More than 40 percent of organizations using artificial intelligence systems collected or used personal data through AI, the city’s privacy watchdog said, as it urged businesses to strengthen safeguards against emerging privacy risks.
The Office of the Privacy Commissioner for Personal Data on Tuesday published the findings of its 2026 compliance checks on the secure and responsible use of AI across different sectors.
The checks covered 60 organizations and aimed to assess whether they complied with the Personal Data (Privacy) Ordinance when collecting, using and processing personal data through AI systems. The PCPD said no violations were found.
Among the organizations checked, 57, or 95 percent, used AI in their daily operations, up 15 percentage points from the results of similar checks conducted in 2025. Of them, 45 had been using AI for more than a year.
Of the 57 organizations using AI, 24 collected or used personal data through AI systems. All 24 had provided a Personal Information Collection Statement on or before collecting personal data and adopted security measures such as data encryption and access controls.
About 96 percent of the 24 organizations tested their AI systems before implementation to ensure reliability, robustness and fairness. Nineteen also adopted a “human-in-the-loop” approach to maintain human oversight and control over decision-making.
The checks found that about 83 percent of the 24 organizations provided AI-related training for employees, while 18 included content on AI-related privacy risks.
Twenty-two of the 24 organizations had formulated data breach response plans. However, only 17 had developed internal policies or guidelines for employees’ use of generative AI at work.
Privacy Commissioner for Personal Data Ada Chung Lai-ling said organizations must address potential privacy risks while benefiting from the convenience brought by AI.
Chung said organizations should develop comprehensive AI strategies, conduct risk and privacy impact assessments, adopt an appropriate level of human oversight, and regularly review and assess the impact of AI systems on personal data privacy.
The PCPD also said organizations using agentic AI to collect, use or process personal data should carefully consider the nature and sensitivity of the data involved, and grant such systems only the minimum access rights necessary to perform the relevant tasks.
