Case Details
- Citation: [2020] SGPDPC 4
- Court: Personal Data Protection Commission
- Date: 2020-02-03
- Judges: Yeong Zee Kin, Deputy Commissioner
- Plaintiff/Applicant: N/A
- Defendant/Respondent: (1) Management Corporation Strata Title Plan No. 4375, (2) Smart Property Management (Singapore) Pte Ltd, (3) A Best Security Management Pte Ltd
- Legal Areas: Data Protection – Protection obligation, Data Protection – Data intermediary, Data Protection – Accountability obligation
- Statutes Referenced: Advisory Guidelines On Key Concepts in the Personal Data Protection Act, Personal Data Protection Act
- Cases Cited: [2016] SGPDPC 1, [2017] SGPDPC 15, [2017] SGPDPC 5, [2018] SGPDPC 27, [2019] SGPDPC 21, [2019] SGPDPC 23, [2020] SGPDPC 4
- Judgment Length: 11 pages, 2,655 words
Summary
This case concerns the unauthorized disclosure of CCTV footage showing a woman being injured by a falling glass door at a shopping mall managed by the Management Corporation Strata Title Plan No. 4375 (MCST 4375). The Personal Data Protection Commission (PDPC) found that MCST 4375 breached its obligations under the Personal Data Protection Act (PDPA) by failing to have reasonable security arrangements and data protection policies in place. The PDPC also found that one of MCST 4375's service providers, A Best Security Management Pte Ltd (ABSM), breached its obligations as a data intermediary by improperly disclosing the CCTV footage.
What Were the Facts of This Case?
In late February 2019, a woman was injured when a glass door fell on her at the premises of MCST 4375, also known as Alexandra Central Mall. The PDPC subsequently became aware that CCTV footage showing the glass door falling on the woman was disclosed on the Internet.
At the time of the incident, MCST 4375 had appointed Smart Property Management (Singapore) Pte Ltd (SPMS) as its managing agent and ABSM to provide security services at the mall. On the day of the accident, the senior security supervisor from ABSM who was on duty saw the incident on the CCTV monitors and immediately called for an ambulance and notified MCST 4375's representatives. MCST 4375's property officer then asked the security supervisor to send her a copy of the CCTV footage of the incident.
In response, the security supervisor replayed the relevant CCTV footage and recorded it on his mobile phone. He then sent the recording to a WhatsApp group chat with MCST 4375's property officer and an ABSM security executive who was also on duty. The security executive later forwarded the footage to the cleaning supervisor engaged by MCST 4375.
On the following day, a member of MCST 4375's management council requested a copy of the CCTV footage from the security supervisor and forwarded it to the other council members. Subsequently, the CCTV footage was posted on the video-sharing website YouTube and made available through various websites on the Internet.
What Were the Key Legal Issues?
The key legal issues in this case were:
- Whether MCST 4375 breached its obligations under Sections 12 and 24 of the PDPA by failing to have reasonable security arrangements and data protection policies in place.
- Whether ABSM, as a data intermediary engaged by MCST 4375, breached its obligations under Section 24 of the PDPA by improperly disclosing the CCTV footage.
How Did the Court Analyse the Issues?
The PDPC found that MCST 4375 had breached Sections 12 and 24 of the PDPA. Under Section 24, MCST 4375 had the primary responsibility of ensuring reasonable security arrangements were in place to protect the personal data in its possession or control, which included the CCTV footage. However, the PDPC found that MCST 4375 did not provide any instructions to ABSM or SPMS regarding requests for access to or disclosure of the CCTV footage.
Additionally, the PDPC found that MCST 4375 had not developed or put in place any data protection policies, in breach of Section 12 of the PDPA. MCST 4375 had expected its managing agent SPMS to implement the necessary policies and practices, but there were no contractual requirements or instructions to that effect.
As for ABSM, the PDPC determined that it was acting as a data intermediary of MCST 4375 in respect of the CCTV footage. While ABSM had a personal data protection policy prohibiting the disclosure of personal data without consent, its standard operating procedures did not include provisions on the handling of CCTV footage. The PDPC found that the disclosure of the footage by ABSM's security executive to the cleaning supervisor was unauthorized and in breach of ABSM's own policy.
The PDPC noted that proper staff training is a key security arrangement for compliance with the PDPA's protection obligation. Although ABSM claimed its staff were briefed on the PDPA, the lack of clear procedures in its standard operating procedures contributed to the unauthorized disclosure.
What Was the Outcome?
Based on its findings, the PDPC concluded that MCST 4375 was in breach of Sections 12 and 24 of the PDPA, while ABSM was in breach of Section 24. The PDPC did not find SPMS, MCST 4375's managing agent, to be in breach of any obligations under the PDPA in relation to this incident.
As a result of the breaches, the PDPC directed MCST 4375 and ABSM to implement appropriate policies, practices and security arrangements to comply with the PDPA. The PDPC also required MCST 4375 to engage an independent third party to review its data protection practices and provide a report to the PDPC.
Why Does This Case Matter?
This case highlights the importance of organisations, particularly those handling personal data, having robust data protection policies, practices and security arrangements in place. The PDPC's findings emphasize that organisations cannot simply rely on their service providers to fulfill their data protection obligations under the PDPA.
The case also underscores the need for clear procedures and proper staff training to ensure personal data is handled appropriately, even in emergency situations. The unauthorized disclosure of the CCTV footage, despite ABSM's existing data protection policy, demonstrates the importance of implementing comprehensive data protection measures that are effectively communicated to and followed by all employees.
This decision serves as a valuable precedent for organisations to review and strengthen their data protection compliance, particularly in relation to the management of CCTV footage and other forms of personal data processed by third-party service providers. It reinforces the PDPC's expectations for organisations to take ownership of their data protection responsibilities and implement the necessary safeguards.
Legislation Referenced
- Personal Data Protection Act
- Advisory Guidelines On Key Concepts in the Personal Data Protection Act
Cases Cited
- [2016] SGPDPC 1
- [2017] SGPDPC 15
- [2017] SGPDPC 5
- [2018] SGPDPC 27
- [2019] SGPDPC 21
- [2019] SGPDPC 23
- [2020] SGPDPC 4
Source Documents
This article analyses [2020] SGPDPC 4 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.