_commit_at,_commit_hash,_id,_item,_version,_commit,description,tags,date,pdf-url,nature,title,url,timestamp,pdf-content,decision,_item_full_hash,_changed_columns 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,103,103,1,952,A warning was issued to SSA Group International for failing to put in place reasonable security arrangements to prevent the unauthorised access of 53 individuals’ course registration information which were publicly available via its webpage.,"[""Protection"", ""Warning""]",2020-03-19,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/SSA-Group-International-Pte-Ltd---Summary-of-Decision---02032020.pdf,Protection,Breach of the Protection Obligation by SSA Group International,https://www.pdpc.gov.sg/all-commissions-decisions/2020/03/breach-of-the-protection-obligation-by-ssa-group-international,2020-03-19,"PERSONAL DATA PROTECTION COMMISSION Case No. DP-1909-B4729 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And SSA Group International Pte Ltd SUMMARY OF THE DECISION 1. The Personal Data Protection Commission (the “Commission”) received a complaint on 6 September 2019 that individuals’ course registration information were publicly accessible via a webpage (the “Webpage”) maintained by SSA Group International Pte Ltd (the “Organisation”). The Webpage contained 53 individuals’ names. Other information disclosed via the Webpage included course titles, sponsorship type, information on how the registrant knew about the Organisation and date of transaction. 2. The Commission found that the Organisation did not adopt reasonable steps to protect personal data in its possession or control against risk of unauthorised access. First, there were no authentication mechanisms in place to limit access to the Webpage. As such, the Webpage was indexed by search engines and made publicly searchable online. 
Second, there were no formal instructions provided to the developer of the Webpage to protect the contents during its creation in April 2018. Finally, there were no security reviews, including vulnerability scanning, conducted for the Webpage by the Organisation since its creation. As such, the fact that the Webpage was freely accessible from the Internet went undetected for more than a year. 3. On the facts above, the Deputy Commissioner for Personal Data Protection found the Organisation in breach of section 24 of the Personal Data Protection Act 2012. 4. In deciding to issue a warning to the Organisation, the Deputy Commissioner also took into account the following considerations: a) The Organisation’s representation that the Webpage had not been easy to locate was incorrect. An online search of the names of the 53 affected individuals produced the Webpage’s URL. b) The remedial measures taken by the Organisation, the type of personal data at risk, the inadvertent nature of the breach and the absence of a previous breach, all mentioned by the Organisation in its representations, had also been duly considered. c) The Commission’s previous decisions, including as Re Watami Food Service Pte Ltd [2018] SGPDPC [12] and Re Jade E-Services Singapore Pte Ltd [2018] SGPDPC 21 which had similar case facts. 5. No directions are required as the Organisation has implemented corrective measures that addressed the gaps in its security arrangements. ",Warning,4704e4fd9c80a645d09bbc78969a691237116a56,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,104,104,1,952,Both MCST 3593 and New-E Security failed to put in place reasonable security arrangements to prevent the unauthorised disclosure of CCTV footage of a common property at Marina Bay Residences. 
MCST3593 also failed to appoint a data protection officer and put in place policies and practices necessary for the organisation to comply with the PDPA.,"[""Protection"", ""Accountability"", ""Financial Penalty"", ""Directions""]",2020-03-19,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---MCST-3593-and-Others---02032020.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by MCST 3593 and Breach of the Protection Obligation by New-E Security,https://www.pdpc.gov.sg/all-commissions-decisions/2020/03/breach-of-the-protection-and-accountability-obligations-by-mcst-3593-and-breach-of-the-protection-obligation-by-new-e-security,2020-03-19,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 6 Case No DP-1903-B3554 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Management Corporation Strata Title Plan No. 3593 (2) Edmund Tie & Company Property Management Services Pte Ltd (3) New-E Security Pte Ltd … Organisations DECISION Management Corporation Strata Title Plan No. 3593 & Others [2020] SGPDPC 6 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3554 2 March 2020 Introduction 1 On 19 March 2019, Edmund Tie & Company Property Management Services Pte Ltd (“ETCPM”) on behalf of Management Corporation Strata Title Plan No. 3593 (“MCST 3593”) notified the Personal Data Protection Commission (the “Commission”) of unauthorised disclosure of closed-circuit television (“CCTV”) footage recorded at the premises of MCST 3593, known as Marina Bay Residences (the “Condominium”), by New-E Security Pte Ltd (“New-E”), a company providing security services at the Condominium, to an owner resident of a unit at the condominium (the “Incident”). Facts of the Case 2 MCST 3593 had appointed ETCPM as the managing agent of the Condominium since 2012. In November 2014, MCST 3593 had also engaged New-E to provide security services at the Condominium. 
