Legal updates 14 July 2025

Hong Kong PCPD publishes guidelines for managing GenAI risks in the workplace

Author(s): Hong Tran, Liuh Jang Kwok

Artificial intelligence (AI) is rapidly transforming the modern workplace, offering organisations powerful tools to boost productivity, automate processes and drive innovation. From chatbots and generative AI (Gen AI) tools to advanced analytical and decision-making systems, the adoption of AI technologies has become increasingly prevalent in Hong Kong.

However, this rapid transformation also carries certain risks, particularly from a data privacy perspective. In response, the Office of the Privacy Commissioner for Personal Data (PCPD) has issued a “Checklist on Guidelines for the Use of Generative AI by Employees” (the Guidelines), providing practical guidance for employers in devising internal policies and guidelines on the use of Gen AI tools by employees for work purposes.

What are the key features of the Guidelines?

The Guidelines set out the key considerations an employer should take into account when developing its own internal policies or guidelines regarding its employees’ use of Gen AI.

Suggested areas and key recommendations:
Scope of permissible use
  • Clearly specify which Gen AI tools and applications are allowed for work-related use
  • Define the types of tasks for which employees may use Gen AI tools (e.g. drafting, summarising and/or content creation)
  • Set out the scope of individuals to whom the policy applies (e.g. organisation-wide, specific departments or certain roles)
Protection of personal data privacy
  • Provide clear instructions on the types and amounts of information that can and cannot be entered into Gen AI tools
  • Where the employer allows personal data to be entered into Gen AI tools, provide clear instructions on how personal data should be anonymised or cleansed before input
  • Specify how AI-generated outputs may be used and stored
  • Ensure that the AI policy is aligned with other internal personal data related policies
Lawful and ethical use
  • Prohibit unlawful or harmful use of Gen AI tools
  • Emphasise the role of employees as human reviewers to verify the accuracy of AI-generated outputs, prevent bias and discrimination, and apply appropriate labelling or watermarking of AI-generated content
Data security
  • Specify permitted devices and users, require robust user credentials and security settings, and recommend disabling prompt saving or sharing functions to minimise risks
  • Require employees to report AI-related incidents, including data breaches or abnormal outputs, in accordance with the existing incident response plan
Consequences
  • Outline the consequences of non-compliance with the policy

Please see here for the full Employer AI Guidelines.

Key takeaways for employers

Developing internal policies or guidelines for the use of generative AI by employees is a critical first step. However, this alone is not sufficient.

Employers must, among other things, promote, implement and regularly review these policies, as well as provide continuing AI-related training to employees. Importantly, this applies not only to employers that have implemented Gen AI tools, but also to those that have not, as employees may still independently access and use AI tools not provided by their employer. Taking these proactive steps will not only help the employer minimise potential risks, but also foster a workplace culture where Gen AI tools are used responsibly and effectively in the long term.

Employers that procure, implement and use AI systems that involve the use of personal data in their operations should also take into account the practical recommendations set out in the “Artificial Intelligence: Model Personal Data Protection Framework” (the Model Framework) issued by the PCPD in June 2024. Please see here for details of the Model Framework.

Both the Guidelines and the Model Framework form part of the PCPD’s codes of practice. If a data breach occurs in relation to an employer’s use of AI and legal proceedings are initiated by the PCPD, any failure to comply with the Guidelines and the Model Framework may be used as evidence against the employer in such proceedings.
