Data Protection in the Use of AI Systems – PDPC Proposes Guidelines on Use of Personal Data in AI Recommendation and Decision Systems



Introduction

The Personal Data Protection Commission (“PDPC”) has launched a public consultation (“Consultation”) seeking views on the Proposed Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems (“Guidelines”). The purpose of these Guidelines is to clarify how the Personal Data Protection Act 2012 (“PDPA”) applies to the collection and use of personal data by organisations to develop and deploy systems that embed machine learning (“ML”) models (“AI Systems”) which are used to make decisions autonomously or to assist a human decision-maker through recommendations and predictions.

The release of these proposed Guidelines for consultation is timely given the rapid development of AI technology and its deployment by businesses across a wide variety of functions. For example, AI recommendation and decision systems are used in e-commerce to recommend and personalise products or content to users based on browsing and purchasing behaviour, and to predict product demand so as to optimise product focus and inventory.

One of the key issues is the use of personal data in the training of such AI Systems. While such data may be essential to the training process, it raises questions about how it interacts with an organisation’s data protection obligations under the PDPA, and how to avoid the breach of such obligations. The Guidelines will thus be a vital source of guidance in this regard.

The consultation on the Guidelines is in line with the increasing focus on responsible use of AI by Singapore’s regulators. In June 2023, the Infocomm Media Development Authority launched the AI Verify Foundation (“Foundation”), which aims to harness the collective contributions of the global open-source community to develop the AI Verify testing tool for the responsible use of AI. The Foundation will look to boost AI testing capabilities and assurance to meet the needs of companies and regulators globally. For more information on this, please see our Legal Update on “Ensuring the Responsible Use of AI – Singapore Launches the AI Verify Foundation”, available here.

The Consultation ends on 31 August 2023. Businesses utilising AI Systems may wish to digest the practices proposed in the Guidelines regarding the use of personal data, and to provide feedback on the Guidelines where relevant. This Update highlights key elements of the Guidelines.

Overview of the Guidelines

The proposed Guidelines are intended for situations where the design or deployment of AI Systems involves the use of personal data in scenarios governed by the PDPA. The aim of these Guidelines is to:

  • Clarify how the PDPA applies when organisations use personal data to develop and train AI Systems; and
  • Provide baseline guidance and best practices for organisations on how to be transparent about whether and how their AI Systems use personal data to make recommendations, predictions, or decisions.

The Guidelines are organised according to the stages of AI System implementation as follows: 

Development, Testing and Monitoring

Business Improvement Exception and Research Exception

When using personal data to train an AI model, organisations can seek the consent of the individual to whom the personal data relates. Apart from this, the PDPA provides certain exceptions to the Consent Obligation, including the Business Improvement Exception and the Research Exception. Organisations may wish to consider if it is appropriate to rely on either exception when using personal data to develop an AI System.

  • The Business Improvement Exception enables organisations to use, without consent, personal data that they had collected in accordance with the PDPA, where the use of the personal data falls within the scope of any of the prescribed business improvement purposes.
  • The Research Exception allows organisations to use personal data for research purposes, subject to certain conditions.

The Guidelines set out the following examples of purposes where the Business Improvement Exception could be relevant to AI System development:

  • Recommendation engines in social media services that offer users content aligned to their browsing history;
  • Job assignment systems that automatically assign jobs to platform workers;
  • Internal HR systems used to recommend potential job candidates by providing a first cut in matching candidates to job vacancies; and
  • Use of AI Systems or ML models to provide new product features and functionalities to improve competitiveness of products and services.

The Guidelines also set out the following relevant considerations on whether to rely on the Business Improvement Exception:

  • Whether using personal data for this purpose contributes towards improving the effectiveness or quality of the AI Systems or ML models and their output;
  • Whether it is technically possible or cost-effective to use other means to develop, test or monitor the AI Systems or ML models;
  • Common industry practices or standards on how to develop, test and monitor such AI Systems or ML models; and
  • Whether such use will contribute to the effectiveness or improved quality of new product features and functionalities that help organisations innovate, improve competitiveness, become more efficient/effective, and enhance consumer choice, experience, and usability.

As for the Research Exception, the relevant considerations would include the following:

  • How and the extent to which developing such an AI System will improve understanding and development of science and engineering;
  • Potential of application of the AI System to increase innovation in products or services that benefit society by improving the quality of life;
  • How the use of personal data helps develop more effective methods to improve quality or performance of the AI System or ML model; and
  • Developing industry practices or standards for the development and deployment of AI Systems or ML models.

Data Protection Considerations

The Guidelines highlight that when designing, training, testing, or monitoring AI Systems using personal data, appropriate technical, process and/or legal controls for data protection should be included. This would include the following:

  • Where possible, organisations are encouraged to pseudonymise or de-identify the personal data used as a basic data protection control.
  • In the context of developing AI Systems, organisations should practise data minimisation as good practice.
  • If pseudonymisation is not possible and raw personal data has to be used, organisations are reminded of their Protection Obligation under the PDPA.
  • AI Systems will have security risks/points of weakness that can be exploited for privacy attacks. Organisations should take a privacy-by-design approach and take steps to assess the risk of such privacy attacks as well as seek to mitigate such risks within the AI System.
  • Per the Accountability Obligation under the PDPA, organisations must ensure that their policies regarding the use of personal data in their organisations to develop AI Systems are updated, and practices established.

