A documented grievance · Personal Data Protection Act

I asked for my own CCTV footage. I was refused. The footage was deleted. The regulator found no breach.

The only footage I ever obtained came from outside the PDPA framework — from my own phone, not the condominium’s CCTV that the law was supposed to give me access to.

This site documents the grievance, links every claim to its source, and is written in the explicit spirit that “I am willing to be corrected, and I do not insist that I must be right.”

Read the 3-minute summary

Executive summary · ~3-minute read

What happened, and why it matters beyond one case

On 13 April 2024, I was injured in a road accident outside a condominium. I asked — verbally, then in writing — for the CCTV footage that captured it. Both condominiums refused, the footage was overwritten, and when I complained, the Personal Data Protection Commission (PDPC) accepted the organisations’ explanations and found no breach of the Access Obligation.

The grievance spans two parallel PDPC cases with different findings (kept strictly distinct below). One was dismissed on the basis that a silhouette is “not personal data”; the other accepted that footage was overwritten before any formal refusal — so no preservation breach — while still finding the organisation had no Data Protection Officer and no policy in place.

After 19 months and the exhaustion of every executive oversight channel — PDPC, IMDA, the Public Service Division, the Public Service Commission, and two MP appeals — the matter remains unresolved. The concerns are systemic: they affect every member of the public who relies on the statutory right to access their own personal data.

For Members of Parliament The reform case Three concrete legislative gaps, four questions to pose. Read the reform case → For the public Rights on paper The PDPA promises every Singaporean the right to access their own personal data. PDPC’s rulings and conduct have left that right unenforceable in practice. See what the record shows. See the record → For lawyers & DPOs The technical analysis Fourteen documented failures, each cited to its PDPA section and source. Examine the 14 failures →

Also: ten contradictions — precedents and guidelines PDPC set aside

The story in full

What happened — and the only explanation that fits all of it

A motorcyclist suffers a traumatic brain injury in a road accident. He has no memory of what happened to him. He asks the two condominiums flanking the road for the CCTV footage that captured the event — not only for his civil case, but to understand what happened to him at all. Both refuse. The footage is overwritten. The regulator accepts the condominiums’ explanations and finds no breach. Every legal challenge receives the same one-line response. The oversight body mirrors the same pattern. Across 374 published enforcement cases (at the time of this compilation), the Access Obligation has produced zero breach findings. This is not a sequence of unrelated failures. It has one explanation.

1. What the Complainant needed

On 13 April 2024, the Complainant was injured when a taxi cut into his lane on Cairnhill Road. The impact caused a traumatic brain injury — a subarachnoid haemorrhage — and the Complainant lost all memory of the accident and the period surrounding it. The taxi driver was subsequently charged under the Road Traffic Act for drink driving.

The Complainant needed the CCTV footage from the two condominiums flanking the road for two distinct reasons: first, to understand what had happened to him — the footage was the only record of an event he has no memory of; second, to support an insurance claim and civil proceedings against the driver. Security staff at both condominiums had already identified the relevant footage within minutes of the accident. It existed, it was findable, and it showed the taxi cutting into the lane.

Source: PDPC Decision — MCST 4599 (2025 SGPDPC 3) ↗ · NUH discharge records (subarachnoid haemorrhage, April 2024) — in the Complainant’s possession

2. What both condominiums did

Both condominiums refused on grounds that do not appear in s.21(3) or the Fifth Schedule of the PDPA — the only provisions that authorise a lawful refusal of an access request. The Scotts Tower (MCST 4599) cited “privacy” as a blanket reason; when challenged, claimed no footage existed. PDPC’s own finding later confirmed footage existed until 30 April — 13 days after that verbal denial. Suites@Cairnhill (MCST 3615) provided its DPO, who told the Complainant in writing: “Only by police direct/order the MCST to disclose the footage that MCST is obliged to do so.” When the Complainant cited the correct PDPA Advisory Guidelines in reply, the DPO responded: “It seems to me you are having difficulty understanding our position” — and refused further communication.

Neither organisation was acting recklessly. They were acting in a regulatory environment where the Access Obligation has never produced a breach finding — and in this case, it did not.

Source: PDPA 2012, s.21(3) and Fifth Schedule — Singapore Statutes Online ↗ · PDPC Advisory Guidelines for Management Corporations, 17 May 2022, §3.7

3. What PDPC did

PDPC did not test the condominiums’ stated refusal grounds against s.21(3) or the Fifth Schedule. Instead, it substituted its own reasoning in each case: “not personal data” for MCST 3615 (the MCST had not said this); “footage overwritten before formal refusal” for MCST 4599 (ignoring the verbal refusal and the false “no footage” claim that preceded the overwrite). To reach the MCST 3615 finding, PDPC applied a “clarity” standard — face or licence plate must be visible — that does not appear in the PDPA. The statute defines personal data by identifiability, not image quality.

When the Complainant challenged these findings across nine legal questions spanning six PDPA sections, PDPC’s response to every question was identical: “The Guidelines are not determinative; the PDPA takes precedence.” PDPC did not name which guideline, which PDPA clause, or how they conflict. The decisions were withheld until the Complainant escalated to the Prime Minister’s Office, government ministers, and the President’s Office. PDPC then declared the matter closed.

Source: Decision — MCST 4599 ↗ · Summary — MCST 3615 ↗ · PDPA 2012, s.2(1) ↗

4. What the enforcement register shows

These cases were not outliers. Across 374 published enforcement actions in PDPC’s public register (at the time of this compilation), the Access Obligation (s.21) has produced zero breach findings. Not one. The dominant pattern of enforcement is protection of data (s.24) and consent violations (s.13) — obligations that run against organisations mishandling data they hold. The access obligation — the right of a citizen to retrieve their own data from an organisation — is the least-enforced provision in the entire register.

The clarity test PDPC invented in MCST 3615, applied consistently, explains this. If face or licence plate must be visible for CCTV footage to qualify as personal data, the majority of real-world CCTV footage falls outside access protection entirely. Any organisation can deny an access request simply by asserting the footage is too unclear to identify anyone. PDPC has given no tools to challenge that assertion.

Source: enforcement-index.html — this site, generated from the public PDPC register

5. The explanation that fits

Ordinary regulatory failure is uneven. It makes mistakes in different directions, produces inconsistent outcomes, and responds differently to different challenges. What is documented here is coherent: every decision, at every level, in the same direction. PDPC substituted invented reasoning for the MCSTs’ actual stated grounds. IMDA, the oversight body, replicated the same pattern of delay and non-engagement. The IAU found “no wrongdoing” without addressing the material facts. Nine legal questions received one identical non-answer. Zero breach findings across 374 cases.

The explanation that requires the fewest additional assumptions and accounts for all of these facts simultaneously: PDPC operates a de facto policy of non-enforcement of the Access Obligation for CCTV footage. The clarity test is the legal mechanism. The zero breach history is the outcome. The non-engagement is what follows when a regulator cannot defend its position on the merits without acknowledging the policy.

This site does not assert that this policy was explicitly decided or that any individual acted in bad faith. It asserts that the documented record — primary sources, on the record, linked throughout — is consistent with that explanation and inconsistent with ordinary regulatory failure. The Complainant has asked PDPC to correct this record nine times. The nine questions and PDPC’s responses are in the narrative section of this site.

The credibility foundation

Two parallel cases — different findings, kept distinct

The grievance spans two separate PDPC cases. They reached different conclusions and must not be conflated — collapsing them is exactly how a hostile reader would dismiss the whole record.

