关于在 AI 推荐与决策系统中使用个人数据的咨询指南

组织可在获得有意义同意的情况下使用个人数据。

Organisations can use personal data where there is meaningful consent.

组织可依赖PDPA下的同意例外，例如用于业务改进或研究目的。

Organisations can rely on exceptions to consent under the PDPA, e.g., for business improvement or research purposes.

服务提供商应防止未经授权修改其处理的个人数据。

Service Providers should guard against unauthorised modification of the personal data they are processing.

服务提供商可采取的良好实践包括数据映射和标记，以及维护来源记录。

Good practices that Service Providers could undertake include data mapping and labelling, as well as the maintenance of provenance records.

鼓励组织在其书面政策中包括为确保AI系统可信而采取的保护措施和实践，特别是在结果对消费者影响较大的情况下。

Organisations are encouraged to include in their written policies about safeguards and practices they put in place to ensure that AI Systems are trustworthy, especially where the outcome has high impact on consumers.

鼓励组织在数据收集时提供相关信息，以便消费者给予有意义同意。

Organisations are encouraged to provide relevant information at the point of data collection so that consumers can give meaningful consent.

在可能的情况下，应引入改进。

Where possible, improvements should be introduced.

在需要时，例如AI系统较复杂，为参与AI辅助决策过程的人类决策者提供充分的指示、培训或信息，以确保他们具备适当的使用知识。

Where needed e.g., where the AI System is more complex, sufficient instructions, training, or information for human decision-makers involved in the AI-assisted decision-making process to ensure that they have adequate and appropriate knowledge of how to use the AI System.

当AI系统用于自主决策时，提供培训或清晰解释，以确保部署AI系统的用户组织正确理解其运作方式。

Where the AI System is intended for autonomous decision-making, providing training or a clear explanation to ensure that user organisations deploying the AI System properly understand how the AI System operates.

组织可考虑使用AI Verify等技术工具来验证AI系统的性能。

Organisations can consider using technical tools such as AI Verify to validate the performance of AI Systems.

组织应制定流程，定期审查所提供信息的质量以及通知、政策和实践的有效性。

It is good practice for organisations to develop processes to regularly review the quality of the information provided, as well as the effectiveness of its notifications, policies, and practices for their intended audience.

鼓励组织在认为有用时进行影响评估，特别是数据保护影响评估。

Organisations are also encouraged to perform impact assessments, particularly data protection impact assessments, where these are deemed to be useful.

PDPA第12条要求组织制定政策和实践以履行其义务。

Section 12 of the PDPA requires organisations to develop policies and practices to meet its obligations under the PDPA.

使用AI系统的组织应透明，并在书面政策中包括相关实践和保障措施以实现公平合理。

Organisations that make use of AI Systems should be transparent and include in their written policies relevant practices and safeguards to achieve fairness and reasonableness.

组织还应考虑以简单、清晰、简洁的简短政策形式提供政策。

Organisations should also consider making policies available in the form of short policy that is simple, clear, and concise.

PDPA第12(d)条要求组织应个人请求提供有关政策和实践的信息。

Section 12(d) requires organisations to make information about such policies and practices available to individuals upon request.

组织应考虑主动在其网站上提供此类书面政策，而不仅仅是在请求时提供。

Organisations should consider pre-emptively making such written policies available through their website, and not only upon request.

书面政策应包含为获取有意义同意而需提供的详细信息。

Written policies can house more detailed information that organisations ought to provide to obtain meaningful consent.

制定行业最佳实践（如模型卡和系统卡）也可作为组织书面政策的一部分。

Developing industry best practices, such as model cards and system cards, can also form part of an organisation’s written policies.

政策可包括为确保AI系统中个人数据安全可信使用而采取的后台措施。

Policies could therefore include behind-the-scenes measures taken to ensure that the personal data is used in a safe and trusted manner within the AI System.

在模型开发和测试阶段采取公平合理措施，以利于消费者的推荐、预测和决策。

Measures taken to achieve fairness and reasonableness for recommendations, predictions, and decisions for the benefit of consumers during model development and testing stages.

可包括偏差评估、确保训练数据质量或其他数据治理措施，以及使用个人数据的结果可重复性/再现性。

These can include measures relating to bias assessment, ensuring quality of training data or other data governance measures, or the repeatability/reproducibility of results using personal data.

可包括模型开发和测试期间保护个人数据的措施（如假名化和数据最小化），或通过确保AI系统部署前后的安全来保护个人数据的步骤。

These can include measures to protect personal data during model development and testing (e.g., pseudonymisation and data minimisation), or steps to ensure personal data is protected in the AI System via ensuring the security of such systems before and after they are deployed.