As highlighted, organisations are encouraged to anonymise their datasets instead of using personal data. Organisations should carefully weigh the pros and cons of using both types of data, and clearly document internally the reasons for choosing to use personal data instead of anonymised data. The Guidelines set out considerations for whether anonymisation is sufficiently robust to reduce the risk of re-identification:

  • Whether the chosen anonymisation method is reversible;
  • The extent of disclosure of the dataset and its intended recipients;
  • Whether a motivated individual can likely find means to re-identify the anonymised dataset using either publicly available information or information the organisation already has in its possession; and
  • The extent of controls the organisation has put in place, including within the AI System, to prevent re-identification of the anonymised data.

Deployment – Collection and Use of Personal Data in AI Systems

This section deals with how the PDPA applies when organisations deploy AI Systems in their products or services that collect and use personal data. Organisations should be mindful of their relevant PDPA obligations – specifically, the Consent Obligation, Notification Obligation and the Accountability Obligation.

Consent and Notification Obligations

When AI Systems are deployed to end users, personal data may be collected and/or processed by the AI System to provide the recommendation, prediction or decision. In such situations, organisations must be aware of their Consent Obligation and Notification Obligation under the PDPA. This is to enable individuals to provide meaningful consent.

  • Consent – Organisations are allowed to collect, use, or disclose an individual’s personal data if the individual gives his consent for the collection, use or disclosure of his personal data.
  • Notification – Users must be notified of the purpose of the collection and intended use of their personal data when their consent is sought for such collection and use.

The Guidelines encourage organisations to provide information on the following in crafting their notifications to users regarding the use of their personal data in the AI System:

  • The function of their product that requires collection and processing of personal data;
  • A general description of types of personal data that will be collected and processed;
  • How the processing of personal data collected is relevant to the product feature; and
  • The specific features of personal data that are more likely to influence the product feature.

The Guidelines further set out the following practices on the manner of providing the above information:

  • Such information could be provided through notification pop-ups, or included in more detailed written policies that are publicly accessible or made available to end users on request.
  • It may be useful to consider “layering” of information – displaying the most relevant information more prominently, and then providing more detailed information elsewhere.
  • Where organisations assess that it is necessary to limit or omit details in order to protect commercially sensitive and/or proprietary information, and choose to provide a more general explanation instead, it is good practice for these decisions to be justified and documented clearly internally.

Accountability Obligation

The Accountability Obligation under the PDPA refers to how an organisation discharges its responsibility for personal data which it has collected or obtained for processing, or which it has control over. Amongst other things, organisations are required to develop policies and practices to meet their PDPA obligations.

The Guidelines thus provide that organisations that make use of AI Systems should be transparent and include relevant practices and safeguards to achieve fairness and reasonableness in their written policies. The level of detail to be provided should be proportionate to the risks present in each use-case.

  • Organisations should consider pre-emptively making such written policies available through their website, and not only upon request of individuals.
  • Organisations are generally encouraged to consider providing more information on data quality and governance measures taken during AI System development if such information is deemed relevant and doing so does not compromise security, safety, or commercial confidentiality.

The Guidelines also make reference to additional resources which organisations may take advantage of in fulfilling their Accountability Obligation:

  • The Model AI Governance Framework may provide further suggestions on managing stakeholder interaction.
  • The Implementation and Self-Assessment Guide for Organisations may help in providing guiding questions and examples on stakeholder interaction.
  • Organisations can consider using technical tools such as AI Verify to validate the performance of the AI System or ML model. Information from the testing report can be used to support information that they wish to include into their notifications or written policies.

Procurement of AI Systems

This section is relevant for organisations that engage service providers (e.g., systems integrators) who provide professional services for the development and deployment of bespoke or fully customisable AI Systems.

Where such service providers process personal data on behalf of their customers, they may be deemed to be data intermediaries and thus have to comply with applicable obligations under the PDPA. Service providers who are data intermediaries should adopt the following practices:

  • At pre-processing stage, use techniques such as data mapping and labelling to keep track of data that was used to form the training dataset; and
  • Maintain a provenance record to document the lineage of the training data that identifies the source of training data and tracks how it has been transformed during data preparation.

Such service providers are encouraged to provide support to the organisations that need to meet their Notification Obligation, Consent Obligation and Accountability Obligation. The Guidelines provide the following best practices to achieve this:

  • Understand the information that customers are likely to require based on their needs and impact on users; and
  • Design the system to ensure that the organisation can obtain relevant information.

Concluding Words

AI tools present a multitude of use-cases for businesses, including AI recommendation and decision systems. However, such AI Systems are often reliant on the use of personal data for training the system. In Singapore, the PDPA imposes strict obligations on organisations that use personal data, with potentially onerous penalties for a breach thereof. It is thus important for businesses that use AI Systems to understand how the PDPA obligations relate to AI Systems.

The proposed Guidelines seek to provide more specific guidance on the PDPA obligations that organisations should consider when using AI Systems. Helpfully, the Guidelines also provide best practices that organisations may employ to achieve compliance with these obligations.

Businesses may wish to consider whether the principles and best practices set out in the Guidelines are adequate or practical in the context of their operations. Organisations should also consider whether their current policies and practices are in line with the Guidelines and what action needs to be taken to achieve compliance. Parties who wish to provide feedback, or who have further queries on the Guidelines and related issues, may feel free to contact our team below.

Click on the following links for more information (available on the PDPC website at www.pdpc.gov.sg):


