Office of the Privacy Commissioner for Personal Data
Office of the Privacy Commissioner for Personal Data
12/17/2025 | Press release | Distributed by Public on 12/17/2025 00:28
Privacy Commissioner’s Office Publishes (1) Guidance on Handling Abuse of AI Deepfakes and (2) Investigation Findings of a Case Involving the Use of CCTV
Date: 17 December 2025
Privacy Commissioner's Office Publishes
Relevant requirements of the PDPO
Data Protection Principle (DPP) 1(1) of Schedule 1 to the PDPO provides that personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user; and the data collected is necessary, adequate but not excessive in relation to that purpose. DPP 1(2) also provides that the means of personal data collection shall be lawful and fair in the circumstances of the case.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, pointed out that, "Organisations should avoid using CCTV to collect personal data under unfair circumstances, for example, CCTV should not be installed to collect images in places where individuals would have a reasonable expectation of privacy (e.g. changing rooms or restrooms). Although the relevant incident appears to have arisen from the incorrect installation of a wooden door, the Centre failed to take into account members' privacy expectations in intimate spaces such as restrooms and assess the appropriateness of the camera's location and filming angle when instructing the contractor to install the camera concerned. This also demonstrates that careful consideration has not been given by the Centre in the installation of CCTV system, and reflects an insufficient level of sensitivity on the protection of personal data privacy".
Having considered the circumstances of the case and the information obtained during the investigation, the Privacy Commissioner was of the view that, had the Centre not received the relevant enquiry made by its member, the video and audio recording functions of the relevant CCTV camera might subsequently have been fully activated, thereby collecting images of members inside the restroom concerned. Therefore, although the camera was not yet operational at the material time and thus did not involve the collection of "personal data", the Privacy Commissioner nevertheless issued an advisory letter to the Centre, reminding it of the requirements under DPPs 1(1) and 1(2) of the PDPO when installing CCTV cameras.
With the advancement of technology, the use of CCTV systems for purposes such as security and surveillance has become increasingly common across different industries. The PCPD published a "Guidance on the Use of CCTV Surveillance" and "Tips on the Use of CCTV Surveillance" information leaflet earlier to provide practical guidance on how to use CCTV systems responsibly, so as to assist data users to make effective use of technology while ensuring the protection of personal data privacy and compliance with the relevant requirements under the PDPO.
The Guidance and the information leaflet provide an overview of the considerations for deploying CCTV systems, including installing CCTV systems to collect personal data only for lawful purposes directly related to a data user's functions or activities, avoiding unfair surveillance, considering less privacy-intrusive alternatives, taking all practicable steps to inform potentially affected individuals, deleting footage in a timely manner, and implementing adequate security measures.
Download the "Guidance on the Use of CCTV Surveillance":
https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_cctv_surveillance.pdf
Download the "Tips on the Use of CCTV Surveillance" information leaflet:
https://www.pcpd.org.hk/english/resources_centre/publications/files/tips_on_cctv_surveillance.pdf
Privacy Commissioner's Office Publishes
(1) Guidance on Handling Abuse of AI Deepfakes and
(2) Investigation Findings of a Case Involving the Use of CCTV
The Office of the Privacy Commissioner for Personal Data (PCPD) today published (1) Abuse of AI Deepfakes: Toolkit for Schools and Parents (Toolkit) and (2) the investigation findings of a case involving the use of CCTV.
(1) Abuse of AI Deepfakes: Toolkit for Schools and Parents
Artificial intelligence (AI) deepfakes have become increasingly common. Deepfakes can now convincingly imitate and replace a person's face, voice or actions using personal data contained in images, videos and audio recordings. There are risks of deepfakes being abused in instances involving cyberbullying, scams, falsified intimate images and disinformation, which may cause harm to individuals, particularly children and young people.
As children and young people may create or share malicious deepfakes without realising the potential legal consequences, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, reminds the public, "Deepfakes may cause harm to others, particularly children and youngsters, if used abusively. Children and youngsters may even create or share malicious deepfakes without realising the potential legal consequences of using deepfakes. In view of this, the PCPD has published the Toolkit to provide practical advice to schools and parents, with a view to assisting them in handling deepfake incidents involving children and young people, as well as safeguarding their privacy in relation to personal data."
