AI Acceptable Use Policy (Hong Kong)

AI ACCEPTABLE USE POLICY

[Organisation Name]

Effective Date: [Effective Date]

Policy Owner: [Policy Owner]

1. PURPOSE AND SCOPE

1.1 This AI Acceptable Use Policy (“Policy”) establishes the rules and guidelines governing the use of artificial intelligence tools and systems by employees, contractors, and authorised users of [Organisation Name] (“the Organisation”).

1.2 This Policy ensures AI tools are used responsibly, ethically, and in compliance with the Personal Data (Privacy) Ordinance (Cap. 486), the Copyright Ordinance (Cap. 528), and other applicable laws of Hong Kong.

2. APPROVED AI TOOLS

2.1 The following AI tools and platforms are approved for use within the Organisation: [Approved AI Tools]

2.2 Employees must not use any AI tool that has not been approved by the Organisation. To request approval for a new AI tool: [Approval Process]

2.3 The Organisation will review approved AI tools periodically to ensure ongoing compliance with data protection and security standards.

3. DATA PROTECTION AND CONFIDENTIALITY

3.1 The following categories of data must NOT be input into any AI tool: [Data Restrictions]

3.2 The following categories of data may be used with approved AI tools: [Permitted Data Types]

3.3 Under the Personal Data (Privacy) Ordinance (Cap. 486), personal data must be collected for a lawful purpose (DPP 1), used only for the purpose of collection (DPP 3), and protected by adequate security measures (DPP 4). Inputting personal data into AI tools may constitute processing by a third party, requiring compliance with all six Data Protection Principles.

3.4 Employees must not input trade secrets, client-confidential information, or legally privileged material into any AI tool unless specifically authorised by the Organisation.

4. PROHIBITED ACTIVITIES

4.1 The following AI-related activities are strictly prohibited: [Prohibited AI Activities]

4.2 The following activities require mandatory human review before AI-generated outputs may be used or distributed: [Human Oversight Required]

4.3 AI tools must not be used to make automated decisions that materially affect individuals without human oversight, consistent with the PCPD’s guidance on ethical AI use.

5. INTELLECTUAL PROPERTY

5.1 [IP Ownership].

5.2 Employees must exercise caution when using AI-generated content to ensure it does not infringe third-party intellectual property rights under the Copyright Ordinance (Cap. 528) or other applicable laws.

6. ENFORCEMENT AND CONSEQUENCES

6.1 Breach of this Policy may result in the following disciplinary measures: [Disciplinary Measures]

6.2 AI-related incidents should be reported to: [Reporting Channel]

6.3 Serious breaches may constitute grounds for summary dismissal under section 9 of the Employment Ordinance (Cap. 57).

7. GOVERNING LAW

7.1 This Policy is governed by the laws of the Hong Kong Special Administrative Region of the People’s Republic of China.

ACKNOWLEDGEMENT

I acknowledge that I have read, understood, and agree to comply with this AI Acceptable Use Policy.

Employee / User

________________

Signature

Authorised Representative of the Organisation

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is an AI Acceptable Use Policy (Hong Kong)?

An AI Acceptable Use Policy in Hong Kong establishes the rules and responsibilities that govern how an organisation's employees, contractors, and authorised users may use artificial intelligence tools and systems.

The Personal Data (Privacy) Ordinance (Cap. 486) is the primary Hong Kong legislation governing the handling of personal data by AI systems. The six Data Protection Principles in Schedule 1 to Cap. 486 apply whenever AI tools collect, process, hold, or use personal data of individuals. The Office of the Privacy Commissioner for Personal Data (PCPD) published guidance on the ethical development and use of AI in 2021, recommending transparency in AI-generated decisions, accountability for AI outcomes, human oversight of automated processes, and privacy by design in AI system development. The PCPD has continued to issue sector-specific AI guidance, reflecting the rapid evolution of AI technology and its impact on personal data rights.

