The PDPC’s Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems provides organisations with guidance on baseline policies and best practices for protecting personal data when using AI systems.

Insights

PDPC Issues Guidelines for Use of Personal Data in AI Systems

Date
March 5, 2024
Author
OrionW

On 1 March 2024, the Personal Data Protection Commission (PDPC) issued the Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems (AI Guidelines). The AI Guidelines clarify how the Personal Data Protection Act 2012 (PDPA) applies to the collection and processing of personal data to develop, train, deploy and procure systems that embed machine learning models to make autonomous decisions to generate recommendations and predictions (AI Systems).

The AI Guidelines are largely consistent with the draft guidelines issued on 18 July 2023.

Conditions for Collecting and Using Personal Data in AI Systems

Organisations using personal data to develop an AI System may rely on the Business Improvement Exception or Research Exception to collect and process personal data in lieu of obtaining consent.  The Business Improvement Exception may be relied for (1) product/service or business system development or improvement or (2) identifying preferences or personalising products/services. On the other hand, the Research Exception maybe used for relevant research and development without any immediate application.

However, when deploying an AI System, organisations are required to obtain consent before using personal data, unless an exception applies. Individuals must be sufficiently informed about the product feature that requires the collection and processing of personal data, the types of personal data that will be collected and processed, why processing personal data is relevant to the product feature and what specific personal data will influence the product feature.

In all cases, organisations should be transparent to individuals about their use of personal data for their AI Systems and have appropriate policies and practices to ensure compliance with the PDPA.

The AI Guidelines also discuss the role of a service provider that develops and deploys bespoke AI Systems for other organisations as a data intermediary. Best practices for such service providers include keeping track of data used to form training datasets and supporting organisations in complying with their notification, consent and accountability obligations under the PDPA.

For further details on the AI Guidelines, see our article on the Proposed Guidelines.

Conclusion

As organisations increasingly look toward AI Systems to improve efficiency, they should also be mindful of their regulatory obligations, including under the PDPA, when using personal data to develop or deploy AI Systems and use AI Systems in a transparent and responsible manner.    

For More Information

OrionW regularly advises clients on data protection matters.  For more information about how to comply with the Personal Data Protection Act 2012, or if you have questions about this article, please contact us at info@orionw.com.

Disclaimer: This article is for general information only and does not constitute legal advice.

Newsletter

Subscribe to
our newsletters

To subscribe, select the newsletter options that interest you (TMT, FinTech or DPC - Data Protection and Cybersecurity) and provide your details.

  • TMT - Technology, Media and Telecommunications
  • FinTech
  • DPC - Data Protection & Cybersecurity
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.