In recent years, generative artificial intelligence (Gen AI) has moved from hype to habit across sectors. A compliance check conducted in 2025 by my Office, the Office of the Privacy Commissioner for Personal Data (PCPD) found that 80 percent of the surveyed organizations had used AI in their day-today operations. The accounting profession is no exception, with studies showing 88 percent of accounting and finance respondents in Hong Kong reported using Gen AI tools at work in 2025. Amid this surge in workplace adoption, the Government’s “AI Training for All” announced in this year’s Budget represents an important step in equipping organizations, including accounting firms, with the necessary knowledge to use AI tools.
A tool or a threat?
For accounting professionals, the benefits of AI may be harnessed by automating data entry and analytics, processing statements and contracts to reconcile accounts, and so on. Behind the extraordinary capabilities of AI, however, lie privacy risks that are not negligible.
For instance, the vast amount of personal data and confidential information stored in Gen AI systems may be seen as treasure troves of sensitive data and become attractive targets for hackers and cyber criminals. We have also seen reports of various AI privacy and security pitfalls present in the internal environment of an organization. For example, in 2023, sensitive internal source code was inputted by employees of a leading Korean tech giant into a Gen AI chatbot, which subsequently led to the leakage of the sensitive data.
Guidelines for the use of generative AI by employees
To mitigate the aforesaid privacy risks and to help organizations develop internal policies or guidelines on the use of Gen AI by employees at work while complying with the requirements of the Personal Data (Privacy) Ordinance, the PCPD published the “Guidelines for the Use of Generative AI by Employees” (Guidelines) in 2025.
The Guidelines, which are presented in the form of a checklist, recommend various aspects for organizations to consider when developing their internal AI policies or guidelines, including the key elements set out below.
Scope of permissible use of Gen AI
Firstly, the AI policy or guideline should specify the Gen AI tools that are permitted within the organization, which may include publicly available tools and/or internally developed tools. In addition, organizations should clearly define the permissible purposes for using these tools to avoid ambiguity – for example, whether employees may use such tools for drafting documents, summarizing information or creating textual, audio and/or visual content.
To clearly delineate accountability, organizations should also specify whether such policies apply to the entire organization or only to specific divisions or employees.
Protection of personal data privacy
It is recommended that organizations provide clear instructions on both the “inputs” and “outputs” of Gen AI tools. Regarding the permissible inputs, organizations should specify the types and amounts of information that can be entered. For instance, clear instructions should be provided on whether employees may share personal or copyrighted data with the tools.
Regarding the outputs generated by the Gen AI tools, the AI policy should outline the permissible purposes for using the outputs (including personal data), and whether, when and how such personal data should be anonymized before further use. Additionally, guidance should be provided in respect of the permissible storage of the output information and the applicable data retention policy.
Lawful and ethical use and prevention of bias
To ensure lawful and ethical use of the Gen AI tools, it should be specified in the policy that employees shall not use such tools for unlawful or harmful activities.
The Guidelines also recommend that the AI policy should emphasize that employees acting as human reviewers are responsible for verifying the accuracy of AI-generated outputs, and for correcting and reporting biased or discriminatory AI-generated outputs. To enhance transparency and avoid misleading stakeholders, organizations should also provide instructions on when and how to watermark or label AI-generated outputs.
Data security
To safeguard data security, the AI policy should specify the types of devices on which employees are permitted to access Gen AI tools and the categories of employees who are permitted to use these tools. Employees should be required to use robust user credentials and maintain stringent security settings in Gen AI tools.
In the event of any incident involving AI, such as a data breach, employees should report such incidents according to the organization’s own AI Incident Response Plan.
Violations of policies or guidelines
Lastly, we recommend organizations to specify the possible consequences of employees’ violations of the policies or guidelines on the use of AI.
Strengthening the accounting profession
Looking ahead, the priority for the accounting profession is not “more AI” but governed AI. It is high time for the accounting profession to devise their respective organizations’ AI policies or guidelines so that accountants and other staff can use the new technology effectively, responsibly and safely, thereby building a stronger profession that is able to leverage new technologies to move with the times.
