Hong Kong Office of the Privacy Commissioner assessing regulatory issues from AI in the workplace
The use of Artificial Intelligence (AI) can provide benefit to all sectors of the economy. This requires AI to be deployed in workplaces. Employers and HR teams must be mindful of ethical and privacy risks that arise from the use of AI in recruitment and employment processes and management.
The Personal Data (Privacy) Ordinance (PDPO) applies in respect of the protection of personal data in the employment context. This applies throughout the personal data life cycle, including collection, processing, transfer, retention, use and destruction of personal data. Typical classes of personal data in the employment context include recruitment data, personnel records, performance records, activity records and sensitive records.
The Office of the Privacy Commissioner of Personal Data (PCPD) issued the Code of Practice on Human Resource Management in April 2016. If an employer breaches this Code of Practice, this gives rise to a rebuttable presumption in any legal proceedings that the employer has breached the PDPO.
The key Data Protection Principles (enshrined in the PDPO) as they apply to an employer are to:
The PCPD has been the primary regulator exploring and addressing regulatory issues arising from AI. This is understandable, as there is an overlap of issues between governance of personal data and governance of AI. Nonetheless, this does reflect a degree of regulatory courage, as the issues involved in governance of AI are broader and more complex than simply personal data protection.
The PCPD has published two key papers on AI governance. Its first publication, in August 2021, introduced an explanation of governing ethical principles for AI development and use, and provided practical guidance on systems and processes an organisation could adopt. It included a practical self-help checklist for organisations to carry out a self-assessment. More recently, in June 2024, the PCPD deepened its prior published guidance by publishing a model framework for personal data protection in the context of AI development and use.
Key features employers should take note of from the 2021 guidance and 2024 model framework above include that companies should:
Employers need to ensure that they comply with the PDPO when deploying and using AI in respect of employment matters. They should also be aware of the personal data risks with the use of AI and automated decision making. These include over-collection and over-retention of data, use of personal data for unauthorised purposes, and data privacy and security. For instance, risks may arise when employee personal data collected from recruitment or performance reviews are used as AI training data sets for future selection exercises.
The PCPD conducted compliance checks on 28 local organisations from August 2023 to February 2024 on their collection, use and processing of personal data using AI, and their AI governance structure. The PCPD will continue to monitor the personal data privacy and protection risks arising from the development, deployment and use of AI.
The Artificial Intelligence Act in the EU came into force in August 2024. Generally, it follows a risk-based approach in classifying AI systems on levels of risk and establishing certain requirements based on that risk. The EU classified activities regarding selection, promotion, recruitment and termination as high risk.
The UK government opted for a “pro-innovation approach” to regulating AI. The UK government presently does not intend to introduce an all-encompassing statute to regulate AI and will instead customise existing regulations to address risks. The intention is to maintain flexibility of commercial operations. However, the new UK government has not ruled out the possibility of legislating on the development of AI systems in the future.
AI may bring possible benefits and efficiencies to employers. These include:
The PDPO, being principle-based and technology-neutral legislation, allows a relatively flexible regulatory regime for the use of AI that balances the needs of the relevant stakeholders and the legal requirements on personal data appropriate to the local circumstances.
Employers should familiarise themselves with the current requirements under the PDPO and be aware of any changes to these rules. They should formulate and introduce policies for AI and conduct impact assessments before using AI tools and technology. This is a rapidly changing area. New requirements will likely arise at a quick pace. Insofar as AI is concerned, the future is no longer coming; the future is here.
Russell Bennett is a Partner and Head of the Employment Practice at Tanner De Witt in Hong Kong. Mark Chiu is a Consultant in the Employment Practice at Tanner De Witt in Hong Kong.