← Back to the grievance

Recreated source · structured summary

Annex A — brief for parliamentary review

Structured summary with key verbatim questions of a longer brief; personal identifying details removed.

Brief for parliamentary review: PDPA governance and accountability failures

Overview

Addressed to Members of Parliament and relevant Ministers, this brief frames the case (MCST 4599 / 3615) as a systemic failure: the PDPC “improperly outsourced its statutory duty by prioritising a non-statutory ‘referral to police’ advisory,” thereby validating deletion of the complainant’s CCTV footage during a live statutory request; IMDA then endorsed these actions as “in accordance with its protocols.” It poses 13 questions across five themes.

I. Defeat of statutory access rights (s. 21, 22A, 24, 25)

• The s. 22A pre-refusal gap. Because preservation is read as triggered only after a formal refusal, data can be auto-deleted mid-process. Does Parliament agree this loophole defeats the s. 21 right of access — and should the PDPA be amended to mandate preservation upon receipt or once data is located?
• Preservation duties during processing (s. 24 & 25). Why did the PDPC decline to apply the Protection and Retention Obligations to compel preservation once the footage had been located?
• The “no data, no breach” posture. Is it acceptable that destroying data during a live access request becomes a defence against accountability under s. 21?

II. Enforcement credibility and retention methodology

• Faced with conflicting retention cycles (“many months” vs “20–30 days” vs an unverified “17 days”), how does the PDPC justify unilaterally adopting the shortest, unverified period — which minimised the preservation window and let it conclude intervention would have been “futile”?
• Does accepting an unverified minimal timeline effectively exempt organisations from s. 24 / s. 25 whenever deletion occurs mid-process?

III. Systemic regulatory deflection and accountability gaps

• “Referral to police” as a pseudo-exception. Advising a citizen to “go to the police” is a practical courtesy, not a statutory exception under s. 21(3) or the Fifth Schedule. Will Parliament direct the PDPC to stop using it to dismiss access requests — especially as the advice (10 May 2024) post-dated the deletion (30 April 2024)?
• Accountability of managing agents (data intermediaries). Given the MCST remains responsible under s. 4(2)–(3), why was no breach found against the agent that claimed it lacked credentials to preserve the data?
• IMDA oversight & conflict of interest. Why was the escalation ignored for ~seven months until PSD intervened — and, given the CEO of IMDA also heads the PDPC (“circular oversight”), what neutral external channel will be established?
• Compromised confidentiality. Confidential correspondence about PDPC conduct (sent to PSD) was allegedly “leaked in full” to the very PDPC officer under investigation. What will be done?

IV. Regulatory credibility and transparency

• Disavowing guidelines without clarity. The PDPC called parts of its own Advisory Guidelines “inconsistent with PDPA” but refused to say which passages or why. Will Parliament require it to clarify and correct its published guidance?
• Manipulation of the operative access date. The PDPC adopted 29 April, ignoring the verbal (17 April) and written (25 April) requests — minimising the preservation window before the 30 April deletion. Will Parliament confirm organisations cannot rely on their own procedural failures (e.g. withholding DPO contact) to defeat access rights?
• The “graininess loophole.” In MCST 3615, silhouette-only footage was found “not personal data.” Does this risk incentivising organisations to lower video quality to escape PDPA oversight, contrary to the s. 2(1) definition?

V. Governance, oversight, and accountability integrity

• Unilateral cessation of communication. The PDPC terminated correspondence multiple times after introducing new reasons, and allegedly failed to advise on reconsideration/appeal avenues. How is this “in accordance with its protocols”?
• IMDA’s justification of inaction rested on the same flawed “referral to police” reasoning. How can that constitute compliance with proper administrative protocols?
• Structural independence. Given the overlapping IMDA/PDPC leadership, will Parliament consider a neutral review mechanism or independent ombudsman?

Conclusion

A parliamentary review is essential to clarify the intent and scope of sections 21, 22A, 24 and 25; ensure independence in oversight and eliminate conflicts between IMDA and PDPC; and reinforce public confidence that data protection law in Singapore protects citizens not only in theory, but in practice.