by Teng Teng Koh
Share
Share
While managing agents and security vendors may handle personal data on the ground, the MCST remains responsible for how personal data is managed. The May 2025 PDPC enforcement case (Case No. DP-2405-C2318) have made this clear: when something goes wrong, the MCST— not the contractor— is held accountable.
When Someone Requests Access to Their Data
From time to time, residents, visitors, or third parties may ask for access to personal data about themselves, most commonly CCTV footage after an incident.
These requests cannot be ignored, delayed indefinitely, or rejected outright just because other people appear in the footage. The PDPC expects MCSTs to:
Acknowledge and assess the request properly
Consider practical steps such as masking other individuals
Respond within a reasonable timeframe
Keep clear records of how the decision was made
Many MCSTs run into trouble simply because there is no clear process. Requests are passed between managing agents and security teams, CCTV footage is overwritten, or no one is sure who should decide what can be released.
Delegating the Work Does Not Remove Responsibility
Even if a managing agent or security contractor handles CCTV systems or access requests, the MCST is still expected to:
Appoint a Data Protection Officer (DPO)
Have clear, MCST-specific data protection procedures
Ensure contractors know exactly what to do when a request comes in
Using a generic policy from a managing agent is usually not enough. Policies and processes must reflect how the MCST actually operates on the ground.
How We Help MCSTs
Our outsourced compliance and DPO services are designed to make this simple and practical for MCSTs.
We help by:
Acting as the MCST’s appointed DPO
Putting clear, easy-to-follow processes in place for access requests
Drafting responses and assessments so the council is not left guessing
Supporting the MCST if a complaint or regulatory query arises
The goal is for your peace of mind. With clear processes in place, MCSTs can respond confidently, fairly, and in line with PDPC expectations.
Good data protection is not about doing more, but knowing what to do when it matters.
Most MCSTs assume data protection issues only arise when there is a complaint. In reality, many breaches happen quietly. Weak passwords, unsecured systems, or unclear responsibilities between managing agents and vendors. By the time something goes wrong, it is often too late.
When a resident asks for CCTV footage, it rarely comes with a manual. Do you check with the managing agent? Security? The council? PDPA expectations are clear, but day-to-day handling often isn’t.
On 25 September 2025, the Monetary Authority of Singapore (MAS) issued the Guidelines on Standards of Conduct for Digital Advertising Activities. These new rules, effective 25 March 2026, apply to all financial institutions (FIs) and their appointed digital marketers — including agencies, affiliates, and influencers (“finfluencers”).