保护个人数据的保障措施和技术措施。

Safeguards and technical measures taken to protect personal data.

提供AI系统安全性和/或稳健性的信息（即系统在遇到对抗性或意外输入时的运行方式）也可能有用。

It may also be useful to provide information on safety and/or robustness of the AI System i.e., how the AI System will operate when encountering adversarial or unexpected input.

对于对个人影响较大的结果，组织可考虑是否提供有关问责机制及人类代理和监督实施情况的信息。

For outcomes that have a higher impact on the individual, organisations may wish to consider whether it is useful to provide information on how proper accountability mechanisms and human agency and oversight have been implemented.

使用个人数据进行模型开发和测试以及在已部署AI系统中的组织应考虑采取合理人认为适当的措施。

Organisations using personal data for model development and testing, and in deployed AI Systems, should consider adopting measures that a reasonable person would consider appropriate in the circumstances.

在采取这些措施后，鼓励组织考虑提供有关这些措施的充分信息，以建立消费者信任和信心。

Having done so, organisations are encouraged to consider providing sufficient information about such measures to build consumer trust and confidence.

通常鼓励组织提供更多关于AI系统开发过程中采取的数据质量和治理措施的信息。

Organisations are generally encouraged to provide more information on data quality and governance measures taken during AI System development.

确保训练数据集中个人数据质量的步骤（例如，数据对市场的代表性以及最近编译的时间）以提高模型准确性和性能。

Steps taken to ensure the quality of personal data in the training dataset (e.g., how representative it is of the market and how recently it was compiled) to improve model accuracy and performance.

模型开发是否使用假名化数据进行，如果没有，采取了哪些组织、流程或技术保障措施来限制对个人数据的访问仅限于有权限的开发者和/或测试人员。

Whether model development was conducted using pseudonymised data, and if not, what organisation, process or technical safeguards were adopted to restrict access to personal data to developers and/or testers who had access.

在进行偏见评估时是否有必要使用个人数据，以检查受保护特征（如种族或宗教）在训练数据集中是否得到充分代表，或评估训练数据集的偏见。

Whether it was necessary to use personal data when conducting bias assessment to check if protected characteristics, such as race or religion, are well represented in the training dataset or to assess the bias of the training dataset.

如果使用了个人数据，采取了哪些流程或技术保障措施来保护测试环境并限制测试人员的访问。

If personal data was used, what process or technical safeguards were adopted to secure the testing environment and to limit access to testers.

在模型和/或AI系统开发和测试的所有阶段是否实践了数据最小化。

Whether data minimisation was practised at all stages of model and/or AI System development and testing.

组织可参考模型AI治理框架以获取管理利益相关者互动的进一步建议。

Organisations may wish to refer to the Model AI Governance Framework for further suggestions on managing stakeholder interaction.

在预处理阶段，使用数据映射和标记等技术来跟踪用于形成训练数据集的数据。

At pre-processing stage, use techniques such as data mapping and labelling to keep track of data that was used to form the training dataset.

维护来源记录，记录训练数据的谱系，识别训练数据的来源并跟踪其在数据准备过程中的转换方式。

Maintain a provenance record to document the lineage of the training data that identifies the source of training data and tracks how it has been transformed during data preparation.

鼓励开发定制或完全可定制AI系统的服务提供商支持组织履行通知、同意和问责义务。

Service Providers developing bespoke or fully customisable AI Systems are encouraged to support organisations in meeting their Notification, Consent and Accountability Obligations.

服务提供商必须关注AI系统对个人的背景和影响。

Service Providers will have to pay attention to the context and impact the AI System will have on individuals.

应识别可能相关的信息，并鼓励服务提供商与客户沟通哪些信息对他们有帮助。

Information that is likely to be relevant should be identified, and these Service Providers are encouraged to engage their customers on what will be helpful for them.

鼓励服务提供商熟悉第9.5和10.6-10.8段所述的信息类型，这些信息有助于满足客户的同意、通知和问责义务。

Service Providers are encouraged to be familiar with the types of information described in paragraphs 9.5 and 10.6 – 10.8 above that contribute towards meeting their customers’ Consent, Notification and Accountability Obligations.

鼓励服务提供商在设计定制或可定制的AI系统时，建立有助于提取满足客户PDPA义务相关信息的过程。

Service Providers are encouraged to build in processes when designing bespoke or customisable AI System that facilitate the extraction of information relevant to meeting their customers’ PDPA obligations.

使用AI Verify等技术工具来帮助开发各种类型的解释。

Use technical tools such as AI Verify to aid in the development of various types of explanations.