MCST 3615

Suites@Cairnhill · Case DP-2405-C2445

Managing agent: Property Facility Services Pte Ltd (PFS) — unnamed in the published summary
Access request: 20 May 2024 (refused 21 May)
Stated refusal grounds: “Police-only access” — not listed in s.21(3) or the Fifth Schedule of the PDPA. PDPC did not test this ground against the statute; it substituted its own reasoning (“no personal data”) instead.
DPO conduct: Mohamed Nasir Mustaffa (Director/DPO, PFS) told the Complainant in writing on 21 May 2024: “Only by police direct/order the MCST to disclose the footage that MCST is obliged to do so.” When the Complainant responded on 23 May citing the correct PDPA advisory guidelines, the DPO replied: “It seems to me you are having difficulty understanding our position” and refused further communication.
PDPC finding: No “personal data.” Silhouette only — no face or plate — so no Access Obligation breach.
Outcome: Voluntary undertaking (executed 8 May 2025)
Decision form: Anonymised “Summary of Commission’s Findings”

Summary of Commission’s Findings — MCST 3615

MCST 4599

The Scotts Tower · Case DP-2405-C2318

Managing agent: Knight Frank (KFPFM) → Ohmyhome (from 1 Jun 2024)
Access request: 17 Apr 2024 — verbal refusal: management cited privacy as a blanket reason; when challenged, claimed no footage existed; refused to provide DPO contact, company name, or escalation path. 25 Apr — written request (refused 2 May). PDPC’s own finding: footage existed until 30 Apr — 13 days after the verbal denial.
Stated refusal grounds: “Privacy” (blanket) and “no footage” (false) — neither is listed in s.21(3) or the Fifth Schedule of the PDPA. PDPC did not test these grounds against the statute; it substituted its own reasoning (footage overwritten before formal refusal) instead.
PDPC finding: Footage overwritten before refusal → no s.22A breach; but accountability breaches (no DPO, no policy) found.
Outcome: Directions to develop policies within 60 days
Decision form: Published-style signed Decision (2025 SGPDPC 3)

Decision — MCST 4599 (2025 SGPDPC 3)

Organisations are named as they appear in the findings and the letter to Parliament: Knight Frank (KFPFM), Ohmyhome, The Scotts Tower (MCST 4599), Suites@Cairnhill (MCST 3615), and ComfortDelGro (the taxi operator). PDPC officers are named where on record (e.g. Deputy Commissioner Wong Huiwen Denise; officer “Ahmad” per the email files).

For Members of Parliament

The reform case

The individual outcome matters, but the gaps it exposes are general. Three concrete legislative asks, drawn from the core regulatory failures, would close them.

Ask 1
Clarify the s.22A trigger date for data preservation

Close the “deleted-before-refusal” loophole, so the duty to preserve data attaches when the request is made — not when a formal refusal is issued.
Ask 2
Prohibit non-statutory refusal grounds

Bar grounds the PDPA does not provide — e.g. “go to the police” — as a basis for refusing a s.21 access request.
Ask 3
Mandate verification of retention policies

Require independent verification where an organisation claims auto-deletion, rather than accepting the claim at face value.

Four questions for Parliament to pose

How many complaints have been filed with PDPC under the Access Obligation (s.21) since the PDPA came into force, and how many resulted in a finding of breach? If the answer is zero breach findings, what is PDPC’s explanation for why no organisation has ever been found in breach of the Access Obligation?
Why was the managing agent’s refusal on “police access only” grounds not deemed a PDPA breach?
How does PDPC ensure statutory preservation when organisations use short auto-overwrite cycles?
What prevents the regulator from retrospectively justifying refusal grounds the organisation never cited at the time?

Read “Core regulatory failures” Read the letter to Parliament

Level 1.5 · Why this matters to every Singaporean

The footage is gone. The consequences are not.

The footage is gone. The consequences are not. The insurance claim could not be verified; the lawsuit with the taxi driver is more contentious for the lack of the central piece of evidence. And the regulator’s own findings have not closed the matter — they have shaped it. The MCST treated public data as its own. The MCST disregarded personal-data laws. PDPC endorsed this. The MCST continues to make a mockery of the PDPA. This site documents that pattern.

1. Real consequences

My CCTV footage was deleted on 30 April 2024 — 17 days after I made my access request, 5 days before PDPC began investigating. Without the footage, my insurance claim could not be verified. Without the footage, my lawsuit with the taxi driver is more contentious for the lack of the central piece of evidence. These are the practical consequences of the access obligation not being enforced.

Source: PDPC’s own Undertaking by The Management Corporation Strata Title Plan No. 3615 documents the deletion date; Final Email to Parliament documents the timeline.

2. The pattern that made this possible

The MCST treated public CCTV footage as its own property — refusing access, then deleting the footage on its own auto-overwrite cycle. The MCST disregarded the PDPA — relying on a managing agent to deflect the request, then letting the cycle run. PDPC endorsed this conduct — accepting the “17-day retention” figure without independent verification, finding the silhouette “not personal data” despite its own Guidelines saying otherwise, and refusing to assess the security company under s.24. The MCST continues to make a mockery of the PDPA — the same footage is still denied, the same request process is still followed, and there is no record of any consequence.

The ask of Parliament is not to revisit my case. It is to ensure that this pattern cannot be reproduced against another Singaporean. The legislative asks are in the Reform case; the procedural asks are in the documented pattern above.

3. The enforcer became the damager

The PDPC is supposed to enforce the PDPA. By finding the silhouette in MCST 3615 to be “not personal data” — when PDPC’s own Guidelines say otherwise — PDPC’s own investigation defeated the access right the statute was written to protect.

The implications extend far beyond one case. PDPC applied a “clarity” test: because no face or licence plate was visible, the footage was not personal data. The word “clarity” does not appear in the PDPA. The statute’s definition turns on identifiability — whether an individual can be identified from the data, alone or combined with other information. PDPC replaced that contextual, statutory test with a pixel-clarity standard of its own invention. Any organisation can now cite this ruling to deny access to CCTV footage by claiming the footage is too unclear to identify anyone. In practice, this renders the majority of real-world CCTV footage outside the PDPA’s access protection — not because the statute says so, but because PDPC said so.

Across the 374 enforcement actions in the public register, the dominant pattern is enforcement of the protection obligation (s.24, the obligation to keep data safe) and enforcement against consent violations (s.13). The access obligation (s.21) and the retention obligation (s.25) — the obligations that protect individual citizens’ rights against organisations — are the least-enforced. The breakdown of investigation is heavily tilted to protection, while denying citizens’ rights of access.

Source: enforcement-index.html on this site (generated from the public PDPC register); PDPC, Summary of Commission’s Findings, MCST 3615 (DP-2405-C2445); PDPA 2012, s.2(1) — Singapore Statutes Online ↗

4. Street View of the building is gone too

Google Street View imagery of 79 Cairnhill Road — the location of The Scotts Tower, the subject of my MCST 4599 complaint — was removed at some point between my complaint and now. The cause is unknown. It may have been requested by the MCST, the managing agent, or another party. It may have been incidental.

I used Street View to document the CCTV camera positions on the building before they could be moved. Whether or not the removal was related to my complaint, the fact remains: the public record of those camera positions is gone, while the cameras themselves remain.

Source: TST CCTV location in the case folder records the original Google Maps URL (which previously resolved to Street View imagery of the building); the URL no longer resolves to Street View imagery as of this writing.

5. The access obligation is how the public supervises private power

A regulator cannot watch every CCTV camera. A regulator cannot interview every witness. The public acts as the regulator’s distributed check-and-balance — when citizens can access their own data, they verify what organisations say. When access is denied or footage is deleted before the regulator investigates, that check-and-balance fails. The access obligation is not a procedural right; it is the mechanism by which a free society supervises private power.

6. Who guards the guards?

A private citizen complained about a statutory board. The board’s oversight body shared a Chief Executive with the board. The oversight body’s Internal Audit Unit cleared the board, finding it “acted in accordance with its protocols.” The Public Service Division referred the complaint back to the board. The Public Service Commission deferred to the oversight body. The President’s Office forwarded the complaint to the same agencies. No external body with the mandate to independently review PDPC’s conduct was ever engaged.

The public has no whistleblowing channel against public agencies. When PSD was asked what channels are available to a private citizen to report suspected wrongdoing by public officers, PSD replied: “the whistleblowing channels mentioned in the article are specifically for public officers to report wrongdoing by other public officers within the Public Service.” There is no external body. There is no independent review. There is no escalation route beyond the agencies themselves.