The Privacy Commissioner emphasised, "Most laws in the real world apply equally in the digital world. Any use of personal data to create deepfakes is subject to the requirements of the Personal Data (Privacy) Ordinance (PDPO). Malicious use of deepfakes may contravene the requirements of the PDPO and even constitute other criminal offences. I urge the public not to defy the law."
The Toolkit introduces common types of deepfakes and typical scenarios of abusive deepfakes in the school environment. The recommendations for schools and parents are categorised into two sections, namely, How to Prevent the Creation of Abusive or Malicious Deepfakes and Tips on Protecting Personal Data Privacy and How Should Schools and Parents Handle Deepfake Incidents. Key recommendations from the Toolkit include (see Annex 1 for details):
1. How to Prevent the Creation of Abusive or Malicious Deepfakes: Tips on Protecting Personal Data Privacy
Schools
(1) Abuse of AI Deepfakes: Toolkit for Schools and Parents
Artificial intelligence (AI) deepfakes have become increasingly common. Deepfakes can now convincingly imitate and replace a person's face, voice or actions using personal data contained in images, videos and audio recordings. There are risks of deepfakes being abused in instances involving cyberbullying, scams, falsified intimate images and disinformation, which may cause harm to individuals, particularly children and young people.
As children and young people may create or share malicious deepfakes without realising the potential legal consequences, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, reminds the public, "Deepfakes may cause harm to others, particularly children and youngsters, if used abusively. Children and youngsters may even create or share malicious deepfakes without realising the potential legal consequences of using deepfakes. In view of this, the PCPD has published the Toolkit to provide practical advice to schools and parents, with a view to assisting them in handling deepfake incidents involving children and young people, as well as safeguarding their privacy in relation to personal data."
The Privacy Commissioner emphasised, "Most laws in the real world apply equally in the digital world. Any use of personal data to create deepfakes is subject to the requirements of the Personal Data (Privacy) Ordinance (PDPO). Malicious use of deepfakes may contravene the requirements of the PDPO and even constitute other criminal offences. I urge the public not to defy the law."
The Toolkit introduces common types of deepfakes and typical scenarios of abusive deepfakes in the school environment. The recommendations for schools and parents are categorised into two sections, namely, How to Prevent the Creation of Abusive or Malicious Deepfakes and Tips on Protecting Personal Data Privacy and How Should Schools and Parents Handle Deepfake Incidents. Key recommendations from the Toolkit include (see Annex 1 for details):
1. How to Prevent the Creation of Abusive or Malicious Deepfakes: Tips on Protecting Personal Data Privacy
Schools
- Limit raw materials: Avoid publishing photos or videos that clearly identify individual students;
- Control access: Only share students' photos and videos on systems such as intranet and parent portal, and regularly remove content that is no longer necessary;
- Ensure data security;
- Devise a response plan: Establish clear procedures for responding to deepfake incidents; and
- Raise awareness: Provide teaching staff with regular training in managing online risks and provide students with workshops.
Parents
- Limit sharing: Think twice before posting your child's photos or videos;
- Ensure data security;
- Communicate with your child: Educate your child on the responsible use of others' personal data; and
- Stay informed.
How Should Schools Handle Deepfake Incidents
Abusive or malicious deepfake incidents may involve students as victims, perpetrators or both. In such cases, schools should respond by following existing school policies or procedures, such as crisis management or anti-bullying guidelines, where applicable. The well-being of affected students should be the primary concern. Engage professional support services where necessary.
How Should Parents Handle Deepfake Incidents
Discovering that your child has been involved in an abusive or malicious deepfake incident, whether as victim, perpetrator or recipient, can be overwhelming and distressing. Parents and guardians are advised to respond with care and support.
Download the "Abuse of AI Deepfakes: Toolkit for Schools and Parents":
https://www.pcpd.org.hk/english/resources_centre/publications/files/ai_deepfake.pdf
(2) Investigation Findings on a CCTV Case (See Annex 2 for details)
The PCPD has completed its investigation into a case involving a fitness centre chain (the Centre) allegedly collecting images of its members by installing a CCTV camera in the proximity of a male restroom at a new branch of the Centre.