ETCPM’s scope of work as managing agent included supervising New-E to ensure it carried out its duties properly. 3 On 1 February 2019, an owner resident of a unit at the Condominium (the “Resident”) approached the security supervisor on duty, who was an employee of New-E (the “Security Supervisor”), to request a copy of the CCTV footage of the Condominium’s lobby on 29 January 2019 between 9.00 pm to 9.30 pm (the “Requested CCTV Footage”). The Requested CCTV Footage had captured images of identifiable individuals who had passed through the common property during that period, and hence contained personal data of those individuals. The Security Supervisor proceeded to review the CCTV recordings and used his mobile phone to record a copy of the Requested CCTV Footage. The Security Supervisor then sent a copy of the Requested CCTV Footage which he had recorded on his mobile phone to the Resident using WhatsApp messenger. The Security Supervisor also sent a copy of the same footage to the residence manager of the Condominium, who was an employee of ETCPM (the “Residence Manager”). Upon receiving the copy of the Requested CCTV Footage, the Residence Manager contacted the Security Supervisor who informed him of the Resident’s request. The Residence Manager instructed the Security Supervisor not to release the Requested CCTV Footage to the Resident and to await further instructions. At that time, the Security Supervisor did not inform the Residence Manager that he had already sent a copy of the Requested CCTV Footage to the Resident. 4 On 2 February 2019, ETCPM informed MCST 3593 of the Resident’s request. MCST 3593 decided not to disclose the Requested CCTV Footage to the Resident and the Residence Manager conveyed MCST 3593’s decision to the Security Supervisor. Both MCST 3593 and ETCPM remained unaware that the Security Supervisor had already sent a copy of the Requested CCTV Footage to the Resident. 
5 On 9 February 2019, the Residence Manager was notified that the Resident’s Facebook page contained a post with a copy of the Requested CCTV Footage (the “Facebook Post”). On 11 February 2019, the Residence Manager contacted the operations director of New-E to inform him of the matter. On the same day, the Security Supervisor admitted to the Operation Director of New-E that he had sent a copy of the Requested CCTV Footage to the Resident on 1 February 2019. On 13 February 2019, ETCPM informed MCST 3593 of the unauthorised disclosure of the Requested CCTV Footage by the Security Supervisor to the Resident and the Facebook Post. 6 Since the discovery of the Incident, the following remedial actions have been taken: (a) MCST 3593 appointed a Data Protection Officer (“DPO”) and implemented its Personal Data Protection Policy and Standard Operating Procedure to comply with the Personal Data Protection Act 2012 (“PDPA”). MCST 3593 also informed the Commission that it will also be preparing and including additional data processing provisions in addendum(s) to the respective contracts with its managing agent and security company; and (b) New-E developed a personal data protection policy and operational procedure on personal data protection for all its employees. Findings and Basis for Determination 7 For the reasons set out below, I find MCST 3593 in breach of Sections 11(3), 12 and 24 of the PDPA and New-E in breach of section 24 of the PDPA. I find ETCPM not to be in breach of any of its obligations under the PDPA in relation to the Incident. Breach of Sections 11(3), 12 and 24 of the PDPA by MCST 3593 8 As an “organisation” under the PDPA, MCST 3593 had the primary responsibility of ensuring that there are reasonable security arrangements in place to protect personal data in its possession or under its control.1 It is not disputed that MCST 3593 had possession and/or control of the Requested CCTV Footage. 
