Speech by David N Alfred, Chief Counsel of PDPC, at 6th World Internet Conference - Legal Forum on Security & Development: Data Governance and the Rule of Law on Sunday, 20 October 2019, at Wuzhen, Zhejiang, People’s Republic of China
20 Oct 2019
1. Honoured guests, distinguished colleagues, ladies and gentlemen, good afternoon. I would like to thank the Chinese Academy of Social Sciences (CASS) for inviting me to deliver this speech. This event is very timely, and highlights the unprecedented emphasis on data today and its role in driving technologies and smart cities.
2. I would like to share with you an overview of Singapore’s approach to trusted data sharing and data governance particularly in relation to Artificial Intelligence (AI).
Unexpected Secondary Use of Data
3. We operate today in an increasingly connected and competitive business environment. As we spend more time online and benefit from the latest technology trends, there is a proliferation of collection, use and transfer of personal data, locally and across borders.
4. From online user-provided data through account creations, feedback forms and preference selections, to smart devices that collect data with geolocation sensors, accelerometers and audio-visual sensors, to IoT devices, devices connected to the Internet of Things, this has allowed organisations to collect an unprecedented amount of personal data and leverage on data-driven insights to innovate and gain a competitive advantage.
5. More organisations are embracing new technologies, making better use of existing data to not only streamline business processes, but also to read their customer behaviour better to expand their profit margin. A critical example would be the use of artificial intelligence, which powers some of our day-to-day activities like virtual assistants, maps, recommender engines.
6. While data analytics and insights have undeniable benefits to both organisations and consumers, it also raises the concern that there will be re-purposing of the data collected. In this sense, consumers might feel like they have lost control over their data in this increasingly interconnected and complex world.
From Compliance to Accountability
7. For companies to optimise the benefits of technology, consumers need to be empowered to have better control over their data and trust the companies to handle them.
8. In Singapore, The Personal Data Protection Act or PDPA lays the foundation for this trusted ecosystem. The PDPA shares similarities with laws enacted in other countries, for example, requiring organisations to obtain consent from individuals for the collection, use and disclosure of their personal data.
9. Understanding that it will be challenging for organisations to obtain consent for secondary uses of the data collected, we have set in place plans for the PDPA to become a progressive data protection regime that promotes trust through the responsible use of data.
10. This includes our shift from compliance to accountability, where organisations need to be accountable in their policies, practices and people, to gain that trust from consumers. That is, organisations need to move away from a checklist approach to data protection compliance, to an approach which demonstrates their commitment to respecting and protecting personal data which has been entrusted to them by individuals at each stage of the data lifecycle. The PDPA already requires organisations to be responsible for personal data in their possession or under their control.
11. To facilitate this shift, we have rolled out accountability tools like the Data Protection Management Programme (DPMP), Data Protection Impact Assessment (DPIA), as well as launched the Data Protection Trustmark, which recognises organisations with accountable practices through certification systems.
12. There is also upcoming amendments to the PDPA, with the proposed enhanced consent regime and mandatory breach notification set to further accentuate and integrate accountability within the PDPA.
Data Sharing: Responsible and Responsive
13. To further boost trusted data flows between organisations and encourage the meaningful use of data to drive growth and innovation, we have also launched the first comprehensive Trusted Data Sharing Framework to facilitate data sharing between organisations.
14. The Framework addresses the challenges organisations face in sharing data assets, such as the lack of guidance and trust for data sharing, as well as the concern with whether they may be breaching the PDPA. By providing a common understanding, a common “data sharing language”, the Framework helps organisations establish a set of baseline practices, and provides clarity on how to form trusted data sharing partnerships.
15. The Framework encompasses content from existing guides on anonymisation and sharing, new materials like the guide to data valuation, as well as sample legal templates that can help with contractual data sharing. This Framework also guides organisations through regulatory considerations and various contractual, operational, technical safeguards necessary in a data sharing arrangement.
16. We are confident that this Framework will uplift practice norms to enable better, trusted data flows within the local ecosystem and across borders.
17. In addition, it can complement our efforts in AI governance by including accountability, transparency and human-centricity by-design at the onset. This brings me to my next point on the importance of governance and ethics in AI.
A Trusted Ecosystem to Support Artificial Intelligence
18. We believe that consumer confidence is vital in AI use and deployment, and only with accountability and responsible use can the public be assured of the value of this emerging technology.
19. Three initiatives bolster our support for AI development and adoption (through governance and ethics), namely:
The Setting up of the Advisory Council on the Ethical Use of AI and Data to advise on complex issues raised by AI;
Our Research Programme on Governance of AI and Data Use to contribute to global thought leadership by shaping cutting-edge thinking and practices in AI and data policy and regulation; and
The release of our Model AI Governance Framework.
20. Our Model AI Governance Framework, in particular, promotes responsible use of AI by organisations. The first of its kind in Asia, it is intended to be a living document that goes beyond discussion of data and algorithms and looks into 4 key areas. These are:
Internal Governance Structures and Measures;
Determining the AI Decision-Making Model;
Operations Management; and
Customer Relationship Management.
21. The Framework translates AI ethical principles into implementable practices so that organisations have a ready-to-use tool to help deploy AI in a responsible manner. More importantly, it allows organisations to demonstrate accountability in using AI by putting in place safeguards to mitigate risks that may arise from using AI at scale.
22. Understanding that rapid technological advances and evolutions in business models are still happening, we have decided not to rush into regulation so soon to avoid stifling innovation. We have chosen to adopt a progressive stance towards data use and sharing, and this is why the AI Model Framework is for voluntary adoption by organisations.
23. This approach will achieve twin goals of promoting AI adoption while ensuring that regulatory safety precautions are met while we continue to monitor developments in AI and consider how our framework can be improved. With this, we seek to continuously reassure and inspire public confidence in AI technologies, and contribute to the broader global discourse on AI ethics and governance.
24. The initiatives that I have highlighted today are part of the work of Singapore’s Personal Data Protection Commission and Infocomm Media Development Authority supporting the development of good data protection practices within an organisation and the development of a trusted data ecosystem.
25. The ultimate goal of our shift from compliance to accountability is to establish a high level of consumer trust as the bedrock of our data protection regime, thereby enabling data innovation to thrive for the benefit of consumers, organisations and society as a while.
26. With this, I wish everyone a fruitful session today. Thank you.