Singapore strata company to pay SGD 5k privacy fine

On 02/Mar/2020, Management Corporation Strata Title Plan No. 3593 received a privacy fine of SGD 5,000. The enforcement authority (Personal Data Protection Commission) has cited these legal provisions in imposing the fine on Management Corporation Strata Title Plan No. 3593: PDPA2012/Section 24 PDPA2012/

Essentials

Date of enforcement action:
02/Mar/2020
Jurisdiction: Fine imposed:
Singapore Flag for Singapore, which is the jurisdiction taking enforcement action SGD 5,000 (US$3,500)
Defendant company or entity: Industry segment:
Management Corporation Strata Title Plan No. 3593 Real Estate /

Case summary

The case related to unauthorized disclosure of CCTV footage by Management Corporation Strata Title Plan No. 3593, which is a company administering a number of apartments in a complex. A SGD 5,000 fine was imposed on the company.

Facts

On 1 February 2019, an owner resident of a unit at the Condominium (the “Resident”) approached the security supervisor on duty, who was an employee of New-E (the “Security Supervisor”), to request a copy of the CCTV footage of the Condominium’s lobby on 29 January 2019 between 9.00 pm to 9.30pm (the “Requested CCTV Footage”). The Requested CCTV Footage had captured images of identifiable individuals who had passed through the common property during that period, and hence contained personal data of those individuals.The Security Supervisor proceeded to review the CCTV recordings and used his mobile phone to record a copy of the Requested CCTV Footage.

The Security Supervisor then sent a copy of the Requested CCTV Footage which he had recorded on his mobile phone to the Resident using WhatsApp messenger. The Security Supervisor also sent a copy of the same footage to the residence manager of the Condominium, who was an employee of ETCPM (the “Residence Manager”). Upon receiving the copy of the Requested CCTV Footage, the Residence Manager contacted the Security Supervisor who informed him of the Resident’s request. The Residence Manager instructed the Security Supervisor not to release the Requested CCTV Footage to the Resident and to await further instructions. At that time, the Security Supervisor did not inform the Residence Manager that he had already sent a copy of the Requested CCTV Footage to the Resident.

On 2 February 2019, ETCPM informed MCST 3593 of the Resident’s request. MCST 3593 decided not to disclose the Requested CCTV Footage to the Residen tand the Residence Manager conveyed MCST 3593’s decision to the Security Supervisor. Both MCST 3593 and ETCPM remained unaware that the Security Supervisor had already sent a copy of the Requested CCTV Footage to the Resident.

Reasoning of the Commissioner

As an “organisation” under the PDPA, MCST 3593 had the primary responsibility of ensuring that there are reasonable security arrangements in place to protect personal data in its possession or under its control. It is not disputed that MCST 3593 had possession and/or control of the Requested CCTV Footage. To the extent that an MCST has appointed a managing agent or vendor to process personal data on its behalf, its should have in place a written agreement with clauses requiring them to comply with the data protection provisions under the PDPA, and carried these contractual obligations through into implementing practices like standard operating procedures.

In the present case, MCST 3593 had engaged New-E to provide security services (including the management of CCTV footage) for the Condominium. In the course of providing security services, New-E was engaged to process personal data on behalf of MCST 3593, to wit, New-E had to process video footage captured by the CCTV network and system. In this case, the Security Supervisor retrieved CCTV footage, made a recording of an extract, and transmitted it. These actions amount to “processing” as the term is defined in section 2(1) of the PDPA. Hence, the true nature of the relationship between MCST 3593 and New-E is that of a data controller and data intermediary. However, the contract between MCST 3593 and New-E did not contain any clauses relating to the protection of personal data or any reference to the PDPA. There were no written instructions in the contract in relation to the management of CCTV footage, and MCST 3593 admitted to the Commission that it had not communicated any data protection requirements to ETCPM or New-E. In the circumstances, I find MCST 3593 in breach of Section 24 of the PDPA.

In addition, during the course of investigations, MCST 3593 admitted that it had not appointed any DPO and it had not developed and put in place any data protection policies, as required under Sections 11(3) and 12 respectively of the PDPA. The importance of these requirements have been emphasized multiple times in previous decisions, as well as the Commission’s Advisory Guidelines for Management Corporations (issued on 11 March 2019) at [2.6]. In the circumstances, MCST 3593 was also in breach of Sections 11(3) and 12 of the PDPA.

(Personal Data Protection Commission Singapore)

Applicable legal provisions

Enforcement information

Enforcement authority: Type of enforcement action:
Personal Data Protection Commission Flag for Singapore, which is the jurisdiction taking enforcement action Penalty notice
Subject to appeal?
Not known

File or case number

DP-1903-B3554; [2020] SGPDPC 6

Cite this fine in your work

Data Privacy Fines Index. (2020-03-02 09:17) Singapore strata company to pay SGD 5k privacy fine. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/singapore-strata-company-to-pay-sgd-5k-privacy-fine/

Entry last updated: 2020-05-05 08:47 GMT.