将AI系统的操作转化为易于理解的语言，以便操作员了解结果是如何得出的。

Translate the operation of the AI System into easily understandable language for operators so that they can understand how the outcome is arrived at.

虽然服务提供商可以支持组织履行同意、通知和问责义务，但委员会重申，组织对确保其选择的AI系统能够满足PDPA下的义务负有主要责任。

While Service Providers can support organisations in achieving their Consent and Notification Obligations as well as Accountability Obligation, the Commission reiterates that organisations bear the primary responsibility for ensuring that the AI System they have chosen to use can meet their obligations under the PDPA.

PDPA适用于组织收集和使用个人数据的所有情况，包括为开发、测试和监控AI系统或作为其部署过程的一部分而收集和/或处理个人数据。

The PDPA applies to all collection and use of personal data by an organisation, including the collection and/or processing of personal data to develop, test and monitor AI Systems, or as part of their deployment process.

这些指南应与委员会关于PDPA关键概念的咨询指南、关于选定主题的咨询指南以及基本匿名化指南一起阅读。

These Guidelines should be read in conjunction with the Commission’s Advisory Guidelines on Key Concepts in the PDPA, Advisory Guidelines on Selected Topics as well as its Guide to Basic Anonymisation.

数据中介分别受PDPA第24条和第25条的保护义务和保留义务的约束。

Data intermediaries are subject to the Protection Obligation and Retention obligation under S. 24 of and S. 25 of the PDPA respectively.

根据PDPA第26C条，数据中介有义务将其处理的数据泄露报告给其代表处理数据的组织。

Data intermediaries have a duty under S. 26C of the PDPA to report data breaches of data they are processing to the organization they are processing the data on behalf of.

组织可以担任AI开发者的角色，内部开发AI模型或委托服务提供商使用其拥有的个人数据开发定制AI应用。

Organisations may occupy the role of an AI developer by developing AI models in-house, or engaging Service Providers to develop bespoke AI applications using personal data in the organisations’ possession.

以下章节涵盖AI开发者应注意的PDPA义务。

The following sections cover the PDPA obligations that AI developers should pay attention to.

除了寻求同意使用个人数据训练AI系统外，AI开发者组织可考虑依赖业务改进或研究例外。

Besides seeking consent to use personal data to train an AI System, organisations who are AI developers may wish to consider relying on the Business Improvement or Research Exceptions.

业务改进例外允许组织在无需同意的情况下使用根据PDPA收集的个人数据，前提是使用目的属于以下相关目的：a) 改进、增强现有商品或服务或开发新商品或服务；b) 改进、增强现有方法或流程或开发新方法或流程；c) 学习或了解个人行为与偏好；d) 识别适合个人的商品或服务或个性化定制。

The Business Improvement Exception enables organisations to use, without consent, personal data that they had collected in accordance with the PDPA, where such use falls within the scope of the following relevant purposes: a) Improving, enhancing existing goods and services or developing new goods or services; b) Improving, enhancing existing methods or processes or developing new methods or processes for business operations in relation to the organisations’ goods and services; c) Learning or understanding the behaviour and preferences of individuals (including groups of individuals segmented

此外，组织需确保：a) 业务改进目的无法在不使用可识别个人身份的数据的情况下合理实现；b) 组织使用个人数据的方式是合理人士认为适当的。

In addition, organisations will need to ensure the following: a) The business improvement purposes cannot reasonably be achieved without using the personal data in an individually identifiable form; and b) The organisation’s use of personal data for business improvement purpose(s) is that which a reasonable person would consider appropriate in the circumstances.

组织应考虑是否技术上可行且/或成本效益高，使用其他方式开发、测试或监控AI系统而不使用个人数据。

Organisations should consider whether it is technically possible and/or cost-effective to use other means to develop, test or monitor the AI Systems without using personal data.

组织应考虑使用个人数据是否有助于提高AI系统及其输出的有效性或质量。

Organisations should consider whether using personal data contributes towards improving the effectiveness or quality of the AI Systems and their output.

组织应考虑此类使用是否有助于提高新产品特性和功能的有效性或质量，从而帮助组织创新、提高竞争力、提高效率/效果，并增强消费者选择、体验和可用性。

Organisations should consider whether such use will contribute to the effectiveness or improved quality of new product features and functionalities that help organisations innovate, improve competitiveness, become more efficient/effective, and enhance consumer choice, experience, and usability.

组织应考虑关于如何开发、测试和监控此类AI系统的常见行业实践或标准。

Organisations should consider common industry practices or standards on how to develop, test and monitor such AI Systems.

