PDPA
PDPA COMPLIANCE FOR MCST
A Management Corporation of Strata Title (“MCST”) is considered an “organisation” in the Personal Data Protection Act 2012 (“PDPA”). Thus, a MCST is subject to the obligations within the PDPA in relation to collection, use and disclosure of personal data in Singapore.
Introduction
A MCST is responsible for the management of the day-to-day operations in a strata title development. Some of its duties include maintaining a register of subsidiary proprietors, keeping the property in a state of good and serviceable repair, installing safety equipment and convening annual general meetings.
In the course of carrying out its duties, a MCST may be required to collect, use or disclosure personal information either from subsidiary proprietors or from visitors to the development.
Since the PDPA governs the collection, use and disclosure of personal data by organisations, a MCST should ensure that it is well aware of its data protection obligations under the PDPA and comply with such obligations.
According to section 48J of the PDPA, failure to comply with the obligations can result in financial penalties of up to $1 million.
Collection of personal data
If a MCST is statutorily authorised under written law to collect personal data, it may do so without the consent of the subsidiary proprietors. For instance, under section 46 of the Building Maintenance and Strata Management (Cap. 30C) (Rev. Ed. 2008) (“BMSAM”), a MCST is required to prepare a strata roll containing information such as the name of the subsidiary proprietor and his Singapore address for service of notices. In such a situation, the MCST would not need to obtain consent from the individual before collection.
If a MCST is not statutorily authorised to collect personal data, then it would need to seek prior consent before collection. For instance, in the issuance of car decals, if the MCST requires the mobile numbers of the subsidiary proprietors, it would need to seek consent before collection, because such collection of personal information for purposes of issuance of car decals is not authorised under any written law.1
With regards to seeking consent, the PDPA allows an organisation to rely on the concept of deemed consent. An individual is deemed to have given consent so long as they have voluntarily provided their consent. Thus, if a security guard informs a visitor that his name and phone number need to be collected and the visitor proceeds to fill up his details in the visitor logbook, the visitor is deemed to have given consent to the collection of his personal data.2
Engaging external vendors
A MCST may appoint managing agents to assist it in carrying out its duties. If the managing agents are involved in the processing of personal data on the MCST’s behalf, the managing agents would be considered data intermediaries.
In engaging data intermediaries, a MCST still remains responsible for all its data obligations under the PDPA. Thus, it should ensure that sufficient measures are implemented so that its managing agents are compliant with the PDPA.3 For instance, the MCST should ensure that there are data protection clauses and written policies in its contracts with its managing agent.
Engaging a Data Protection Officer (“DPO”)
Under sections 11 and 12 of the PDPA, a MCST is required to designate at least one individual as a DPO. The duties of the DPO include ensuring that the MCST complies with the PDPA, developing data protection policies and practices, alerting the MCST of any personal data risk and serving as a point of contact for personal data related enquiries.
Access/ Correction Requests
Under section 21 of the PDPA, a MCST is required, upon request by the individual, to provide personal data about that individual that is in the MCST’s possession. Thus, for instance, upon request by an individual, the MCST is obliged to provide the individual with access to the closed-circuit television (“CCTV”) footage capturing that individual, unless an exception applies. The MCST is not allowed to limit the access of the CCTV footage to law enforcement or investigation purposes.4
A MCST should respond to access requests as soon as reasonably possible. If it is not able to respond to the request within 30 days, it must inform the individual of the time which it will be able to respond.5
Protection of personal data
Under section 24 of the PDPA, a MCST is required to implement reasonable security measures to protect the personal data in its possession and prevent unauthorised disclosure of such data. For instance, a MCST should ensure that its visitor logbooks containing a visitor’s personal information are not left open for other visitors or residents to see.6
Retention of personal data
Under section 25 of the PDPA, a MCST must cease to retain its records containing personal data as soon as such purpose for which the personal data was collected is no longer being served and such retention is no longer necessary for legal or business purposes. In this regard, a MCST may retain its records of personal data for period not less than 5 years from the end of the financial year to which the operations relating to the records are completed.7
Recent decisions involving MCSTs
Management Corporation Strata Title Plan No. 3593 & others [2020] SGPDPC 6
In its management of Marina Bay Residences (the “Condominium”), MCST 3593 engaged New E Security Pte Ltd (“New E”) to provide security services at the Condominium.
On 1 February 2019, a resident of the Condominium requested a copy of the lobby’s CCTV footage on 29 January 2019 from the security supervisor on duty. The security supervisor was employed by New E.
The requested footage contained the images of identifiable individuals who had passed through the lobby and hence included personal data of those individuals. Upon request, the security supervisor proceeded to use his mobile phone to record the CCTV footage and send the recording to the resident via WhatsApp.
At the same time, the security supervisor also sent a copy of the phone recording to the Condominium’s residence manager. When MCST 3593 was alerted of the resident’s request for the CCTV footage, it decided against the disclosure of the footage. However, unbeknownst to MCST 3593, the footage had already been sent to the resident. The CCTV footage was subsequently found on the resident’s Facebook post.
