PDPC consults on proposed Advisory Guidelines on (1) Use of personal data in AI recommendation and decision systems and (2) PDPA for children’s personal data

25 August 2023

The Personal Data Protection Commission Singapore (“PDPC”) is conducting a public consultation in July/August to seek feedback on the following:

• Proposed Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems (Consultation period from 18 July to 31 August 2023)
• Proposed Advisory Guidelines on the Personal Data Protection Act for Children’s Personal Data (Consultation period from 19 July to 31 August 2023)

Proposed Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems

The proposed Advisory Guidelines are part of Singapore’s wider effort to lay the groundwork for a trusted ecosystem for artificial intelligence (“AI”) development and deployment. The proposed Advisory Guidelines cover situations where the design and/or deployment of machine-learning AI models or systems involve the use of personal data in scenarios governed by the Personal Data Protection Act 2012 (“PDPA”) and aim to (i) clarify how the PDPA applies when organisations use personal data to develop and train AI systems, and (ii) provide baseline guidance and best practices for organisations on how to be transparent about whether and how their AI systems use personal data to make recommendations, predictions, or decisions.

The proposed Advisory Guidelines are organised according to the following stages of AI system implementation:

• Development, testing and monitoring of AI system: This section refers to the use of personal data in AI system development, testing and monitoring. Apart from seeking consent for the use of personal data to train an AI model, organisations may wish to consider if it is appropriate to rely on the business improvement or research exceptions to consent under the PDPA when using personal data to develop an AI system.
• Deployment of AI system: This section deals with how the PDPA applies when organisations deploy AI systems in their products or services that collect and use personal data. When organisations deploy AI systems to provide new functionalities or enhance product features by collecting and/or processing personal data, they should be mindful of the PDPA obligations relating to consent, notification and accountability.
• Procurement of AI system: This section is relevant for organisations that engage service providers (e.g. systems integrators) who provide professional services for the development and deployment of bespoke or fully customisable AI systems. Where service providers, as part of developing
  and deploying bespoke or fully customisable AI systems, process personal data on behalf of their customers, they may occupy the position of data intermediaries and may thus have to comply with applicable obligations under the PDPA. This section also sets out best practices on how service providers may support organisations to develop policies and practices that can meet their obligations relating to consent, notification and accountability.

The section is not relevant to organisations that develop AI systems in-house or who purchase commercial off the-shelf solutions that make use of AI for their product features and functions.

PDPC recognises the new concerns arising from the use of personal data in generative AI, for instance, the use of publicly available personal data to train large models, and to produce synthetic media or “deep fakes”. PDPC is looking into these issues and considering whether further guidance should be provided under the PDPA.

Proposed Advisory Guidelines on the PDPA for Children’s Personal Data

PDPC is seeking views on the issuance of the proposed Advisory Guidelines to cover issues such as obtaining children’s consent, using children’s personal data, and according higher standards of protection to children’s personal data. The proposed Advisory Guidelines are intended to apply to organisations that offer products or services that are likely to be accessed by children, or are in fact accessed by children, even if the products or services are not targeted at children. Organisations that are data intermediaries or that retain children’s personal data are also expected to implement additional measures to protect children’s personal data.

Reference materials

The following materials are available on the PDPC website www.pdpc.gov.sg and the Ministry of Communications and Information (MCI) website www.mci.gov.sg:

• Consultation paper on proposed Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems
• Proposed Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems
• Consultation paper on proposed Advisory Guidelines on the PDPA for Children’s Personal Data
• Speech by Minister for Communications and Information Josephine Teo at the opening of the Personal Data Protection Week on 18 July 2023
• Opening Remarks by Lew Chuen Hong, Commissioner of the Personal Data Protection Commission, at the International Association of Privacy Professionals (IAPP) Asia Privacy Forum 2023 on 19 July 2023