Safeguarding your digital footprint: How AI impacts data privacy in Hong Kong
Introduction
When one speaks about artificial intelligence (“AI”), one thinks of the associated risks as much as of its range of applications and the abundance of business opportunities it opens up. Inevitably, the new risks arising from the innovative applications of AI present regulatory challenges in the area of personal data protection. Taking the initiative to provide guidance for Hong Kong enterprises, the Office of the Privacy Commissioner for Personal Data published the Artificial Intelligence: Model Personal Data Protection Framework (the “Model Framework”) on 11 June 2024.
Recommended measures
The use of AI shall embrace data stewardship values and ethical principles. For example, the use of AI shall be respectful, beneficial and fair, bearing in mind accountability, human oversight, data privacy etc. To achieve the same, the Model Framework recommends appropriate policies, practices and procedures for organisations to adopt when they procure, implement and use AI solutions. The Model Framework focuses on 4 main areas:
1. AI strategy and governance;
2. Risk assessment and human oversight;
3. Customisation of AI models and implementation and management of AI systems; and
4. Communication and engagement with stakeholders.
This newsletter aims to give an overview of each of the main areas stated above.
AI strategy and governance
Organisations should have an internal AI governance strategy, which generally comprises an AI strategy, governance considerations for procuring AI solutions, and an AI governance committee (or similar body) to steer the process.
The AI strategy shall provide directions on the purposes for which AI solutions may be procured and how AI systems can be implemented. On the one hand, such strategy provides guidance and AI-related training internally to staff members and personnel within the organisations, such that they are familiar with the “do’s and don’ts” and are equipped with the skills to work in an environment using AI systems. On the other hand, as the procurement of AI solutions often engages third parties who customise AI systems, the Model Framework also proposes procurement practices that embody governance considerations in relation to dealing with external AI procurement parties, say, whether the potential AI suppliers have followed international technical and governance standards.
At the same time, an AI governance committee, which should report to the board, shall be established to oversee the procurement, implementation and use of the AI system, and to cultivate effective internal reporting mechanisms for reporting system failure or raising any data protection or ethical concerns, so as to facilitate proper monitoring by the AI governance committee.
Conduct risk assessment and human oversight
A risk-based approach should be adopted in the procurement, use and management of AI systems. Comprehensive risk assessments shall systematically identify, analyse and evaluate the risks that are involved in the process. Factors that should be considered in a risk assessment include requirements of the Personal Data (Privacy) Ordinance, Cap 486 (“PDPO”), such as the volume, sensitivity and quality of data, security of data, the probability of privacy risks and the potential severity of the harm that might result.
The rationale behind such risk management measures is proportionality, meaning that the types and extent of risk mitigation measures should correspond with and be proportionate to the levels of the identified risks. For example, an AI system might be used for decision making or to assist in the decision-making process. If there might be algorithmic bias and discrimination in the AI system and the decision to be made is very important or has a critical impact on the company, then a higher level of human oversight would be needed than for an AI system with a lower risk profile. In such circumstances, humans shall retain control in the decision-making process to prevent and mitigate errors by AI, an approach otherwise known as a human-in-the-loop strategy.
Customisation of AI models and implementation and management of AI systems
The major customisation and management process comprises three steps: first, data preparation and management; second, customisation and implementation; and last, management and continuous monitoring. The primary goal of customisation of AI models is to use the data to improve the AI solution's performance by providing more domain / context-specific information. Continuous review and user support are required after the adoption of an AI model to ensure that the AI systems remain effective, relevant and reliable. Good data governance in the customisation and operation of AI not only protects individuals' personal data privacy but also ensures data quality, which is critical to the robustness and fairness of AI systems. In formulating the same, measures must be adopted to ensure compliance with the requirements under the PDPO.
Communication and engagement with stakeholders
Organisations should communicate and engage effectively and regularly with stakeholders, in particular internal staff, AI suppliers, individual customers and regulators to enhance transparency and build trust. Very often, one is required to provide explanations for decisions made by and output generated by AI, disclose the use of the AI system, disclose the risks, and consider allowing opt-out. Communication with stakeholders, particularly consumers, should be in plain language that is clear and understandable to lay persons, and such communication should be drawn to the attention of stakeholders.
Conclusion
The Model Framework carries far more weight than a simple guide on data privacy. Instead, it provides practical recommendations and best practices to assist organisations to procure, implement and use AI in compliance with the relevant requirements of the PDPO, so that organisations can harness the benefits of AI while safeguarding personal data privacy. If you or your company is actively adopting AI in your daily business operations, you are strongly advised to consult the full Model Framework, and if in doubt, consult your legal representatives.
Important: The law and procedure on this subject are very specialised and complicated. This article is just a very general outline for reference and cannot be relied upon as legal advice in any individual case. If any advice or assistance is needed, please contact our solicitors.
Published by ONC Lawyers © 2024