Written Answer · 2026-05-05 · Parliament 15
Review of Personal Data Protection Act 2012 to Address Use of Inferred or Derived Data Generated by AI
Workers' Party MP Dennis Tan Lip Fong asked the Ministry of Digital Development and Information in writing whether it intends to review the Personal Data Protection Act 2012 (PDPA) to address the use of inferred or derived data, including behavioural profiles generated by AI systems, and if so, what principles would guide such a review. Minister Josephine Teo replied that under the PDPA, data about an identifiable individual is personal data which organisations must safeguard when in their possession or control, and this also covers data about the individual that an organisation derives in the course of business from such personal data. She added that the Personal Data Protection Commission has published Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems, setting out principles such as using data only for legitimate business purposes and limiting collection to what is needed. The reply effectively declines to commit to legislative review: the Government's position is that existing statutory definitions already cover derived data, supplemented by soft-law guidelines, leaving AI behavioural profiling without a dedicated legislative response.
Key Points
- • The Government holds that existing PDPA definitions already cover data derived in the course of business
- • PDPC has issued Advisory Guidelines on personal data use in AI recommendation and decision systems
- • Guideline principles: legitimate business purposes only, collection limited to what is needed
- • No commitment to a PDPA legislative review targeting AI behavioural profiling
The Government holds that the PDPA's existing definition of personal data already covers data organisations derive in the course of business, and that combined with PDPC's AI advisory guidelines, no immediate legislative amendment is needed.
Workers' Party MP Dennis Tan Lip Fong takes the view that AI-generated inferred data and behavioural profiles pose a new class of risk warranting a dedicated legislative response through a PDPA review.
Singapore is staying the course of "existing law plus soft guidelines" for data protection in the AI era, signalling no near-term standalone amendment for AI-inferred data.
"This also covers data about the individual that an organisation derives in the course of business from such personal data."
Participants (2)
Original Text (English)
SPRS Hansard · Fetched: 2026-06-09
39 Mr Dennis Tan Lip Fong asked the Minister for Digital Development and Information (a) whether the Ministry intends to review the Personal Data Protection Act 2012 to address the use of inferred or derived data, including behavioural profiles generated by Artificial Intelligence systems; and (b) if so, what principles will guide such a review.
Mrs Josephine Teo : Under the Personal Data Protection Act, data about an identifiable individual is considered personal data and an organisation has obligations to safeguard such data in its possession or control. This also covers data about the individual that an organisation derives in the course of business from such personal data.
The Personal Data Protection Commission has published Advisory Guidelines on the Use of Personal Data in Artificial Intelligence (AI) Recommendation and Decision Systems. It sets out principles to guide organisations and consumers on the responsible collection and use of personal data in AI systems, such as using data only for legitimate business purposes and limiting data collection to what is needed.