Sources: PSD, email to the Complainant (16 Jun 2025): “For members of the public, you may wish to channel your feedback or complaints through the respective agency’s Quality Service Manager (QSM) channels.” · IMDA QSM, email to the Complainant (21 Aug 2025): “The IMDA whistleblowing framework does not include an escalation route beyond the current process.”

Level 1 · A documented pattern

PDPC ceased communication. External agencies were told the issues were addressed. The published-decisions filter has no obligation-type filter.

“Please do not respond to this e-mail.”
— PDPC officer to the Complainant, May 2024

Three patterns recur across the 19-month record: PDPC wrote one letter on 4 May 2024 and then told the Complainant not to respond; external agencies (PSD, IMDA, PSC) were informed that “the issues had been addressed” while email records show no such reply existed; and PDPC’s published-decisions page offers no filter by obligation, even though such a filter would surface the contradiction pattern across PDPC’s own register.

1. PDPC ceased correspondence

“Please do not respond to this e-mail.”

PDPC officer Ahmad to the Complainant, May 2024

“we will not be responding to further correspondence on this matter, unless there is new information”

PDPC formal letter to the Complainant

After these two communications, the Complainant sent follow-up correspondence on 7 May, 10 May, 22 June, and 12 July 2024. None received a substantive response. PDPC has not responded to correspondence on this matter since.

2. PSC relied on PDPC’s claim of reply — but no such reply exists

“Public Service Commission (PSC) — When I approached PSC, IMDA informed them that the issues had been addressed. This representation was factually incorrect. PSC understandably relied on IMDA’s statement...”

the Complainant’s letter to Parliament

“PSC relied on IMDA’s statement that matters had been addressed, even though email records show no such reply existed.”

the Complainant’s final email to Parliament

Ministerial assurance — the public record

Minister for Communications and Information: “The PDPA already closes the gap.”

the Complainant, in correspondence: “If the PDPA is already robust, then PDPC has failed in enforcement.”

3. The filter PDPC removed

PDPC’s published-decisions page previously allowed the public to filter enforcement actions by obligation type, making it possible to see, for example, all Access Obligation cases, all Protection Obligation cases, and which obligations had zero breach findings. That filter has been removed. The page now offers only Type (All / Commission’s Decisions / Voluntary Undertakings), Year, and Sort.

Verified state of PDPC’s published-decisions page (19 Jun 2026): there is no obligation-type filter. A user cannot surface all Access Obligation cases or all Protection Obligation cases without opening every individual decision.

The irony is direct. Before the filter was removed, the public could see that the Access Obligation, the right the Complainant was trying to exercise, had zero breach findings across PDPC’s entire enforcement history. The new layout makes that pattern invisible. The obligation that was never enforced is now also the obligation you can no longer search for.

This site documents all 374 published enforcement actions in the enforcement index by obligation (at the time of this compilation) — every one extracted by obligation from the case titles, rebuilding the view PDPC’s own site no longer provides.

What we ask of Parliament

The contradictions section that follows documents ten specific legal inconsistencies between PDPC’s own guidelines and its decisions in MCST 3615 / MCST 4599. This section documents the procedural pattern around those decisions. We ask Parliament to:

require PDPC to respond substantively to the correspondence dated May–September 2024
require PDPC to publish a verified record of correspondence between the Complainant and PDPC
require the addition of an obligation-type filter to the published-decisions page so the pattern is publicly visible

Credibility centrepiece

PDPC’s narrative vs. the record

Five documented challenges, presented claim by claim: PDPC’s official account on one side, the documented record on the other.

1. The investigation was late and reactive

PDPC’s account
The decisions present the timeline neutrally — as a matter handled in due course.

The record
PDPC only began investigating in August 2024 — about four months after the 4 May 2024 complaint, and only after sustained effort on my part. By then the footage was already deleted.
2. The “not identifiable” finding rests on footage PDPC never properly examined

PDPC’s account
The footage showed only a silhouette — no identifying features — so it was not personal data.

The record
The condo CCTV was deleted. The video that actually shows the rider was obtained by me outside the PDPA, from my own phone — not the condo’s verified CCTV. PDPC made an identifiability determination without examining the actual source system.
3. PDPC did not verify the condos’ CCTV systems

PDPC’s account
The organisations’ explanations — “silhouette only / no identifying features” and a “17-day retention” cycle — were treated as established.

The record
Those claims were accepted at face value, without independent verification of the actual CCTV systems or retention settings.

The retention claim was internally inconsistent before PDPC ever examined it. The MCST’s own security guards said footage was kept for many months; the managing agent had previously said the cycle was 20–30 days. The “17-day retention” figure PDPC accepted lies between those two statements and matches neither. PDPC did not investigate the discrepancy.
4. The decisions were published only after escalation — then treated as closed without engagement

PDPC’s account
The decisions speak for themselves; all of my questions have been answered and the reasons for the outcomes are self-explanatory on the face of the reports.

The record
PDPC initially did not publish the decisions, indicating it could take up to a year to post them online. They were posted after I escalated to the Prime Minister’s Office, government ministers, and the President’s Office. PDPC then declared the matter closed — asserting the reports were self-explanatory — without engaging the substantive issues I raised.
5. The statute is adequate; its application is not

PDPC’s account (and the Ministerial assurance)
Parliament was assured that “organisations are required to implement policies and practices to handle access requests” including “appropriate measures to preserve the requested personal data while the request is being processed”, and that “criminal penalties for intentional concealment or destruction of records” exist. The PDPA framework, the Minister indicated, is adequate.

Source: Singapore Parliament Written Answer 19596 (Minister Josephine Teo, in reply to Mr Zhulkarnain Abdul Rahim).

The record
If the framework is adequate (and we accept that it is), then the problem is in the application. PDPC’s own Advisory Guidelines say a combination test applies to identifiability; PDPC applied a silhouette-only test in MCST 3615. PDPC found a security company liable as a data intermediary in MCST 4375 and MCST 3593; in MCST 4599 no such finding was made. PDPC concluded in MCST 4436 that s.4(6) PDPA required the footage to be provided; that reasoning was never applied in MCST 3615. These are not interpretation gaps: they are departures, by the same regulator, from its own Guidelines and its own prior decisions on directly comparable facts.

Sources: enforcement-index.html (this site, from the public PDPC register); MCST 4436, MCST 4375, MCST 3593 (documented in contradiction cards #8–#10 on this site).
6. The stated refusal grounds were never tested against the Fifth Schedule

PDPC’s account
PDPC investigated the complaints and found no breach of the Access Obligation. The decisions address whether the footage was personal data and whether formal preservation obligations applied.

The record
PDPA s.21(3) and the Fifth Schedule set out the only grounds on which an organisation may lawfully refuse an access request. The MCST 3615 DPO stated that only police could compel access. MCST 4599 cited “privacy” as a blanket reason and, when challenged, claimed no footage existed. Neither stated ground appears in s.21(3) or the Fifth Schedule.

PDPC did not test either refusal against those provisions. Instead, PDPC substituted its own reasoning in each case: “not personal data” for MCST 3615; “footage overwritten before formal refusal” for MCST 4599. Those rationales were not advanced by the organisations. By deciding on grounds the organisations had not raised rather than the stated ones, PDPC did not make a finding on whether the actual refusals were lawful under s.21.

Source: PDPA 2012, s.21(3) and Fifth Schedule — Singapore Statutes Online ↗

The investigation itself is an acknowledgment

PDPC’s own Advisory Guidelines on Enforcement provide that the Commissioner may dismiss a complaint that is “frivolous or vexatious or is not made in good faith.” Neither PDPC nor IMDA dismissed these complaints on that ground. Both investigated: PDPC after four months, IMDA after seven, and both only under sustained external pressure.

The Complainant explicitly asked for an explanation, and an apology if the concerns were validated. Neither body provided one. PDPC declared the matter closed; IMDA said “all was according to protocol.” The findings in both cases departed from PDPC’s own Advisory Guidelines, the PDPA, and prior rulings on directly comparable facts. The gap between what the investigation implicitly acknowledged (a complaint worth examining) and what the findings produced (departures from established law, with no explanation) has not been documented or explained by either body.

