
Latest News

PCPD "AI Security Matters for All" Program - June 27 HKU event

6 Jun 2025

PCPD "AI Security Matters for All" Program - June 27 HKU event - PCPD Privacy Awareness Week 2025: "AI Security Matters for All"

Privacy Awareness Week 2025 - https://www.pcpd.org.hk/english/news_events/events_programmes/privacy_awareness_week/paw2025.html


PCPD Privacy Awareness Week 2025 - "AI Security Matters for All"

The Office of the Privacy Commissioner for Personal Data (PCPD) will hold Privacy Awareness Week 2025 from 9 to 15 June. This annual privacy promotion campaign is jointly supported by members of the Asia Pacific Privacy Authorities and aims to raise public awareness of protecting and respecting personal data privacy. This year, under the theme "AI Security Matters for All", the PCPD is holding the following activities:


1. "AI Security Matters for All" themed tram

To raise public awareness of artificial intelligence (AI) security, the PCPD will run an "AI Security Matters for All" themed tram from 9 June to 4 July as a roving promotion. The tram's design centres on a padlock symbolising AI security, combined with icons relating to personal data, together with the "AI Security" hotline (2110 1155) and a QR code for the newly launched "AI Security" thematic website, reminding the public to protect personal data privacy when using AI.


2. "AI Security" thematic website

As AI applications become increasingly widespread, the PCPD has launched a new "AI Security" thematic website, a one-stop platform providing the PCPD's AI-related guidance materials, educational information and resources, information on international developments, and the PCPD's latest AI-related news and events, for easy reference by the public and organisations.


3. Seminar on "Protecting Personal Data Privacy - Challenges and Opportunities in the Digital Era"

The PCPD and City University of Hong Kong Press will jointly hold the seminar "Protecting Personal Data Privacy - Challenges and Opportunities in the Digital Era" on 10 June. The seminar will explore the latest developments in the privacy landscape in Hong Kong, covering recent data breach incidents and the guidelines on artificial intelligence issued by the PCPD. It will also outline the requirements under the Personal Data (Privacy) Ordinance for transferring personal data from Hong Kong to places outside Hong Kong, and the facilitation measures for promoting cross-boundary flow of personal information within the Greater Bay Area. Amid the rapid development of privacy laws (including the new anti-doxxing provisions in Hong Kong and the implementation of the Personal Information Protection Law in the Mainland), individuals and businesses alike need to keep abreast of these changes. The speakers will share their insights on these topical issues, which are also covered in the third edition of "Personal Data (Privacy) Law in Hong Kong - A Practical Guide on Compliance".


4. PCPD + HKPC SME Data Security Training Series - Seminar on "Understanding AI Data Security and Privacy Risks for SMEs"

This seminar is the second training activity of the "SME Data Security Training Series" launched by the PCPD together with the Hong Kong Productivity Council (HKPC). It examines the business applications of AI by SMEs and the data security and personal data privacy risks involved. Ms 王雅媛, Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs & Research) of the PCPD, and Ir 陳仲文, General Manager of the Cyber Security and Digital Transformation Division of HKPC, will share best practices for organisations when procuring, implementing and using AI systems (including generative AI), as well as their views on ensuring data security and personal data privacy protection when using AI.

Event details:

Date: 13 June 2025 (Friday)

Time: 3:00 pm to 4:15 pm

(Venue: PCPD Lecture Hall, 12/F, Dah Sing Financial Centre, 248 Queen's Road East, Wan Chai, Hong Kong)

Speakers:

· Ms 王雅媛 - Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs & Research), PCPD

· Ir 陳仲文 - General Manager, Cyber Security and Digital Transformation Division, HKPC

Registration and details: click here for details and to register.


5. Seminar on "AI in Education and Its Security Risks - Balancing Innovation and Data Protection"

In today's rapidly changing education landscape, AI plays an important role. Striking a balance between using AI to create innovative learning experiences and protecting sensitive data and strengthening cybersecurity is particularly critical. The PCPD and HKU Information Technology Services and Data Privacy are holding this seminar to explain the PCPD's latest AI guidance, share insights and best practices for protecting personal data in a fast-moving digital world, and present practical strategies for applying AI in educational settings while safeguarding personal data and cybersecurity. Industry experts will also discuss in a panel session how to handle AI errors and user mistakes.

Event details:

Date: 27 June 2025 (Friday)

Time: 2:00 pm to 5:00 pm

(Venue: Multi-purpose Room, 2/F, Main Library Building, The University of Hong Kong, Pokfulam, Hong Kong)

Speakers:

· Ms 王雅媛 - Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs & Research), PCPD

· Prof. 鄒錦沛 - Senior Lecturer, School of Computing and Data Science, The University of Hong Kong

· Prof. 姚兆明 - Professor, School of Computing and Data Science, The University of Hong Kong

· Ms 林小嫺 - Director of Information Security and Risk Management, Swire Coca-Cola Limited

· Mr 林焯豪 - Chief Superintendent, Cyber Security and Technology Crime Bureau, Hong Kong Police Force

· Dr 朱偉年 - Vice President and Secretary, ISACA China Hong Kong Chapter

Registration and details: click here for details and to register.

UK Legal Aid Agency confirms applicant data stolen in data breach

28 May 2025

The United Kingdom's Legal Aid Agency (LAA) has confirmed that hackers stole a large trove of sensitive applicant data in a recent cyberattack. The confirmation of the data breach came from the UK government.


LAA is an executive agency of the UK Ministry of Justice responsible for administering legal aid in the form of advice, representation, and justice to those who can't afford to pay for it themselves.

PCPD Seminar on “Protecting Personal Data Privacy – Challenges and Opportunities in the Digital Era”

26 May 2025

June 10 - PCPD Seminar on “Protecting Personal Data Privacy – Challenges and Opportunities in the Digital Era”

The landscape of personal data privacy continues to evolve in the digital era. This seminar will explore the latest developments in the privacy landscape in HK, covering recent data breach cases and the various guidelines on artificial intelligence issued by the PCPD. It will also highlight the requirements under the Personal Data (Privacy) Ordinance for transferring personal data from HK and the facilitation measure for promoting cross-boundary flow of personal information within GBA. Amidst the rapid developments in privacy laws – including the introduction of the anti-doxxing regime in HK and the enactment of the Personal Information Protection Law in the Mainland – it is crucial for individuals and businesses alike to keep abreast of these changes. The speakers will share their insights on these topical issues, which are also covered in the third edition of the book named “Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance”.

Massive data breach exposes 184 million passwords for Google, Microsoft, Facebook, and more

24 May 2025

The plain-text file containing millions of sensitive records was unencrypted, with no password protection and no other security.


Cybersecurity researcher Jeremiah Fowler revealed his discovery of a massive online database containing more than 184 million unique account credentials. Usernames, passwords, emails, and URLs for a host of applications and websites, including Google, Microsoft, Apple, Facebook, Instagram, and Snapchat, among others, were stored in a file. The database also contained credentials for bank and financial accounts, health platforms, and government portals.


An infostealer is designed to grab usernames, passwords, and other sensitive data from breached sites and servers. Once the criminals get their hands on the data, they can use it to launch their own attacks or peddle the information on the dark web. 

PCPD workshop-Data Protection in Human Resource Management

23 May 2025


Course outline:

  • What are the general requirements for the collection and retention of personal data, and ensuring their accuracy and security in each phase of the employment process

  • What are the requirements of the Code of Practice on Human Resource Management

  • Collection of personal data in recruitment process e.g. medical data, reference data

  • What are the legal requirements in transferring personal data to third parties

  • Collection of biometrics data

  • How to handle a Data Access Request by job applicants or employees

  • What are the requirements for engaging in employee monitoring activities

  • How to tackle employees’ personal data privacy issues arising from COVID-19

  • Data Ethics

Please contact the DPO office for the PCPD club member number to register at the discounted price.

M&S cyber attack disruption likely to last until July

23 May 2025

M&S says it has moved into recovery mode after a ransomware attack, but the disruption continues.


Please refer to the previous news item posted on 19 May - https://dpo.hku.hk/news/m%26s-confirms-staff-data-stolen-in-cyber-attack


M&S forces customer password resets after data breach - https://www.computerweekly.com/news/366623565/MS-forces-customer-password-resets-after-data-breach

M&S confirms staff data stolen in cyber attack

19 May 2025


According to reports first published in The Telegraph, M&S management informed employees that the breach included full names and email addresses. Personal information thought to have been accessed includes names, addresses, and online order histories. However, the high street retailer reassured the public that there is no evidence of passwords, payment details, or sensitive financial data having been accessed.


News in Chinese - https://hk.news.yahoo.com/%E9%A6%99%E6%B8%AF%E9%A6%AC%E8%8E%8E%E6%B4%A9%E5%AE%A2%E6%88%B6%E8%B3%87%E6%96%99-%E5%8C%85%E6%8B%AC%E5%A7%93%E5%90%8D%E3%80%81%E9%9B%BB%E9%83%B5%E3%80%81%E9%9B%BB%E8%A9%B1%E7%AD%89-%E7%84%A1%E5%9B%9E%E8%A6%86%E7%A7%81%E9%9A%B1%E5%85%AC%E7%BD%B2%E6%9F%A5%E8%A9%A2%EF%B8%B1yahoo-092442343.html

Hong Kong Marks & Spencer leaks customer data including names, email addresses and phone numbers; no reply to PCPD enquiries | Yahoo

[Yahoo News report] UK retail brand Marks & Spencer Hong Kong recently notified customers that its online system had earlier suffered a cyberattack and that some personal data may have been stolen, including customer names, email addresses, residential addresses, phone numbers, dates of birth, online order records and masked payment card details. M&S stressed that there is no evidence the data has been disclosed externally, that no usable payment details or account passwords are involved, and that customers need not take any action.

HKU Privacy Management Program Update

14 May 2025


June 6 - HKU Data Protection Coordinator meeting - ready for registration

14 May 2025


Education Giant Pearson hit by cyberattack exposing customer data

11 May 2025

Pearson (Education company) hit by cyberattack exposing customer data

Pearson suffered a cyberattack in which an unauthorized actor gained access to a portion of its systems; the company confirmed that the stolen data did not include employee information. Threat actors compromised Pearson's developer environment through an exposed GitLab Personal Access Token (PAT) found in a public .git/config file.


Pearson is a UK-based education company supporting schools, universities, and individuals in over 70 countries through its print and online services.


Pearson stated, "once we identified the activity, we took steps to stop it and investigate what happened and what data was affected with forensics experts. We also supported law enforcement's investigation. We have taken steps to deploy additional safeguards onto our systems, including enhancing security monitoring and authentication." 
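The Pearson incident turns on a token that git stored in plain text inside .git/config. The following audit script is an added example, not Pearson's code or anything from the article: it parses a git config and reports remote URLs that embed a password or token, plus any hard-coded Authorization header, so a team can catch the pattern before a checkout is ever deployed. The config text, host names and token are constructed placeholders.

```python
"""Audit a .git/config for credentials stored in plain text.

Added example, not Pearson's code. A remote written as
https://oauth2:<token>@gitlab.example.com/... keeps the token in
.git/config, so anyone who can read that file (for example when a
.git/ directory is deployed into a web root) obtains the token.
The config text, host names and token below are constructed.
"""
import configparser
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: one remote embeds a PAT, another uses SSH, and
# http.extraHeader carries a hard-coded Authorization header.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://oauth2:glpat-EXAMPLEPLACEHOLDER@gitlab.example.com/acme/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:acme/app.git
[http]
\textraheader = Authorization: Basic ZXhhbXBsZTpwbGFjZWhvbGRlcg==
"""


def parse_git_config(text):
    """Return {section: {key: value}} for the body of a .git/config."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    # git indents keys with a tab; configparser would read indented
    # lines as continuations of the previous value, so strip them first.
    parser.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {s: dict(parser.items(s)) for s in parser.sections()}


def redact_url(url):
    """Replace the password/token component of an http(s) URL with ***."""
    p = urlsplit(url)
    host = f"{p.hostname}:{p.port}" if p.port else (p.hostname or "")
    return urlunsplit((p.scheme, f"{p.username}:***@{host}", p.path, p.query, p.fragment))


def find_embedded_credentials(text):
    """List (where, redacted_value) for every plain-text credential found."""
    findings = []
    for section, keys in parse_git_config(text).items():
        remote = re.match(r'remote "(.+)"', section)
        if remote and keys.get("url"):
            p = urlsplit(keys["url"])
            if p.scheme in ("http", "https") and p.password is not None:
                findings.append((remote.group(1), redact_url(keys["url"])))
        hdr = keys.get("extraheader", "")
        if section == "http" and hdr.lower().startswith("authorization:"):
            parts = hdr.split()
            shown = f"Authorization: {parts[1]} ***" if len(parts) > 2 else "Authorization: ***"
            findings.append(("http.extraheader", shown))
    return findings


if __name__ == "__main__":
    # Remediation: keep tokens in a credential helper or CI-injected
    # environment variable, and never deploy .git/ under a web root.
    for where, value in find_embedded_credentials(SAMPLE_GIT_CONFIG):
        print(f"plain-text credential in {where}: {value}")
```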



PCPD Compliance Checks on 60 Organisations to Ensure AI Security

8 May 2025

To implement the policy direction from the "Two Sessions" to promote the "AI Plus" Initiative and the Hong Kong Innovation and Technology Development Blueprint promulgated by the HKSAR Government, and to promote the safe and healthy development of AI in Hong Kong, the PCPD began a new round of compliance checks in February 2025, covering 60 local organisations across various sectors, including telecommunications, banking and finance, insurance, beauty services, retail, transportation, education, medical services, public utilities, social services and government departments.

Report can be downloaded - https://lnkd.in/dMM2dCVC
More details - https://lnkd.in/dmqVqxwX

Harrods becomes latest UK retailer hit by cyber attack, after M&S

6 May 2025


The incident comes barely 48 hours after Co-op first disclosed it was experiencing a similar cyber attack that it also took proactive steps to mitigate, and less than a fortnight after M&S was forced to suspend multiple online services following an incident.


This lends weight to growing speculation that all three attacks may share a common link, originating through an unidentified third-party retail services partner in a supply chain attack.


"There must be a common thread across these retailers that has put them firmly in the crosshairs of cyber criminals. These aren't isolated events, they are a wake-up call," said Tim Grieveson of ThingsRecon.


Western Sydney University discloses security breaches, data leak

18 Apr 2025


Western Sydney University (WSU) announced two security incidents that exposed personal information belonging to members of its community.


WSU serves a student body of 47,000 and employs over 4,500 permanent and seasonal staff, operating with an annual budget of approximately $600 million.


1. The first concerns the compromise of one of the University's single sign-on (SSO) systems between January and February 2025. This breach has reportedly led to unauthorized access to demographic, enrollment, and progression information for approximately 10,000 current and former students.

2. The second concerns a leak on the dark web of personal information belonging to members of the University's community. Hackers published the data on 1 Nov 2024, and WSU only became aware of it on 24 Mar 2025.

UAE Launches World’s First AI-Driven Lawmaking System

17 Apr 2025

World’s First AI-Driven Lawmaking System-launched in UAE

The UAE Cabinet has greenlit a groundbreaking initiative to launch the world’s first integrated AI-based regulatory intelligence system, designed to speed up and modernize the legislative process by up to 70%.


In a historic move, the UAE Cabinet, chaired by Sheikh Mohammed bin Rashid Al Maktoum, has approved the launch of the world’s first integrated regulatory intelligence ecosystem, marking a major leap forward in AI-powered governance.

Privacy Commissioner’s Office Publishes Guidelines for the Use of Generative AI by Employees

15 Apr 2025


https://www.pcpd.org.hk/english/resources_centre/publications/files/guidelines_ai_employees.pdf (Eng)

https://www.pcpd.org.hk/tc_chi/resources_centre/publications/files/guidelines_ai_employees.pdf (Chinese)


The guidelines recommend that an organisation's internal policies or guidelines on employees' use of generative AI cover the following:

  • Scope of permissible use of Gen AI: Specify the permitted Gen AI tools, the permissible purposes of use and the applicability of the policies or guidelines;

  • Protection of personal data privacy: Provide clear instructions on the types and amounts of information that can be inputted into the Gen AI tools, the permissible purposes for using the output information, the permissible storage of the output information, the applicable data retention policy and other relevant internal policies to comply with;

  • Lawful and ethical use and prevention of bias: Specify that employees shall not use Gen AI tools for unlawful or harmful activities, emphasise that employees are responsible for verifying the accuracy of AI-generated outputs through ways such as proofreading and fact-checking, and for correcting and reporting biased or discriminatory AI-generated outputs, as well as providing instructions on when and how to watermark or label AI-generated outputs;

  • Data security: Specify the types of devices on which employees are permitted to access Gen AI tools and the categories of employees who are permitted to use Gen AI tools, require employees to use robust user credentials, maintain stringent security settings in Gen AI tools, and report AI incidents according to the organisation’s AI Incident Response Plan; and

  • Violations of policies or guidelines: Specify the possible consequences of employees’ violations of the policies or guidelines, and refer to the PCPD’s “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework) for recommendations on establishing Gen AI governance structure and measures.

Cross Border Data-China CAC data export legal regime 数据出境安全管理政策问答

14 Apr 2025


https://www.cac.gov.cn/2025-04/09/c_1745906286623776.htm - in Chinese only


On 9 April, China's CAC issued a set of FAQs on the Chinese data export legal regime.

🛡️ Scope of restrictions: Data export restrictions under Chinese laws apply only to 'important data' and 'personal information'. This highlights the need for organisations subject to China's data laws to classify any such data in their possession, in order to effectively address compliance requirements.

🔐 Restrictions - important data: By default, important data must be stored in China. Exporting important data requires going through a security assessment conducted by the CAC (i.e. a regulatory approval process) to ensure that the data export does not endanger national security or the public interest.

💡 Restrictions - personal information: In contrast, exporting personal information is less restricted. In fact, there are no specific restrictions on non-CIIO organisations exporting non-sensitive personal information of fewer than 100,000 people in any one calendar year. However, exporting sensitive personal information (e.g. biometrics, financial or medical data) is restricted, as is the export of non-sensitive personal information of 100,000 people or more in any one calendar year. Depending on the transfer scenario (sensitivity and volume), one of three mechanisms - security assessment, standard contract or certification - must be implemented.

✅ 'Necessity' for personal information export: What is sometimes forgotten is the prerequisite that a data export of personal information must be 'necessary'. The FAQs clarify that 'necessity' means the data export must directly relate to the processing purpose, have minimal adverse impact on the individuals, and adhere to the data minimisation and storage limitation principles.

🤝 Guidance for MNCs: The FAQs also address the practical challenges faced by groups of companies in complying with China's data export requirements. They suggest that a group's parent company can apply for a security assessment or sign the standard contract on behalf of its subsidiaries, so as to reduce the administrative burden. Additionally, the CAC is preparing the 'certification' mechanism, which will allow multinational groups to obtain a single certification from an accredited third party and eliminate the need for each group entity to sign and file separate standard contracts.


The different free trade zones in China can apply the relaxation rules on cross-border data flow available in other free trade zones. In other words, companies in the Shanghai Lin-gang Free Trade Zone can also benefit from the relaxation rules available to companies in the Beijing Free Trade Zone.



PCPD - Seminar on "Good Privacy Protection Practices in the Use of AI" (Cantonese only)

10 Apr 2025

To help organisations better protect personal data privacy when using AI, including strengthening their AI governance and formulating internal policies or guidelines for employees' use of generative AI at work, the Office of the Privacy Commissioner for Personal Data (PCPD) is holding this seminar to discuss the privacy risks brought about by the widespread adoption of AI, share the AI governance recommendations and best practices for protecting personal data privacy set out in the "Artificial Intelligence (AI): Model Personal Data Protection Framework", and introduce the PCPD's newly published "Checklist of Guidelines for the Use of Generative AI by Employees".


Speakers:

· Ms 王雅媛 - Assistant Privacy Commissioner for Personal Data (Compliance, Global Affairs & Research), PCPD

· Mr 鄧昭健 - Deputy Business General Manager and Chief Cyber Security and Privacy Protection Officer, Huawei International Co. Limited (Hong Kong)

Seminar highlights:

· Personal data privacy risks arising from the use of AI

· Key recommendations of the "Artificial Intelligence (AI): Model Personal Data Protection Framework"

· Key recommendations of the PCPD's newly published "Checklist of Guidelines for the Use of Generative AI by Employees"

· Good privacy protection practices in developing and using AI technologies

· How enterprises can strike a balance between leveraging the advantages of AI and protecting personal data privacy

Oracle quietly admits data breach, days after lawsuit accused it of cover-up

8 Apr 2025

A lawsuit has accused Oracle of failing to acknowledge a recent data breach. Oracle attempted to minimize the severity of the incident by describing the compromised system as a "legacy environment" that had been unused for eight years. The lawsuit specifically addresses a major security breach discovered in March that reportedly compromised 6 million records containing sensitive authentication-related data from Oracle Cloud infrastructure, potentially affecting more than 140,000 tenant databases.

Malaysian Airport's Cyber Disruption a Warning for Asia

8 Apr 2025


On March 23, travelers at KLIA reported disruptions with flight information display systems, check-in counters, and other services. While KLIA operator Malaysia Airports Holdings Berhad (MAHB) initially confirmed a cyberattack "affecting certain computer systems," the company claimed that operations were not affected. In a speech two days later, Malaysian Prime Minister Anwar Ibrahim called the disruption "quite heavy" and said that a ransom demand for $10 million had been refused. 


While MAHB, which operates 39 airports across Malaysia, downplayed the impact of the attack, Ibrahim described it as a heavy burden on the operator and cited the ransom demand of $10 million during a March 25 speech marking the nation's 218th Police Day.


Europcar GitLab breach exposes data of up to 200,000 customers

5 Apr 2025


A hacker breached the GitLab repositories of multinational car-rental company Europcar Mobility Group and stole source code and some personal information belonging to up to 200,000 customers. The actor tried to extort the company by threatening to publish 37GB of data that includes backups and details about the company’s cloud infrastructure and internal applications.


Europcar Mobility Group is a subsidiary of Green Mobility Holding that operates the Europcar, Goldcar, and Ubeeqo brands with a diverse offering of compact cars, luxury vehicles, vans, and trucks. The company's customer base is spread across 140 countries in Europe, North America, Asia, and Africa.

Copyright © 2024 The University of Hong Kong. All Rights Reserved.