Case Details
- Citation: [2020] SGPDPC 6
- Court: Personal Data Protection Commission
- Date: 2020-03-02
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Management Corporation Strata Title Plan No. 3593 & Others
- Legal Areas: Data Protection – Protection obligation, Data Protection – Data intermediary, Data Protection – Accountability obligation
- Statutes Referenced: Advisory Guidelines On Key Concepts in the Personal Data Protection Act, Personal Data Protection Act
- Cases Cited: [2016] SGPDPC 1, [2017] SGPDPC 15, [2017] SGPDPC 5, [2018] SGPDPC 27, [2019] SGPDPC 21, [2019] SGPDPC 23, [2020] SGPDPC 6
- Judgment Length: 9 pages, 2,778 words
Summary
This case involves a breach of the Personal Data Protection Act (PDPA) by a management corporation (MCST 3593) and a security services provider (New-E) in relation to the unauthorized disclosure of closed-circuit television (CCTV) footage containing personal data. The Personal Data Protection Commission (PDPC) found MCST 3593 in breach of its obligations under the PDPA for failing to have reasonable security arrangements in place and for not appointing a data protection officer or implementing data protection policies. The PDPC also found New-E in breach of its obligations as a data intermediary for failing to have adequate security measures and training for its employees. However, the PDPC did not find the managing agent (ETCPM) in breach of the PDPA.
What Were the Facts of This Case?
MCST 3593 had appointed ETCPM as the managing agent of the Marina Bay Residences condominium since 2012. In November 2014, MCST 3593 had also engaged New-E to provide security services at the condominium. On 1 February 2019, a resident of the condominium (the "Resident") approached the security supervisor on duty, who was an employee of New-E (the "Security Supervisor"), to request a copy of the CCTV footage of the condominium's lobby on 29 January 2019 between 9.00 pm to 9.30 pm (the "Requested CCTV Footage").
The Security Supervisor proceeded to review the CCTV recordings and used his mobile phone to record a copy of the Requested CCTV Footage, which contained personal data of identifiable individuals. The Security Supervisor then sent a copy of the Requested CCTV Footage to the Resident using WhatsApp messenger. The Security Supervisor also sent a copy of the same footage to the residence manager of the condominium, who was an employee of ETCPM (the "Residence Manager").
On 2 February 2019, ETCPM informed MCST 3593 of the Resident's request. MCST 3593 decided not to disclose the Requested CCTV Footage to the Resident, and the Residence Manager conveyed this decision to the Security Supervisor. However, both MCST 3593 and ETCPM remained unaware that the Security Supervisor had already sent a copy of the Requested CCTV Footage to the Resident.
On 9 February 2019, the Residence Manager was notified that the Resident's Facebook page contained a post with a copy of the Requested CCTV Footage. On 11 February 2019, the Security Supervisor admitted to the operations director of New-E that he had sent a copy of the Requested CCTV Footage to the Resident on 1 February 2019. On 13 February 2019, ETCPM informed MCST 3593 of the unauthorized disclosure of the Requested CCTV Footage by the Security Supervisor to the Resident and the Facebook post.
What Were the Key Legal Issues?
The key legal issues in this case were:
1. Whether MCST 3593 breached its obligations under the PDPA, specifically Sections 11(3), 12, and 24, in relation to the unauthorized disclosure of the Requested CCTV Footage.
2. Whether New-E, as a data intermediary, breached its obligations under Section 24 of the PDPA in relation to the unauthorized disclosure of the Requested CCTV Footage.
3. Whether ETCPM, as the managing agent of MCST 3593, breached any of its obligations under the PDPA in relation to the unauthorized disclosure of the Requested CCTV Footage.
How Did the Court Analyse the Issues?
The PDPC first examined MCST 3593's obligations as an "organisation" under the PDPA. The PDPC found that MCST 3593 had the primary responsibility of ensuring that there were reasonable security arrangements in place to protect the personal data in its possession or under its control, including the Requested CCTV Footage.
The PDPC noted that MCST 3593 had engaged New-E to provide security services, including the management of CCTV footage, which amounted to the processing of personal data on behalf of MCST 3593. However, the contract between MCST 3593 and New-E did not contain any clauses relating to the protection of personal data or any reference to the PDPA. MCST 3593 also admitted that it had not communicated any data protection requirements to ETCPM or New-E. As such, the PDPC found MCST 3593 in breach of Section 24 of the PDPA for failing to have a written agreement with New-E that included data protection obligations.
Additionally, the PDPC found that MCST 3593 had not appointed a data protection officer and had not developed and put in place any data protection policies, as required under Sections 11(3) and 12 of the PDPA. The PDPC emphasized the importance of these requirements in ensuring an organization's compliance with the PDPA.
Regarding New-E, the PDPC found that it had failed to put in place reasonable security arrangements to protect the Requested CCTV Footage and was in breach of Section 24 of the PDPA. The PDPC noted that New-E did not have any written policies to instruct and guide its employees on their obligations under the PDPA, particularly regarding the use of mobile phones to record CCTV footage. The PDPC also found that New-E did not provide data protection training for its employees, which is a key security arrangement for compliance with the PDPA.
Finally, the PDPC did not find ETCPM in breach of any of its obligations under the PDPA. The PDPC determined that the Requested CCTV Footage was not in the possession or under the control of ETCPM, as it was within the scope of New-E's responsibilities as the security services provider. The PDPC also noted that ETCPM had properly supervised New-E and conveyed MCST 3593's instructions to the Security Supervisor not to disclose the CCTV footage.
What Was the Outcome?
Based on its findings, the PDPC concluded that MCST 3593 was in breach of Sections 11(3), 12, and 24 of the PDPA, and that New-E was in breach of Section 24 of the PDPA. However, the PDPC did not find ETCPM in breach of any of its obligations under the PDPA in relation to the incident.
Since the discovery of the incident, MCST 3593 has taken remedial actions, including appointing a data protection officer, implementing a personal data protection policy and standard operating procedure, and informing the PDPC that it will be preparing and including additional data processing provisions in its contracts with the managing agent and security company. New-E has also developed a personal data protection policy and operational procedure on personal data protection for all its employees.
Why Does This Case Matter?
This case is significant for several reasons:
1. It highlights the importance of organizations, such as management corporations, having proper data protection policies, practices, and contractual arrangements in place when engaging third-party service providers, such as security companies, to process personal data on their behalf.
2. The case emphasizes the need for organizations to appoint a data protection officer and implement comprehensive data protection policies, as required under the PDPA, to ensure compliance and accountability.
3. The case underscores the obligations of data intermediaries, such as security companies, to have reasonable security arrangements, including written policies and employee training, to protect the personal data they process on behalf of their clients.
4. The case provides guidance on the respective responsibilities of an organization and its managing agent in relation to the protection of personal data, and the circumstances under which the managing agent may or may not be held responsible for a breach of the PDPA.
Overall, this case serves as an important precedent for organizations and data intermediaries in Singapore on the practical implementation of their data protection obligations under the PDPA.
Legislation Referenced
- Advisory Guidelines On Key Concepts in the Personal Data Protection Act
- Personal Data Protection Act
Cases Cited
- [2016] SGPDPC 1
- [2017] SGPDPC 15
- [2017] SGPDPC 5
- [2018] SGPDPC 27
- [2019] SGPDPC 21
- [2019] SGPDPC 23
- [2020] SGPDPC 6
Source Documents
This article analyses [2020] SGPDPC 6 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.