Good data protection practices for MCSTs: How PDPA Applies
The Personal Data Protection Act also applies to the MCST: first, because it is an organisation based in Singapore, and second, because collecting, using, disclosing, and managing personal data is fundamental to what it does. Therefore, the MCST must comply with the Act’s data protection requirements.
Exceltec Property Management and Eagle Eye Security Management Services: Case studies
The decisions and undertakings regarding the alleged data breach of Exceltec Property Management Pte Ltd and Eagle Eye Security Management Services Pte Ltd highlight the crucial aspect of PDPA compliance for MCSTs.
For Exceltec Property Management, the PDPC ruled that when there is a disclosure of individual personal data, and the disclosure was necessary as part of the dissemination of minutes of meetings and voter lists, and such data was already publicly available, then such disclosure does not violate the PDPA.
As for Eagle Eye Security Management Services, the PDPC issued a warning regarding the failure to safeguard the Condominium’s visitor logbook, which contained personal data. The logbook includes the dates and times of entry and the visitors’ NRIC numbers. The PDPC highlights that the security company should secure the logbook and put adequate policies and processes in place to prevent this from happening again.
We can infer from these decisions that where personal information such as a personal address, name, or NRIC information is not meant to be disclosed, and the data has not already been made public, the PDPC can go after organisations when there is a breach, even if the breach was due to a simple logbook disclosure. PDPA compliance is therefore necessary for MCSTs, or else they can face a hefty fine of up to 1,000,000 SGD.
Common activities that involve the collection, use, or disclosure of personal data for MCSTs
The following are common activities faced by MCSTs where personal data is managed. We lay out examples as well as good data protection practices that can be applied in each scenario.
Dissemination of notices containing personal data: Voter list
The Building Maintenance and Strata Management Act (BMSMA) requires MCSTs to post a list of the names of those entitled to vote, as well as the addresses of the lots owned by these people on the estate’s notice board at least 48 hours before the public meeting.
Here, although there is a disclosure of personal data, MCSTs are still in compliance with the PDPA: pursuant to the BMSMA, posting the voter list does not need the consent of those on the list, unless it is their email addresses that are disclosed.
Dissemination of notices containing personal data: Minutes of meeting
In addition to MCST general meetings, MCST councils and executive committees are required to convene their own meetings. Under the BMSMA, the council or executive committee of the MCST is expected to “cause the recording of minutes of general meetings” and to maintain “complete and accurate minutes” of its proceedings.
Since the function and purpose of meeting minutes is to record accurately what transpired at the meeting, the minutes may include the personal data of estate residents or invitees, either to identify and record the individuals in attendance or arising from discussions regarding these individuals during the meetings.
When a complaint arises due to the disclosure of personal data, MCSTs can explain to the complainant that the full and accurate meeting minutes that were captured and posted were necessary to record what transpired at the meeting accurately.
Furthermore, if the MCST councils wish to audio record their meetings to ensure that full and accurate meeting minutes are captured, they may do so provided that they have notified subsidiary proprietors and residents, such as through the MCST’s personal data protection policy or notice of general meeting, that audio recordings of the proceedings will be taken during the meeting. The meeting attendees would be deemed to have granted their implied approval for such audio recordings to be made.
Handling access and correction requests
Under the PDPA, MCSTs are required to provide access to or make a correction to the individual’s personal data in the MCSTs’ possession or under their control upon the individual’s request, unless a relevant exception under sections 21 or 22 of the PDPA applies. For example, MCSTs must provide access to an individual’s personal data captured in closed-circuit television camera (CCTV) footage requested by the individual unless an exception applies.
However, suppose the CCTV footage no longer exists. In that case, the MCST must provide a reply even if it is not providing access to the requested personal data, and as good practice, inform the person requesting of the relevant reasons for rejecting the access request. The MCST should also have in place a retention policy that sets out when the MCST ceases to retain personal data contained in the CCTV footage.