The investigation arose from a complaint received by the PCPD consequent upon the discovery by a member of the Centre on 16 July 2025 that a CCTV camera was installed in the proximity of a male restroom of the Ma On Shan branch (the Branch) of the Centre, causing him discomfort and concerns about being recorded while using the restroom. The said member therefore lodged a complaint with the PCPD on the next day.
The PCPD immediately conducted an onsite inspection at the Branch on 18 July 2025. It also made three rounds of enquiries with the Centre and reviewed the responses and information provided by the Centre. The investigation revealed that there was a public corridor in the men's restroom area of the Branch leading to three male restrooms. The Centre stated that about a week prior to the commencement of operation of the Branch, a wooden door originally planned to be installed at the male restroom identified by the complainant was mistakenly installed at the entrance of the public corridor outside the men's restroom area by the contractor, resulting in the restroom concerned not having its door installed. Under these circumstances, if the video recording function of the camera concerned had been activated, its location and filming angle could have captured images of the area inside the restroom concerned. In respect of this, the Centre confirmed to the PCPD that, at the material time, the camera concerned was still in the installation and system-testing phase, and its video and audio recording functions had not been activated nor had any images been collected. Following the enquiry made by its member on 16 July 2025, the Centre removed the camera on 17 July and covered the entrance of the restroom concerned with a black curtain as an interim measure.
Upon the PCPD's intervention, the Centre implemented the following remedial actions:-
Abusive or malicious deepfake incidents may involve students as victims, perpetrators or both. In such cases, schools should respond by following existing school policies or procedures, such as crisis management or anti-bullying guidelines, where applicable. The well-being of affected students should be the primary concern. Engage professional support services where necessary.
How Should Parents Handle Deepfake Incidents
Discovering that your child has been involved in an abusive or malicious deepfake incident, whether as victim, perpetrator or recipient, can be overwhelming and distressing. Parents and guardians are advised to respond with care and support.
Download the "Abuse of AI Deepfakes: Toolkit for Schools and Parents":
https://www.pcpd.org.hk/english/resources_centre/publications/files/ai_deepfake.pdf
(2) Investigation Findings on a CCTV Case (See Annex 2 for details)
The PCPD has completed its investigation into a case involving a fitness centre chain (the Centre) allegedly collecting images of its members by installing a CCTV camera in the proximity of a male restroom at a new branch of the Centre.
The investigation arose from a complaint received by the PCPD consequent upon the discovery by a member of the Centre on 16 July 2025 that a CCTV camera was installed in the proximity of a male restroom of the Ma On Shan branch (the Branch) of the Centre, causing him discomfort and concerns about being recorded while using the restroom. The said member therefore lodged a complaint with the PCPD on the next day.
The PCPD immediately conducted an onsite inspection at the Branch on 18 July 2025. It also made three rounds of enquiries with the Centre and reviewed the responses and information provided by the Centre. The investigation revealed that there was a public corridor in the men's restroom area of the Branch leading to three male restrooms. The Centre stated that about a week prior to the commencement of operation of the Branch, a wooden door originally planned to be installed at the male restroom identified by the complainant was mistakenly installed at the entrance of the public corridor outside the men's restroom area by the contractor, resulting in the restroom concerned not having its door installed. Under these circumstances, if the video recording function of the camera concerned had been activated, its location and filming angle could have captured images of the area inside the restroom concerned. In respect of this, the Centre confirmed to the PCPD that, at the material time, the camera concerned was still in the installation and system-testing phase, and its video and audio recording functions had not been activated nor had any images been collected. Following the enquiry made by its member on 16 July 2025, the Centre removed the camera on 17 July and covered the entrance of the restroom concerned with a black curtain as an interim measure.
Upon the PCPD's intervention, the Centre implemented the following remedial actions:-
(1) installed a wooden door at the entrance of the restroom concerned to fully enclose the interior of the restroom;
(2) removed the door mistakenly installed at the entrance of the corridor and placed separate restroom signages outside the three male restrooms; and
(3) repositioned the CCTV camera to the ceiling outside the entrance of the restroom, ensuring it would not capture any area inside the three restrooms.
