Date Published: 5 August 2021
The Access Obligation
Under section 21(1) of the Personal Data Protection Act 2012 (“PDPA”), an individual has the right to access personal data about him that is in an organisation’s possession or under its control, and information about the ways in which that personal data has been or may have been used or disclosed. This is termed the Access Obligation of an organisation. The Access Obligation is, however, subject to section 21(2) of the PDPA, which allows an organisation to rely on any of the exceptions listed in the Fifth Schedule to the PDPA to decline an individual’s access request.
Can a credit card applicant rely on his right of access under the PDPA to obtain the opinion data behind the outcome of his credit card application? In [redacted] v HSBC Bank (Singapore) Limited SGPDPC 3, a review application heard by the Personal Data Protection Commission (the “PDPC”) of Singapore, the PDPC held that the opinion data generated in evaluating a credit card application was kept solely for an evaluative purpose, and therefore fell within an exception under the PDPA that allows an organisation to decline to disclose such personal data.
The Respondent, HSBC Bank (Singapore) Limited (“HSBC”), is a full-service bank in Singapore, while the Applicant is an individual who applied to HSBC for a credit card. Following his unsuccessful application, the Applicant requested a copy of HSBC’s internal evaluation report prepared for the purpose of evaluating his credit card application (“the Report”). In response, HSBC provided a copy of the Report with some fields redacted (“the Redacted Data”). HSBC took the position that it was not obliged to disclose the Redacted Data, which it said constituted opinion data kept solely for an evaluative purpose, an exception to the Access Obligation under paragraph 1(a) of the Fifth Schedule (“the Evaluative Purpose Exception”). The Applicant subsequently elected to make a review application under the then section 28 of the PDPA (now section 48H(1)(a) of the PDPA) (“the Review Application”).
In this Review Application, the issues to be determined were: (a) whether the Report is personal data of the Applicant; and (b) if so, whether the Evaluative Purpose Exception (or any other exception under the PDPA or other written law) applies so as to justify HSBC’s refusal to give the Applicant access to the Redacted Data.
Whether the Report is personal data of the Applicant
Section 2(1) of the PDPA defines “personal data” as data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access. Under the PDPC’s Advisory Guidelines on Key Concepts in the PDPA, the two key considerations in determining whether data constitutes “personal data” are: (a) whether the nature or purpose of the information is to be data about, or relating to, an individual; and (b) whether the individual is identifiable from the data on its own, or from that data together with other information to which the organisation has or is likely to have access.
In the present case, the Report was prepared for the purposes of evaluating the Applicant’s application for credit card facilities and contained information about him that was relevant to deciding whether credit card facilities should be extended by HSBC to the Applicant. The Report contained various data fields, some of which were redacted by HSBC when a copy was provided to the Applicant. As the Report contained information about the Applicant, who was identifiable from the information, and the Report was prepared for the purpose of making a decision concerning the Applicant’s application for credit card facilities, the Report therefore constituted the personal data of the Applicant.
Although HSBC described the Redacted Data as opinion data auto-generated by HSBC’s proprietary algorithm for determining an individual’s suitability for a credit card, the PDPC did not consider the fact that the Redacted Data was algorithmically generated to be relevant in determining whether it constituted personal data. The main inquiry is whether the information is about an identified or identifiable individual, regardless of whether the information was collected directly from the individual or derived from data obtained from other sources.
Whether HSBC can rely on the Evaluative Purpose Exception to decline access to the Redacted Data
The Evaluative Purpose Exception is captured in para 1(a) of the Fifth Schedule of the PDPA, which allows an organisation to decline access to “opinion data kept solely for an evaluative purpose”.
First, the PDPC was satisfied that the Redacted Data constituted opinion data. This was supported by the fact that the Redacted Data was neither a reproduction of personal data obtained from a third-party source, nor the result of simple arithmetic operations. Instead, the Redacted Data was derived from an analysis of primary data according to business rules expressed in HSBC’s proprietary algorithm. The Redacted Data was therefore an expression of opinion produced by HSBC’s data processing, and formed part of the Applicant’s personal data in HSBC’s possession or under its control.
Next, the PDPC considered whether the data was kept solely for an “evaluative purpose”, as defined under section 2(1) of the PDPA. The PDPC found that the Evaluative Purpose Exception is intended to keep opinions that form part of an organisation’s decision-making process (i.e., the evaluation before a decision is made) confidential. Accordingly, individuals do not have the right to access personal data contained in such opinions.
In the present case, HSBC was evaluating the Applicant’s suitability for credit card facilities and whether to extend the said facilities to him, which would entail the award of a contract. This fell within the definition of “evaluative purpose” in section 2(1)(a)(v) of the PDPA: “for the purpose of determining the suitability, eligibility or qualifications of the individual to whom the data relates for the awarding of contracts, awards, bursaries, scholarships, honours or other similar benefits”. The PDPC therefore found that HSBC was entitled to rely on the Evaluative Purpose Exception to decline giving the Applicant access to the Redacted Data.
