SINGAPORE – Consumers should be told how and why their personal data is being used in a company’s artificial intelligence (AI) systems, even if they already gave prior consent, under new personal data protection guidelines here.
Users should be told why their data is relevant to the service provided, and what kind of indicators are likely to influence decisions made by the AI. For instance, users of a streaming service should be told that their viewing history data is used to make better movie recommendations, based on the genre or films that they watched multiple times.
The guidelines, titled Advisory Guidelines on use of Personal Data in AI Recommendation and Decision Systems, were published by the Personal Data Protection Commission (PDPC) on March 1.
They address concerns raised by industry players about issues related to training AI models, such as data privacy. While not legally binding, the guidelines offer best practices for how firms should handle personal data and inform customers of its use.
They make clear that once users’ personal data has been collected in accordance with the Personal Data Protection Act, it may be used in the company’s research or to improve its business without further consent.
This includes training an AI model’s understanding of customer preferences, such as in systems that automatically assign jobs to platform workers like food delivery riders. It may also apply to human resources systems that recommend potential candidates by matching information they provide to the type of job.
Data can also be used by companies, without further consent, for broader research that may not have an immediate application to their products and services, as long as details of individuals cannot be identified when the research’s findings are released. The data should be key to conducting the study and be used in a way that clearly benefits the public, said the guide.
The PDPC said organisations should generally minimise the amount of data used, and anonymise the data they collect as a good practice to reduce the risk of cyber threats.
How customers are informed is left to the company, the commission added. This can be done through notification pop-ups or more detailed written policies that are available to its users.
“Notifications need not be overly technical or detailed and should be proportionate to the risks of each use-case,” the PDPC said.
“Organisations should place themselves in the shoes of consumers and craft notifications that will enable individuals to understand how personal data will be processed to achieve the intended purpose.”
As more AI models are trained in the industry, data privacy in AI was a key concern raised by industry players during the Singapore Conference on AI in December 2023. Tech, legal and financial organisations also voiced their concerns and suggestions over the use of data to train AI models during a public consultation led by the PDPC that ended in August 2023.
Cyber-security firm Kaspersky said most consumers are unfamiliar with the need for data collection to train AI, and suggested that explicit consent be sought for the use of personal data during the development and testing stages of AI models. It also suggested the option for users to prohibit the option for their data to be used for AI training.
