In [redacted] v HSBC Bank (Singapore) Limited [2021] SGPDPC 3, the Personal Data Protection Commission (“PDPC“) issued its decision on the obligation to provide access to personal data in an organisation’s possession as well as the exception allowing organisations to deny access to opinion data for evaluative purposes, both in the context of Artificial Intelligence (“AI“) systems and deterministic algorithms. The PDPC affirmed the Respondent Bank’s decision to redact certain opinion data when providing to the Applicant individual an internal evaluation report regarding his unsuccessful credit card application, finding that the redaction fell within the applicable exception to the Access Obligation. The pragmatism exhibited by the PDPC in this decision is exemplary. It places Singapore squarely as one of the best jurisdictions in the world, from a regulatory standpoint, to run AI systems and conduct data analytics. This is so provided organisations ensure adequate transparency and accountability policies are maintained.
Notably, the redacted data pertained to opinion data auto-generated by the Bank’s Artificial Intelligence algorithms, which makes the decision a significant one for all organisations that utilise AI systems to make business evaluations. The Bank was successfully represented by Rajesh Sreenivasan and Justin Lee of Rajah & Tann Singapore LLP. In this Update, we provide a summary of the case and highlight the key points and impact of the decision.
For more information, click here to read the full Legal Update.