To the extent that an MCST has appointed a managing agent or vendor to process personal data on its behalf, it should have in place a written agreement with clauses requiring them to comply with the data protection provisions under the PDPA, and carried these contractual obligations through into implementing practices like standard operating procedures.2 9 In the present case, MCST 3593 had engaged New-E to provide security services (including the management of CCTV footage) for the Condominium. In the course of providing security services, New-E was engaged to process personal data on behalf of MCST 3593, to wit, New-E had to process video footages captured by the CCTV network and system. In this case, the Security Supervisor retrieved CCTV footage, made a recording of an extract, and transmitted it. These actions amount to “processing” as the term is defined in section 2(1) of the PDPA. Hence, the true nature of the relationship between MCST 3593 and New-E is that of a data controller and data intermediary. However, the contract between MCST 3593 and New-E did not contain any clauses relating to the protection of personal data or any reference to the PDPA. There were no written instructions in the contract in relation to the management of CCTV footage, and MCST 3593 admitted to the Commission that it had not communicated any data protection requirements to ETCPM or New-E. In the circumstances, I find MCST 3593 in breach of Section 24 of the PDPA. [Footnote 1: Section 24 of the PDPA] [Footnote 2: See Re KBox Entertainment Group Pte. Ltd. 
[2016] SGPDPC 1 at [12] and 29(b)(ii); the Commission’s Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data (20 July 2016) which provides sample data protection clauses that organisations may find helpful] 10 In addition, during the course of investigations, MCST 3593 admitted that it had not appointed any DPO and it had not developed and put in place any data protection policies, as required under Sections 11(3) and 12 respectively of the PDPA. The importance of these requirements have been emphasized multiple times in previous decisions,3 as well as the Commission’s Advisory Guidelines for Management Corporations (issued on 11 March 2019) at [2.6]. In the circumstances, MCST 3593 was also in breach of Sections 11(3) and 12 of the PDPA. Breach of Section 24 of the PDPA by New-E 11 As mentioned at [9], the security services provided by New-E included the management of CCTV footage. This amounted to “processing” of personal data as defined in section 2(1) of the PDPA. New-E was accordingly acting as a data intermediary of MCST 3593 with respect to the Requested CCTV Footage. 12 In my view, New-E failed to put in place reasonable security arrangements to protect the Requested CCTV Footage and was in breach of section 24 of the PDPA for the following reasons: (a) According to New-E, it had a practice of only releasing CCTV footage to representatives of ETCPM which was communicated verbally to New-E’s employees and ETCPM. However, New-E conceded that it did not have any written policies to instruct and guide its employees with respect to their obligations under the PDPA, in particular the usage of mobile phones to record CCTV footage. In the present case, the Security Supervisor did not adhere to New-E’s practice and this may be due, at least in part, to the lack of a written policy which clearly sets out the relevant procedures to be followed before CCTV footage is disclosed. 
(b) New-E did not provide data protection training for its employees. It is well-established that proper training is a key security arrangement in an organisation’s compliance with the protection obligation under section 24 of the PDPA.4 Proper staff training – which creates data protection awareness amongst employees, imparts good practices in handling personal data, and puts employees on the alert for threats to the security of personal data – is necessary to complement an organisation’s data protection policies. [Footnote 3: See Re Aviva Ltd 2017 SGPDPC 14 at [32]; Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 at [31] to [37]; Re AgcDesign Pte Ltd [2019] SGPDPC 23 at [5]] [Footnote 4: Re National University of Singapore [2017] SGPDPC 5 at [15] – [28]; Re SLF Green Maid Agency [2018] SGPDPC 27 at [12]; Re SME Motor Pte Ltd [2019] SGPDPC 21 at [10] and Advisory Guidelines On Key Concepts in the Personal Data Protection Act (Revised 9 Oct 2019) at [17.5]] No Breach of the PDPA by ETCPM 13 ETCPM was a data intermediary of MCST 3593 in relation to the personal data it processed on their behalf when carrying out its duties as managing agent. As a data intermediary, ETCPM had an obligation under section 24 of the PDPA to put in place reasonable security arrangements to protect such personal data which was in its possession or under its control. 14 However, the personal data which is the subject of the present case was not in the possession or under the control of ETCPM. In particular, the Requested CCTV Footage was in the possession and under the control of New-E and was within the scope of New-E’s responsibilities as MCST 3593’s security services provider, as mentioned at [11]. Accordingly, it was not ETCPM’s responsibility in the present case to put in place reasonable security arrangements to protect the Requested CCTV Footage. 