PDPA 2012 — Singapore Statutes Online ↗ · PDPC Advisory Guidelines on Enforcement of Data Protection Provisions — PDPC website ↗

Nine questions PDPC has declined to answer

These questions were raised directly with PDPC across multiple correspondence items, emails, and documents submitted to Parliament. None received a substantive response.

s.2(1)(b) — Contextual identifiability. How is CCTV footage “not personal data” when s.2(1)(b) allows identification using other information the organisation has or is likely to have access to? In both cases, security staff identified the incident within minutes using the timestamp and context.
s.2(1) — Reasonableness filter. Why did PDPC insert a “reasonableness” test from s.11 into the definition of personal data under s.2(1), when definitional clauses cannot be narrowed by organisational convenience?
ss.4(2) and 4(3) — MCST responsibility for managing agents. How does PDPC’s ruling reconcile with ss.4(2) and 4(3), which make MCSTs fully responsible for their managing agents? The decisions appear to allow MCSTs to evade statutory duties through outsourcing.
s.21 — Fifth Schedule. What is the statutory basis for treating s.21 access as limited to criminal or civil discovery, when discovery is not listed in s.21(3) or the Fifth Schedule as a ground for refusal?
ss.22A, 24, and 25 — Selective application. Why did PDPC apply s.22A but overlook ss.24 and 25, which require organisations to protect and retain personal data when there is an active legal purpose?
s.22A — Pre-refusal gap. PDPC acknowledged in writing that s.22A contains a “pre-refusal gap.” Will the Ministry amend the PDPA to prevent organisations from deleting data by simply delaying formal rejection?
Advisory Guidelines — Declared inconsistent without explanation. Why did PDPC declare its own Advisory Guidelines “inconsistent with the PDPA” without issuing a public explanation of which passages are inconsistent and why?
Advisory Guidelines — Police referral as enforcement stop. Why did PDPC and IMDA treat “referral to the police” as a ground to stop enforcement, contrary to PDPC’s own guidelines, which explicitly state that MCSTs may not limit access to law enforcement only?
s.2(1) — Identifiability threshold and the invented “clarity” test. PDPC applied a pixel-clarity standard — face or licence plate must be visible — as its test for whether CCTV footage is personal data. The word “clarity” does not appear in the PDPA. The statute defines personal data by identifiability, not image quality. Any organisation can now cite this ruling to deny access to CCTV footage simply by asserting the footage is too unclear to identify anyone — a subjective claim PDPC has given no tools to challenge. What is the statutory basis for the clarity test? And does PDPC accept that this ruling effectively removes the majority of real-world CCTV footage from PDPA access protection?

PDPA 2012 — Singapore Statutes Online ↗ · PDPC Advisory Guidelines on Key Concepts in the PDPA — PDPC website ↗

PDPC’s response to every one of these questions was the same single line: “The Guidelines are not determinative; the PDPA takes precedence.” Across nine questions spanning six different PDPA sections, PDPC did not name which guideline was inconsistent with the PDPA, did not name which PDPA clause made it inconsistent, and did not explain how the two conflict. Declaring your own published guidelines “wrong” without specifying what makes them wrong is not an explanation. It is a formula that closes every line of inquiry while answering none of them.

Level 2.5 · The legal precedents PDPC set aside

Ten contradictions — and one explanation that never names an operative PDPA clause

“When I cited PDPC’s own binding Advisory Guidelines, the Commission declared them ‘wrong’ — without saying which part, and without saying which part of the PDPA makes them wrong.”

Ten documented contradictions follow. Three come from PDPC’s own May 2022 Advisory Guidelines. Two more come from precedents in other public decisions that PDPC did not apply. In each case, when challenged, PDPC’s response is the same circular formulation — and that pattern is itself a contradiction.

1Personal-data definition
2Combination test ignored
3Law-enforcement exclusivity
4Preservation framework
5Retention while legal purpose exists
6Accountability breach as root cause
7KFPFM data-intermediary liability
8CCTV as “document” and s.4(6) subordination
9Security company as data intermediary — s.24 applied vs not applied
10The identification irony — PDPC’s own finding proves the footage is personal data

1
Personal-data definition

Their own guideline
‘The term ‘personal data’ is not intended to be narrowly construed and may cover different types of data about an individual and from which an individual can be identified, regardless of whether such data is true or accurate, or whether the data exists in electronic or other form.’

PDPC Advisory Guidelines on Key Concepts, 17 May 2022, §5.2, p. 12

What they did in 3615
‘the Complainant could not be identified from the CCTV footage, whether by itself or with other information to which MCST 3615 has or is likely to have access. The Condominium’s CCTV had captured footage of a motorcycle riding along Cairnhill Road at the time of the accident. However, it had only captured the silhouette of the rider and did not capture any identifying features such as facial features or the license plate of the motorcycle.’

MCST 3615 (DP-2405-C2445), Summary of Commission’s Findings, §3

Why it contradicts
The narrowest possible test was applied (face/plate required), directly contradicting the Guideline’s instruction that the definition “is not intended to be narrowly construed.”

Their response — and what’s missing
“The Guidelines are not determinative; the PDPA takes precedence.”
Which PDPA clause? — None named.

↗ Reference: PDPC, Advisory Guidelines on Key Concepts in the PDPA, 17 May 2022, §5.2 · PDPC website ↗

Further reading: correspondence record.
2
Combination test ignored

Their own guideline
‘The PDPA does not apply in relation to certain categories of personal data which are expressly excluded from the application of the PDPA. These are highlighted in the sections later.’

PDPC Advisory Guidelines on Key Concepts, 17 May 2022, p. 12

‘In determining whether the dataset is personal data, an organisation should not overlook the availability of other information it has or is likely to have access to.’

PDPC Advisory Guidelines on Key Concepts, 17 May 2022, p. 13

What they did in 3615
‘the Complainant could not be identified from the CCTV footage, whether by itself or with other information to which MCST 3615 has or is likely to have access. The Condominium’s CCTV had captured footage of a motorcycle riding along Cairnhill Road at the time of the accident. However, it had only captured the silhouette of the rider and did not capture any identifying features such as facial features or the license plate of the motorcycle.’

MCST 3615 (DP-2405-C2445), Summary of Commission’s Findings, §3

Why it contradicts
The Guidelines require including “other information to which the organisation has or is likely to have access.” The Complainant’s access-request letter, naming him, the time, and the location, was in the MCST’s possession. That information was not combined with the footage.

The real-world result confirms this. At The Scotts Tower (MCST 4599), security staff identified the Complainant’s accident within minutes using the timestamp and context, locating footage showing the taxi cutting into the lane. At Suites@Cairnhill (MCST 3615), the on-site manager permitted a screen recording; the Complainant obtained the footage, used it in civil proceedings, and provided it to PDPC. PDPC then examined that same footage and concluded the individual could not be identified from it. The footage was obtained through on-site identification, then used to rule out identifiability.

Their response — and what’s missing
“The Guidelines are not determinative; the PDPA takes precedence.”
Which PDPA clause? — None named. The on-site identification in both cases was not addressed.

↗ Reference: PDPC, Advisory Guidelines on Key Concepts in the PDPA, 17 May 2022, §5.1(b) and §5.7 · PDPC website ↗ · the Complainant, White Paper — PDPA CCTV Loophole (20 Aug 2025): “security staff located the exact footage and the on-site manager permitted a short screen recording. The requestor had provided (or was ready to provide) time, location, and incident context which, together with the footage, identified the individual. PDPC’s write-up recited the definition but did not address this ‘other information’ limb in its analysis.”

Further reading: accountability analysis (MCST 4599).
3
Law-enforcement exclusivity

Their own guideline
‘To be clear, MCSTs may not limit the provision of access to personal data only to law enforcement or other relevant authorities, or for the purposes of investigations by such authorities.’

Advisory Guidelines for Management Corporations, 17 May 2022, §3.7, p. 10

What they did in 3615 and 4599
MCST 3615 — DPO Mohamed Nasir Mustaffa (Director, PFS Pte Ltd), 21 May 2024

‘Only by police direct/order the MCST to disclose the footage that MCST is obliged to do so.’