(2) removed the door mistakenly installed at the entrance of the corridor and placed separate restroom signages outside the three male restrooms; and
(3) repositioned the CCTV camera to the ceiling outside the entrance of the restroom, ensuring it would not capture any area inside the three restrooms.
Relevant requirements of the PDPO
Data Protection Principle (DPP) 1(1) of Schedule 1 to the PDPO provides that personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user; and the data collected is necessary, adequate but not excessive in relation to that purpose. DPP 1(2) also provides that the means of personal data collection shall be lawful and fair in the circumstances of the case.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, pointed out that, "Organisations should avoid using CCTV to collect personal data under unfair circumstances, for example, CCTV should not be installed to collect images in places where individuals would have a reasonable expectation of privacy (e.g. changing rooms or restrooms). Although the relevant incident appears to have arisen from the incorrect installation of a wooden door, the Centre failed to take into account members' privacy expectations in intimate spaces such as restrooms and assess the appropriateness of the camera's location and filming angle when instructing the contractor to install the camera concerned. This also demonstrates that careful consideration has not been given by the Centre in the installation of CCTV system, and reflects an insufficient level of sensitivity on the protection of personal data privacy".
Having considered the circumstances of the case and the information obtained during the investigation, the Privacy Commissioner was of the view that, had the Centre not received the relevant enquiry made by its member, the video and audio recording functions of the relevant CCTV camera might subsequently have been fully activated, thereby collecting images of members inside the restroom concerned. Therefore, although the camera was not yet operational at the material time and thus did not involve the collection of "personal data", the Privacy Commissioner nevertheless issued an advisory letter to the Centre, reminding it of the requirements under DPPs 1(1) and 1(2) of the PDPO when installing CCTV cameras.
With the advancement of technology, the use of CCTV systems for purposes such as security and surveillance has become increasingly common across different industries. The PCPD published a "Guidance on the Use of CCTV Surveillance" and "Tips on the Use of CCTV Surveillance" information leaflet earlier to provide practical guidance on how to use CCTV systems responsibly, so as to assist data users to make effective use of technology while ensuring the protection of personal data privacy and compliance with the relevant requirements under the PDPO.
The Guidance and the information leaflet provide an overview of the considerations for deploying CCTV systems, including installing CCTV systems to collect personal data only for lawful purposes directly related to a data user's functions or activities, avoiding unfair surveillance, considering less privacy-intrusive alternatives, taking all practicable steps to inform potentially affected individuals, deleting footage in a timely manner, and implementing adequate security measures.
Download the "Guidance on the Use of CCTV Surveillance":
https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_cctv_surveillance.pdf
Download the "Tips on the Use of CCTV Surveillance" information leaflet:
https://www.pcpd.org.hk/english/resources_centre/publications/files/tips_on_cctv_surveillance.pdf
The Privacy Commissioner, Ms Ada CHUNG Lai-ling (left), and the Assistant Privacy Commissioner (Complaints & Criminal Investigation), Ms Rebecca HO Kan-yeuk (right), elaborated on the "Abuse of AI Deepfakes: Toolkit for Schools and Parents" and the investigation findings of a case involving the use of CCTV.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, explained the AI Deepfake Toolkit.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, explained the AI Deepfake Toolkit.
The Assistant Privacy Commissioner (Complaints & Criminal Investigation), Ms Rebecca HO Kan-yeuk, reported on the investigation findings of a case involving the use of CCTV.
