pdpc_decisions_version: 63
This data as json
_id | _item | _version | _commit | description | tags | date | pdf-url | nature | title | url | timestamp | decision | _item_full_hash |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
63 | 63 | 1 | 1016 | A review application under section 28 (now known as section 48H(1)(a)) of the PDPA was conducted following a failed request by an individual to obtain his full unredacted internal evaluation report prepared by HSBC Bank (Singapore) Limited for the purpose of evaluating his credit card application. | [ "Finance and Insurance", "Access and Correction", "Evaluation", "Opinion Data" ] | 2021-05-12 | https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision--HSBC-Bank-Singapore-Limited--10032021.pdf | | Outcome of a Review Application Involving an Individual and HSBC Bank | https://www.pdpc.gov.sg/all-commissions-decisions/2021/05/outcome-of-a-review-application-involving-an-individual-and-hsbc-bank | 2021-05-12 | | c714658b21945c62deecbceeab6abcc2739aa9f8 |

pdf-content:

PERSONAL DATA PROTECTION COMMISSION
[2021] SGPDPC 3
Case No. DP-1810-B2892R
In the matter of a review under section 48H(1)(a) of the Personal Data Protection Act 2012 and of the Personal Data Protection (Enforcement) Regulations 2021
Between [Redacted] … Applicant
And HSBC Bank (Singapore) Limited … Respondent

DECISION
HSBC Bank (Singapore) Limited
Yeong Zee Kin, Deputy Commissioner — Case No. DP-1810-B2892R
10 March 2021

Background

1 The Respondent, HSBC Bank (Singapore) Limited (“HSBC”), is a full-service bank in Singapore. HSBC’s personal banking offerings include credit card facilities to individuals, offered subject to a process of application and approval by the bank. Sometime in 2018, the Applicant applied to HSBC for a credit card, but was unsuccessful. Dissatisfied, he requested HSBC to provide him with a copy of the bank’s internal evaluation report prepared for the purpose of evaluating his credit card application (“the Report”).

2 In response to the Applicant’s request, HSBC furnished a copy of the Report but with some fields redacted (“the Redacted Data”). HSBC’s position was that they were not obliged to disclose the Redacted Data to the Applicant, as the Redacted Data constituted opinion data kept solely for an evaluative purpose, an exception to the Access Obligation under paragraph 1(a) of the Fifth Schedule (“the Evaluative Purpose Exception”).

3 The Applicant maintained that he was entitled to the full unredacted Report, and approached the Personal Data Protection Commission (the “Commission”) for assistance. The Commission attempted to facilitate an amicable resolution between the parties. When attempts to facilitate an amicable resolution were unsuccessful, the Commission informed the Applicant of his option to make a review application under the then section 28 of the PDPA (now, section 48H(1)(a) of the PDPA) (“the Review Application”).

4 The Applicant elected to take this option on 18 March 2020. As HSBC’s position on the Review Application was extensively set out in its prior correspondence with the Commission, these were (with HSBC’s consent) treated as the Respondent’s response for the purposes of Regulation 6 of the Personal Data Protection (Enforcement) Regulations 2014 (“the Response”). In the Response, in addition to the Evaluative Purpose Exception, HSBC cited additional grounds to justify not disclosing the Redacted Data to the Applicant. Despite the Commission’s invitation, the Applicant did not submit any reply to the Response.

Findings and basis for determination

5 The issues that arise for my determination in this Review Application are:
(a) Whether the Report is personal data of the Applicant; and
(b) If so, whether the Evaluative Purpose Exception (or any other exception under the PDPA or other written law) applies so as to justify HSBC’s refusal to give the Applicant access to the Redacted Data.

The Access Obligation

6 The Applicant’s request for access to the Report should be viewed as a data subject access request made pursuant to section 21(1) of the Personal Data Protection Act 2012 (“PDPA”). Section 21(1) of the PDPA gives a data subject the right to access personal data about him that is in an organisation’s possession or under its control (“the Access Obligation”). The data subject’s right of access is moderated by section 21(2) of the PDPA which allows an organisation to invoke any of the exceptions listed in the Fifth Schedule of the PDPA to decline the data subject access request.

7 The Access Obligation should not be examined in isolation. The Access Obligation enables a number of neighbouring obligations: the Purpose Limitation Obligation (section 18 of the PDPA), the Correction Obligation (section 22 of the PDPA) and the Accuracy Obligation (section 23 of the PDPA). The Access Obligation enables the data subject to ascertain what personal data about him an Organisation possesses or controls, and also how it has been used or disclosed. It empowers the data subject to ask for an account of how personal data about him has been collected, used or disclosed: section 21(1)(b) of the PDPA. It also enables the data subject to ascertain that personal data about him is correct, and to request for correction of errors or omissions: section 22(1) of the PDPA. This in turn supports the organisation’s use of personal data. The Accuracy Obligation requires an organisation to ensure that personal data that it uses when making decisions that affect an individual is accurate and complete: section 23(a).