While Hong Kong does not have AI-specific legislation as of 2026, multiple existing ordinances apply directly to AI use in the workplace. The Copyright Ordinance (Cap. 528) governs the intellectual property status of AI-generated content and the risk of copyright infringement where AI tools reproduce copyrighted training data in their outputs. The Crimes Ordinance (Cap. 200) applies to AI-generated fraud, impersonation, and deepfakes. Hong Kong common law principles of negligence apply where AI-generated advice or decisions cause harm to individuals or third parties. The Competition Ordinance (Cap. 619) may apply where AI-driven pricing or market allocation algorithms raise anti-competitive concerns. The Contracts (Rights of Third Parties) Ordinance (Cap. 623) is relevant where AI-generated agreements are executed on behalf of third parties.

The Hong Kong Monetary Authority (HKMA) has issued supervisory guidance on responsible AI use by banks and financial institutions, including requirements for model risk management, explainability of AI-driven credit and risk decisions, and human oversight of algorithmic systems. The Securities and Futures Commission (SFC) has similarly addressed AI in its circular on algorithmic trading and its guidelines on technology risk management. For organisations in regulated sectors, the AI Acceptable Use Policy must align with sector-specific regulatory expectations alongside the general PDPO framework.

An AI Acceptable Use Policy covers: the approval process for AI tools; data classification rules for AI inputs; prohibited AI activities such as inputting personal data into unapproved external services or using AI for discriminatory decision-making in breach of the Sex Discrimination Ordinance (Cap. 480) or Race Discrimination Ordinance (Cap. 602); human oversight requirements; intellectual property ownership of AI-generated outputs; incident reporting for AI-related breaches; and enforcement mechanisms. Forms-legal.com provides a structured AI Acceptable Use Policy template for Hong Kong, aligned with PCPD guidance and all applicable ordinances including Cap. 486, Cap. 528, and Cap. 200.

When Do You Need an AI Acceptable Use Policy (Hong Kong)?

Every Hong Kong organisation that permits employees to use AI tools — whether externally hosted generative AI services or internally deployed machine learning systems — needs an AI Acceptable Use Policy before widespread adoption begins. Deploying AI tools without governance creates unmanaged exposure under the Personal Data (Privacy) Ordinance (Cap. 486), the Copyright Ordinance (Cap. 528), and Hong Kong common law principles of confidentiality.

Organisations deploying generative AI tools for content creation, coding, customer communication, or research need the policy to prevent employees from inadvertently inputting personal data of customers or colleagues into unapproved external AI services. Under Data Protection Principle 3 of the PDPO (Cap. 486), personal data may only be used for the purpose for which it was collected — inputting customer data into a generative AI service for model training purposes may breach DPP 3 unless the customer consented to such use. The PCPD has issued guidance noting that organisations must contractually restrict AI service providers from using personal data for purposes beyond the contracted service.

Financial services firms regulated by the Hong Kong Monetary Authority (HKMA) or the Securities and Futures Commission (SFC) using AI for credit scoring, fraud detection, investment recommendations, or customer onboarding need an AI policy that reflects their heightened regulatory obligations. The HKMA's Supervisory Policy Manual and the SFC's circular on operational resilience both emphasise that algorithmic and AI-driven processes must be subject to model risk management, which an AI policy supports.

Legal and professional services firms in Hong Kong face particular confidentiality risks when using generative AI for drafting, research, or document review. Client confidentiality obligations under the Solicitors' Guide to Professional Conduct and equivalent standards for other regulated professions prohibit disclosure of client-confidential information to third parties — including AI service providers whose terms of service permit use of inputs for model training. An AI policy establishes the controls needed to prevent inadvertent breach of these professional obligations.

Healthcare organisations and medical practitioners in Hong Kong using AI for diagnostic support, clinical documentation, or patient communication must comply with the Code of Professional Conduct of the Medical Council of Hong Kong and the Hospital Authority's data governance requirements, in addition to the Personal Data (Privacy) Ordinance (Cap. 486). AI tools processing patient health data are subject to heightened scrutiny, and a documented AI policy is a prerequisite for responsible deployment.

