Acceptable Use Policy (Hong Kong)

ACCEPTABLE USE POLICY

[Organisation Name]

Effective Date: [Effective Date]

Policy Owner: [Policy Owner]

1. PURPOSE

1.1 This Acceptable Use Policy (“Policy”) sets out the rules and guidelines governing the use of information technology systems, networks, and digital resources provided by [Organisation Name] (“the Organisation”).

1.2 The purpose of this Policy is to protect the Organisation’s IT infrastructure, data, and reputation; ensure compliance with applicable Hong Kong laws including the Personal Data (Privacy) Ordinance (Cap. 486); and establish clear expectations for all users.

2. SCOPE

2.1 This Policy applies to: [Covered Users].

2.2 This Policy covers the following IT systems and resources: [Covered Systems].

2.3 Limited personal use of Organisation IT systems: [Personal Use Allowed]. Where personal use is permitted, it must not interfere with work duties, consume excessive resources, or breach any provision of this Policy.

3. PROHIBITED CONDUCT

3.1 The following activities are strictly prohibited when using the Organisation’s IT systems:

[Prohibited Activities]

3.2 Additional restrictions: [Additional Restrictions]

3.3 Users must not attempt to circumvent security controls, access systems or data beyond their authorisation level, or use the Organisation’s IT resources for any unlawful purpose. Unauthorised access to computer systems may constitute an offence under sections 27A and 161 of the Crimes Ordinance (Cap. 200).

4. SECURITY OBLIGATIONS

4.1 All users must comply with the following security requirements: [Security Requirements]

4.2 Users must report any suspected security incident, data breach, or policy violation to the designated reporting channel promptly: [Reporting Channel].

4.3 Users must not share their login credentials with any other person. Each user is responsible for all activity conducted under their account.

5. MONITORING

5.1 The Organisation monitors use of its IT systems: [Monitoring Enabled].

5.2 Scope and purpose of monitoring: [Monitoring Scope]

5.3 Monitoring is conducted in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) and the guidance of the Office of the Privacy Commissioner for Personal Data (PCPD). Personal data collected through monitoring is used only for the purposes stated above and is retained only as long as necessary.

6. ENFORCEMENT AND CONSEQUENCES

6.1 Breach of this Policy may result in the following disciplinary measures: [Disciplinary Measures]

6.2 Serious breaches of this Policy may constitute grounds for summary dismissal under section 9 of the Employment Ordinance (Cap. 57) for wilful disobedience of a lawful and reasonable order or misconduct inconsistent with the employee’s duties.

6.3 Certain breaches may also give rise to criminal liability under Hong Kong law, including the Crimes Ordinance (Cap. 200), the Copyright Ordinance (Cap. 528), and the Control of Obscene and Indecent Articles Ordinance (Cap. 390).

7. GOVERNING LAW

7.1 This Policy is governed by the laws of the Hong Kong Special Administrative Region of the People’s Republic of China.

ACKNOWLEDGEMENT

I acknowledge that I have read, understood, and agree to comply with this Acceptable Use Policy.

Employee / User

________________

Signature

Authorised Representative of the Organisation

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is an Acceptable Use Policy (Hong Kong)?

An Acceptable Use Policy in Hong Kong documents the organisation's approach and the obligations placed on those it covers.

No single Hong Kong statute mandates an AUP, but the policy is grounded in multiple legal frameworks. The Employment Ordinance (Cap. 57) establishes the employment relationship within which the AUP operates — an employer may set reasonable workplace rules, and breach of those rules may constitute misconduct justifying disciplinary action up to summary dismissal under Section 9 of Cap. 57. The Personal Data (Privacy) Ordinance (Cap. 486) becomes directly relevant where the organisation monitors employee use of IT systems, as monitoring involves the collection and processing of personal data. The Office of the Privacy Commissioner for Personal Data (PCPD) has published guidance on employee monitoring, emphasising that monitoring must be disclosed to employees in advance, limited to stated purposes, and proportionate to the legitimate objectives pursued. The Crimes Ordinance (Cap. 200) criminalises unauthorised access to computers under Sections 27A and 161, and the Copyright Ordinance (Cap. 528) prohibits unlicensed reproduction and distribution of software and other copyrighted content — both risks that a properly drafted AUP directly addresses.