-End-
Installation of a CCTV by a Fitness Centre Chain
Investigation Findings
Figure 1
(A picture taken from the inside of the restroom concerned showing the position of the relevant CCTV camera which was mounted at the entrance of the public corridor)
Figure 2
(The PCPD conducted an onsite inspection and observed that there was a public corridor in the men's restroom area leading to three male restrooms with a black curtain placed at the entrance of the restroom concerned covering the inside area)
The Branch operates 24 hours a day, allowing members access to its facilities at all times. The Centre stated that the purpose of installing the camera concerned was to provide 24-hour video surveillance for routine security monitoring, in order to enhance safety management during unstaffed overnight hours, assist in handling emergencies and protect members' safety by covering blind spots. Each Single Restroom is equipped with an emergency call button. If necessary, the member could press the emergency call button, and an emergency signal will be triggered which activates the flashing alert device mounted outside the door and simultaneously sends an alarm to the staff system. According to the Centre, the CCTV camera concerned is necessary for monitoring during unstaffed overnight hours as the images sent by it could serve as a visual aid when the emergency call button inside the Single Restrooms is pressed (such as showing whether someone is gathering outside, calling for help or requiring immediate staff intervention), assisting the Centre to determine whether the alarm is wrongly activated or signal a genuine emergency situation. This would ensure staff can promptly identify whether a member is stranded in one of the Single Restrooms and contact external assistance or emergency services. The footage collected could also assist in subsequent investigations or compilation of incident reports. In addition, even when the emergency call button is not pressed, the camera concerned could help detect abnormal conditions in the men's restroom area.
In respect of the above circumstances, the Centre confirmed to the PCPD that the camera concerned remained in the installation and system-testing phase from its installation to its removal. The Centre had not activated its video and audio recording functions to collect any images. Following the relevant enquiry made by its member, the Centre removed the relevant camera immediately on 17 July 2025 and covered the entrance of the restroom concerned with a black curtain as an interim measure. Upon the PCPD's intervention, the Centre implemented the following remedial actions:-
Figure 3
Annex 1
Key Recommendations of
Abuse of AI Deepfakes: Toolkit for Schools and Parents
Abuse of AI Deepfakes: Toolkit for Schools and Parents
- How to Prevent the Creation of Abusive or Malicious Deepfakes: Tips on Protecting Personal Data Privacy
Schools
- Limit raw materials: Avoid publishing photos or videos that clearly identify individual students;
- Control access: Only share students' photos and videos on systems such as intranet and parent portal, and regularly remove content that is no longer necessary;
- Ensure data security: Store students' personal data on secure platforms and apply technical measures such as multi-factor authentication;
- Devise a response plan: Establish clear procedures for responding to deepfake incidents and designate a crisis management team for handling such incidents; and
- Raise awareness: Provide teaching staff with regular training in managing online risks and provide students with workshops.
Parents
- Limit sharing: Think twice before posting your child's photos or videos. Avoid making any shared images publicly accessible and review privacy settings on social media accounts;
- Ensure data security: Implement appropriate technical measures to protect all social media and cloud accounts that store family photos and videos; and keep mobile phones and apps up to date;
- Communicate with your child: Educate your child on the responsible use of others' personal data and legal implications and explain the consequences of misuse of personal data; and
- Stay informed: Follow guidance and information from the Government, the PCPD, the Police, school and/or other organisations regarding deepfakes.
- How Should Schools Handle Deepfake Incidents
- The well-being of affected students should be the primary concern. Engage professional support services where necessary;
- Secure relevant evidence and handle it on a need-to-know and confidential basis;
- Report to the school management and/or a designated team responsible for handling related issues;
- Instruct students to stop sharing the deepfake materials and delete the materials as soon as possible;
- Find out whether the deepfake materials were produced and/or distributed without the consent of the person(s) featured;
- Inform the parents or guardians of the affected students, if applicable;
- Communicate clearly to creators and distributors the possible legal consequences of producing or sharing malicious deepfake materials; and
- Where a crime is suspected, make enquiries with or report it to the Police. In cases involving the misuse of personal data or doxxing, contact the PCPD for assistance or to lodge a complaint.
- How Should Parents Handle Deepfake Incidents
If your child has been involved in a deepfake incident, parents can take the following steps respectively:
-
If your child is a victim of an abusive or malicious deepfake:
- Recognise that the incident may be traumatic for your child; provide emotional support and reassurance;
- Create a safe space for your child to talk about his/her feelings. Engage professionals from support services, such as social workers, if needed;
- Secure the digital environment by making your child's accounts private and encourage him/her to take a break from social media;
- Secure relevant evidence for potential follow-up actions and support your child in making enquiries with or reporting the matter to the relevant authorities, including schools and law enforcement agencies;
- Support your child in reporting the deepfake materials and requesting their removal from online platforms. May also seek help from the PCPD to remove the deepfake materials; and
-
Be alert to any signs of threats or blackmail. If necessary, contact law enforcement authorities.
