Latest news with #PersonalData(Privacy)Ordinance
HKFP
16-07-2025
- Politics
- HKFP
Hong Kong privacy watchdog launches criminal probe into AI-generated porn scandal at HKU
Hong Kong's privacy watchdog has launched a criminal probe into an AI-generated porn scandal at the city's top university after a student allegedly created indecent images of more than 20 women. The Office of the Privacy Commissioner for Personal Data (PCPD) 'has launched a criminal investigation into the incident and has no further comment at this stage,' the watchdog said in a statement on Tuesday. The statement was released days after a male law student at the University of Hong Kong (HKU) was accused of creating pornographic images of around 20 to 30 women, including his classmates and teachers, without their consent. The student allegedly used photos he found on the women's social media accounts to generate pornographic 'deepfake' images using free online artificial intelligence (AI) tools. Citing the city's privacy laws, the Tuesday statement said that it is illegal to disclose a person's personal data without their consent, causing harm to the subject or their family members. A disclosure of personal data without consent, with an intent to cause 'specified harm,' or if the offender was reckless as to whether any harm would, or would likely be caused, also constitutes an offence. The announcement was also made just hours after Chief Executive John Lee said that most local laws applied to online behaviours, including offences under the Crimes Ordinance and the Personal Data (Privacy) Ordinance. The chief executive did not mention any proposal for legislation regarding AI but urged Hong Kong universities to handle student misconduct 'seriously.' 'While some misconduct may be dealt with under internal university rules, any act that may contravene the law should be reported to law enforcement agencies for action,' he said. HKU said in a statement on Saturday that the university had issued a warning letter to the student and demanded that he formally apologise to the women. The incident was not handled by the university's Disciplinary Committee, after HKU told three anonymous victims that the male student likely did not commit an offence that could be addressed by the committee.
RTHK
07-07-2025
- Health
- RTHK
Organisations urged to up data privacy awareness
Organisations urged to up data privacy awareness Ada Chung, right, and Rebecca Ho stressed the importance of staff training to help tackle data breaches. Photo: RTHK The Office of the Privacy Commissioner for Personal Data (PCPD) on Monday called on organisations to urgently enhance employee awareness and adherence to data privacy protocols. This follows the PCPD's intervention in eight personal data breach incidents across different sectors, including a government department and medical institutions. The breaches, all violations of the Personal Data (Privacy) Ordinance, stemmed primarily from employee negligence and failure to follow established procedures, according to Privacy Commissioner Ada Chung. In one case, an online registration form of a medical institution was found to have involved the improper disclosure of personal data submitted by over 100 registrants, including their names in Chinese and English, phone numbers, email addresses and dates of birth. In another, staff at a retail company inadvertently filled in the email addresses of all its members into the recipients' field, rather than using the blind carbon copy function, thereby revealing the email addresses of more than 1,000 other members to the recipients. A third notable breach occurred within the Transport Department, where staff mailed a letter regarding the complainant's notification of an address change but failed to fold it according to required procedures, which made the complainant's Hong Kong ID card number visible through the envelope window. Of some other cases, one involved a doctor at a medical diagnostic centre who left a computer system logged in, thereby exposing confidential patient data on a monitoring device; a tour guide distributed group e-tickets that contained the unprotected personal data of more than 30 individuals; and a security guard at a residential estate improperly disclosed a complainant's phone number to another tenant while attempting to resolve a parking complaint. Chung stressed the need for organisations to create clear and straightforward work guidelines, while also enhancing employee awareness through targeted training. "We have also stressed the importance of implementation of the policies and continuous monitoring and supervision of the implementation of the policies," she said. "This can be done, for example, by sample random checking of work procedures, surprise checks by supervisors, and also this can be done by ongoing training of internal staff." Chung also highlighted the need to offer training to new staff, along with continuous training annually. Assistant Privacy Commissioner for Personal Data (Complaints and Criminal Investigation) Rebecca Ho said organisations can develop checklists and flowcharts tailored to various positions, making work guidelines easier to understand. She also stressed the importance of adopting technical security measures, such as using an encrypted email system, and developing a comprehensive data breach response plan which would enable organisations to respond swiftly and effectively to potential data breaches.
South China Morning Post
31-03-2025
- Business
- South China Morning Post
Privacy rules broken in data leak of major fashion brands finds Hong Kong watchdog
Hong Kong's privacy watchdog has ruled that a group managing several international fashion brands in the city including Paul Smith and Brooks Brothers has violated its ordinance in protecting customers' data after a data leak affecting nearly 130,000 individuals. Advertisement The incident in May last year concerned ImagineX management, a company established in 1992 which managed over 20 international fashion and beauty brands in Hong Kong, Macau, the mainland and Taiwan. 'The Privacy Commissioner found that ImagineX had not taken all practicable steps to ensure that the personal data involved was protected against unauthorised or accidental access, processing, erasure, loss or use,' said Brad Kwok Ching-hei, the watchdog's chief personal data officer, on Monday. The company had contravened the Data Protection Principle (DPP) 4(1) of the Personal Data (Privacy) Ordinance concerning the security of personal data, he added. The Office of the Privacy Commissioner for Personal Data's six rounds of investigation found that the leak had affected mainly two loyalty programs – ICARD and Brook Brothers – managed by the company concerning a total of 127,268 people. Advertisement The victims included 100,185 ICARD members and 27,069 Brook Brothers members, who faced their personal data, including names, email addresses, telephone numbers, birth months, genders and nationalities being exposed.
