Navigating personal data protection pitholes in the MCST context: key takeaways from two recent decisions

Navigating personal data protection pitholes in the MCST context: key takeaways from two recent decisions
05 Dec 2017

The Personal Data Protection Act 2012 (“PDPA”) came into force in phases starting with the provisions relating to the formation of the Personal Data Protection Commission (“PDPC”) on 2 January 2013. The PDPC serves as Singapore’s main authority in matters relating to personal data. Through administering and enforcing the PDPA, the PDPC aims to balance the need to protect individuals’ personal data and the needs of organisations to use data for legitimate purposes.

Considering the inherent nature of MCST work and its constant handling of personal data of its subsidiary proprietors, the ambit of law regarding MCSTs’ protection of personal data has remained unsettled for a while.

Fortunately, two recent cases concerning investigations by the PDPC into four separate MCSTs for potential breaches of the PDPA have provided fresh perspective on the interpretation of some key statutory obligations that MCSTs should take note of. The two cases are:  Exceltec Property Management Pte Ltd; Management Corporation Strata Title Plan No 2956; Strata Land Property Consultants Pte Ltd - [2017] SGPDPC 08 (“Exceltec”), and The Management Corporation Strata Title Plan No. 3696 Eagle Eye Security Management Services Pte Ltd [2017] SGPDPC 11 (“Eagle Eye”).

Exceltec

   1. This was a joint decision on three separate cases involving MCSTs and managing agents of condominiums. The PDPC received a number of complaints from residents of three condominiums against their respective MCSTs, alleging that their personal data had been disclosed without their consent or notice. The personal data included (a) the residents’ names; (b) unit numbers, and (c) voting shares of the residents.

   2.  The key PDPA provisions that came under discussion in Exceltec were: -  

The Consent Obligation: This stipulates that an organisation is prohibited from disclosing an individual’s personal data without his or her consent unless exempted by statute.  
The Notification Obligation: This requires, amongst other things, that organisations notify individuals of (i) the purposes of collection, use or disclosure of personal data (prior to collection); and (ii) any other purpose of the use or disclosure of personal data of which the individual has not been informed of, unless exempted by statute.  
The Retention Obligation: This requires that an organisation cease to retain documents containing personal data, or remove any means by which the personal data can be associated with particular individuals as soon as it is reasonable to assume that such retention is no longer necessary.  
   3.  The PDPC found no infringement on the MCSTs’ part for 2 main reasons:(i) the disclosure of residents’ personal data was necessary as part of the dissemination of minutes of meetings and voter lists under Paragraph 3 of the Second Schedule to the Building Management and Strata Management Act (“BMSMA”); and (ii) the alleged personal data was already publicly available information. As such, the MCSTs had not breached their PDPA obligations.

Eagle Eye

   4.  This case concerned the Protection Obligation under section 24 of the PDPA, where the PDPC investigated into the failure of a security company to safeguard the visitor logbook of the Condominium containing personal data. This included the dates and times of entry and NRIC numbers.

   5.  The PDPC held that the MCST had a primary role and duty to protect personal data in its possession or control under the Protection Obligation, despite having engaged a data intermediary to protect the personal data.

   6.  The MCST had failed to meet this primary responsibility to protect personal data as evinced from their lack of adequate policies and processes in place to protect the said data.

   7.  As such, the PDPC issued a warning to both the security company and the MCST for failing to put in place any reasonable measures to prevent unauthorised access to the personal data.

What this means for MCSTs 

   8.  The BMSMA still takes prevalence over the PDPA insofar as they can be read together.  

   9.  In order to avoid falling afoul of PDPA obligations, it is critical to be aware of (i) when disclosure is required by law; and (ii) when personal data is considered a “publicly available” resource.

   10.  As a guideline, disclosure and/or publication of the following will not lead to a breach of the PDPA: (i) names; (ii) unit numbers; and (iii) voting shares of residents, as the PDPC views these as being generally available to the public. As for minutes of meetings, any recorded personal data should be relevant to the agenda of that meeting.

   11.  Further, MCSTs should note that disclosure of the strata roll under section 47 of the BMSMA is not a breach of the PDPA, as the PDPC has deemed information on the strata roll to be publicly available information.

   12.  The PDPC will also not hesitate to take appropriate enforcement and disciplinary action against MCSTs that are non-compliant. Note that section 29 of the PDPA empowers the PDPC to impose fines of up to S$1 million.

   13.  MCSTs should thus pay careful attention to ensure that they are in full compliance with their PDPA obligations.

Do’s and Don’ts for MCSTs

   14.  DO ensure that you have obtained consent and provided notice to the relevant individuals prior to the disclosure and/or publishing of personal data, especially where the said data is not publicly available information.  

   15.  DO ensure that any voter lists and/or minutes of meetings are kept on notice boards for only as long as they are necessary. Although the PDPC had noted that 2 months was a reasonable length of time in Exceltec, this is highly fact-specific and should be treated as a guideline.

   16.  DO ensure that the MCST has the necessary security arrangements in place to safeguard documents which contain information that allow for the identification of an individual. This may include the engagement of third-party providers to conduct vulnerability assessments prior to a system’s roll out and password protection policies where necessary.

   17.  DO limit copies of sensitive personal data to reduce the risk of PDPA breaches.

   18.  DON’T assume that responsibility to protect personal data lies solely with an engaged data intermediary, e.g. security services.

   19.  DON’T disclose or publish more personal data than necessary, and/or for longer than necessary.

NOTE: The content of this article is for general information only and does not constitute any form of legal advice. Please seek specific legal advice regarding your specific circumstances.

For more information, please contact our Business Development Manager, Ricky Soetikno, at RickySoetikno@eversheds-harryelias.com.