Singapore | PDPC update: Advisory guidelines on use of personal data in AI recommendation and decision systems now available

1. On 1 March 2024, following its public consultation in July 2023, the Personal Data Protection Commission (“PDPC”) released its first Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems (“Guidelines”).

2. In this newsflash, we digest the Guidelines and highlight (FAQ-style) the best practices that organisations developing or deploying AI systems should adopt to comply with the Personal Data Protection Act 2012.

Q1: What do the Guidelines cover?
 
The Guidelines provide guidance to organisations whose design and/or deployment of AI systems involves the use of personal data. The Guidelines aim to:

  1. provide certainty by clarifying how the Personal Data Protection Act 2012 (“PDPA”) applies when organisations use personal data to develop and train AI systems; and
  2. provide consumers with assurance about how their data will be used, by setting out baseline guidance and best practices for organisations on how to be transparent about their use of personal data in AI systems.

Briefly, the Guidelines cover what organisations must do at 3 key stages of the AI lifecycle. In general, organisations can use personal data where there is meaningful consent from the individual. Otherwise, organisations can rely on exceptions to consent under the PDPA, e.g. for business improvement or research purposes. The Guidelines set out the criteria for when these exceptions can apply. A brief outline of the 3 stages is set out below:
 

Stage 1: Development, testing and monitoring (Part III of the Guidelines)

Using personal data for training and testing the AI System, as well as monitoring the performance of AI Systems post-deployment.
  • Relevant legal bases to collect, use and disclose personal data: Consent; the Business Improvement Exception; the Research Exception
  • Other topics covered: implementing data protection measures; anonymisation

Stage 2: Deployment (Part IV of the Guidelines)

Collecting and using personal data in deployed AI Systems (business to consumer or “B2C” situations).
  • Relevant legal bases to collect, use and disclose personal data: Consent (noting in particular the notification and accountability obligations); the Legitimate Interests Exception
  • Other topics covered: how to craft the notification to enable individuals to provide meaningful consent

Stage 3: Procurement (Part V of the Guidelines)

Developing a bespoke AI system using personal data in the organisation’s possession (business to business or “B2B” situations).
  • Other topics covered: your PDPA obligations if you are a Service Provider (i.e. a third-party developer of a bespoke AI system for an organisation)
  • Note: this Part is not relevant to organisations that develop AI systems in-house, or that retail commercial off-the-shelf solutions that make use of AI for product features and functions.


The Guidelines must be read in tandem with the PDPC’s Advisory Guidelines on Key Concepts in the PDPA, Advisory Guidelines on Selected Topics, Guide to Data Protection Practices for ICT Systems and Guide to Basic Anonymisation.
 
Q2: I am using personal data to develop, test and monitor AI models. How do the business improvement exception and research exception apply?
 
Who it applies to: Organisations that are AI developers, i.e. organisations that develop AI models in-house, or that engage third-party developers to develop bespoke AI applications using personal data in the organisation’s possession.
 
Besides seeking consent to use personal data to train an AI system, organisations that are AI developers may wish to consider relying on the Business Improvement or Research Exceptions.
 

Business Improvement Exception

What is it: Found in Part 5 of the First Schedule, and Division 2 of Part 2 of the Second Schedule, to the PDPA. It enables organisations to use, or disclose to a related corporation of the organisation, without consent, personal data collected in accordance with the PDPA, where the use or disclosure falls within the following business improvement purposes:
  • Improving, enhancing or developing new goods or services;
  • Improving, enhancing or developing new methods or processes for business operations in relation to the organisation’s goods and services;
  • Learning about or understanding the behaviour and preferences of individuals; or
  • Identifying goods or services that may be suitable for individuals, or personalising or customising any such goods or services for individuals.

When should I consider it: AI developers may rely on the Business Improvement Exception where:
  • The organisation has developed a product, or has an existing product that it is enhancing;
  • AI Systems are intended to improve operational efficiency by supporting decision-making; or
  • AI Systems are intended to offer more or new personalised products and/or services, such as through offering recommendations to users.

Research Exception

What is it: Found in Division 3 of Part 2, and Division 2 of Part 3, of the Second Schedule to the PDPA. It enables organisations to use and disclose personal data to conduct broader research and development that may not have any immediate application to their products, services or business operations.

When should I consider it: AI developers may rely on the Research Exception where they are:
  • Conducting commercial research to advance science and engineering without a product development roadmap; or
  • Sharing data between unrelated companies for jointly conducted commercial research to develop new AI Systems.

 
Q3: I am using personal data to develop, test and monitor AI models. How am I expected to protect this personal data? What is data minimisation? Should I be using anonymised data?
 
Section 7 of the Guidelines sets out data protection considerations for organisations that use personal data, so as to reduce data protection and cyber-threat risks to the AI system. When deciding what data protection controls to implement, organisations should consider:

  1. the types of risks (e.g. disclosure or theft) that the personal data would be subject to; and
  2. the sensitivity and volume of the personal data used.
Data minimisation

Organisations should use only personal data containing the attributes required to train and improve the AI System. Additionally, the volume of personal data used to train the AI System should be limited to what is necessary, based on relevant time periods and other relevant filters (e.g. market/customer segment, attributes, etc.).

Pseudonymise or de-identify personal data

Organisations are encouraged to use de-identified or pseudonymised data to develop, test and monitor AI models. De-identifying personal data involves removing identifiers that directly identify individuals. This includes, for example, using pseudonymisation to replace the value of an attribute with an unrelated but unique value (see the sketch below).

Anonymisation

Organisations are encouraged to use anonymised data as far as possible. Personal data is considered anonymised where there is no serious possibility of re-identification. Relevant considerations include whether the chosen anonymisation method is reversible, and the extent of the controls the organisation has in place to prevent re-identification of the anonymised data.
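To illustrate, here is a minimal sketch of how data minimisation and pseudonymisation might be applied to a tabular training dataset before model development. It assumes the data sits in a pandas DataFrame; the column names, the cut-off date and the HMAC-based pseudonymisation scheme are illustrative assumptions on our part, not requirements of the Guidelines.

```python
import hashlib
import hmac

import pandas as pd

# Secret key for pseudonymisation (illustrative). Store it separately from the
# dataset so the mapping back to real identifiers stays under your control.
PSEUDONYM_KEY = b"replace-with-a-securely-stored-key"


def pseudonymise(value: str) -> str:
    """Replace an identifying value with an unrelated but unique token."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()


def prepare_training_data(df: pd.DataFrame) -> pd.DataFrame:
    # Data minimisation: keep only the attributes the model actually needs,
    # and only records from the relevant time period.
    required_columns = ["customer_id", "purchase_date", "category", "amount"]
    df = df[required_columns]
    df = df[df["purchase_date"] >= "2022-01-01"]  # illustrative cut-off

    # Pseudonymisation: replace the direct identifier with a consistent token,
    # so records can still be linked without revealing who the individual is.
    return df.assign(customer_id=df["customer_id"].map(pseudonymise))


# Example: raw records hold more attributes than the model needs.
raw = pd.DataFrame({
    "customer_id": ["C001", "C002"],
    "name": ["Alice", "Bob"],  # direct identifier not needed for training: dropped
    "purchase_date": ["2023-06-01", "2021-03-15"],
    "category": ["books", "music"],
    "amount": [12.90, 8.50],
})
print(prepare_training_data(raw))
```

Note that pseudonymised data of this kind generally remains personal data while the organisation retains the key, which is why the Guidelines treat pseudonymisation as a safeguard distinct from anonymisation.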

 
Q4: I have deployed my AI system – and I am collecting personal data to be processed by the deployed system. How do I go about obtaining consent to do so?
 
Consent is required for the collection and use of personal data to provide recommendations, predictions or decisions (the Consent Obligation), unless deemed consent applies or an exception to the Consent Obligation applies (e.g. the Legitimate Interests Exception in Part 3 of the First Schedule to the PDPA).
 
The Guidelines set out recommendations on how organisations should craft the notification, so that meaningful consent is obtained from individuals:
 

(1) Type of information to be provided
  • Specify the function of the product that requires the collection and processing of personal data;
  • Provide a general description of the types of personal data that will be collected and processed;
  • Explain how the processing of the personal data collected is relevant to the product feature; and
  • Identify the specific features of personal data that are more likely to influence the product feature.

(2) How the notification may be presented
Depending on the user profile, this could be through notification pop-ups or through more detailed written policies that are publicly accessible or made available upon request. For more details, see sections 9.6 and 9.7 of the Guidelines.

(3) What if some information is commercially sensitive
Recognising that organisations may need to protect commercially sensitive information, the PDPC provides that organisations may give a more general explanation instead, and should justify and document such decisions internally.

 
Q5: What governance measures should I implement when I collect and use personal data in AI systems, so that I fulfil the Accountability Obligation in the PDPA?
 
The Accountability Obligation (under sections 11 and 12 of the PDPA) refers to how an organisation discharges its responsibility for the personal data that it has collected or obtained for processing, or that it has control over. Section 12 of the PDPA requires organisations to develop policies and practices to meet their obligations under the PDPA; written policies and documented processes will serve as evidence of compliance.
 
You can fulfil this obligation by, among other things, doing the following:
 

Have measures in place to ensure personal data is used in a safe and trusted manner within the AI system
  • Measures to achieve fairness and reasonableness in decisions during the development and testing stages, e.g. measures relating to bias assessment, ensuring the quality of training data, or the repeatability of results using personal data;
  • Safeguards to protect personal data, e.g. pseudonymisation and data minimisation during model development and testing, and ensuring the security of AI Systems before and after their deployment; and
  • Organisations may also consider providing information on how accountability mechanisms and human agency and oversight have been implemented where outcomes may have a higher impact on the individual.

Provide information on measures to ensure data quality during AI system development

Such information includes:
  • Steps taken to ensure the quality of personal data in the training dataset (e.g. how representative and how recent it is) to improve model accuracy and performance;
  • Whether pseudonymised data was used during model development, or what safeguards were adopted if personal data was used instead;
  • Whether it was necessary to use personal data when conducting bias assessments on training datasets;
  • If personal data was used, the process or safeguards adopted to secure the testing environment; and
  • Whether data minimisation was practised at all stages of model and/or AI System development and testing.

Make clear and concise information about such policies and practices available to individuals
  • Make the policy publicly available through the organisation’s website, rather than only upon request; and
  • If the organisation relies on exceptions to consent (e.g. the Business Improvement and Research Exceptions), provide information about the practices and safeguards adopted to protect the interests of individuals.

Perform self-assessments to assess compliance with AI governance principles and make improvements based on the results
  • Review the Model AI Governance Framework to understand the principles and put in place the recommended steps; perform self-assessments with the Implementation and Self-Assessment Guide for Organisations; and
  • Use technical tools such as AI Verify, where information from the testing report can be included in notifications or written policies, e.g. results of explainability testing can be used to identify the data features that are most likely to influence the recommendation, prediction or decision.


Q6: I am a service provider engaged by an organisation to develop a bespoke/fully customisable AI system for them – what must I do in relation to personal data from that organisation in my possession?

 
If a service provider, in the course of developing bespoke or fully customisable AI systems, processes personal data on behalf of its customers, it takes on the role of a data intermediary and must comply with the applicable obligations in the PDPA (i.e. the Protection, Retention Limitation and Data Breach Notification Obligations).
 
It is thus good practice for a service provider to adopt the following measures:

At the pre-processing stage, use techniques such as mapping and labelling to keep track of the data used to form the training dataset, and maintain a provenance record to document the lineage of the training data (identifying the source of the training data and tracking how it is transformed during data preparation). This:
  • Supports you in assessing whether there has been a data breach (in relation to the data in your possession) that should be reported to your customers;
  • Provides customers that deploy AI Systems with information to assess whether there is a notifiable data breach, and the scope of the impact of any modification of training datasets on the AI System; and
  • Identifies sensitive personal data so that you may implement the appropriate level of security and data protection measures.

Support the organisation that engaged you in meeting its Notification, Consent and Accountability Obligations. Your customer may not have the same technical expertise as you, and hence may require you to provide technical clarifications on how the AI system arrives at a decision or recommendation, or consult you on the adequacy and accuracy of the information in the policy documents it has developed for its own customers.
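By way of illustration, the sketch below shows one simple way a service provider might keep a provenance record of this kind during data preparation. The record structure, field names and transformation steps are illustrative assumptions; neither the PDPA nor the Guidelines prescribe any particular format.

```python
import hashlib
import json
from datetime import datetime, timezone

# Illustrative raw dataset received from the customer; in practice this would be
# the customer's actual export (the file name and fields here are assumptions).
raw_data = "customer_id,purchase_date,category,amount\nC001,2024-01-05,books,12.90\n"


def fingerprint(data: str) -> str:
    """Hash the dataset so that later modifications can be detected."""
    return hashlib.sha256(data.encode()).hexdigest()


# Provenance record for one training dataset: where it came from, whether it
# contains sensitive personal data, and how it was transformed (its lineage).
provenance = {
    "dataset": "training_v1",
    "source": "crm_export_2024-01.csv",  # assumed source system/file
    "source_sha256": fingerprint(raw_data),
    "contains_sensitive_data": False,    # flagged at the pre-processing stage
    "transformations": [],
}


def log_transformation(record: dict, step: str, details: str) -> None:
    """Append a timestamped entry documenting one data preparation step."""
    record["transformations"].append({
        "step": step,
        "details": details,
        "at": datetime.now(timezone.utc).isoformat(),
    })


log_transformation(provenance, "minimise", "dropped columns not needed for training")
log_transformation(provenance, "pseudonymise", "replaced customer_id with HMAC tokens")

# Persist the record alongside the dataset so that suspected breaches and
# dataset modifications can be assessed and reported to the customer later.
print(json.dumps(provenance, indent=2))
```

A record of this kind gives both the service provider and its customer a concrete basis for the breach and impact assessments described above.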