Where an individual makes an access request for CCTV footage that also captures personal data of other individuals, the footage may only be given if the other individuals have consented to it. Otherwise, the requester may only access their own personal data captured in the CCTV footage.
While the PDPA does not require that an access request be accompanied by a reason for making the request, as a matter of good practice, MCSTs could ask the applicant to be more specific as to what type of personal data is required, as well as the time and date the personal data was collected, in order to facilitate the processing of the access request or to determine whether the request falls within one of the prohibitions under section 21(3) of the PDPA or an exception in the Fifth or Sixth Schedules.
In order to fulfill the access request in the most cost-effective manner, MCSTs could additionally ask the applicant what form a CCTV footage extract could be delivered in (such as a screenshot or video clip).
To ensure compliance with the PDPA when managing agents handle access and correction requests, MCSTs should create clear policies and processes for the handling of access and correction requests by these managing agents.
Estate security: Visitors and invitees
Visitors’ and invitees’ (such as subcontractors’) personal information may be routinely collected for security purposes. This can be achieved in numerous ways. Before being allowed to enter, visitors may be required to provide estate security with their name, vehicle number (if applicable), contact information, and the unit number they are visiting by filling out a visitor log book at the guard house of a condominium or the reception desk of a commercial building. CCTV images of the visitors and invitees may also be obtained.
This is why, when a visitor is asked to record her vehicle number and contact details and does so by logging them in the security guard’s log book, she is deemed to have consented to the collection, use, or disclosure of her personal data under the PDPA.
If the personal data collected includes the individual’s NRIC number, the MCST should adopt appropriate security arrangements that meet the higher level of protection required, such as implementing an electronic visitor management system and/or activating auto screen lock mechanisms for the computer screen if left unattended. However, if only a partial NRIC number is collected, such as only the last three digits, then the MCST would be deemed not to have collected the NRIC number.
The MCST must also comply with the PDPA’s requirement that it uses appropriate security measures to safeguard the personal information of visitors and invitees against unauthorized use or disclosure. In doing so, MCSTs should evaluate the type of personal data, the form in which it was gathered, and the impact on the subject if an unauthorized party obtained, modified, or disposed of the data.
For instance, an MCST that gathers the names and NRIC numbers of invitees must implement a higher level of protection to safeguard such sensitive information (e.g., employing a visitor management system with appropriate technical measures to control access).
This is due to the risk posed to individuals if NRIC numbers, which might be used to access vast amounts of personal information, were obtained and used for criminal purposes such as identity theft or fraud.
Estate security: Subsidiary proprietors
Typically, estate residents in a residential building and/or certain invitees of a commercial building (such as the occupant’s staff) are permitted to use access cards to enter and exit the estate premises. In the application for access cards and/or the maintenance of the access cards system, MCSTs may demand the contact information (i.e., names, phone numbers, and email addresses) of access card holders.
With this, MCSTs shall ensure that persons submit their consent (or deemed consent) for the collection, use, or disclosure of their personal data to give access via access cards, per the PDPA.
Estate security: Photographs or video recordings of social activities
MCSTs may occasionally organize social events or activities for estate residents. Suppose MCSTs intend to take and use images or video recordings of estate residents, visitors, or invitees attending these events for a specific purpose. In that case, they must notify these individuals and acquire their authorization to collect, use, or disclose their personal data for this purpose.
Organizers of social events, for instance, should advise attendees that images of them may be taken at the event for publication in an estate newsletter or annual general meeting presentation and provide information on how participants may withdraw consent. Alternatively, the MCST could post a prominent sign at the entrance of the event venue to inform citizens that images would be taken for such purposes at the event.
The Data Protection Provisions do not specify the methods for obtaining consent. Depending on the circumstances, MCSTs may utilize the most efficient method. In certain instances, consent may be presumed to have been granted when the individual has been notified that a video recording will be made at an event and voluntarily participates in the event or when the individual voluntarily consents to a photograph or video recording being taken of him or her.
