summary

- Researchers find 65% of the Forbes top 50 AI companies are leaking secrets

- These come in the form of tokens, API keys, and sensitive credentials

- Wiz used a 'Depth, Perimeter, and Coverage' approach to spot leaks


Using the Forbes list of the top 50 leading AI companies as a benchmark, the experts found that nearly two-thirds (65%) of these top AI firms were leaking verified secrets on GitHub. These tokens, sensitive credentials, and API keys were found buried deep in places most researchers and scanners would never encounter, like deleted forks, developer repos, and gists.

PCPD - Use of CCTV System and Video Cameras on Drones and Vehicles

3 Nov 2025

Quick reference below; the information will also be posted on the DPO website under "Resources CCTV" (https://dpo.hku.hk/cctv-surveillance):

- “Guidance on the Use of CCTV Surveillance”: https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_cctv_surveillance.pdf
- “Tips on the Use of CCTV Surveillance” information leaflet: https://www.pcpd.org.hk/english/resources_centre/publications/files/tips_on_cctv_surveillance.pdf
- “Guidance on the Use of Video Cameras on Drones and Vehicles”: https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_cameras_vehicles.pdf
- “Responsible Use of Drones and In-Vehicle Cameras” information leaflet: https://www.pcpd.org.hk/english/resources_centre/publications/files/responsible_vehicle_cameras.pdf

Industrial giants Schneider Electric and Emerson among cybercriminals' victims in the attack that targets Oracle E-Business Suite

31 Oct 2025

The Cl0p leak website contains links to 2.7 TB of archive files storing information allegedly obtained from Emerson and 116 GB of archive files with information allegedly belonging to Schneider Electric.



China AI Governance Triangle - The Cybersecurity Law, Personal Information Protection Law (PIPL), Data Security Law (DSL)

30 Oct 2025

On October 28, 2025, the Standing Committee of the National People’s Congress passed the latest amendment to the Cybersecurity Law of the PRC, which—for the first time—explicitly includes artificial intelligence in the core legal framework of national cybersecurity.


A newly added Article 20 states:

“The State supports basic theoretical research and key technologies in artificial intelligence such as algorithms, promotes the construction of data resources and computing infrastructure, improves ethical norms for AI, strengthens risk monitoring, assessment, and security supervision, and promotes the application and healthy development of AI.”


Companies will likely face future requirements for AI safety assessments, algorithm filing, and ethical review.

Copyright @2024 The University of Hong Kong. All Rights Reserved.