On 11 March 2019, the Personal Data Protection Commission of Singapore (PDPC) issued a set of advisory guidelines for management corporations of strata title plans (MCSTs), which were developed in consultation with Singapore's Building and Construction Authority.
The guidelines provide guidance to MCSTs on complying with Singapore's Personal Data Protection Act (PDPA), and some key aspects are as follows:
- As an MCST comprises the subsidiary proprietors of all lots within the strata title plan of a residential or commercial building in Singapore, it is an "organization" as defined in the PDPA.
- MCSTs are required to comply with other laws such as the Building Maintenance and Strata Management Act (BMSMA) and its subsidiary legislation including the Building Maintenance (Strata Management) Regulations 2005 (BMSMR), and the Land Titles (Strata) Act. For instance, they may be required under these laws to collect and use certain personal data, such as that of the subsidiary proprietors and mortgagee names or for preparing and maintaining a strata roll.
- The PDPA does not affect these other laws, and if there is any inconsistency among them, the other laws will prevail over the PDPA. Hence, where an MCST is required or authorised to collect, use or disclose personal data without consent under other laws, it may do so without the need for consent under the PDPA.
- Where MCSTs appoint managing agents to carry out their duties or functions on their behalf, such managing agents may be considered data intermediaries under the PDPA. MCSTs retain primary responsibility to comply with the PDPA, and they must undertake appropriate due diligence to ensure that the managing agents are able to comply with the PDPA. They can also enter into suitable data processing agreements with such agents.
The guidelines also clarify on the applicability of the PDPA to some common activities carried out by the MCSTs involving personal data, as follows:
- Voter list – MCSTs are required under the BMSMA to display a list of the names of persons entitled to vote and addresses of the lots owned by these persons on the estate's notice board. Consent is not required under the PDPA for this purpose but will be necessary if MCSTs wish to display additional personal data. As good practice, voter lists should only be displayed for a reasonable duration.
- Meeting minutes – MCST councils or executive committees are required to keep minutes of general meetings under the BMSMA. These may include the personal data of estate residents or invitees in attendance, and the minutes may be displayed on the estate's notice board for a period of not less than 14 days. As good practice, however, MCSTs should only display such minutes for a reasonable duration. Also, they should notify all subsidiary proprietors and estate residents that their personal data will be used in the meeting minutes in accordance with the BMSMA, which can be done through a policy or notice of general meeting.
- Access and correction requests – The PDPA requires MCSTs to comply with access and correction requests from individuals, including access to their CCTV footage. As good practice, MCSTs can ask applicants to be more specific as to the type of personal data requested, and the time that it was collected, to determine if any exceptions apply under the Fifth or Sixth Schedules to the PDPA.
- Estate security – MCSTs may collect the personal data of visitors for security purposes, such as their name, vehicle number, contact information and unit numbers they are visiting. They may also capture CCTV footage of such visitors to the buildings. MCSTs should only collect personal data that is necessary for security purposes and should assess whether there is a need to identity visitors to a high degree of fidelity where they collect any national identification information such as NRIC numbers.
- Subsidiary proprietors – In the application for access cards, MCSTs may require the contact details of individuals who hold such access cards. Consent (including deemed consent) of these individuals must be obtained for this purpose.
- Photographs and video recordings of social activities – Where MCSTs organise social functions for estate residents, they must notify and obtain consent from attendees before taking and using their photographs and/or video recordings.
Finally, the guidelines remind MCSTs that they are required to comply with the protection and retention limitation obligations under the PDPA. Specifically, MCSTs should make reasonable security arrangements to protect personal data in their possession or control to prevent unauthorised access and similar risks, and must also have a retention policy in place so as not to retain personal data where they no longer have any legal or business purpose for doing so.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.