Whether HSBC can rely on other exceptions to decline access to the Redacted Data
HSBC also sought to rely on, inter alia, other exceptions in the Fifth Schedule to the PDPA to justify its refusal to give the Applicant access to the Redacted Data, which the PDPC rejected for the following reasons.
HSBC’s argument in reliance on the exception under paragraph 1(g) of the Fifth Schedule was rejected, as the PDPC held that the Redacted Data would not disclose, or allow the reverse-engineering of, “confidential commercial information” pertaining to HSBC’s credit card application evaluation process that could affect its competitive position. The argument in reliance on the exception under paragraph 1(h) of the Fifth Schedule was also rejected, as client due diligence and customer information checks for the purposes of a credit card application did not constitute an “investigation” within the meaning of the PDPA.
HSBC also argued, pursuant to the exception under paragraph 1(i)(ii) of the Fifth Schedule, that the burden of providing access to the Redacted Data was unreasonable considering the volume of credit card applications that HSBC received daily. The PDPC found this argument to be unsupported by evidence. It held that it was neither unreasonably burdensome nor expensive for HSBC to respond to the Applicant’s access request, and that the possibility of the Applicant’s request prompting other individuals to make similar requests was not a relevant consideration.
Lastly, HSBC argued that the Applicant had full knowledge of the personal data and financial information he had provided by way of his credit card application, and the request was therefore frivolous and vexatious under the exception in paragraph 1(j)(v) of the Fifth Schedule to the PDPA. This was rejected as the Applicant had not requested such data, but had requested HSBC’s opinion data in the Report which he had no knowledge of.
Other Considerations and Conclusion
The case sheds some light on the scope of the exceptions to an individual’s right to access his personal data, in this instance data derived from an algorithm. Organisations, especially those which rely on algorithmic processes to process data, should note that data about an identified or identifiable individual constitutes personal data, regardless of whether such data was derived from other sources.
However, organisations are entitled to decline to disclose opinion data kept solely for an evaluative purpose, that is, opinions forming part of the organisation’s decision-making process. It is also interesting to note that the PDPC rejected one of the other exceptions relied on by HSBC, namely that the Redacted Data might disclose, or allow the reverse-engineering of, “confidential commercial information” pertaining to HSBC’s credit card application evaluation process that could affect its competitive position. It is not inconceivable that, with the use of technology, redacted opinion data of this kind could be reverse-engineered to reveal confidential commercial information about an organisation’s credit card evaluation process.
In this case, although HSBC was entitled to decline the Applicant’s request for access to the Redacted Data, HSBC provided the Applicant with (a) HSBC’s Principles for the Ethical Use of Big Data and AI and (b) HSBC’s Credit Decisioning Policy Statement, two publications on how technology is used in its credit facility assessments. The PDPC commented that HSBC had acted reasonably in providing information about how it used data and technology to conduct credit facility assessments.
It is useful to note that the Monetary Authority of Singapore (“MAS”) has issued a set of Principles to Promote Fairness, Ethics, Accountability and Transparency in the Use of AI and Data Analytics in Singapore’s Financial Sector (“the AI Principles”) governing the use of artificial intelligence and data analytics (“AIDA”) in decision-making in the provision of financial products and services. These may be read together with the Model Artificial Intelligence (AI) Governance Framework published by the Infocomm Media Development Authority and the PDPC when deploying AI technologies. Under the AI Principles, organisations are to, inter alia, adopt principles of fairness in their governance frameworks to ensure that individuals or groups of individuals are not systematically disadvantaged through AIDA-driven decisions, unless such decisions can be justified. The AI Principles also recommend that data subjects be provided with channels to enquire about, submit appeals against and request reviews of AIDA-driven decisions that affect them. Nevertheless, it remains to be seen whether affected individuals can effectively request reviews of AIDA-driven decisions if access requests for the underlying opinion data may be denied.
The Model AI Governance Framework also recommends that organisations put in place internal governance structures and measures to incorporate values, risks and responsibilities relating to algorithmic decision-making, determine the acceptable level of risk in the use of AI, and identify an appropriate level of human involvement in AI-augmented decision-making. As organisations are expected to make available, on request, the policies and practices necessary for them to meet their obligations under the PDPA, it may be timely to consider whether those policies and practices should be updated to take into account the recommendations of the Model AI Governance Framework.
Please contact us if you require our advice and assistance on preparing or updating your organisation’s policies and practices.
Disclaimer: This update is provided to you for general information and should not be relied upon as legal advice. The editor and the contributing authors do not guarantee the accuracy of the contents and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the contents.
With the prevalence of technology and increasing connectivity through the internet, cybersecurity and data protection are areas that have grown more important in Singapore.
Since the introduction of the Personal Data Protection Act 2012 (“PDPA”), it is mandatory for organisations to comply with data protection rules, and we strive to help our clients understand that compliance with the PDPA is no longer optional.
At CNPLaw, we have worked with our clients and helped them navigate through a variety of data protection issues