Background
On 1 March 2024, Singapore’s Personal Data Protection Commission (Commission) published Advisory Guidelines on the Use of Personal Data in AI Systems to Provide Recommendations, Predictions and Decisions (Guidelines).
The guidelines were developed following a public consultation held in July and August last year, during which a number of organizations submitted comments[1] regarding the proposed draft guidelines. After considering all feedback received, the guidelines were published on March 1, 2024.
Do the guidelines apply to all AI systems?
These guidelines apply to identification AI systems used to make decisions, predictions, and recommendations. They do not apply to generative AI, and the Commission is likely assessing the need for further guidelines that specifically address data processing in the development and deployment of generative AI.
Do the guidelines impose mandatory requirements?
These guidelines are recommendations and are not intended to impose legally binding obligations on either the Commission or any other organization or person.
Similarly, the Guidelines are intended to be read alongside other advisory guidelines, such as those on the key concepts of Singapore's overarching data protection law, the Personal Data Protection Act (PDPA).[2]
However, the Guidelines provide regulatory guidance and certainty by clarifying how the PDPA applies when organizations use personal data to develop and train AI systems, and provide assurance to consumers by setting baseline guidance and best practices for organizations to be transparent about their use and collection of personal data to deploy AI.
How are the guidelines structured?
The guidelines are structured as follows based on typical stages of AI system implementation:
- Develop, test and monitor
- Deployment
- Procurement
What do the guidelines recommend?
1. Develop, test and monitor
Organizations may use personal data to develop AI models, either internally or in partnership with third-party service providers. The consent of the individual whose personal data will be used must be sought. Alternatively, exceptions to consent may be considered, such as:
(a) Business improvement
Business improvement exceptions relate to the following cases:
- The organization has developed a product or is enhancing an existing product
- AI systems aim to improve operational efficiency by supporting decision making
- AI systems aim to provide users with more or new personalized products and services by providing recommendations.
However, this exception only applies when data is shared between affiliates within a group or between departments within a single company.
Additionally, the following prerequisites must be met:
- Purposes cannot be reasonably achieved unless personal data is in a form that allows identification of individuals.
- Its use is what a reasonable person would consider appropriate under the circumstances
Examples cited in the guidelines include:
- A recommendation engine for social media services that serves relevant content based on a user’s browsing history.
- A job assignment system that assigns jobs to platform workers
- An internal personnel system for recommending job seekers
- Use of AI systems to deliver new product features and improve competitiveness
- Bias testing of AI systems, or “debiasing” datasets for model training
(b) Research
The research exception is relevant when an organization conducts commercial research and development to advance science and engineering generally without requiring immediate application to products, services, business operations, or markets.
In contrast to the business improvement exception, the research exception allows data sharing between unrelated companies for joint commercial research to develop new AI systems.
However, the following conditions must be met:
- Purposes cannot be reasonably achieved unless the data is in personally identifiable form
- There is a clear public benefit
- Results will not be used to make decisions that affect individuals
- Published results must not identify individuals
(c) Anonymization
Organizations are encouraged to anonymize their datasets as much as possible. While there are trade-offs, such as model accuracy and reproducibility of results, organizations must document why they choose to use personal data over anonymized data and adopt appropriate governance. Other considerations include:
- Whether the chosen anonymization method is reversible
- The scope of disclosure of the dataset and its intended recipients
- Can motivated individuals find a way to re-identify de-identified datasets?
- Are there sufficient controls in place to prevent re-identification?
2. Deployment
Organizations are required to comply with the PDPA’s consent, notice, and accountability obligations.
In particular, organizations are encouraged to provide users with the following information:
- Product features that require processing of personal data (e.g. movie recommendations)
- A general description of the type of data processed (e.g. movies you’ve watched in the past)
- How the processing of personal data relates to product functionality
- Certain features that may affect product functionality (e.g. number of movie views)
Organizations should also consider including the following in their policies:
- Measures taken during model development and testing to achieve fairness and rationality in recommendations, predictions, and decisions for the benefit of consumers, including assessing bias and ensuring the quality of training data
- Technical and other safeguards to protect personal data, including anonymization of datasets
- How human agency and oversight are enforced for outcomes that have a significant impact on individuals.
Technological tools such as Singapore's AI Verify[3] can be considered to validate the performance of AI systems, together with Singapore's Model AI Governance Framework[4] to manage stakeholder interactions.
3. Procurement
Finally, system integrators and other service providers involved in the development and deployment of bespoke AI systems are generally considered data intermediaries for purposes of the PDPA.
Good practices that such intermediaries can adopt include:
- Data mapping and labeling of the training dataset
- Maintain records of data source provenance and track data transformed during data preparation
Ultimately, service providers will need to help their customer organizations comply with the consent, notice, accountability, and other applicable obligations set forth in the PDPA in relation to the development and deployment of AI. That said, organizations have the primary responsibility for ensuring that the AI systems they choose to use meet their obligations under the PDPA.
[1] https://www.pdpc.gov.sg/guidelines-and-consultation/2023/07/public-consultation-for-the-proposed-advisory-guidelines-on-use-of-personal-data-in-ai- Recommendation and decision system/response received on August 31, 2023
[2] https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/advisory-guidelines-on-key-concepts-in-the-pdpa-17-may-2022.pdf
[3] https://aiverifyfoundation.sg/what-is-ai-verify/
[4] http://go.gov.sg/ai-gov-mf-2