An AUP protects the organisation from legal and reputational risks arising from employee misuse of technology. Without a documented policy, employers lack a clear contractual and evidentiary basis for disciplinary action when employees access inappropriate content, install unauthorised software, share confidential information through personal email, or cause data breaches through careless security practices. With a documented AUP that employees have acknowledged in writing, the employer has both a legal basis for disciplinary proceedings and evidence that employees were on notice of the rules.

Hong Kong organisations operating in regulated sectors face additional AUP requirements. The Hong Kong Monetary Authority (HKMA) Supervisory Policy Manual requires licensed banks to maintain IT governance frameworks that include documented acceptable use standards. The Securities and Futures Commission (SFC) expects licensed corporations to have information security policies including user access controls and acceptable use standards. The AUP forms a core element of these regulatory compliance frameworks and should be integrated with the organisation’s broader information security policy, data protection policy, and cybersecurity incident response plan.

When Do You Need an Acceptable Use Policy (Hong Kong)?

Every Hong Kong organisation that provides IT systems, internet access, or digital resources to employees or contractors needs an Acceptable Use Policy from the moment it provides technology to any user. The AUP is not a one-time document — it must be updated as the organisation's technology environment, legal obligations, and business practices evolve.

New employee onboarding requires the AUP to be provided as part of the employment package so that clear expectations about permitted and prohibited use are established from day one. The employee should sign and return an acknowledgement confirming receipt and understanding of the policy. Under Hong Kong common law, an employer can only rely on the AUP as the basis for disciplinary action — including summary dismissal under Section 9 of the Employment Ordinance (Cap. 57) — where the employee was aware of its existence and content.

Organisations implementing remote working arrangements need an AUP that addresses home network security, the use of personal devices for work purposes (BYOD), and the risks of accessing company systems through unsecured public Wi-Fi. Remote working has expanded the attack surface for cybersecurity incidents, and the AUP must clearly extend to all locations from which employees access company systems, not just the physical office.

Organisations deploying monitoring tools to track employee IT usage must confirm that the AUP discloses the monitoring transparently to comply with the Personal Data (Privacy) Ordinance (Cap. 486) and the PCPD's guidance on employee monitoring. Without prior disclosure, monitoring may breach Data Protection Principle 1 (purpose and manner of collection) and expose the organisation to regulatory action by the PCPD or adverse consequences in employment proceedings before the Labour Tribunal.

Financial institutions regulated by the Hong Kong Monetary Authority (HKMA) or the Securities and Futures Commission (SFC) need an AUP that reflects their heightened obligations regarding information security, client data protection, and cybersecurity risk management. The HKMA's Supervisory Policy Manual and the SFC's circular on cybersecurity create specific expectations for regulated firms' IT governance frameworks, and the AUP is a core component of those frameworks.

Organisations that have suffered a data breach or cybersecurity incident and are reviewing their internal controls need a thorough AUP as part of their remediation programme. The PCPD's guidance on data breach response and the Office's enforcement powers under the Personal Data (Privacy) Ordinance (Cap. 486) mean that inadequate IT governance — including absence of a clear AUP — can be cited as an aggravating factor in regulatory investigations.

Cloud service and SaaS companies providing services to Hong Kong business customers frequently require their customers to adopt their own AUP governing employee use of the SaaS platform, as a condition of the service agreement. The AUP in these cases must specifically address the use of the relevant cloud service and the customer's obligations under the provider's terms of service.

What to Include in Your Acceptable Use Policy (Hong Kong)

A Hong Kong Acceptable Use Policy must include the following key elements to be legally effective, clearly communicated, and compliant with the Personal Data (Privacy) Ordinance (Cap. 486) and applicable employment law.

Scope and applicability: The policy must clearly define who is bound by it — all employees, contractors, temporary staff, agency workers, and authorised visitors — and which systems, devices, and networks are covered. Coverage must extend to company-owned desktops, laptops, mobile devices, email accounts, cloud services, internal networks, and remote access systems. Where employees use personal devices for work purposes (BYOD), the policy must specify the conditions under which personal devices may access company systems and the security requirements that apply.

Permitted use and personal use allowance: The policy must describe what constitutes acceptable use of company IT resources. Where the organisation permits limited personal use of IT resources during work hours or breaks, the conditions and limits of that permission must be stated — for example, brief personal internet browsing is permitted provided it does not interfere with work duties and does not access prohibited categories of content. Any personal use authorised by the policy is a matter of grace rather than a legal entitlement, and the organisation retains the right to withdraw personal use access.