15 For completeness, I note that pursuant to the written agreement between the MCST 3593 and ETCPM, ETCPM’s scope of services as managing agent included supervising New-E and ensuring that it carried out its duties and responsibilities properly and efficiently. The Incident did not arise due to ETCPM’s lack of supervision over New-E. As mentioned at [3] and [4] above, the Residence Manager instructed the Security Supervisor not to disclose the CCTV Footage to the Resident without further instructions, and subsequently conveyed MCST 3593’s instructions to the Security Supervisor that the Requested CCTV Footage should not be disclosed. Unbeknown to the Residence Manager, his instructions came too late because the Security Supervisor had already disclosed a copy of the Requested CCTV Footage to the Resident before then. 16 In the circumstances, I find that ETCPM was not in breach of any of its obligations under the PDPA in relation to the Incident. Representations by MCST 3593 17 In the course of settling this decision, MCST 3593 made representations regarding the findings as set out at [8] to [10], and on the quantum of financial penalty. The Organisation raised the following factors: (a) MCST 3593 comprises of subsidiary proprietors, and its council is elected annually at the annual general meeting to represent all subsidiary proprietors. All members of the council serve on a voluntary basis; (b) MCST 3593 appointed ETCPM to advise on its obligations and act on its behalf. MCST 3593’s management council relies on ETCPM to guide and help put in place measures to comply with the PDPA. According to MCST 3593, measures and safeguards had already been put in place to ensure that collection, use, disclosure of personal data, as well as protection and retention of personal data are in compliance with the PDPA; (c) The Security Supervisor disclosed the Requested CCTV Footage against the Resident Manager’s instructions and usual standard operating procedures. 
The Resident Manager’s instructions to the Security Supervisor was for and on behalf of the MCST 3593. No measures or safeguards could have prevented such wilful acts by the Security Supervisor; and (d) MCST 3593 took immediate remedial actions to address the matter, including voluntarily informing the Commission of the Incident. 18 Having carefully considered the representations, I have decided to maintain the quantum of financial penalty set out at [19(a)] for the following reasons: (a) In relation to MCST 3593’s representations on its constitution and the voluntary nature of the members of MCST 3593’s council, it is not disputed that MCST 3593 is an “organisation” as defined in section 2(1) of the PDPA and is therefore required to comply with the data protection provisions. The fact that the members of MCST 3593’s council are volunteers does not lower the standard expected of MCST 3593 in complying with its obligations under the PDPA. (b) It is not disputed that one of the roles that ETCPM had to perform as managing agent was the supervision of New-E. However, the gravamen of the breach lies in the fact that when MCST 3593 appointed New-E, there was nothing in the contract between them, or any written instructions thereafter, that dealt with the protection of personal data in the management of CCTV footage. New-E is a data intermediary to MCST 3593 insofar as it was managing personal data captured and stored in the CCTV system. As such, the contract between MCST 3593 and New-E has to deal with the protection and retention limitation obligations under the PDPA over this set of personal data. This ought to be followed through in their standard operating procedures, which in this case could either be supplied by ETCPM in its capacity as managing agent and supervisor of New-E or put in place between MCST 3593 and New-E. 
