Hong Kong Releases New Guidelines on Generative AI in the Workplace: What Employers Should Know

Businesses with employees in Hong Kong should be aware of new guidelines aiming to help companies develop policies on generative AI use in the workplace. Although the new guidelines are not binding, they are meant to align with existing data privacy requirements in Hong Kong. How will these guidelines impact your business? Read on to learn more, including seven best practices.

What Happened?

The new “Checklist on Guidelines for the Use of Generative AI by Employees” aims to assist companies with developing policies on generative AI in light of existing data privacy rules in the Personal Data (Privacy) Ordinance (PDO).

You should note that Hong Kong’s Privacy Commissioner for Personal Data (PCPD) is responsible for enforcing and overseeing compliance with the PDO, which has been in force since 1996 (with recent updates). The Commissioner regulates the collection and handling of personal data in Hong Kong.

The PDO applies to any person who collects, holds, processes, or uses personal data in Hong Kong, in both the private and public sectors. “Personal data” means information that relates to a living individual and can be used to identify that individual.

How Do the New AI Guidelines Impact Employers?

The guidelines recommend that employers carry out the following tasks to ensure responsible use of generative AI use in the workplace:

• Scope of permissible use: Instruct employees on which generative AI platforms they can use, when they can use them, and for what purposes. Be sure employees receive all applicable company policies on the matter.
• Protection of personal data privacy: Provide employees with clear instructions on how personal data can be entered into generative AI platforms. For example: What information can be used? How should data obtained through the platform be stored? What is the applicable data retention policy?
• Lawful and ethical use and bias prevention: Inform employees about the lawful and ethical use of generative AI. This includes proofreading and fact-checking information obtained through a generative AI platform, correcting and reporting biased or discriminatory information, and watermarking or labeling the information whenever appropriate. Remind employees not to use generative AI for unlawful or harmful purposes.
• Data security: Instruct employees on the specific devices they can use to access generative AI platforms and which employees are allowed to use them. Other security measures you should consider adopting include:
  • requiring employees to use strong credentials;
  • maintaining strong security settings in generative AI platforms; and
  • reporting AI incidents.

You may also want to have an AI incident response plan in place.

• Violations: Inform employees about the consequences for violating AI policies.
• Transparency: Inform employees about existing AI policies and any updates as they are made.
• Training and resources: Train employees on how to use generative AI platforms, the limitations of these platforms, and the importance of reading privacy policies and the platforms’ terms of use.
• Support teams: Appoint a team to assisting employees in using generative AI. This includes providing technical assistance and addressing any concerns.
• Establishing a feedback mechanism: Allow employees to provide feedback through designated channels.

What Are the Risks of Noncompliance?

Although the guidelines are not officially binding, they are connected to the PDO’s privacy data rules – which are binding – and the guidelines are an illustration of what the PCPD expects companies in Hong Kong to have in place when it comes to their employees’ use of generative AI.

Compliance with data privacy rules is critical. Breaches of the PDO may result in fines of up to HK$1 million (approximately USD 130,000) in daily penalties, as well as potential imprisonment.

An Employer’s 7-Step Action Plan

If your company has employees in Hong Kong, you should consider taking these seven steps to comply with the PDO and align your policies with the recent AI guidelines:

1. Review your generative AI policies and practices and update them in accordance with the guidelines.
2. Carefully review the security measures you have in place and create AI incident response plans.
3. Provide employees with clear information on how to input and protect personal data when using generative AI platforms.
4. Train all employees on the use generative AI and on your company’s policies, including the consequences for violations.
5. Appoint a support team to assist employees in the use of generative AI. Ensure support team members are sufficiently trained and knowledgeable about AI.
6. Create feedback mechanisms for employees on the use of generative AI in your workplace. Ensure your company has policies in place to prevent discrimination, harassment, or retaliation against employees who utilize those feedback mechanisms, especially if they use them to report actual or perceived violations of the PDO or other applicable laws.
7. Reach out to our International Practice Group to help your business navigate these changes.
   
   

Want to Learn More About AI? Join Fisher Phillips for our third-annual AI Conference for business professionals this July 23 – 25, in Washington, D.C. Learn more and register here.

Conclusion

If you require any assistance related to compliance with data privacy rules in Hong Kong, please contact your Fisher Phillips attorney, the authors of this Insight, or any attorney in our International Practice Group or AI, Data, and Analytics Practice Group. We will continue to monitor the situation and provide updates as warranted, so make sure to sign up for Fisher Phillips' Insight System to receive the most up-to-date information.