Prohibited conduct: The policy must set out specific prohibited activities with enough detail to leave users in no doubt about what is not permitted. Prohibited activities should include: accessing or distributing obscene, indecent, or offensive material (which may constitute criminal offences under the Control of Obscene and Indecent Articles Ordinance (Cap. 390)); accessing systems without authorisation (an offence under Sections 27A and 161 of the Crimes Ordinance (Cap. 200)); copying or distributing copyrighted software without a licence (an offence under the Copyright Ordinance (Cap. 528)); sharing login credentials with others; installing unapproved software that may introduce malware; and using company systems for personal commercial activities.

Email and internet use standards: The policy must address professional standards for business email communications, including prohibition on forwarding confidential information to personal email accounts, restrictions on the use of company email addresses for social media registrations, and guidelines on professional tone and content in business communications. Internet browsing restrictions must be stated, including categories of content that are blocked or prohibited.

Security obligations: Employees must be required to use strong, unique passwords for all company systems and to change passwords at prescribed intervals; to lock their screens when leaving workstations unattended; to report suspected security incidents, phishing attempts, or data loss to the IT department promptly; to keep devices physically secure, particularly when travelling; and to comply with all software update and patch management requirements. These obligations directly support the organisation's cybersecurity posture.

Monitoring and privacy disclosure: The policy must inform employees that the organisation may monitor their use of company IT systems — including email, internet browsing, device activity logs, and system access records — and must state the purposes of monitoring (security, compliance, performance management, and investigation of suspected misconduct) and how monitoring data is stored and used. This transparency is required by the PCPD's guidance and Data Protection Principle 1 of the Personal Data (Privacy) Ordinance (Cap. 486). The monitoring disclosure must be specific enough to be meaningful — a vague statement that 'monitoring may occur' without identifying what is monitored and why does not satisfy the PDPO transparency requirement.

Data protection obligations: The policy must address employees' obligations regarding handling of personal data of customers, employees, and third parties in accordance with the Personal Data (Privacy) Ordinance (Cap. 486). Employees must be required to handle personal data only for authorised purposes, to comply with the organisation's data protection policy, and to report any suspected personal data breach to the relevant contact immediately under the PCPD's recommended breach notification framework.

Consequences of breach and enforcement: The policy must clearly state that breach of the AUP may result in disciplinary action, up to and including summary dismissal for serious misconduct under Section 9 of the Employment Ordinance (Cap. 57), and that certain breaches may also constitute criminal offences. The disciplinary process must be fair and consistent with employment law requirements. Forms-legal.com provides a structured Acceptable Use Policy template for Hong Kong covering all PDPO and Employment Ordinance requirements.

Acknowledgement and training: The policy must require each user to sign a written acknowledgement confirming that they have read, understood, and agreed to comply with the AUP. New employees must sign on joining; existing employees must re-acknowledge when the policy is materially updated. Regular training reinforcing the key provisions of the AUP is recommended by the PCPD and the Hong Kong Monetary Authority as part of good IT governance practice.

Sources & Citations

Statutory citations link to official government sources.

  1. The Employment Ordinance (Cap. 57) [HK official]
  2. The Personal Data (Privacy) Ordinance (Cap. 486) [HK official]
  3. The Crimes Ordinance (Cap. 200) [HK official]
  4. Copyright Ordinance (Cap. 528) [HK official]
  5. Employment Ordinance (Cap. 57) [HK official]
  6. Personal Data (Privacy) Ordinance (Cap. 486) [HK official]
  7. Office's enforcement powers under the Personal Data (Privacy) Ordinance (Cap. 486) [HK official]
  8. Control of Obscene and Indecent Articles Ordinance (Cap. 390) [HK official]
  9. Crimes Ordinance (Cap. 200) [HK official]

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Acceptable Use Policy (Hong Kong) (Hong Kong) [Legal document template]. Forms Legal. https://forms-legal.com/hong-kong/business/policies/acceptable-use-policy-hong-kong

MLA

"Acceptable Use Policy (Hong Kong) (Hong Kong)." Forms Legal, 2026, https://forms-legal.com/hong-kong/business/policies/acceptable-use-policy-hong-kong.

BibTeX
@misc{formslegal-acceptable-use-policy-hong-kong,
  author       = {{Forms Legal}},
  title        = {Acceptable Use Policy (Hong Kong) (Hong Kong)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/hong-kong/business/policies/acceptable-use-policy-hong-kong}},
  note         = {Free legal document template. Based on Companies Ordinance (Cap. 622)}
}

Based on Companies Ordinance (Cap. 622) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
