Hong Kong checks AI privacy compliance across sectors

PCPD urged organisations using AI to strengthen governance, staff training, risk assessments, audits, and privacy safeguards.

Hong Kong’s Office of the Privacy Commissioner for Personal Data has completed compliance checks on 60 organisations to assess how AI use affects personal data privacy.

The checks, launched in January 2026, covered sectors including banking and finance, education, government departments, insurance, medical services, telecommunications, transport, accounting, food and beverage, logistics, property management, and innovation and technology. The PCPD found no contravention of the Personal Data (Privacy) Ordinance during the exercise.

Among the organisations reviewed, 57 (95%) used AI in day-to-day operations, an increase of 15 percentage points from the previous round of checks. Around 79% of those organisations had used AI for more than a year, while 51% used three or more AI systems.

AI systems were mainly used for administrative support, customer service, research and development, marketing, compliance and risk management, human resources, corporate communications, cybersecurity and data analysis.

Of the 57 organisations using AI, 24 collected or used personal data through AI systems. All provided Personal Information Collection Statements before or during data collection and implemented security measures such as access controls, encryption, penetration testing and anonymisation.

The PCPD found that 23 of those 24 organisations tested AI systems before implementation, while 19 conducted privacy impact assessments. Nineteen adopted a human-in-the-loop approach, and five used a human-in-command model for oversight.

The checks also found that 19 organisations had established AI governance structures, while 17 had internal policies or guidelines for employees’ use of generative AI at work. Twenty organisations provided AI-related training, with most including content on privacy risks.

The PCPD recommended that organisations using AI comply with the Personal Data (Privacy) Ordinance, establish internal governance structures, provide staff training, adopt incident response plans, conduct risk and privacy impact assessments, and regularly audit AI systems. It also urged organisations to use agentic AI prudently by limiting access rights, assessing data sensitivity and maintaining system and data security.

Why does it matter?

The checks show that AI is becoming embedded in business and public-sector operations in Hong Kong, including in areas involving personal data. The PCPD’s findings suggest that many organisations are beginning to adopt safeguards such as impact assessments, human oversight and AI governance structures, while its warnings on agentic AI point to growing concern over systems that can act with greater autonomy and access sensitive data.