When the Complainant cited the correct PDPA advisory guidelines in reply, the DPO responded: “It seems to me you are having difficulty understanding our position” and refused further communication.

MCST 4599

‘On 10 May 2024, PDPC told the requester to “go to the police” instead of investigating the MA — 10 days after the footage was already deleted (30 Apr).’

MCST 3615 (DP-2405-C2445), Summary of Commission’s Findings; MCST 4599 (DP-2405-C2318), Decision — primary sources for both quotations above

Why it contradicts
The MCST Guideline §3.7 is on point: the very restriction it prohibits — limiting CCTV access to law enforcement or other relevant authorities — is the defence both MCSTs used, and that PDPC itself amplified.

Their response — and what’s missing
“The Guidelines are not determinative; the PDPA takes precedence.”
Which PDPA clause? — None named in the decision addressing §3.7.

↗ Reference: PDPC, Advisory Guidelines for Management Corporations, 17 May 2022, §3.7 · PDPC website ↗
4
Preservation framework

Their own guideline
‘If the organisation determines that it is appropriate under section 21 of the PDPA and Part II of the Personal Data Protection Regulations 2021 to not provide some or all of the personal data requested, the organisation should keep the withheld personal data for a reasonable period — minimally 30 calendar days or longer after rejecting the access request — as the individual may wish to seek a review of the decision.’

Advisory Guidelines for Management Corporations, 17 May 2022, footnote 27, p. 10

What they did in 4599
‘Section 22A presumes that, as an organisation can only provide access to personal data in its possession or control, it may only refuse access to existing personal data that is still in its possession or control. In the present case, the Organisation did refuse access, but the CCTV Footage no longer existed on the date the Organisation communicated its refusal.’

MCST 4599 (DP-2405-C2318), Decision, §17–18

Why it contradicts
The Guideline’s footnote 27 assumes footage still exists at the point of rejection — a preservation regime the MCST destroyed by deleting before refusing. The s.22A argument closes the loop: by deleting first, the organisation made the Guideline’s contemplated regime unreachable.

Their response — and what’s missing
“The Guidelines are not determinative; the PDPA takes precedence.”
Which PDPA clause? — None named.

↗ Reference: PDPC, Advisory Guidelines for Management Corporations, 17 May 2022, footnote 27 · PDPC website ↗

Further reading: PDPA CCTV loophole white paper.
5
Retention while legal purpose exists

Their own precedent (other decisions)
8 cases in the public enforcement register find breach of the Retention Limitation Obligation (s.25) for retaining personal data beyond the period required for the purpose for which it was collected. No outlier.

Source: enforcement-index.html — browse the register

What they did in 4599
‘Section 22A presumes that, as an organisation can only provide access to personal data in its possession or control, it may only refuse access to existing personal data that is still in its possession or control. In the present case, the Organisation did refuse access, but the CCTV Footage no longer existed on the date the Organisation communicated its refusal.’

MCST 4599 (DP-2405-C2318), Decision, §17–18

Why it contradicts
Every other s.25 case in the register finds breach when an organisation retains data beyond its legal purpose. In the Complainant’s case, the footage was deleted while a live access request was pending — the clearest possible case of post-purpose retention — yet no s.25 breach was found.

Their response — and what’s missing
Across 8 other s.25 cases in the public register, every one finds breach for retention while a legal purpose exists. the Complainant’s case is the only outlier.
No explanation given in the decision for treating this case differently.

↗ Reference: PDPC public enforcement register — 8 s.25 decisions; MCST 4599 (DP-2405-C2318), Decision, §17–18 · PDPC enforcement register ↗ · Browse in this site
6
Accountability breach as root cause

Their own precedent (4599 §23)
‘If the Organisation had applied its mind to this issue, it would have also identified that the security company did not have the requisite administrator credentials to download CCTV footage, and would have rectified that gap.’

MCST 4599 (DP-2405-C2318), Decision, §23

What they declined in 4599
MCST 4599 §28: KFPFM was held not to be in breach of any obligation. The Commission made no finding against KFPFM, despite its role as data intermediary.

MCST 4599 §17–18: No s.22A breach was found because the footage was already deleted before refusal.

MCST 4599 §24–25: DPO and policy breaches found; no directions extended to remedying the access failure.

Why it contradicts
PDPC’s own §23 reasoning establishes the root cause: absent proper procedures, the footage was not preserved and could not be provided. The accountability breach is directly causal to the access failure. Yet PDPC found the accountability breach — but did not extend the remedy to the access right that was the subject of the breach.

Their response — and what’s missing
PDPC’s own §23 finding linked the s.12 breach to the inability to preserve footage, but did not extend the remedy.
No explanation given in the decision for declining the remedy.

↗ Reference: PDPC, MCST 4599 (DP-2405-C2318), Decision (2025 SGPDPC 3), §23 · PDPC website ↗

Further reading: PDPA CCTV loophole white paper.
7
KFPFM data-intermediary liability
Their own precedent (other decisions)
Three precedents find that security companies acting as data intermediaries are in breach of the Protection Obligation (s.24) for failing to put in place reasonable security arrangements for CCTV footage:
- MCST 3593 — New-E Security found in breach of s.24
- MCST 4375 — A Best Security found in breach of s.24
- MCST 3696 — security company found in breach of s.24 (decision not independently verified — search pdpc.gov.sg)
What they did in 4599
‘The Access and Accountability Obligations do not apply to data intermediaries. The Commission’s assessment is therefore focused on the Organisation’s compliance with the PDPA.’

MCST 4599 (DP-2405-C2318), Decision, §28

The Commission did not assess KFPFM under s.24 (Protection Obligation), despite KFPFM being identified as MCST 4599’s data intermediary at §3 of the Decision.

Why it contradicts
Security companies that manage CCTV on behalf of MCSTs have been consistently found in breach of s.24 in three other decisions. KFPFM — which also managed CCTV on behalf of an MCST — was assessed only against s.21 and s.12 (the inapplicable obligations for a data intermediary), with no s.24 assessment. No explanation was given for departing from the precedent.

Their response — and what’s missing
No explanation given in the decision for why the s.24 standard was not applied. Three precedents (MCST 3593, 4375, 3696) are publicly searchable.
No explanation given in the decision for why the s.24 standard was not applied. Two precedents (MCST 3593, 4375) are publicly verified on pdpc.gov.sg; MCST 3696 is referenced in the register but the URL could not be independently confirmed.
↗ Reference: PDPC, MCST 4599 (DP-2405-C2318), Decision (2025 SGPDPC 3), §28; MCST 3593, MCST 4375, MCST 3696 (data-intermediary s.24 precedents) · PDPC website ↗

Further reading: accountability analysis (MCST 4599).
8
CCTV as “document” and s.4(6) subordination

Their own precedent
“It is trite law that the meaning of the word ‘document’ given the broadest definition and is capable of accommodating any form or medium on which information can be recorded in a material form. The courts have held that documents include electronic documents like emails, audio and video files, and even storage media and recording devices like hard disks.”

PDPC, No Breach of the Access Obligation by MCST 4436 (River Isles), p. 4

What they did in 3615
“the Complainant could not be identified from the CCTV footage, whether by itself or with other information to which MCST 3615 has or is likely to have access. ... it had only captured the silhouette of the rider and did not capture any identifying features such as facial features or the license plate of the motorcycle. MCST 3615 also did not possess any other information to identify the individual from the footage.”

PDPC, MCST 3615 (DP-2405-C2445), Summary of Commission’s Findings, Access Obligation section

Why it contradicts
The same statutory conflict (BMSMA s.47 vs PDPA s.21) arises in both cases. In MCST 4436, PDPC applied section 4(6) PDPA’s subordination provision, held the BMSMA prevails, and concluded that the MCST could provide the CCTV footage to the requester without needing consent from other individuals visible in the footage. In MCST 3615, PDPC avoided the s.4(6) question entirely by finding the silhouette was not “personal data” at all, and therefore no obligation arose. Same regulator, same statutory regime, same fact pattern; opposite conclusions on whether the MCST should provide the footage.

