The PDPC’s Proposed Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems provide organisations with guidance on baseline policies and best practices for protecting personal data when using AI systems.


Proposed PDPC Advisory Guidelines on Personal Data Use in AI Systems

July 21, 2023

On 18 July 2023, the Personal Data Protection Commission (PDPC) published the Proposed Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems (Proposed Guidelines).  The Proposed Guidelines clarify how the Personal Data Protection Act 2012 (PDPA) applies to the collection and processing of personal data to develop and train systems that embed machine learning models to make autonomous decisions or to generate recommendations and predictions (AI Systems).  

Comments on the Proposed Guidelines are accepted until 31 August 2023.

AI System Development, Testing and Monitoring

Consent Exceptions

When using personal data to develop an AI System, organisations may rely on the Business Improvement Exception or Research Exception in lieu of obtaining individuals’ consent.  However, organisations are urged to conduct a data protection impact assessment to identify and mitigate potential risks.  

Application:

  Business Improvement Exception: Relevant for:
    • product/service or business system development or improvement; or
    • identifying preferences or personalising products/services.

  Research Exception: Relevant for research and development without any immediate application.

Key Conditions:

  Business Improvement Exception:
    • Using personal data in individually identifiable form is necessary to achieve the business improvement purposes.
    • A reasonable person would consider the use of personal data for business improvement purposes as appropriate.

  Research Exception:
    • Using personal data in individually identifiable form is necessary to achieve the research purposes.
    • Using personal data for the research has a clear public benefit.
    • The research results will not be used to make any decision affecting the individual concerned (i.e., the individual whose personal data are used).
    • Published results must not identify the individual concerned.

Data Sharing:

  Business Improvement Exception: Within a group of companies or within departments in a company.

  Research Exception: With unrelated companies for joint commercial research purposes, provided that it is impracticable to seek the consent of the individual concerned for the disclosure.

Relevant Considerations:

  Business Improvement Exception:
    • Whether using personal data helps improve the effectiveness or quality of the AI System and its output.
    • Whether it is technically possible or cost effective to develop, train or monitor the AI System without personal data.
    • Standard industry practices on how to develop, train or monitor the AI System.
    • Whether using personal data helps with the effectiveness or improved quality of new product features that help the organisation innovate or enhance consumer experience.

  Research Exception:
    • Whether developing the AI System will improve the development of science and engineering.
    • Whether the AI System can increase innovation in products or services that improve the quality of life.
    • Whether using personal data helps improve the quality or performance of the AI System.
    • Developing industry practices to develop or deploy AI Systems.

Good Data Protection Practices

In any event, when designing, training, testing or monitoring AI Systems using personal data, organisations should:

  • include appropriate technical, process or legal controls for data protection;
  • de-identify personal data, if possible;
  • use only the minimum amount of personal data required;
  • assess and mitigate possible risks to the personal data; and
  • update data protection policies and practices to take into account the use of personal data to develop AI Systems.  

AI System Deployment

Consent must be obtained to collect and use personal data for processing by an AI System, unless an exception applies.  

Before obtaining such consent, individuals must be sufficiently informed about the types of personal data that will be collected and processed and the purpose for their processing, including the function of the product that uses an AI System (e.g., to suggest a shop), why processing personal data is relevant to the product feature (e.g., suggestions rely on an analysis of previous shopping habits) and what specific personal data will influence the product feature (e.g., amount spent or items purchased).  

To be fair and reasonable, organisations should be transparent in their data protection policies about their practices and safeguards when using personal data in AI Systems.  

Bespoke AI System Procurement

A service provider that develops and deploys bespoke AI Systems for an organisation is a data intermediary under the PDPA.  As a data intermediary, a service provider should keep track of data that were used to form training datasets and log the transformation of those data and support the organisation in complying with its PDPA obligations (e.g., by explaining how the AI System operates in simple language, so that the organisation can provide the necessary notices to individuals concerned).  

While service providers should provide support as data intermediaries, organisations still bear primary responsibility for ensuring that the AI System they use enables their compliance with the PDPA.

Key Takeaway

As organisations eagerly incorporate AI Systems in their operations to improve efficiency, they should also be mindful of their regulatory obligations when using personal data to develop or deploy AI Systems.  The Proposed Guidelines are helpful in guiding organisations on using AI Systems in a manner that complies with the PDPA.    

For More Information

OrionW regularly advises clients on data protection matters.  For more information about how to comply with the Personal Data Protection Act 2012, or if you have questions about this article, please contact us at

Disclaimer: This article is for general information only and does not constitute legal advice.