-
If your child has created, received and/or shared deepfake materials:
- Guide your child to stop creating and/or sharing abusive or malicious materials and to delete them immediately;
- Request the relevant online platforms to remove the relevant content, where possible;
- Explain to your child the possible harms and legal consequences of creating and/or sharing malicious deepfakes; and
- Educate your child on the responsible use of others' personal data when creating deepfake materials and explain the consequences of misuse of personal data.
Annex 2
Installation of a CCTV by a Fitness Centre Chain
Investigation Findings
The complainant is a member of a fitness centre chain (the Centre). On 16 July 2025, the complainant discovered that a CCTV camera had been installed in the proximity of a male restroom at a new branch of the Centre located in Ma On Shan (the Branch), which caused him discomfort and concerns about being recorded while using the restroom. The said member therefore lodged a complaint with the PCPD on the next day.
Upon receipt of the complaint on 17 July 2025, the PCPD immediately conducted an onsite inspection at the Branch on 18 July 2025. It also made enquiries with its staff and took photographs relevant to the case. Subsequently, the PCPD conducted three rounds of enquiries with the Centre regarding the incident.
According to the information obtained during the investigation, the Branch commenced its operation on 3 July 2025. There was a short public corridor in the men's restroom area with a wooden door at its entrance. The camera concerned was mounted on the ceiling above the wooden door, facing the male restroom identified by the complainant. The said male restroom was not fitted with a wooden door at the time of the incident (see Figure 1).
Upon receipt of the complaint on 17 July 2025, the PCPD immediately conducted an onsite inspection at the Branch on 18 July 2025. It also made enquiries with its staff and took photographs relevant to the case. Subsequently, the PCPD conducted three rounds of enquiries with the Centre regarding the incident.
According to the information obtained during the investigation, the Branch commenced its operation on 3 July 2025. There was a short public corridor in the men's restroom area with a wooden door at its entrance. The camera concerned was mounted on the ceiling above the wooden door, facing the male restroom identified by the complainant. The said male restroom was not fitted with a wooden door at the time of the incident (see Figure 1).
Figure 1
(A picture taken from the inside of the restroom concerned showing the position of the relevant CCTV camera which was mounted at the entrance of the public corridor)
The public corridor in the men's restroom area of the Branch led to three male restrooms (see Figure 2), including the restroom concerned (with urinals and washbasins) and two adjacent single restrooms for men equipped with pedestal toilets and washbasins and fitted with wooden doors (the Single Restrooms). The Centre explained that about a week prior to the commencement of operation of the Branch in late June 2025, the contractor mistakenly installed a wooden door intended for the restroom concerned at the entrance of the public corridor in the men's restroom area. The Centre clarified that the position of the camera was originally part of the public corridor area and its purpose was to monitor the public space within the men's restroom area.
Figure 2
(The PCPD conducted an onsite inspection and observed that there was a public corridor in the men's restroom area leading to three male restrooms with a black curtain placed at the entrance of the restroom concerned covering the inside area)
The Branch operates 24 hours a day, allowing members access to its facilities at all times. The Centre stated that the purpose of installing the camera concerned was to provide 24-hour video surveillance for routine security monitoring, in order to enhance safety management during unstaffed overnight hours, assist in handling emergencies and protect members' safety by covering blind spots. Each Single Restroom is equipped with an emergency call button. If necessary, the member could press the emergency call button, and an emergency signal will be triggered which activates the flashing alert device mounted outside the door and simultaneously sends an alarm to the staff system. According to the Centre, the CCTV camera concerned is necessary for monitoring during unstaffed overnight hours as the images sent by it could serve as a visual aid when the emergency call button inside the Single Restrooms is pressed (such as showing whether someone is gathering outside, calling for help or requiring immediate staff intervention), assisting the Centre to determine whether the alarm is wrongly activated or signal a genuine emergency situation. This would ensure staff can promptly identify whether a member is stranded in one of the Single Restrooms and contact external assistance or emergency services. The footage collected could also assist in subsequent investigations or compilation of incident reports. In addition, even when the emergency call button is not pressed, the camera concerned could help detect abnormal conditions in the men's restroom area.