Their response and what’s missing
No explanation given in the MCST 3615 finding for why section 4(6) PDPA’s subordination provision, which PDPC applied in MCST 4436 to the same statutory conflict, was not engaged.
No explanation given.

↗ Reference: PDPC, No Breach of the Access Obligation by MCST 4436 (River Isles); MCST 3615 (DP-2405-C2445), Summary of Commission’s Findings · PDPC website ↗

Further reading: letter to Parliament on the MCST 3615 reasoning.
9
Security company as data intermediary — s.24 applied vs not applied

Their own precedent
“ABSM was accordingly acting as a data intermediary of MCST 4375 in respect of the Relevant CCTV Footage. ... In the circumstances, I find MCST 4375 in breach of Section 24 of the PDPA.”

PDPC, Breach of the Protection and Accountability Obligations by MCST 4375 and Breach of the Protection Obligation by A Best Security Management, pp. 4–6

What they did in 4599
“The Access and Accountability Obligations do not apply to data intermediaries. The Commission’s assessment is therefore focused on the Organisation’s compliance with the PDPA.”

PDPC, MCST 4599 (DP-2405-C2318), Decision (2025 SGPDPC 3), §28

Why it contradicts
Same fact pattern in both cases: a security company managing CCTV on behalf of an MCST. MCST 4375 (2019) and MCST 3593 (2018) directly applied s.24 PDPA to the security company as a data intermediary, both finding breach. MCST 4599 (2025) explicitly declined to apply s.24 to KFPFM because “the Access and Accountability Obligations do not apply to data intermediaries”, but PDPC did not separately assess KFPFM under s.24 either. The s.24 framework applied to data intermediaries in identical fact patterns from 2018–2019 was silently withdrawn in 2025.

Their response and what’s missing
Across 2 prior decisions (MCST 4375, MCST 3593) security companies managing CCTV were assessed under s.24 as data intermediaries and found in breach. MCST 4599 departs without explanation.
No explanation given in the decision for the departure from precedent.

↗ Reference: PDPC, Breach of the Protection and Accountability Obligations by MCST 4375 / A Best Security Management; MCST 3593 / New-E Security; MCST 4599 (DP-2405-C2318), Decision (2025 SGPDPC 3), §28 · PDPC website ↗

Further reading: accountability analysis (MCST 4599).
10
The identification irony — PDPC’s own finding proves the footage is personal data

Their own guideline
“an organisation should not overlook the availability of other information it has or is likely to have access to.”

PDPC, Advisory Guidelines on Key Concepts in the PDPA, 17 May 2022, §5.7

What they did in 3615
“MCST 3615 also did not possess any other information to identify the individual from the footage. As MCST 3615 was not in the possession of the Complainant’s personal data from the CCTV footage, MCST 3615 was not obliged under the Access Obligation to provide access to the Complainant.”

PDPC, MCST 3615 (DP-2405-C2445), Summary of Commission’s Findings, Access Obligation section

Why it contradicts
PDPC’s own combination test (Guidelines §5.7) says personal data includes data that combined with other information the organisation holds can identify an individual. PDPC’s MCST 3615 finding applies that test: it concludes the footage alone doesn’t identify the complainant because the MA also has the complainant’s access-request letter (naming him, the date, the time, the location). But to reach that conclusion, PDPC had to combine the footage with the MA’s identifying information, which under §5.7 makes the footage personal data. The finding requires applying the combination test and then concludes the combination test doesn’t apply. PDPC cannot have it both ways.

Their response and what’s missing
PDPC did not address the fact that the MA received the complainant’s access request (naming him, the date, the time, the location) before refusing on 21 May 2024.
No explanation given for why the MA’s possession of the access-request information was not considered under the §5.7 combination test.

↗ Reference: PDPC, Advisory Guidelines on Key Concepts in the PDPA, 17 May 2022, §5.7; MCST 3615 (DP-2405-C2445), Summary of Commission’s Findings · PDPC website ↗

Further reading: core regulatory failures - flags the MA’s possession of the access-request context as ignored.

Sources cited in this section

All quotations above are from the documents below

PDPC, Advisory Guidelines on Key Concepts in the PDPA, 17 May 2022 — §5.1(b), §5.2, §5.7.
PDPC, Advisory Guidelines for Management Corporations, 17 May 2022 — §3.7 and footnote 27.
PDPC, Summary of Commission’s Findings, MCST 3615 (DP-2405-C2445).
PDPC, Decision, MCST 4599 (DP-2405-C2318) (2025 SGPDPC 3), §23 and §28.
PDPC public enforcement register — enforcement index by obligation (this site, generated from pdpc.gov.sg data).
PDPC public decisions MCST 3593, MCST 4375, MCST 3696 (security-company data-intermediary liability under s.24).
PDPC, No Breach of the Access Obligation by MCST 4436 (River Isles) — verbatim definitions at p. 4 (document = “the broadest definition ... capable of accommodating any form or medium on which information can be recorded in a material form”) and s.4(6) subordination at p. 5.
PDPC, Breach of the Protection and Accountability Obligations by MCST 4375 and Breach of the Protection Obligation by A Best Security Management — data-intermediary reasoning at pp. 4–6 (security company acting as data intermediary assessed under s.24).
PDPC, Breach of the Protection and Accountability Obligations by MCST 3593 and Breach of the Protection Obligation by New-E Security — same data-intermediary framework applied (companion to fn-8).

The transparency irony

You cannot search PDPC’s decisions by breach type

After I raised with MPs and ministers that there appeared to be no Access Obligation breaches in PDPC’s enforcement history, the obvious way to check would be PDPC’s public enforcement-decisions page. It offers no way to do so.

The observation: rather than confronting the substantive concern directly, the absence of a breach-type filter keeps any pattern out of public view. This is presented as my documented observation alongside the verified current filter state — it does not assert what the filter showed previously, only that no obligation-type filtering exists today.

So I rebuilt the filter. Every case in PDPC’s public register, sorted by the obligation breached — showing that across 374 actions over 2015–2026 (at the time of this compilation), the Access Obligation has zero breach findings.

Browse the enforcement register by obligation →

Level 3 · the technical layer · for lawyers & DPOs

Fourteen documented failures

The following are independent analytical failures. The section above shows the precedents and binding guidelines they contradict.

Each failure below is expandable. Every one ties to a PDPA section, states PDPC’s reasoning and why it is wrong, and links to a source document. The failures span both cases.

1Misdefinition of personal datas.2(1)

PDPC’s reasoning “No visible face or licence plate, so it is not personal data.”

Why it’s wrong This contradicts the PDPA’s identifiability-based definition, which is technology- and clarity-neutral. Data can identify a person without a clear face or plate.

PDPC, MCST 3615 (DP-2405-C2445), Summary of Commission’s Findings, §3 — PDPC website ↗

2Timeline manipulationss.21–22A

PDPC’s reasoning The relevant request date is the 29 Apr internal managing-agent-to-MCST date.

Why it’s wrong It disregards the 17 Apr verbal and 25 Apr written requests, conveniently excusing the 30 Apr auto-deletion.

PDPC, MCST 4599 (DP-2405-C2318), Decision (2025 SGPDPC 3), §17–18 — PDPC website ↗

3The s.22A loopholes.22A

PDPC’s reasoning “Deleted before a formal refusal, therefore lawful.”

Why it’s wrong This negates the preservation obligation entirely — an organisation can always delete before formally refusing. The structural consequence: under PDPC’s enforcement framework, an organisation that wants to defeat an access request can route the refusal through a third party (the managing agent says “ask the MCST”) and then let the MCST’s short auto-overwrite cycle run. By the time the request reaches PDPC, the footage is gone. PDPC then applies s.22A and finds “no data to retrieve, therefore no breach” — and the deletion itself is not investigated. Seventeen days (the gap between the access request and the deletion in my case) was enough time for this sequence to complete and for PDPC to adopt the deletion as the operative fact. The loophole creates a structural incentive to delete: the fastest path to a “no breach” finding is to ensure no data exists when PDPC arrives.