A review of the contract between MCST 3593 and New-E discloses this omission; and no written policies concerning the management of personal data stored in CCTV footage has been produced during investigations. On the contrary, New-E has admitted that there was nothing written up and they relied on verbal instructions of practices: at [12(a)]; and MCST 3593 admitted that it has not given any data protection instructions to either ETCPM or New-E: at [9]. (c) As for MCST 3593’s representations on the Resident Manager’s instructions to the Security Supervisor and the Security Supervisor’s wilful conduct, this does not absolve MCST 3593 from the requirement of having data protection clauses in its respective contracts with ETCPM and New-E and implementing standard operating procedures. The lack of these are sufficient reasons to find a contravention of section 24 of the PDPA by MCST 3593. (d) MCST 3593’s prompt remedial actions and voluntary notification to the Commission of the Incident had already been taken into consideration in my determination of the quantum of financial penalty. The Deputy Commissioner’s Directions 19 Having considered all the relevant factors in this case, I hereby direct: (a) MCST 3593 to pay a financial penalty of $5,000 within 30 days from the date of the directions, failing which interest at the rate specified in the Rules of Court in respect of judgment debts shall accrue and be payable on the outstanding amount of such financial penalty until the financial penalty is paid in full; and (b) New-E to: (i) put in place a data protection policy and internal guidelines, including procedures for proper management and access control in respect of CCTV footage within 30 days from the date of this direction; and (ii) inform the Commission of the completion of the above within 7 days of implementation. 
YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION 9 ","Financial Penalty, Directions",eeb49dfd4acb4b4db0e54f38d3c03d45e12085b1,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]" 2023-10-01T11:02:10+08:00,fbd32491db44d3d0c97aa12a99cefd61ec954264,105,105,1,952,Both MCST 4375 and A Best Security Management failed to put in place reasonable security arrangements to prevent the unauthorised disclosure of CCTV footage of an individual injured by a falling glass door at Alexandra Central Mall. MCST 4375 also failed to put in place policies and practices necessary for the organisation to comply with the PDPA.,"[""Protection"", ""Accountability"", ""Directions""]",2020-03-19,https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/MCST-4375-and-Others---Decision---03022020.pdf,"Protection, Accountability",Breach of the Protection and Accountability Obligations by MCST 4375 and Breach of the Protection Obligation by A Best Security Management,https://www.pdpc.gov.sg/all-commissions-decisions/2020/03/breach-of-the-protection-and-accountability-obligations-by-mcst-4375-and-breach-of-the-protection-obligation-by-a-best-security-management,2020-03-19,"PERSONAL DATA PROTECTION COMMISSION [2020] SGPDPC 4 Case No. DP-1903-B3437 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And (1) Management Corporation Strata Title Plan No. 4375 (2) Smart Property Management (Singapore) Pte Ltd (3) A Best Security Management Pte Ltd … Organisations DECISION Management Corporation Strata Title Plan No. 4375 & Others [2020] SGPDPC 4 Yeong Zee Kin, Deputy Commissioner — Case No DP-1903-B3437 3 February 2020 Introduction 1 In late February 2019, a woman was injured when a glass door fell on her at the premises of Management Corporation Strata Title Plan No. 4375 (“MCST 4375”), also known as Alexandra Central Mall (the “Mall”). 