Organisations implementing AI for HR purposes — automated CV screening, performance assessment tools, or AI-assisted interview scoring — need an AI policy addressing the anti-discrimination implications of algorithmic decision-making. AI tools used in recruitment may perpetuate or amplify biases, producing discriminatory outcomes that expose the employer to liability under the Sex Discrimination Ordinance (Cap. 480), Race Discrimination Ordinance (Cap. 602), or Disability Discrimination Ordinance (Cap. 487), even where the discriminatory outcome was not intended. The policy must require human review of all AI-generated HR decisions.

What to Include in Your AI Acceptable Use Policy (Hong Kong)

A Hong Kong AI Acceptable Use Policy must include the following key elements to address data protection, intellectual property, confidentiality, and human oversight obligations under applicable Hong Kong law and regulatory guidance.

Scope and covered technologies: The policy must define which AI technologies are covered — generative AI tools (large language models used for text, code, or image generation), AI-powered analytics platforms, machine learning decision-support tools, robotic process automation, and AI features embedded in standard software such as email clients or office productivity tools. The scope should distinguish between approved AI tools (those that have been evaluated and authorised by the IT or compliance function) and unapproved tools (those that have not been evaluated). The policy must bind all employees, contractors, and temporary staff who access company systems.

AI tool approval process: The policy must establish a formal process for evaluating and approving AI tools before they are used in the organisation. The evaluation framework should assess: compliance with the Personal Data (Privacy) Ordinance (Cap. 486), particularly whether the AI provider processes personal data outside Hong Kong and whether adequate contractual protections are in place; intellectual property implications under the Copyright Ordinance (Cap. 528); the AI provider's terms of service regarding data retention, model training, and data sharing; security certifications and standards; and accuracy and reliability track record. Only tools that pass the approval process should be made available to employees.

Data classification and input restrictions: The policy must establish a data classification framework specifying which categories of data may and may not be input into AI tools. Personal data as defined by the Personal Data (Privacy) Ordinance (Cap. 486) — information relating to an identified or identifiable individual — must not be input into external generative AI services unless specific contractual safeguards are in place with the AI provider. Confidential business information, trade secrets, client-confidential data, and financial information that could be market-sensitive should be prohibited from input into external AI services. The data classification must be communicated clearly so that employees can apply the rules in practice.

Prohibited AI activities: The policy must specify categories of AI use that are not permitted. Prohibited activities should include: inputting personal data or confidential information into unapproved AI tools; using AI to generate communications that misrepresent facts or impersonate individuals (which may constitute fraud or deception under the Crimes Ordinance (Cap. 200)); creating deepfakes or synthetic media intended to deceive; using AI to circumvent security controls or access data beyond the user's authorisation; relying on AI outputs for legally or regulatorily significant decisions without human review; and using AI in recruitment decisions without documented human oversight and bias assessment.

Human oversight and verification requirements: The policy must require human review of AI-generated outputs before they are used externally, submitted as formal advice, incorporated into legal documents, or used to make decisions affecting individuals. The PCPD's guidance on AI emphasises that organisations deploying AI for automated decision-making affecting individuals must ensure meaningful human oversight. Employees must be required to verify the accuracy of AI-generated information — AI tools can produce plausible but incorrect outputs (hallucinations), and reliance on unverified AI outputs in professional, legal, or financial contexts can cause serious harm.

Intellectual property and AI-generated content: The policy must address the ownership and use of AI-generated content. Under the Copyright Ordinance (Cap. 528), the copyright status of AI-generated works in Hong Kong remains legally uncertain — computer-generated works may attract copyright where there is sufficient human authorship in the creative process. The policy must specify that the organisation retains ownership of all AI-generated outputs produced using company AI tools or by employees in the course of their employment, and must prohibit employees from using AI to reproduce or adapt copyrighted third-party content without authorisation.