The Commission found that MCST 3593 had breached its obligation under section 24 of the PDPA to ensure that reasonable measures are put in place to protect personal data and prevent unauthorised collection, use, and disclosure of such data.8
In reaching its findings, the Commission recognised that the relationship between MCST 3593 and New E was one of data controller and data intermediary. This was because in the course of providing security services, New E had to process personal data in the form of CCTV footage captured on behalf of MCST 3593.9 Accordingly, the contract between MCST 3593 and New E should have included terms relating to the protection and limitation obligations under the PDPA.10
However, in the contract between MCST 3593 and New E, there were no such clauses. There were also no written policies concerning the management of the CCTV footage. MCST 3593 admitted that it had not given any instructions to New E about data protection.11
The Commission also noted the fact that the security supervisor had acted against MCST 3593’s instructions does not absolve MCST 3593’s responsibility of having data protection clauses in its contract with New E and implementing data protection procedures.12
Further, during investigations, MCST 3593 admitted that it had not appointed any Data Protection Officer, nor had it implemented any data protection policies. Thus, MCST 3593 was also in breach of sections 11(3) and 12 of the PDPA.13
Having considered all the relevant facts in the present case, MCST 3593 was ordered to pay a financial penalty of $5,000.14
Management Corporation Strata Title Plan No 2956 and others [2017] SGPDPC 8
The Commission received complaints from residents regarding the disclosure of their personal information (names, unit numbers and voting shares) in the postings of voter lists and minutes of meeting on notice boards within the compound of their respective condominiums.
The Commission found in favour of the MCSTs in that they did not breach their Consent and Notification Obligations under the PDPA.
Under the Consent Obligation, a MCST is required to obtain consent from the residents for the collection, use or disclosure of their personal data. Under the Notification Obligation, a MCST is required to give notice of the purposes for which it was collecting, using or disclosing the personal data.15
However, section 4(6) of the PDPA allows for the provisions of other written laws to prevail over the data protection obligations under the PDPA. Further, section 13(b) of the PDPA allows the collection, use or disclosure of personal information without consent if authorised under any other written law.16
The Commission found that even though the MCSTs did not obtain the residents’ consent to disclose their personal data nor did they notify the residents of the purpose of disclosing their data,17 they were still not in breach of their data protection obligations under the PDPA as they were statutorily allowed to disclose such data under the BMSAM.
Under paragraph 7 of the First Schedule of the BMSMA, a MCST is required to put up a list of the names of persons who are entitled to vote at a general meeting on the notice board maintained on the common property.18
Similarly, under section 3 of the Second Schedule of the BMSMA, a MCST is required to display the minutes of any meetings held by the MCST on the notice board. Since the purpose of the minutes is to record fully and accurately what happened during the meetings, it was implicitly understood the minutes of the meetings would contain the residents’ names and unit numbers to identify those present during the meeting.19
Accordingly, the MCSTs were not in breach of their data protection obligations when they disclosed the residents’ names.
In relation to the residents’ unit numbers and voting shares, the Commission noted that such information was publicly available. They could be found in the strata roll which was easily accessible to the public by simply making an online application and paying a fee. Additionally, a resident’s name and unit number could also be found on the Singapore Land Authority Registry which is accessible by the public.20
Thus, pursuant to section 17 of the PDPA, the MCSTs were allowed to disclose such personal information of the residents without prior consent.
In one of the complaints, it was alleged that the MCST had posted the personal data on the notice board longer than was necessary, as the voter list was displayed for 2 months. Thus, the MCST had breached its Retention Limitation Obligation under section 25 of the PDPA.21
The Commission recognised that the voter list was intended to supplement the minutes of meeting. Accordingly, the voter list may be displayed on the notice board for as long as the minutes of meeting.
Under Paragraph 3 of the Second Schedule of the BMSMA, the minutes of meeting must be displayed for at least 14 days. Using the minimum period of display for the minutes of meeting as a benchmark, the Commission held that keeping the voter list on the notice board for 2 months was not unduly long.22 Thus, the MCST was not in breach of section 25 of the PDPA.
Conclusion
In the course of managing the operations of a strata title development, a MCST may be required to handle personal data, either of the development’s subsidiary proprietors or of the visitors of the development.
Thus, it is imperative for a MCST to be well-informed about its personal data protection obligations under the PDPA and ensure that it comply with such obligations.
For PDF version of this article, please click here.
References
[1] Personal Data Protection Commission, “Advisory Guidelines for Management Corporations” (17 May 2022), at [2.3].
[2] Id, at [3.17].
[3] Id, at [2.5].
[4] Id, at [3.7].
[5] Id, at [3.8].
[6] Id, at [3.18].
[7] Id, at [4.3].
[8] Management Corporation Strata Title Plan No. 3593 & others [2020] SGPDPC 6, at [7].
[9] Id, at [9].
[10] Id, at [18].
[11] Ibid.
[12] Ibid.
[13] Id, at [10].
[14] Id, at [19].
[15] Management Corporation Strata Title Plan No 2956 and others [2017] SGPDPC 8, at [9].
[16] Id, at [10] and 19.
[17] Id, at [17].
[18] Id, at [20].
[19] Id, at [22] – [26].
[20] Id, at [33]-[38].
[21] Id, at [47] – [48].
[22] Id, [49] –[50].
At Infinity Legal LLC, we help clients navigate through a variety of legal issues relating to personal data protection and privacy.
© Infinity Legal LLC 2024
The content of this article is for general information purposes only, and does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances. Infinity Legal LLC does not accept any responsibility for any loss which may arise from reliance on information or materials published in this article. Copyright in this publication is owned by Infinity Legal LLC. This publication may not be reproduced or transmitted in any form or by any means, in whole or in part, without prior written approval.
Infinity Legal LLC thanks and acknowledges Intern Valencia Wan for her contribution to this article.
[Last Updated: 21 March 2024, 4:18 pm]