The Personal Data Protection Commission (the “Commission”) subsequently became aware that closed-circuit television (“CCTV”) footage showing the glass door falling on the woman was disclosed on the Internet (the “Incident”). Facts of the Case 2 At the time of the incident, MCST 4375 had appointed Smart Property Management (Singapore) Pte Ltd (“SPMS”) as its managing agent and A Best Security Management Pte Ltd (“ABSM”) to provide security services at the Mall. These appointments took effect from 1 July 2018 and 1 June 2018 respectively. SPMS’ scope of work as managing agent included supervising service providers such as ABSM to ensure it carried out its duties properly. 3 On 24 February 2019, the senior security supervisor from ABSM (the “SSS”) who was on duty at the Mall’s Fire Control Centre, saw a glass door fall on a woman at Level 4 of the Mall’s car park lift lobby (the “Accident”) through the CCTV monitors. The SSS immediately called for an ambulance and notified MCST 4375’s Property Officer and ABSM’s Operations Manager of the Accident. Shortly thereafter, MCST 4375’s Property Officer asked the SSS to send her a copy of CCTV footage of the Accident. In response to this request, the SSS replayed the portion of the CCTV footage showing the Accident (the “Relevant CCTV Footage”) and recorded it with his mobile phone. The SSS then sent the copy of the Relevant CCTV Footage which he had recorded on his mobile phone to a WhatsApp group chat consisting of the SSS, the Security Executive from ABSM (the “SE”) who was also on duty at the time of the Accident, and MCST 4375’s Property Officer. The SSS also sent a copy of the same footage to ABSM’s Operations Manager in a separate WhatsApp message. Subsequently, the SE forwarded a copy of the Relevant CCTV Footage to the cleaning supervisor (engaged by MCST 4375) on duty at the time of the Accident (the “Cleaning Supervisor”). 
The SE also told the Cleaning Supervisor to inform the cleaners not to enter the barricaded area (where the Accident occurred) when carrying out their cleaning duties. 4 On 25 February 2019, a member of the management council of MCST 4375 (the “Management Council Member”) requested a copy of the Relevant CCTV Footage from the SSS for purposes of relating to an emergency meeting of MCST 4375’s management council. The SSS sent the Management Council Member a copy of the Relevant CCTV Footage. The Management Council Member then forwarded the Relevant CCTV Footage via WhatsApp to the other members of MCST 4375’s management council for their information. 5 On or around 26 February 2019, a copy of the Relevant CCTV Footage was posted onto the video-sharing website YouTube. The YouTube video containing a copy of the Relevant CCTV Footage was subsequently made available through various websites on the Internet. 6 Since the discovery of the Incident, MCST 4375 took the following remedial actions: (a) MCST 4375 replaced SPMS with a new managing agent with effect from 18 March 2019; and (b) An internal memorandum was issued to all MCST 4375 employees specifying that there shall be no distribution of any documents or media materials from the management office of MCST 4375, without prior approval from MCST 4375’s management council. Findings and Basis for Determination 7 For the reasons set out below, I find MCST 4375 in breach of Sections 12 and 24 of the PDPA and ABSM in breach of section 24 of the PDPA. I find SPMS not to be in breach of any of its obligations under the PDPA in relation to the Incident. Breach of Sections 12 and 24 of the PDPA by MCST 4375 8 Under section 24 of the PDPA, MCST 4375 had the primary responsibility of ensuring that there are reasonable security arrangements in place to protect personal data in its possession or under its control. 
It is not disputed that MCST 4375 had possession and/or control of the Relevant CCTV Footage. To the extent that an MCST has appointed a managing agent or vendor to process personal data on its behalf, it should have in place a written agreement with clauses requiring them to comply with the relevant data protection provisions under the PDPA1. 9 In the present case, MCST 4375 had engaged ABSM to provide security services which included management of CCTV footage recorded via the Mall’s CCTV system. In the course of providing security services, ABSM was engaged to process personal data on behalf of MCST 4375, to wit, ABSM had to process video footages captured by the Mall’s CCTV network and system. In this case, the SSS retrieved CCTV footage recorded by the Mall’s CCTV system, made a recording of an extract (i.e. the Relevant CCTV Footage) and transmitted it to various parties. These actions amount to “processing” as the term is defined in section 2(1) of the PDPA. Hence, the true nature of the relationship between MCST 4375 and ABSM is that of a data controller and data intermediary. 10 The Commission’s investigations revealed that MCST 4375 had security arrangements in place to restrict access to the Fire Control Centre (which was the only place where CCTV footage could be viewed). However, MCST 4375 did not provide any instructions to ABSM or SPMS in relation to requests for access to personal data, as well as the management of CCTV footage in general. Given its duties (which included processing CCTV footage on behalf of MCST 4375), MCST 4375 should have had written instructions clearly setting out the relevant procedures to be followed by ABSM and SPMS if they received a request for access to, or disclosure of, any CCTV footage recorded at the Mall. In the circumstances, I find MCST 4375 in breach of Section 24 of the PDPA. [Footnote 1: See Re KBox Entertainment Group Pte. Ltd. 