In respect of the above circumstances, the Centre confirmed to the PCPD that the camera concerned remained in the installation and system-testing phase from its installation to its removal. The Centre had not activated its video and audio recording functions to collect any images. Following the relevant enquiry made by its member, the Centre removed the relevant camera immediately on 17 July 2025 and covered the entrance of the restroom concerned with a black curtain as an interim measure. Upon the PCPD's intervention, the Centre implemented the following remedial actions:-
- installed a wooden door at the entrance of the restroom concerned to fully enclose the interior of the restroom;
- removed the door mistakenly installed at the entrance of the corridor and placed separate restroom signages outside the three male restrooms; and
- repositioned the CCTV camera to the ceiling outside the entrance of the restroom concerned, ensuring it would not capture any area inside the three restrooms (See Figure 3).
Relevant requirements of the PDPO
Data Protection Principle (DPP) 1(1) of Schedule 1 to the PDPO provides that personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user; the data collected is necessary, adequate but not excessive in relation to that purpose. DPP 1(2) also provides that the means of personal data collection shall be lawful and fair in the circumstances of the case.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, pointed out, "Organisations should avoid using CCTV to collect personal data under unfair circumstances, for example, CCTV should not be installed to collect images in places where individuals would have a reasonable expectation of privacy (e.g. changing rooms or restrooms). Although the relevant incident appears to have arisen from the incorrect installation of a wooden door, the Centre failed to take into account members' privacy expectations in intimate spaces such as restrooms and assess the appropriateness of the camera's location and filming angle when instructing the contractor to install the camera concerned. This also demonstrates that careful consideration has not been given by the Centre in the installation of CCTV system, and reflects an insufficient level of sensitivity on the protection of personal data privacy".
Having considered the circumstances of the case and the information obtained during the investigation, the Privacy Commissioner was of the view that, had the Centre not received the relevant enquiry made by its member, the video and audio recording functions of the relevant CCTV camera might subsequently have been fully activated, thereby collecting images of members inside the restroom concerned. Therefore, although the video and audio recording functions of the camera concerned was not yet activated at the material time and thus did not involve the collection of "personal data", the Privacy Commissioner nevertheless issued an advisory letter to the Centre, reminding it of the requirements under DPPs 1(1) and 1(2) of the PDPO when installing CCTV cameras.
Data Protection Principle (DPP) 1(1) of Schedule 1 to the PDPO provides that personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user; the data collected is necessary, adequate but not excessive in relation to that purpose. DPP 1(2) also provides that the means of personal data collection shall be lawful and fair in the circumstances of the case.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, pointed out, "Organisations should avoid using CCTV to collect personal data under unfair circumstances, for example, CCTV should not be installed to collect images in places where individuals would have a reasonable expectation of privacy (e.g. changing rooms or restrooms). Although the relevant incident appears to have arisen from the incorrect installation of a wooden door, the Centre failed to take into account members' privacy expectations in intimate spaces such as restrooms and assess the appropriateness of the camera's location and filming angle when instructing the contractor to install the camera concerned. This also demonstrates that careful consideration has not been given by the Centre in the installation of CCTV system, and reflects an insufficient level of sensitivity on the protection of personal data privacy".
Having considered the circumstances of the case and the information obtained during the investigation, the Privacy Commissioner was of the view that, had the Centre not received the relevant enquiry made by its member, the video and audio recording functions of the relevant CCTV camera might subsequently have been fully activated, thereby collecting images of members inside the restroom concerned. Therefore, although the video and audio recording functions of the camera concerned was not yet activated at the material time and thus did not involve the collection of "personal data", the Privacy Commissioner nevertheless issued an advisory letter to the Centre, reminding it of the requirements under DPPs 1(1) and 1(2) of the PDPO when installing CCTV cameras.
Figure 3
(Upon the PCPD's intervention, the Branch fitted a wooden door at the restroom concerned to fully enclose the interior and repositioned the CCTV camera to the ceiling outside the entrance of the restroom)
Office of the Privacy Commissioner for Personal Data published this content on December 17, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on December 17, 2025 at 06:28 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]