8 The PDPA respects a fundamental distinction between ensuring that good quality data is available to organisations that make use of them to make decisions, and the decision and decision-making process. Whereas the Access and Correction Obligations support the former by empowering the individual in the manner described in the preceding paragraph, the Fifth and Sixth Schedules contain a number of exceptions that are intended to preserve the confidentiality of the decision-making process, e.g. evaluative purpose and trust administration.

9 I thought it helpful to preface the relationships of these obligations before providing the reasons for my decision on this Review Application.

Is the Report personal data of the Applicant?

10 Section 2(1) of the PDPA defines “personal data” as data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access. In the Commission’s Advisory Guidelines on Key Concepts in the PDPA, the following guidance has been provided on when data would be considered “personal data” for the purposes of the PDPA, at [5.2] and [5.4]:
(a) The term “personal data” is not intended to be narrowly construed and may cover different types of data about an individual and from which an individual can be identified, regardless of whether such data is true or accurate, or whether the data exists in electronic or other form.
(b) There are two principal considerations. First, is the nature or purpose of the information to be data about an individual or which relates to the individual. Second, the individual should be identifiable from the data on its own, or from that data and other information to which the organisation has or is likely to have access.

11 The Report was prepared for the purposes of evaluating the Applicant’s application for credit card facilities. It contained information about him that was relevant to deciding whether credit card facilities should be extended by HSBC. The Report contained various data fields, some of which were populated with text, and some left blank. Some of the populated fields in the Report were redacted by HSBC when a copy was provided to the Applicant (i.e. the Redacted Data). Since the Report contains information about the Applicant, who is identifiable from the information, and the Report was prepared for the purpose of making a decision concerning his application for credit card facilities, the Report is therefore the personal data of the Applicant.

12 In its Response, HSBC described the Redacted Data as opinion data auto-generated by HSBC’s proprietary algorithm that determined an individual’s suitability for a credit card by analysing data from various sources. The data analysed included (i) information provided by the Applicant in his credit card application form such as his age, education level, income and employment information, and (ii) data obtained from third parties such as other banks or the Credit Bureau Singapore. HSBC also explained that the Redacted Data did not comprise actual data from these sources, but was data derived from information obtained from these sources.

13 I did not consider the fact that the Redacted Data was algorithmically generated data to be relevant in determining whether they formed part of the Applicant’s personal data. The primary focus is whether the information is about an identified or identifiable individual. It matters not whether the data was collected directly from the data subject, from a third-party source or derived from data from either (or both) of such sources. So long as the information is about the individual and it is in the possession or under the custody of the organisation, it is personal data.

14 For the purpose of deciding the applicability of the Evaluative Purpose Exception subsequently, I need to be satisfied that the Redacted Data is opinion data. HSBC’s argument is that the Redacted Data was derived after an analysis of primary data based on business rules that are expressed in its proprietary algorithm. For the purpose of this Review Application, HSBC provided the Report in the clear. There are five fields that were redacted: four were algorithmically generated and one contained type-written information. I am satisfied that the Redacted Data is not merely a reproduction of personal data obtained from a third-party source nor are they the result of simple arithmetic operations; they are expressions of opinions after data processing. I therefore accept the argument that the application of business rules in the algorithmic analysis yielded opinions, and by virtue of this, the Redacted Data is opinion data. Therefore, the Redacted Data is opinion data that forms part of the Applicant’s personal data that HSBC has in its possession and control; and the Redacted Data is potentially subject to the Access Obligation, unless HSBC is able to rely on an applicable exception.

Can HSBC rely on the Evaluative Purpose Exception (or other grounds) to decline access to the Redacted Data?

15 The Fifth Schedule allows an organisation to decline providing access to “opinion data kept solely for an evaluative purpose”: para 1(a) of the Fifth Schedule. Section 2(1) of the PDPA defines “evaluative purpose” to mean:
“(a) for the purpose of determining the suitability, eligibility or qualifications of the individual to whom the data relates — (i) for employment or for appointment to office; (ii) for promotion in employment or office or for continuance in employment or office; (iii) for removal from employment or office; (iv) for admission to an education institution; (v) for the awarding of contracts, awards, bursaries, scholarships, honours or other similar benefits; (vi) for selection for an athletic or artistic purpose; or (vii) for grant of financial or social assistance, or the delivery of appropriate health services, under any scheme administered by a public agency;
(b) for the purpose of determining whether any contract, award, bursary, scholarship, honour or other similar benefit should be continued, modified or cancelled;
(c) for the purpose of deciding whether to insure any individual or property or to continue or renew the insurance of any individual or property; or
(d) for such other similar purposes as may be prescribed by the Minister” [emphasis added]

16 It is clear from the words emphasised in bold in the definition above that the Evaluative Purpose Exception is intended to cover the decision-making process: in other words, the evaluation before a decision is made. The definition enumerates a number of decisions that organisations have to make from time to time: see the words emphasised in italics. Thus, the Evaluative Purpose Exception operates to keep opinions that form part of the decision-making process confidential. Data subjects do not have the right to access personal data that is contained in such opinions: section 21(2) read with para 1(a) of the Fifth Schedule; nor do they have the right to request corrections: section 22(6) and 22(7) read with para 1(a) of the Sixth Schedule.