PDPC’s own response (when challenged)

You have also pointed out areas where you consider the Advisory Guidelines to differ from what is set out in the Commission’s decisions on these two cases. As set out in the Introduction to the Guidelines, the guidelines do not constitute legal advice, and do not modify or supplement the PDPA, which shall prevail over the guidelines in the event of any inconsistency. The Commission is bound to consider every case on its individual facts and merits, in coming to its decisions. We nevertheless thank you for raising potential difficulties in reading the Advisory Guidelines and will consider your feedback for future revisions.

In relation to your feedback that s 22A of the PDPA as worded does not require Organisations to preserve personal data in the period while an access is under consideration between a request and a refusal, we are aware and presently reviewing this issue, which we will raise to the Ministry for their consideration.

Source: PDPC email to the Complainant, in response to feedback raising the s.22A preservation gap and the Guidelines / Decision inconsistency (PDPC’s own email; reproduced verbatim from a screenshot).

PDPC’s own email, in response to feedback that s.22A “as worded does not require Organisations to preserve personal data in the period while an access is under consideration between a request and a refusal”, states: “we are aware and presently reviewing this issue, which we will raise to the Ministry for their consideration.” PDPC’s email also confirms the PDPA prevails over the Advisory Guidelines in the event of any inconsistency. Two consequences: (1) PDPC itself acknowledged the s.22A preservation gap before the Ministerial question above, in writing, in response to direct feedback; (2) the “narrow silhouette” reading of personal data in MCST 3615 cannot be defended as a Guidelines requirement, because the Guidelines admit they do not override the PDPA. The fact-pattern gap is therefore a statutory one, not an interpretive one.

Minister’s response (in Parliament)

Mr Zhulkarnain Abdul Rahim asked the Minister for Digital Development and Information whether the Personal Data Protection Commission will consider reviewing the relevant legislation and regulations to mandate organisations to store video or CCTV footages for a certain period of time when a request for access of personal data under section 21 of the Personal Data Protection Act has been made.

Mrs Josephine Teo: Under the Personal Data Protection Act (PDPA), organisations are required to implement policies and practices to handle access requests. These typically include having appropriate measures to preserve the requested personal data while the request is being processed. There are also additional safeguards to ensure that lawful and valid requests are fulfilled, including data retention requirements in case there is a review of denied requests, and criminal penalties for intentional concealment or destruction of records to avoid access requests.

Source: Singapore Parliament Written Answer 19596 (Minister Josephine Teo, in reply to Mr Zhulkarnain Abdul Rahim).

The Ministerial assurance, on the parliamentary record, states the opposite of what happened in my case: (1) organisations are required to preserve requested personal data while the request is being processed — my footage was deleted before PDPC processed anything; (2) there are criminal penalties for intentional concealment or destruction of records to avoid access requests — my deletion was treated by PDPC as lawful under s.22A. The PDPA framework the Minister describes would prevent the loophole. PDPC’s own decisions in MCST 3615 and MCST 4599 used it.

PDPA 2012, s.22A — Singapore Statutes Online ↗

4Ignoring statutory retention dutiesss.23–25

PDPC’s reasoning No adverse finding despite footage being deleted during a live request.

Why it’s wrong It incentivises a delay-and-delete strategy and ignores the retention/disposal duties in ss.23–25.

PDPA 2012, ss.23–25 — Singapore Statutes Online ↗

5Unverified, convenient retention timelineAccountability

PDPC’s reasoning The “17-day retention” cycle is accepted as fact.

Why it’s wrong The MCST’s own security guards said footage was kept for many months; the managing agent had previously said the cycle was 20–30 days. The “17-day retention” figure PDPC accepted lies between those two statements and matches neither. The figure was accepted with no independent verification.

PDPC, MCST 4599 (DP-2405-C2318), Decision (2025 SGPDPC 3), §17–18; PDPC public enforcement register (8 s.25 decisions) — PDPC website ↗

6Splitting managing agent from MCSTData intermediaries

PDPC’s reasoning Knight Frank (KFPFM) and the MCST are treated as distinct for responsibility.

Why it’s wrong MCSTs remain fully responsible for their data intermediaries; the split lets responsibility fall through the gap.

PDPC, MCST 4599 (DP-2405-C2318), Decision (2025 SGPDPC 3), §28 — PDPC website ↗

7Misuse of “discovery”s.21

PDPC’s reasoning I was repeatedly pointed to civil/criminal discovery.

Why it’s wrong Discovery is irrelevant to a standard s.21 access request; pointing to it defers the regulator’s own statutory mandate.

PDPA 2012, s.21 — Singapore Statutes Online ↗

8Silent retraction of guidelinesAdvisory Guidelines

PDPC’s reasoning After I cited PDPC’s own published CCTV guidance, PDPC declared it “incorrect.”

Why it’s wrong The retraction came without explanation, and the guidance remains live for everyone else.

PDPC, Advisory Guidelines on Key Concepts in the PDPA, 17 May 2022 — PDPC website ↗ · Correspondence record (the retraction itself)

9Whistleblower correspondence forwarded to subject of complaintNatural justice

What happened The Complainant’s confidential complaints to PSD and MDDI about a named PDPC officer were forwarded in full to that officer. The officer subsequently quoted the Complainant’s own words verbatim in their reply. When the Complainant later filed a whistleblowing complaint with IMDA’s Internal Audit Unit about PDPC’s conduct, that complaint was also forwarded to PDPC — the very body being complained about. IMDA’s Head of Internal Audit stated: “We are not aware of this leak. To help us understand your concerns, could you please share with us the following: Could you specify when you sent the emails to PSD, and when you became aware that they had been with PDPC?”

Why it’s wrong A regulator conducting an investigation cannot simultaneously be the subject of a complaint about that investigation. The Complainant’s complaints were intended to trigger external review; instead they reached the person being reviewed, giving that officer advance knowledge of the Complainant’s position before responding. The fact that the whistleblowing complaint to IMDA’s Internal Audit was also forwarded to PDPC — and that IMDA was “not aware” it had happened — indicates a systemic failure in the confidentiality safeguards of the whistleblowing framework.

Sources: the Complainant, Letter to IMDA CEO (11 Mar 2025): “My emails to PSD was leaked to the PDPC department I am complaining about in full, which includes the officer I am dealing with.” · the Complainant, email to new IMDA CEO Ng Cher Pong (8 Dec 2025): “I also discovered that my whistleblowing complaint to IMDA was forwarded to PDPC, the very party I was complaining about. This is a serious procedural concern, as it undermines the independence and confidentiality expected of an audit function.” · IMDA Head of Internal Audit Yeong Wan Ling, reply (11 Mar 2025): “We are not aware of this leak.”

10IMDA Internal Audit found “no wrongdoing” then correspondence ceasedOversight

What happened PDPC took four months to begin investigating the access request complaint, and only after sustained effort by the Complainant and MP intervention. When the Complainant escalated to IMDA, the same pattern repeated: IMDA was silent for seven months until PSD stepped in, after which IMDA gave only brief replies before going silent again. The Complainant explicitly asked for a formal apology if the concerns were validated. None was given. The final IMDA output was the Internal Audit Unit’s conclusion that PDPC “acted in accordance with its protocols” — after which all correspondence ceased.

Why it’s wrong The IAU reviewed PDPC’s “go to the police” rationale: a rationale never cited by the MCSTs, issued ten days after the footage was already deleted, and never substantiated by any police receipt of footage. No footage was ever given to the police. A formal finding of “no wrongdoing” that does not address these facts is not a finding; it is a closure. Neither body explained the departures from PDPC’s own guidelines, the PDPA, or prior rulings.

Source: the Complainant, Part 4 correspondence: “When I escalated to IMDA, the same pattern repeated. They were initially silent for 7 months until PSD intervened, after which they gave only brief replies before going silent again.” · the Complainant, Part 1 correspondence: “If IMDA cannot provide a direct, substantive explanation or a formal apology at a senior level, I do not see a productive way forward.”

11PDPC demanded proof of data existence before investigatings.21

What happened A PDPC officer told the Complainant that PDPC would not investigate the access request complaint unless the Complainant first proved the CCTV footage existed. The organisation had denied the footage existed.

