Responsibility of MCST for the protection of Personal Data under the Personal Data Protection Act

CLIENT UPDATE

The Management Corporation Strata Title Plan No. 3696 Eagle Eye Security Management Services Pte Ltd [2017] SGPDPC 11 (“Eagle Eye Case”)

In the Eagle Eye Case, a logbook which contained personal data of the coaches who attended and conducted swimming lessons at the Condominium was left unattended. The Personal Data Protection Commission (the “Commission”) found that both the MCST 3696 and the security company that the MCST 3696 hired, namely Eagle Eye Security Management Services Pte Ltd, had breached s24 of the PDPA.

The Commission found that Eagle Eye was a data intermediary to MCST 3696 as Eagle Eye was hired to, amongst other things, process personal data*. The personal data processing was the recording of persons who entered and left the premises and the maintaining of the logbook of coaches who were entering or leaving the premises of the Condominium.

As an organization, MCST 3696 has a primary role and duty to protect personal data in its possession or control under s24 of the PDPA, even though it had engaged a data intermediary to protect the personal data. Eagle Eye, as a data intermediary, also has a duty to protect personal data in its possession under s24 of the PDPA.

The Commission found the MCST 3696 ought to have exercised closer supervision over the implementation and adoption of policies and practices to protect the personal data collected by the Condominium. This ought to have been done by engaging in the planning and development of policies and practices or having general oversight of the security of the personal data breach, and/or sharing lessons and improvements to be made after having gone through the previous experience of the data breach incident.

This case is important insofar as it expressly states that the MCST has a shared responsibility with the security company it hires in ensuring sufficient administrative security arrangements to protect personal data. Although the maintenance of visitor logbooks (which usually requires visitors to state provide personal data) is usually left to the security companies hired by the MCSTs, this does not absolve the MCST from its duty to protect personal data. MCSTs should review their policies from time to time and work together with their security companies in developing and implementing strong data protection policies within the condominiums.

Please note that whilst the information in this Update is correct to the best of our understanding and knowledge at the time of writing, this Update only serves as a general guide to the subject matter and should not be treated as a substitute for specific professional advice for any particular course of action that you may require.

If you have any queries relating to the matters discussed above, you may contact our Ms Valerie Ang at valerieang@straitslaw.com.sg or the Straits Law Director who usually attends to your matters.

 


*As defined under section 2(1) of the PDPA