Incident reporting: The policy must establish a clear process for reporting AI-related incidents — including inadvertent input of personal data into an unapproved AI tool, AI-generated outputs that caused harm, suspected model bias, or security incidents involving AI systems. The incident reporting process should feed into the organisation's broader incident response framework and, where personal data breaches are involved, comply with the PCPD's recommended breach notification practices under the Personal Data (Privacy) Ordinance (Cap. 486). Section 66 of Cap. 486 provides a civil right of action for individuals who suffer damage as a result of a data user's contravention of the Ordinance — AI-related data breaches can therefore generate both regulatory enforcement by the PCPD and civil claims by affected individuals.

Anti-discrimination compliance in AI-driven HR decisions: Where AI tools are used in recruitment, performance assessment, or other employment decisions, the policy must require human review of all AI outputs before any decision is made. AI systems trained on historical data may embed and amplify existing biases, producing outcomes that breach the Sex Discrimination Ordinance (Cap. 480), Race Discrimination Ordinance (Cap. 602), Disability Discrimination Ordinance (Cap. 487), or Family Status Discrimination Ordinance (Cap. 527). The Equal Opportunities Commission (EOC) applies a purposive interpretation to these ordinances and has indicated that discriminatory algorithmic outcomes do not excuse employers from liability on the ground that the decision was machine-generated. Employers must document their human review process and bias-testing methodology.

Training and awareness: The policy must require regular training for all employees on the responsible use of AI tools, the specific risks of generative AI (hallucination, bias, confidentiality), and the organisation's AI governance framework. Training must be updated as AI technology and regulatory guidance evolve. The PCPD's 2021 guidance on ethical AI development and use, the HKMA's circular on responsible AI in banking, and the SFC's technology risk management guidance should all be incorporated into training content for relevant staff. The Crimes Ordinance (Cap. 200) Sections 27A and 161 apply to unauthorised computer access, which can arise where AI tools are misused to access data beyond the user's permissions. Forms-legal.com provides a structured AI Acceptable Use Policy template for Hong Kong, covering all PDPO Cap. 486, Copyright Ordinance Cap. 528, Crimes Ordinance Cap. 200, and EOC compliance requirements under Cap. 480, Cap. 487, Cap. 527, and Cap. 602.

Sources & Citations

Statutory citations link to official government sources.

  1. Personal Data (Privacy) Ordinance (Cap. 486) (HK official)
  2. Copyright Ordinance (Cap. 528) (HK official)
  3. Crimes Ordinance (Cap. 200) (HK official)
  4. Competition Ordinance (Cap. 619) (HK official)
  5. Contracts (Rights of Third Parties) Ordinance (Cap. 623) (HK official)
  6. Sex Discrimination Ordinance (Cap. 480) (HK official)
  7. Race Discrimination Ordinance (Cap. 602) (HK official)
  8. Disability Discrimination Ordinance (Cap. 487) (HK official)
  9. Family Status Discrimination Ordinance (Cap. 527) (HK official)

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). AI Acceptable Use Policy (Hong Kong) (Hong Kong) [Legal document template]. Forms Legal. https://forms-legal.com/hong-kong/business/policies/ai-acceptable-use-policy-hong-kong

MLA

"AI Acceptable Use Policy (Hong Kong) (Hong Kong)." Forms Legal, 2026, https://forms-legal.com/hong-kong/business/policies/ai-acceptable-use-policy-hong-kong.

BibTeX
@misc{formslegal-ai-acceptable-use-policy-hong-kong,
  author       = {{Forms Legal}},
  title        = {AI Acceptable Use Policy (Hong Kong) (Hong Kong)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/hong-kong/business/policies/ai-acceptable-use-policy-hong-kong}},
  note         = {Free legal document template. Based on Personal Data (Privacy) Ordinance (Cap. 486)}
}

Based on Personal Data (Privacy) Ordinance (Cap. 486) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