组织可考虑依赖业务改进例外，使用个人数据测试AI系统或进行偏见评估。

Organisations may wish to consider relying on the Business Improvement Exception to use personal data to test AI Systems or for bias assessments.

组织可依赖业务改进例外，使用个人数据测试AI系统，并考虑第5.1至5.3段的要求。

Organisations could rely on the Business Improvement Exception to use personal data to test AI Systems, taking into consideration the requirements as set out in paragraphs 5.1 to 5.3 above.

组织应注意，根据所用数据类型，适用不同的数据集安全保护标准。

Organisations are to take note that different standards for securing and protecting the datasets apply, depending on the type of data used.

业务改进例外可适用于使用个人数据进行偏见评估。

The Business Improvement Exception could apply to the use of personal data for bias assessments.

组织应考虑是否技术上可行且成本有效，使用其他方法在不使用个人数据的情况下消除模型偏差。

Organisations should consider whether it is technically possible and cost-effective to use other means to debias models without using personal data.

组织应考虑使用个人数据是否与AI系统及其输出的有效性或质量改进相关。

Organisations should consider whether using personal data for this purpose is relevant for the effectiveness or improved quality of the AI Systems and its output.

组织应考虑关于如何消除AI系统数据集偏差的常见行业实践或标准。

Organisations should consider common industry practices or standards on how to debias datasets used for AI Systems.

组织可为研究目的使用个人数据，但须满足条件：研究目的无法合理实现除非数据以可识别形式提供；有明确公共利益；研究结果不用于影响个人的决策；若发表，须以不识别个人的形式发表。

Organisations may use personal data for a research purpose, subject to the following conditions: a) The research purposes cannot reasonably be accomplished unless the personal data is provided in an individually identifiable form; b) There is a clear public benefit to using the personal data for the research purpose; c) The results of the research will not be used to make any decision that affects the individual; and d) If results of the research are published, the organisation must publish the results in a form that does not identify the individual.

组织可依赖研究例外条款，为研究目的披露个人数据，包括向另一公司联合研发AI系统。

Organisations may rely on the Research Exception to disclose personal data for a research purpose, including disclosure to another company for joint research and development of new AI Systems.

组织还需评估寻求个人同意是否不切实际。

Organisations will also need to assess whether it will be impracticable to seek the consent of the individual for such disclosure.

组织应限制训练AI系统所需的个人数据量，并基于相关时间段和其他相关过滤器。

Organisations should also limit the volume of personal data necessary to train the AI System and base this on relevant time periods and any other relevant filter e.g., market/customer segment, attributes, etc.

开发AI系统时，组织应实践数据最小化。

When developing AI Systems, organisations should practise data minimisation as good practice.

组织可以仅在不严重可能重新识别的程度上对数据集进行匿名化。

Organisations can seek to anonymise the dataset only to the extent that there is no serious possibility of reidentification.

组织应参考委员会《选定主题咨询指南》第3章，了解PDPA范围外匿名数据的标准。

Organisations should refer to Chapter 3 of the Commission’s Advisory Guidelines for Selected Topics for the Commission’s criteria on what constitutes anonymised data outside the scope of the PDPA.

组织在设计、训练、测试或监控使用个人数据的AI系统时，应包含适当的技术、流程和/或法律控制措施。

Organisations are reminded that when designing, training, testing, or monitoring AI Systems using personal data, appropriate technical, process and/or legal controls for data protection should be included.

在可能的情况下，鼓励组织对使用的个人数据进行假名化或去标识化。

Where possible, organisations are encouraged to pseudonymise or de-identify the personal data used as a basic control.

应特别注意开发环境的数据安全与保护措施，并鼓励组织进行数据保护影响评估。

Particular attention should be paid to the data security and protection measures around the development environment and organisations are encouraged to conduct a Data Protection Impact Assessment.

开发环境中的数据保护标准应与处理个人数据的系统所需的标准类似。

Standards for data protection in the development environment should be similar to the standards needed for systems handling personal data.

如果无法进行假名化而必须使用原始个人数据（例如面部图像），组织应牢记其在PDPA下的保护义务。

If pseudonymisation is not possible and raw personal data has to be used e.g., facial images, organisations are reminded of their Protection Obligation under the PDPA.

在决定实施何种数据保护控制措施时，公司应考虑个人数据面临的披露/盗窃风险类型以及所用个人数据的敏感性和数量。

When deciding what kind of controls for data protection should be implemented, companies should consider: a) The types of disclosure/theft risks that the personal data would be subject to; and b) The sensitivity and volume of the personal data used.

鼓励公司评估风险并为此类个人数据使用实施适当的法律、技术和流程控制。

Companies are encouraged to assess the risks and implement appropriate legal, technical and process controls for such personal data use.