17 In the present Review Application, the Applicant had applied for credit card facilities. Limb (a) of the definition is the relevant one. HSBC is evaluating his suitability or eligibility for the credit card facilities. The evaluation will result in a decision whether to extend to him the credit card facilities that he had applied for, which will entail the award of a contract: i.e. sub-section (v) “for the awarding of contracts, awards, bursaries, scholarships, honours or other similar benefits”. The operative decision here is to make an award; the subject matter of the decision covers a range of things. Some are in the nature of a bilateral relationship, e.g. contracts, bursaries and scholarships; some a unilateral conferment of a status, e.g. honours or similar benefits. Thus, HSBC was using the opinion data to evaluate whether to award the contract to the Applicant. I therefore find that HSBC was entitled to rely on the Evaluative Purpose Exception to decline giving the Applicant access to the Redacted Data.

18 Section 21(5) of the PDPA contemplates occasions, such as the present, where documents may contain personal data that the data subject is entitled to access commingled with other personal data that the organisation may decline to provide access to. Thus, HSBC is entitled to rely on the Evaluative Purpose Exception to exclude the Redacted Data from the copy of the Report that was furnished to the Applicant.

19 Even though HSBC declined to disclose the Redacted Data, it had provided to the Applicant two publications: (a) HSBC’s Principle for the Ethical Use of Big Data and AI and (b) HSBC’s Credit Decisioning Policy Statement. These publications provide information about how AI and Big Data are used in an ethical manner by HSBC and how technology is used to conduct credit facility assessments. I found the Credit Decisioning Policy Statement relevant. It provides a description of the type of opinions that the majority of the Redacted Data conveyed. Even though HSBC was entitled to decline providing access to the Redacted Data, it had acted reasonably by providing information about how it uses data and technology to conduct credit facility assessments. From the perspective of accountability and disclosure of policies and practices, HSBC had acquitted itself.

20 For completeness, HSBC also cited various other reasons in its Response to justify its refusal to give the Applicant access to the Redacted Data. In view of my conclusion that HSBC was entitled to rely on the Evaluative Purpose Exception to decline providing access to the Redacted Data, it is unnecessary for me to consider these additional grounds put forth by HSBC in full. Nevertheless, I set out these additional grounds and the reasons why I did not think that they merited full consideration:
(a) Citing paragraph 1(g) of the Fifth Schedule of the PDPA, HSBC argued that disclosure of the Redacted Data would reveal confidential commercial information that would affect HSBC’s competitive position. From my perusal of the Report, I did not think that the Redacted Data would disclose or allow for the reverse-engineering of “confidential commercial information” pertaining to HSBC’s credit card application evaluation process that would affect its competitive position. On the contrary, their Credit Decisioning Policy Statement provided an ample description of the majority of the Redacted Data.
(b) Citing paragraph 1(h) of the Fifth Schedule of the PDPA, HSBC argued that the Redacted Data was personal data collected for the purposes of an investigation and that this investigation and associated proceedings and appeals had not yet been completed. Based on the information provided, there was no ongoing “investigation” within the meaning of section 2(1) of the PDPA. Client due diligence or customer information checks for the purposes of a credit card application were not “investigations” in this sense.
(c) Citing paragraph 1(j)(ii) of the Fifth Schedule of the PDPA, HSBC argued that the burden or expense of providing access to the Redacted Data would be unreasonable considering the volume of credit applications that HSBC received daily. This was an assertion unsupported by evidence. It was not unreasonably burdensome or expensive for HSBC to respond to the Applicant’s access request, and the fact that the Applicant’s request might lead to other individuals making similar requests was not a relevant consideration.
(d) Citing paragraph 1(j)(v) of the Fifth Schedule to the PDPA, HSBC argued that the Applicant’s request was frivolous and vexatious as the Applicant had full knowledge of the personal data and financial information that he had himself provided by way of his credit card application only some 2 weeks prior to his access request. I did not consider the Applicant’s request to be frivolous or vexatious as he had not requested for the same data which he had provided to HSBC in his credit card application form, but had requested for the bank’s opinion data in the Report, which he had no knowledge of but was interested in.
(e) Finally, HSBC argued that MAS Notice 626 issued on 24 April 2015 (pursuant to section 27B of the Monetary Authority of Singapore Act) took precedence over HSBC’s obligations under the PDPA by virtue of section 4(6) of the PDPA, and allowed HSBC to refuse access to the Redacted Data. MAS Notice 626 deals with anti-money laundering and terrorism financing. Having considered the Redacted Data in the clear, I did not think that this MAS Notice was relevant.

The Deputy Commissioner’s Decision

21 Pursuant to section 48H(2)(a) of the PDPA, and for the reasons set out above, I confirm HSBC’s refusal to provide the Applicant with access to the Redacted Data.

YEONG ZEE KIN
DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION
Links from other tables
- 10 rows from item_version in pdpc_decisions_changed