[2016] SGPDPC 1 at [12] and 29(b)(ii); the Commission’s Guide on Data Protection Clauses for Agreements Relating to the Processing of Personal Data (20 July 2016) which provides sample data protection clauses that organisations may find helpful] 11 In addition, under section 12 of the PDPA, organisations are required to develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under the PDPA. The importance of data protection policies have been emphasized multiple times in previous decisions2, as well as the Commission’s Advisory Guidelines for Management Corporations (issued on 11 March 2019) at [2.6]. 12 It emerged during the course of the Commission’s investigations that MCST 4375 had not developed or put in place any data protection policies. According to MCST 4375, it expected its managing agent (i.e. SPMS) to put in place the necessary policies and practices for MCST 4375 to comply with the PDPA. However, the contract between MCST 4375 and SPMS did not contain any requirements or clauses to this effect. MCST 4375 also conceded that it had not given any instructions to SPMS in this regard. In the circumstances, I also find MCST 4375 in breach of Section 12 of the PDPA. Breach of Section 24 of the PDPA by ABSM 13 As mentioned at [9], the security services provided by ABSM included the management of CCTV footage. This amounted to “processing” of personal data as defined in section 2(1) of the PDPA. ABSM was accordingly acting as a data intermediary of MCST 4375 in respect of the Relevant CCTV Footage. 14 At the material time, ABSM had a Personal Data Protection Policy, which specifically provided that ABSM would not disclose personal data to third parties without MCST 4375’s consent. 
[Footnote 2: See Re Aviva Ltd 2017 SGPDPC 14 at [32]; Re M Stars Movers & Logistics Specialist Pte Ltd [2017] SGPDPC 15 at [31] to [37]; Re AgcDesign Pte Ltd [2019] SGPDPC 23 at [5]] ABSM also had Standard Operating Procedures (“SOP”) outlining the standards of conduct expected of its employees. However, the SOP did not include provisions in relation to the recording, retrieving or disclosure of CCTV footage recorded at the Mall or the personal data captured therein. In addition, ABSM had a Crisis Report Flow Chart for the reporting of incidents (such as the Accident) which also did not contain any provisions relating to the handling of personal data. 15 Although the Relevant CCTV Footage contained personal data that was publicly available and consent for disclosure is not required, section 18(a) of the PDPA overlays the requirement that disclosure must nevertheless be for a reasonably appropriate purpose in the circumstances. In my view, the disclosure of the Relevant CCTV Footage by the SSS to MCST 4375’s Property Officer, ABSM’s Operation Manager, the SE and the Management Council Member was for a reasonably appropriate purpose. Pursuant to the Crisis Report Flow Chart, the SSS had to inform representatives of MCST 4375 and his supervisor (i.e. the ABSM Operation Manager) of the Accident. The SE was on duty at the time of the Accident and would have been working with the SSS to manage the situation post-Accident. As for the disclosure to the Management Council Member, members of the Management Council are representatives of an MCST and disclosure to them was akin to disclosure to MCST 4375. 16 However, the disclosure of the Relevant CCTV Footage by SE to the Cleaning Supervisor was unauthorised and in direct contravention of both ABSM’s Personal Data Protection Policy and Crisis Report Flow Chart. 