Why it’s wrong The PDPA grants individuals the right to apply to the Commissioner if an access request is refused. Requiring the complainant to prove the existence of data before the Commissioner will investigate inverts the burden and defeats the right: an organisation that denies data exists can never be investigated.

Source: the Complainant, Fact Sheet (2024): “A PDPC officer informed me that they would not investigate unless I could first prove that the CCTV footage existed.” · PDPA 2012, s.21 — Singapore Statutes Online ↗

12Broad personal-data definition for a casino; narrow for a condominiums.2(1)

What PDPC did In DP 2310 C1622 (Marina Bay Sands, 2024), PDPC defined personal data broadly: a membership number was sufficient to identify an individual, and a significant financial penalty was imposed. In MCST 3615, PDPC defined personal data so narrowly that CCTV footage of a motorcycle accident (silhouette, timestamp, location on a named road) was “not personal data.”

Why it’s wrong The PDPA’s definition of personal data does not vary by organisation type. A membership number and CCTV footage of a named individual’s accident are both data about an identifiable person. PDPC has offered no explanation for the difference in treatment.

Source: the Complainant, Final Email to Parliament (2025): “A membership number receives stronger protection than CCTV footage of a citizen’s accident.” · Comparator: PDPC, DP 2310 C1622 (Marina Bay Sands, 2024) — PDPC website ↗

13The escalation loop: every oversight body deferred to the accusedAccountability

What happened The Complainant escalated through every available oversight channel. PDPC closed the complaint and ceased communication. IMDA’s Quality Service Manager was silent for seven months, replying only after PSD intervention. IMDA’s Internal Audit Unit found “no wrongful practices” and declared its findings “final and conclusive.” PSD closed the case and referred it back to PDPC/IMDA. The Public Service Commission stated “IMDA has looked into the matter and given you a full reply” and refused further engagement. The President’s Office forwarded the complaint to “the relevant agencies” (PDPC/IMDA themselves). The Prime Minister’s Office gave no substantive response. The Complainant’s MP, after appointment as Minister of State, could no longer ask parliamentary questions.

Why it’s wrong Every body either deferred to another or referred the complaint back to the agency being complained about. No external body with an independent mandate to review PDPC’s conduct was ever engaged. The result is a closed-loop accountability system in which the regulator reviews itself, its parent body clears it, and every oversight channel eventually points back to the same two agencies.

Sources: IMDA IAU outcome letter (20 Aug 2025): “PDPC and its officers did not commit any wrongful practices … IAU’s findings above are final and conclusive.” · PSC Secretariat reply (3 Oct 2025): “IMDA has looked into the matter and given you a full reply. We will not be giving a further response on this matter unless there are new information raised.” · President’s Office reply (31 Jul 2025): “we have brought your matter to the attention of the relevant agencies.” · PSD case closure (16 Jun 2025): “PSD will not be providing further replies on the matter.”

14IMDA CEO simultaneously served as PDPC CommissionerConflict of interest

What happened IMDA’s Chief Executive, Lew Chuen Hong, simultaneously served as the Commissioner of PDPC. When the Complainant filed a whistleblowing complaint about PDPC’s conduct with IMDA’s Internal Audit Unit, the complaint was forwarded to PDPC — the very body being complained about. IMDA’s IAU then cleared PDPC of any wrongdoing. IMDA acknowledged that it was “not aware” the complaint had been forwarded to PDPC and asked the Complainant to provide specifics, but did not explain how the forwarding occurred or what safeguards existed.

Why it’s wrong The CEO of the oversight body was also the head of the body being investigated. The IAU that cleared PDPC sits within IMDA, the same organisation whose CEO leads PDPC. There is no structural independence between the investigator and the investigated. When the whistleblowing complaint itself was forwarded to the subject of the complaint, the confidentiality that a whistleblowing framework depends on was breached. The Complainant subsequently discovered this and raised it; IMDA did not dispute that the forwarding occurred.

Sources: The Complainant, email to new IMDA CEO Ng Cher Pong (8 Dec 2025): “I also discovered that my whistleblowing complaint to IMDA was forwarded to PDPC, the very party I was complaining about.” · IMDA Head of Internal Audit, reply (11 Mar 2025): “We are not aware of this leak. To help us understand your concerns, could you please share with us the following: Could you specify when you sent the emails to PSD, and when you became aware that they had been with PDPC?” · IMDA organisational structure (2024–2025) listed the same individual as CEO of IMDA and Commissioner of PDPC.

Administrative & oversight failures

Nineteen months, every channel exhausted

The grievance was escalated through every executive oversight channel available. None resolved it.

13 Apr 2024
Road accident outside the condominium.
17 Apr 2024
Verbal request for the CCTV footage.
25 Apr 2024
Written access request.
30 Apr 2024
Footage overwritten.
4 May 2024
Complaint lodged with PDPC.
May–Aug 2024
PDPC adopts the managing agents’ explanations and ceases communication.
Aug 2024
Investigation finally opened — after the footage was already deleted.
Sep–Oct 2024
Escalation to IMDA / Quality Service Manager; no reply.
Nov 2024
Public Service Division (PSD) intervenes.
19 May 2025
Two decisions issued (MCST 3615 and MCST 4599).
27 Jun 2025
PDPC ceases communication.
2025
Escalation to PSD (not empowered to act) and the Public Service Commission (PSC) — IMDA told them the matter was “addressed,” which was incorrect.
2025
Two MP appeals — both ignored.
26 Nov 2025
Letter to Parliament.
2025
PDPC declines to publish the two decisions online, indicating it could take up to a year to post them.
After escalation
Decisions posted online only after escalation to the Prime Minister’s Office, government ministers, and the President’s Office.
After publication
PDPC declares the matter closed — “all questions answered,” reports “self-explanatory” — without engaging the substantive issues raised.

Fact sheet — chronology & oversight concerns

Don’t take my word for it

Verify it yourself

A six-minute overview, and the full underlying research notebook — both public.

6-minute overview

Open on YouTube

The research notebook

A public NotebookLM notebook holds the source documents and analysis. Ask it questions directly against the record.

Open the NotebookLM notebook

Opens in a new tab — NotebookLM is interactive and cannot be embedded inline.

Level 4 · evidence appendix

Source documents

Every factual claim links to a source. Official documents open on the relevant government site (AGC or PDPC); the author’s own documents have been recreated here as anonymized web pages — no personal files are hosted.

PDPC decisions & analysis

Complaint & white papers

To Parliament & oversight

Correspondence

Statutory references

Legal notice

Disclaimer

Opinion and experience. This site represents the author’s documented personal experience and honestly held opinions on matters of public interest, specifically the enforcement of the Personal Data Protection Act 2012 (PDPA) by the Personal Data Protection Commission (PDPC) and related agencies.

Source discipline. Every factual claim on this site is grounded in a primary-source document (PDPC decisions, PDPA statute, parliamentary records, official correspondence) or a verifiable public URL. Sources are linked throughout. Claims drawn from the author’s own correspondence are identified as such.

No intent to defame. The author does not intend to defame any individual, organisation, or public body. The site documents institutional conduct and systemic patterns, not personal attacks. Where individuals are named, they are named in their official capacities and the statements attributed to them are sourced to the public record or to correspondence in the author’s possession.

Anonymisation. The author is referred to throughout as “the Complainant” or “the Complainant’s” to separate the individual from the institutional grievance.

Corrections. The author invites correction of any factual error. If you believe any statement on this site is factually inaccurate, please write to the contact address in the site footer with the specific claim, the correction, and the supporting source. Verified errors will be corrected promptly and noted as such.

Public interest. This site is published in the public interest. The PDPA creates statutory rights for every individual in Singapore. Whether those rights are enforceable in practice is a question of public concern. The site invites independent scrutiny of the documented record by Members of Parliament, the legal community, the press, and the public.

Scope. This site addresses the PDPC / PDPA grievance only. The civil claim (GCW.PI.6806.2024) and criminal matter (GCW.CRIM.6805.2024) arising from the road accident on 13 April 2024 are out of scope except where they intersect with the PDPA access request.

Last updated: 21 June 2026.