组织应采取隐私设计方法，评估此类隐私攻击的风险，并尽可能在AI系统中寻求缓解此类风险。

Organisations should take a privacy-by-design approach and assess the risk of such privacy attacks as well as seek to mitigate such risks where possible within the AI System.

组织必须确保其关于在开发AI系统中使用个人数据的政策得到更新并建立实践。

Organisations must ensure that their policies regarding the use of personal data in their organisations to develop AI Systems are updated and practices are established.

在使用或披露匿名数据时，应建立适当的法律、技术和流程控制。

Appropriate legal, technical and process controls should be instituted when using or disclosing anonymised data.

鼓励组织尽可能匿名化其数据集，而不是使用个人数据。

Organisations are encouraged to anonymise their datasets as far as possible instead of using personal data.

组织应采用适当的公司治理方法做出此类决策，包括咨询相关利益相关者，并由适当的高级管理层做出决策。

Organisations should employ appropriate corporate governance methods to make such decisions, including consulting relevant stakeholders and having such decisions made at an appropriately senior management level.

组织应仔细权衡使用两种数据的利弊，并在内部明确记录选择使用个人数据而非匿名数据的理由。

Organisations should carefully weigh the pros and cons of using both types of data, and clearly document internally the reasons for choosing to use personal data over anonymised data.

组织应注意以下PDPA义务：同意与通知以及问责制。

Organisations should be mindful of the following PDPA obligations: Consent and Notification as well as Accountability.

除非适用视为同意或同意义务的例外（例如合法利益例外），根据PDPA第13条，收集和使用个人数据以提供推荐、预测或决策时需要获得同意。

Unless deemed consent or exceptions to the Consent Obligation apply, e.g., Legitimate Interests Exception, pursuant to Section 13 of the PDPA, consent will be required for the collection and use of personal data to provide recommendations, predictions, or decisions.

依赖此例外的组织必须告知个人其依赖该例外收集和使用个人数据。

Organisations who rely on this exception must make it known to individuals that they are relying on this exception to collect and use personal data.

同意义务由通知义务补充，要求用户在同意时被告知收集目的和预期用途。

The Consent Obligation is complemented by the Notification Obligation, which requires that users be notified of the purpose of the collection and intended use of their personal data when seeking their consent.

第20(1)条要求组织在收集个人数据之前或之时告知个人其收集、使用和披露的目的。

Section 20(1) requires an organisation to inform the individual of the purposes for the collection, use and disclosure of their personal data, on or before collecting the personal data.

通知要求向个人提供将收集和处理的个人数据类型以及处理目的的信息。

Notification requires giving individuals information about the types of personal data that will be collected and processed and the purpose for the processing.

通知不必过于技术性或详细，应与每个用例的风险相称。

Notifications need not be overly technical or detailed and should be proportionate to the risks of each use-case.

组织应设身处地为消费者着想，制作通知使个人理解个人数据将如何被处理以实现预期目的。

Organisations should place themselves in the shoes of consumers and craft notifications that will enable individuals to understand how personal data will be processed to achieve the intended purpose.

鼓励组织识别更可能影响产品功能的个人数据的具体特征。

Organisations are encouraged to identify specific features of personal data that are more likely to influence the product feature (e.g., whether movie was viewed completely, viewed multiple times, etc).

鼓励组织提供将收集和处理的个人数据类型的通用描述。

Organisations are encouraged to provide a general description of types of personal data that will be collected and processed (e.g., movie viewing history).

鼓励组织解释收集的个人数据的处理如何与产品功能相关。

Organisations are encouraged to explain how the processing of personal data collected is relevant to the product feature (e.g., analysis of users’ viewing history to make movie recommendations).

鼓励组织提供其产品需要收集和处理个人数据的功能信息。

Organisations are encouraged to provide information on the function of their product that requires collection and processing of personal data (e.g., recommendation of movies).

组织应根据自身评估决定提供此类信息的方式，以支持其业务目标和用户体验。

Organisations should decide the mode of providing such information, based on their own assessment of how this supports their business objectives vis-à-vis user experience.

组织可通过模型卡或系统卡提供满足同意和通知义务所需的信息。

Organisations may provide information necessary to meet the Consent and Notification Obligations through model and/or system cards, if the organisation adopts this practice or assesses it to be useful.

组织评估认为有必要限制或省略细节时，应内部记录并证明这些决定。

Where organisations assess that it is necessary to limit or omit detail and, if appropriate, provide a more general explanation instead, it is good practice for these decisions to be justified and documented clearly internally.