Given that the Relevant CCTV Footage contained personal data that was recorded in the Mall, ABSM’s Personal Data Protection Policy required the SE to obtain MCST 4375’s approval before sending a copy of the Relevant CCTV Footage to the Cleaning Supervisor. The SE’s failure to do so may be due, at least in part, to the lack of any provisions in the SOP setting out the procedures to be followed before CCTV footage is disclosed. 17 It is well-established that proper training is a key security arrangement in an organisation’s compliance with the protection obligation under section 24 of the PDPA (footnote 3). Proper staff training – which creates data protection awareness amongst employees, imparts good practices in handling personal data, and puts employees on the alert for threats to the security of personal data – is necessary to complement an organisation’s data protection policies. According to ABSM, both the SSS and SE were briefed on the PDPA in August 2018 when they were assigned to work at the Mall. However, the SE’s conduct evidenced a lack of knowledge or understanding of ABSM’s internal policies and procedures. 18 In my view, ABSM failed to properly train and communicate its internal policies and procedures in relation to the protection of personal data to its employees. In particular, ABSM should have had a written policy setting out the procedures to be followed in relation to the disclosure of CCTV footage and the personal data therein. In the circumstances, I find ABSM in breach of Section 24 of the PDPA. No Breach of the PDPA by SPMS 19 SPMS was also a data intermediary of MCST 4375 in relation to the personal data it processed on their behalf when carrying out its duties as managing agent. 
As a data intermediary, SPMS had an obligation under section 24 of the PDPA to put in place reasonable security arrangements to protect such personal data which was in its possession or under its control. Footnote 3: Re National University of Singapore [2017] SGPDPC 5 at [15] – [28]; Re SLF Green Maid Agency [2018] SGPDPC 27 at [12]; Re SME Motor Pte Ltd [2019] SGPDPC 21 at [10] and Advisory Guidelines On Key Concepts in the Personal Data Protection Act (Revised 9 Oct 2019) at [17.5]. 20 Notably, the personal data which is the subject of the present case was not in the possession or under the control of SPMS. In particular, the Relevant CCTV Footage was in the possession and under the control of ABSM and was within the scope of ABSM’s responsibilities as MCST 4375’s security services provider. Accordingly, it was not SPMS’ responsibility to put in place reasonable security arrangements to protect the Relevant CCTV Footage. 21 While SPMS’ duty as managing agent was to exercise a supervisory role over ABSM, the Commission’s investigations revealed that this was limited to exercising broad oversight over the attendance and performance of duties by ABSM’s employees. In both ABSM’s Personal Data Protection Policy and Crisis Report Flow Chart, SPMS did not have a role with respect to the management or approval of requests for access or disclosure of personal data. In particular, there was no requirement for ABSM’s employees to consult or seek approval from SPMS in relation to the disclosure of CCTV footage. The Incident accordingly did not arise due to SPMS’ lack of supervision over ABSM. 22 In the circumstances, I find that SPMS was not in breach of any of its obligations under the PDPA in relation to the Incident. 
The Deputy Commissioner’s Directions 23 Having considered all the relevant factors in this case, I hereby direct: (a) MCST 4375 to: (i) Develop and implement policies necessary for the protection of personal data in its possession and/or under its control to meet its obligations under Section 12 of the PDPA within 60 days from the date of this decision; (ii) Put in place reasonable security arrangements, including policies necessary for the protection of personal data in its possession and/or under its control to meet its obligations under Section 24 of the PDPA within 60 days from the date of this decision; (iii) As part of the security arrangements to be put in place, conduct training to ensure that its staff are aware of, and will comply with, the requirements of the PDPA when handling personal data within 60 days from date of decision; and (iv) Inform the Commission of the implementation of each of the above within 1 week of implementation; and (b) ABSM to: (i) Put in place reasonable security arrangements, including policies necessary for the protection of personal data in its possession and/or under its control to meet its obligations under Section 24 of the PDPA within 60 days from the date of this decision; and (ii) Inform the Commission of the implementation of the above within 1 week of implementation. YEONG ZEE KIN DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION ",Directions,c9534d20c08d9b7217ff8dd7e875c02139ab7e2a,"[""pdf-content"",""timestamp"",""decision"",""pdf-url"",""tags"",""nature"",""url"",""title"",""date"",""description""]"