Protection and retention of personal data
The BMSMA does not specify the security procedures that MCSTs and managing agents must implement to protect the personal information in their custody or control. For instance, the visitor log book, access card system, facilities log book, documents containing residents’ feedback or complaints, and resident’s portal may contain personal information.
Consequently, MCSTs and managing agents must comply with the Data Protection Provisions of the PDPA and implement reasonable security measures to protect such personal data in their possession or under their control from accidental or unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. Furthermore, individuals should not be able to access the personal data of other individuals, and the MCST should ensure that the visitor log book is kept in a secure place that is only accessible to authorized personnel.
Additionally, MCSTs and managing agents must have a retention policy that specifies when they will no longer retain documents containing personal data. Under the Retention Limitation Obligation, the PDPA requires an organization to cease retaining its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which the personal data was collected is no longer being served by retention of the personal data, and retention of the personal data is no longer necessary for the purposes for which the personal data was collected. MCSTs and managing agents shall ensure the proper and secure disposal of personal data in this manner.
In this regard, as part of their retention policies, MCSTs and managing agents are permitted to retain all records, books of account, and other documents relating to any transactions or operations for a period of not less than five years from the end of the financial year in which the transactions or operations to which the documents relate were completed, as required by the BMSMA. Beyond this retention time, MCSTs and managing agents shall evaluate, based on reasonableness criteria, whether the purposes for which the personal data was obtained have been met or whether the personal data must be retained for additional legal or business purposes.
PDPA Compliance for MCSTs: Hiring a DPO and how it can help
Another way of limiting breaches and avoiding a hefty fine is hiring a Data Protection Officer (DPO). The DPO’s importance lies in ensuring that compliance with the PDPA is met. MCSTs are required by the PDPC to hire a DPO, with the following responsibilities laid out in the Advisory Guidelines for Management Corporations:
a. Putting together a personal data protection policy that sets out the purposes for which personal data may be collected, used, or disclosed by the MCST as well as other data protection practices of the MCST to ensure compliance with the PDPA and making information about this policy available to all stakeholders;
b. Raising awareness and fostering a culture of data protection among staff (e.g., estate security guard), subsidiary proprietors, estate residents, and council as well as executive committee members of the MCST;
c. Developing and implementing policies and processes for the proper handling and management of personal data protection-related queries and complaints (e.g., access and correction requests) and making information about the complaints process available on request; and
d. Alerting the MCST to any risks that might arise with regard to the collection, use, or disclosure of personal data.
PDPA compliance for MCSTs is similar to that of any other organization. Since they handle and manage data in their day-to-day business, they are also liable for any personal data breaches. The good thing is that they can outsource a DPO to meet the PDPA requirement, and the DPO can in turn help with other PDPA compliance, with the added benefit of being affordable and readily available.
A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Furthermore, every organization’s DPO should be able to curb any instances of data breaches, as the DPO is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.
For instance, at Privacy Ninja, part of our scope of work is to conduct penetration testing to see if there are any loopholes within the organization’s system for bad actors to exploit. This is just one of the tactics employed by us to make sure that the personal data that MCSTs handle is secured and sound. In addition, Privacy Ninja currently serves as the appointed DPO of several MCSTs, ensuring that they fully comply with the PDPA.
DPOs complement the efforts of organizations in making sure that the personal data collected and used is accurate. This is because when there is an instance that the obligation has been breached, DPOs ensure that a protocol for dealing with it has been established and can be employed.
The PDPA Compliance for MCST is proof that in Singapore, when an organization involves personal data, it is strict in ensuring that it will not be breached for the security of everyone. As a consumer who provides my very own sensitive information to each organization I encounter or have a transaction with, I would feel safe if an organization would take the extra mile to ensure that my data is correct and concise as it affects me whenever a decision is made.