Opinion

Hong Kong Privacy Commissioner releases first AI-focused Personal Data Protection Framework in APAC

Published Date
Jun 14 2024
As Artificial Intelligence ('AI') continues to evolve and integrates into business processes, the Office of the Privacy Commissioner for Personal Data ('PCPD') released its Artificial Intelligence: Model Personal Data Protection Framework on June 11, 2024. It is the first comprehensive guiding model framework in the Asia-Pacific region that focuses on the protection of personal data in the context of AI.

Model personal data protection framework

The Artificial Intelligence: Model Personal Data Protection Framework (the 'Model Framework') provides a comprehensive set of recommendations and best practices for organizations that procure, implement and deploy any type of AI systems that involve the use of personal data, specifically including predictive AI (AI that forecasts future outcomes) and generative AI (AI that generates new data sets).

The Model Framework covers four key areas and sets out recommended measures as follows.

1. AI strategy and governance

  • Formulate AI strategy and governance for AI solution procurement, including:
  • a seven-step procurement approach; and
  • consideration of nine governance issues, such as data processor agreements and compliance with international technical and governance standards. 
  • Establish an AI governance committee or equivalent.
  • Provide AI-related training to employees.

2. Risk assessment and human oversight

 

  • Perform comprehensive risk assessments and establish a risk management system.
  • Adopt a “risk-based” management approach with proportionate risk mitigating measures.
  • Determine the necessary level of human oversight.

3. Customisation of AI models and implementation and management of AI systems

 

  • Manage data for AI system customisation and use.
  • Test and validate AI models during customisation and implementation.
  • Ensure system and data security.
  • Continuously monitor AI systems.

4. Communication and engagement with stakeholders

 

  • Maintain regular and effective communication with stakeholders to foster transparency and trust

The recommendations are not exhaustive and the framework is non-binding, and organizations should of course ensure compliance with the requirements under the Personal Data (Privacy) Ordinance ('PDPO'). 

 

The 2021 AI Guidance

The Model Framework complements the Guidance on the Ethical Development and Use of Artificial Intelligence ('2021 AI Guidance') previously released by the PCPD in 2021. It is structured to help organizations comply with the requirements under the PDPO and the three data stewardship values and seven ethical principles outlined in the 2021 AI Guidance. Organizations that develop in-house AI models are recommended to refer to the 2021 AI Guidance instead of the Model Framework.

Key points of note

The PCPD’s release of the Model Framework marks a significant milestone for data protection in the APAC region. The Model Framework offers a solid blueprint for responsible AI innovation and the safeguarding of personal data. The Model Framework is non-binding but, like other guidance issued by the PCPD such as the Guidance Note on Data Security Measures for Information and Communications Technology, may become the benchmark for organizations to ensure compliance with the PDPO. Organizations in Hong Kong, particularly those at the beginning of their AI journey should carefully study the Model Framework and adopt its recommendations to navigate the evolving landscape of AI and data protection effectively.