The Interplay Between BMSMA and PDPA: Ensuring Data Protection for Singapore’s MCSTs
In March 2019, the Personal Data Protection Commission (PDPC) of Singapore released a comprehensive set of advisory guidelines tailored specifically for management corporations of strata title plans (MCSTs). These guidelines, meticulously crafted in collaboration with Singapore’s Building and Construction Authority (BCA), represent a significant step forward in the area of data protection within the unique context of strata-titled properties.
MCSTs fall under PDPA purview
MCSTs, by their very nature, encapsulate the essence of an “organisation” as defined under the Personal Data Protection Act (PDPA). Comprising Subsidiary Proprietors (SPs) of lots within strata title plans, MCSTs act as custodians of not just physical properties but also of the personal data inherent to these properties.
This recognition within the PDPA framework underscores the importance of delineating the roles and responsibilities of MCSTs in safeguarding personal data.
Sectorial Legislations: BMSMA Takes Precedence over PDPA
A critical aspect explained in the guidelines is the symbiotic relationship between the PDPA and other relevant legislations, most notably the Building Maintenance and Strata Management Act (BMSMA).
MCSTs are mandated to comply with a myriad of laws, including the BMSMA and its subsidiary legislations such as the Building Maintenance (Strata Management) Regulations 2005 (BMSMR), and the Land Titles (Strata) Act. These laws may necessitate the collection and utilisation of personal data, an area where the PDPA intersects.
However, the guidelines highlight a significant principle: in cases of inconsistency between the PDPA and other laws governing MCSTs, the latter prevails. This emphasises the legislative hierarchy, ensuring that obligations mandated by the BMSMA take precedence over PDPA requirements.
Consequently, MCSTs find themselves manoeuvring through a legal landscape where compliance with BMSMA obligations may entail actions that, under the PDPA, might otherwise necessitate consent.
MCSTs and Managing Agents: Core Responsibilities
The guidelines also shed light on the complex relationship between MCSTs and managing agents, who often serve as intermediaries in executing various duties and functions on behalf of MCSTs.
Despite this delegation of tasks, MCSTs retain primary responsibility for PDPA compliance. This requires a proactive approach, wherein MCSTs must conduct thorough due diligence to determine the capability of managing agents to adhere to PDPA requirements.
Moreover, the guidelines advocate for the establishment of robust data processing agreements between MCSTs and managing agents. These agreements serve as a contractual framework outlining the respective responsibilities and obligations of each party concerning personal data processing. By formalising these arrangements, MCSTs can not only ensure compliance with the PDPA but also mitigate potential risks associated with data processing activities.
Data Protection Policies and Data Protection Officer
In complying with the PDPA, a MCST is required to develop and implement policies and practices that are necessary for it to meet its obligations under the PDPA, and to make information about the data protection policies and practices available on request. A MCST is also required to designate at least one individual to be responsible for ensuring its compliance with the PDPA, commonly known as the Data Protection Officer (DPO).
PDPC Sector Specific Advisory for MCSTs: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Sector-Specific-Advisory/Advisory-Guidelines-for-Management-Corporations—110319.pdf
A pertinent example highlighting the consequences of non-compliance is the case of MCST 3593, which was required to pay a financial penalty of $5,000 for failing to appoint a Data Protection Officer, as mandated by the PDPA. This serves as a clear indication that failure to abide by the regulations may result in financial penalties for an MCST.
PDPA Obligations on MCST Activities
One of the important things that the guideline pertains to is the application of the PDPA to common activities undertaken by MCSTs. From the compilation of voter lists to the dissemination of meeting minutes, MCSTs regularly engage in activities involving the processing of personal data. However, the guidelines provide clarity on the extent to which PDPA requirements apply to these activities.
For instance, while the BMSMA mandates the display of voter lists and meeting minutes, consent under the PDPA is not required for these specific purposes. Nevertheless, MCSTs are encouraged to exercise discretion and prudence in handling personal data, ensuring that only necessary information is disclosed.
Additionally, the guidelines advocate for transparency, emphasising the importance of notifying individuals about the intended use of their personal data in accordance with the BMSMA.
Section 47 of BMSMA: Balancing Access & Disclosure of Personal Data for MCSTs
The balance between ensuring security and respecting data protection is often delicate. Section 47 (BMSMA) grants authorised individuals access to raw information, records, and files within the purview of the MCST without the need for explicit reasons or consent from third parties, regardless when personal data is involved. This provision aims to facilitate swift actions necessary for the effective management of a property.
However, such access must still take into consideration first the Personal Data Protection Act (PDPA), then any superseding laws which governs the collection, use, and disclosure of personal data concerning external stakeholders such as visitors, contractors, and suppliers. These regulations serve to safeguard individuals’ personal data.
PDPA Compliance & Financial Penalties
The main focus of the guidelines is for MCSTs to adhere to the regulations outlined in the PDPA. This involves implementing various measures to ensure the safety and responsible handling of personal data throughout its lifecycle. From implementing robust security arrangements to devising retention policies aligned with legal and business imperatives, MCSTs are tasked with fostering a culture of data protection within their organisational framework.
Case Study 1: Marina Bay Residences Received $5000 Financial Penalty
In the case of Marina Bay Residences (MCST 3593). A resident owner requested CCTV footage of the condominium’s lobby, containing identifiable individuals, under the guise of Section 47 (BMSMA). The Security Supervisor, in compliance with the request, reviewed and recorded the footage using his mobile phone.
However, in a breach of protocol, the Security Supervisor shared the footage via WhatsApp with the resident owner and the residence manager without proper authorization. Despite subsequent instructions from the residence manager to refrain from releasing the footage, the damage had been done—the footage was already in the hands of the resident owner.
Case Study 2: Vision Crest Apartment Received Warning
Similarly, in the case of MCST 3400, the organisation received a warning when it was discovered that its Directory containing the personal data of 562 individuals, stored on a Network Attached Storage (NAS), collected for compliance with the Building Maintenance and Strata Management Act and Regulations, could be accessed through an Internet Protocol address without requiring any login credentials.
These instances underscore the importance of strict adherence to PDPA guidelines for MCSTs to avoid potential penalties and protect the personal data entrusted to them.
Conclusion
The advisory guidelines serve as a clear guide for MCSTs navigating the intricate terrain of data protection within the confines of strata-titled properties. By explaining the interplay between the BMSMA and the PDPA, these guidelines empower MCSTs to fulfil their statutory obligations while safeguarding the personal data entrusted to them. Moving forward, adherence to these guidelines not only ensures regulatory compliance but also fosters trust and confidence among stakeholders in the area of data protection.
To safeguard sensitive data effectively, it’s imperative for organisations to take their data protection responsibilities seriously. One crucial step in this direction is appointing a Data Protection Officer (DPO). The DPO plays a pivotal role in ensuring compliance with data protection regulations, implementing robust security measures, and overseeing data handling practices.
By having a designated expert focused on data protection, organisations can enhance their ability to mitigate risks, maintain regulatory compliance, and uphold customer trust. Take action today to prioritise data protection by appointing a dedicated Data Protection Officer within your organisation.
0 Comments