
Legal Update: Checklist on Guidelines for the Use of Generative AI by Employees

02/04/2025

With the aim of fostering the healthy development of artificial intelligence while balancing this against the requirements of the Personal Data (Privacy) Ordinance, the Hong Kong Office of the Privacy Commissioner for Personal Data published the “Checklist on Guidelines for the Use of Generative AI by Employees” on 31 March 2025.

The checklist aims to help organisations develop internal policies or guidelines for the use of generative AI tools at work. In particular, the checklist recommends including the following aspects in an organisation’s internal policies and guidelines:

Coverage of policies or guidelines by employees

– Specifying the permitted generative AI tool(s) and application(s) to be used within the organisation

– Applicability of the internal policy (i.e. the whole organisation, specific departments, specific ranks or employees)

Protection of data privacy

– Setting out the permitted type(s) and amount of information to be inputted into the generative AI tool (including personal data, confidential information, proprietary and copyrighted data)

– Setting out clear instructions on permissible uses of generated information

– Anonymisation of personal data

– Requirements on storage of output information

Lawful and ethical use and prevention of bias

– Prohibiting the use of generative AI tools for any unlawful or harmful activities

– Emphasising that human review and input should be conducted to prevent any inaccurate, biased or discriminatory output

Data security

– Specifying the permitted devices and personnel that can access the generative AI tool

– Robust information security requirements (i.e. strong passwords with multi-factor authentication for devices and accounts)

– Devising and complying with AI and data breach incident response plans and protocols

Consequences on violation of internal policies or guidelines

While the checklist is largely introduced from a personal data protection perspective, a holistic approach should be adopted when preparing internal policies and guidelines. Legal and practical issues surrounding the use of AI, including but not limited to IP ownership and infringement, discriminatory content, biased or inaccurate information, breach of trade secrets, infringement of publicity rights (including portrait, name and voice), and risk of violation of the terms and conditions of the AI tool, should all be coherently addressed in the internal policy or guideline.

At ELLALAN, we regularly advise clients on navigating the latest regulatory requirements and trends on AI, personal data, and intellectual property. To understand how your business can be better prepared in the era of AI, please reach out to our team (Alan Chiu, Managing Partner or Hank Yeung, Associate).