Case Details
- Citation: [2021] SGPDPC 3
- Court: Personal Data Protection Commission
- Date: 2021-03-04
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: [Redacted]
- Defendant/Respondent: HSBC Bank (Singapore) Limited
- Legal Areas: Data Protection - Access obligation, Data Protection – Personal data, Data Protection - Exceptions to the access obligation
- Statutes Referenced: Monetary Authority of Singapore Act, Personal Data Protection Act, Personal Data Protection Act 2012
- Cases Cited: [2021] SGPDPC 3
- Judgment Length: 9 pages, 2,923 words
Summary
This case involves a dispute between an individual applicant and HSBC Bank (Singapore) Limited over the applicant's request to access the bank's internal evaluation report on his credit card application. HSBC provided a redacted version of the report, citing the "evaluative purpose" exception under the Personal Data Protection Act (PDPA) to withhold certain information. The applicant challenged this decision before the Personal Data Protection Commission, which had to determine whether the redacted information constituted the applicant's personal data, and whether HSBC was justified in relying on the evaluative purpose exception or other exceptions to deny full access.
What Were the Facts of This Case?
The respondent, HSBC Bank (Singapore) Limited, is a full-service bank in Singapore that offers personal banking services, including credit card facilities to individuals. In 2018, the applicant applied for a credit card with HSBC, but his application was unsuccessful. Dissatisfied with the outcome, the applicant requested HSBC to provide him with a copy of the bank's internal evaluation report prepared for the purpose of assessing his credit card application ("the Report").
In response, HSBC furnished the applicant with a redacted version of the Report, withholding certain fields of information ("the Redacted Data"). HSBC's position was that it was not obliged to disclose the Redacted Data to the applicant, as it constituted "opinion data kept solely for an evaluative purpose" - an exception to the access obligation under the PDPA.
The applicant maintained that he was entitled to the full, unredacted Report, and approached the Personal Data Protection Commission (the "Commission") for assistance. The Commission attempted to facilitate an amicable resolution between the parties, but when these attempts were unsuccessful, the applicant elected to make a review application under the PDPA.
What Were the Key Legal Issues?
The key issues for the Commission's determination in this review application were:
1. Whether the Report, including the Redacted Data, constituted the applicant's personal data under the PDPA.
2. If the Report was the applicant's personal data, whether HSBC could rely on the "evaluative purpose" exception or any other exception under the PDPA or other written law to justify its refusal to provide the applicant with full access to the Report.
How Did the Court Analyse the Issues?
On the first issue, the Commission found that the Report, including the Redacted Data, constituted the applicant's personal data under the PDPA. The Commission explained that personal data is broadly defined under the PDPA to cover different types of data about an individual from which the individual can be identified, regardless of whether the data is true or accurate, or whether it exists in electronic or other form.
The Commission noted that the Report was prepared for the purpose of evaluating the applicant's credit card application and contained information about him that was relevant to HSBC's decision-making. Even though the Redacted Data was algorithmically generated by HSBC's proprietary system, the Commission found that it still constituted the applicant's personal data, as the primary focus is whether the information is about an identified or identifiable individual, rather than the manner in which the data was collected or derived.
On the second issue, the Commission examined whether HSBC could rely on the "evaluative purpose" exception or any other exception under the PDPA or other written law to withhold the Redacted Data from the applicant.
The Commission acknowledged that the PDPA recognizes a distinction between ensuring good quality personal data is available to organizations for decision-making, and preserving the confidentiality of the decision-making process itself. While the access and correction obligations under the PDPA empower individuals to ensure the accuracy of their personal data, the Fifth and Sixth Schedules of the PDPA contain exceptions intended to protect the confidentiality of the decision-making process, such as the "evaluative purpose" exception.
The Commission found that the Redacted Data constituted "opinion data" that was kept by HSBC solely for the purpose of determining the applicant's suitability for a credit card, which fell within the definition of "evaluative purpose" under the PDPA. As such, the Commission concluded that HSBC was justified in relying on the "evaluative purpose" exception to withhold the Redacted Data from the applicant.
In addition, the Commission noted that HSBC had also cited other exceptions under the PDPA, such as the exceptions for confidential commercial information, investigations and associated proceedings, and unreasonable burden or expense, as well as the exception for frivolous and vexatious requests. However, the Commission did not need to consider the applicability of these other exceptions, as it had already determined that the "evaluative purpose" exception applied.
What Was the Outcome?
Based on the above analysis, the Commission dismissed the applicant's review application, finding that HSBC was justified in withholding the Redacted Data from the applicant under the "evaluative purpose" exception in the PDPA.
Why Does This Case Matter?
This case provides important guidance on the scope and application of the "evaluative purpose" exception under the PDPA, which allows organizations to withhold certain opinion data from data subjects in the context of decision-making processes.
The case clarifies that the "evaluative purpose" exception applies not only to personal data directly provided by the data subject, but also to opinion data that is algorithmically generated by the organization based on information obtained from the data subject and other sources. As long as the data is kept solely for the purpose of evaluating the suitability, eligibility or qualifications of the individual, the organization can rely on this exception to deny access.
This decision reinforces the balance struck by the PDPA between empowering individuals to ensure the accuracy of their personal data, and preserving the confidentiality of the decision-making process. It demonstrates that organizations can legitimately withhold certain information from data subjects where disclosure would compromise the integrity of their internal evaluation and decision-making procedures.
For legal practitioners, this case highlights the importance of carefully analyzing the specific exceptions under the PDPA when advising clients on data access requests. It shows that the "evaluative purpose" exception can be a valid basis for denying access, even where the requested information is algorithmically generated and constitutes the individual's personal data.
Legislation Referenced
- Monetary Authority of Singapore Act
- Personal Data Protection Act
- Personal Data Protection Act 2012
Cases Cited
- [2021] SGPDPC 3
Source Documents
This article analyses [2021] SGPDPC 3 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.