Background

The Management Corporation Strata Title Plan No. 3615 (“MCST 3615”) is responsible for the managing and maintaining common areas in the Suites@Cairnhill Condominium (the “Condominium”). MCST 3615 had engaged a managing agent (“MA”) for the Condominium. On 23 May 2024, the Personal Data Protection Commission (the “Commission”) received a complaint from a member of public (the “Complainant”) that he was denied access to CCTV footage allegedly containing his personal data for which he had raised an access request. The Complainant also alleged that the access request had not been handled in accordance with the Personal Data Protection Act 2012 (the “PDPA”).

On 13 April 2024 at approximately 5am, the Complainant was riding a motorcycle along the Condominium’s Cairnhill Road perimeter when he collided with a taxi. The Complainant found that the Condominium had a CCTV camera facing its Cairnhill Road perimeter. On 20 May 2024, the Complainant submitted a written request for access to CCTV footage of the Cairnhill Road perimeter at the material time, which could have captured himself and/or the accident. The MA refused the request on 21 May 2024.

Access Obligation

 Investigations revealed that MCST 3615 did not possess the personal data of the Complainant, as the Complainant could not be identified from the CCTV footage, whether by itself or with other information to which MCST 3615 has or is likely to have access. The Condominium’s CCTV had captured footage of a motorcycle riding along Cairnhill Road at the time of the accident. However, it had only captured the silhouette of the rider and did not capture any identifying features such as facial features or the license plate of the motorcycle. MCST 3615 also did not possess any other information to identify the individual from the footage. As MCST 3615 was not in the possession of the Complainant’s personal data from the CCTV footage, MCST 3615 was not obliged under the Access Obligation to provide access to the Complainant.

Accountability Obligation

Investigations also revealed that, prior to 3 October 2024 and at the time of the incident, MCST 3615 did not have a data protection officer.

MCST 3615 also admitted to not having any data protection policies nor internal guidelines prior to 8 October 2024. In addition, MCST 3615 did not communicate clear instructions to its MA on how it should handle access requests for personal data.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from MCST 3615 to improve its compliance with the PDPA. The Undertaking was executed on 8 May 2025.

As part of the Undertaking, MCST 3615 will be implementing the following:

(a) Conduct training for the MA as the data intermediary for MCST 3615.

(b) Provide instructions to the MA in relation to access requests for personal data, review its contract with the MA, and document such instructions.

(c) Improve and put into writing communication protocols with the MA.

(d) Review the requirements of the Access and Correction Obligations and document suitable practices for MCST 3615.

(e) Conduct training for its MA and security vendor.

(f) Review and document the procedures for the recording, retrieval, and backup of CCTV footages.

(g) Use the above documents to produce standing instructions for its security vendor.

(h) Review and implement information security and technical measures to protect personal data.

(i) Review its newly implemented Privacy Policy and Data Protection Guidance Manual, and document specific actions that have been taken to comply with the PDPA.

The Commission will verify MCST 3615’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.