← Back to “Seven Contradictions”
Evidence subpage
Source citations — “Seven Contradictions”
The full text of every document cited in the Seven
Contradictions section. Each source has a stable anchor (#src-N) and can
be linked to directly. Where the source is already a public PDPC document, this page
provides only the operative excerpt — the full document lives on pdpc.gov.sg.
1. Personal-data definition
PDPC Advisory Guidelines on Key Concepts in the PDPA, 17 May 2022, §5.2, p. 12
‘The term ‘personal data’ is not intended to be narrowly construed and may cover different types of data about an individual and from which an individual can be identified, regardless of whether such data is true or accurate, or whether the data exists in electronic or other form.’
2. Combination test
PDPC Advisory Guidelines on Key Concepts in the PDPA, 17 May 2022, §5.1(b) and §5.7
‘The PDPA does not apply in relation to certain categories of personal data which are expressly excluded from the application of the PDPA. These are highlighted in the sections later.’
‘In determining whether the dataset is personal data, an organisation should not overlook the availability of other information it has or is likely to have access to.’
3. Law-enforcement exclusivity
Advisory Guidelines for Management Corporations, 17 May 2022, §3.7, p. 10
‘To be clear, MCSTs may not limit the provision of access to personal data only to law enforcement or other relevant authorities, or for the purposes of investigations by such authorities.’
4. Preservation framework
Advisory Guidelines for Management Corporations, 17 May 2022, footnote 27, p. 10
‘If the organisation determines that it is appropriate under section 21 of the PDPA and Part II of the Personal Data Protection Regulations 2021 to not provide some or all of the personal data requested, the organisation should keep the withheld personal data for a reasonable period — minimally 30 calendar days or longer after rejecting the access request — as the individual may wish to seek a review of the decision.’
5. Retention while legal purpose exists
PDPC enforcement register — s.25 cases
See the enforcement index page, filtered to “Retention Limitation.” Eight cases find breach for retention while a legal purpose exists; Ray’s case (MCST 4599) is the only outlier.
6. Accountability breach as root cause
PDPC Decision, MCST 4599 (DP-2405-C2318) (2025 SGPDPC 3), §23
‘If the Organisation had applied its mind to this issue, it would have also identified that the security company did not have the requisite administrator credentials to download CCTV footage, and would have rectified that gap.’
7. KFPFM data-intermediary liability
PDPC public decisions — MCST 3593, MCST 4375, MCST 3696 (security-company s.24 breaches)
Three precedents find that security companies acting as data intermediaries are in breach of the Protection Obligation (s.24) for failing to put in place reasonable security arrangements for CCTV footage. Each case is publicly searchable on PDPC’s enforcement-decisions register.
- MCST 3593 — New-E Security found in breach of s.24
- MCST 4375 — A Best Security found in breach of s.24
- MCST 3696 — security company found in breach of s.24 (decision not independently verified — search pdpc.gov.sg)
8. CCTV as “document” and section 4(6) subordination
PDPC, No Breach of the Access Obligation by MCST 4436 (River Isles)
“It is trite law that the meaning of the word ‘document’ given the broadest definition and is capable of accommodating any form or medium on which information can be recorded in a material form. The courts have held that documents include electronic documents like emails, audio and video files, and even storage media and recording devices like hard disks.”
“In the face of this inconsistency, I am obliged by section 4(6) of the PDPA to decide that section 47 of the BMSMA shall prevail over section 21 of the PDPA in the present case, to the extent that the Organisation can provide inspection of CCTV footages to the subsidiary proprietor without the need to redact personal data of other individuals or to seek their consent for such disclosure.”
9. Security company as data intermediary — s.24 applied vs not applied
PDPC, MCST 4599 (DP-2405-C2318), Decision (2025 SGPDPC 3), §28
“The Access and Accountability Obligations do not apply to data intermediaries. The Commission’s assessment is therefore focused on the Organisation’s compliance with the PDPA.”
Companion precedents — MCST 4375, MCST 3593
In two earlier decisions involving security companies managing CCTV on behalf of MCSTs, PDPC applied s.24 PDPA directly to the security company as a data intermediary. The MCST 4375 / A Best Security Management decision and the MCST 3593 / New-E Security decision both reached the same framework: security companies acting as data intermediaries are assessed under s.24. MCST 4599 (2025) silently departs from this framework.
10. The identification irony — PDPC’s own finding proves the footage is personal data
PDPC, Advisory Guidelines on Key Concepts in the PDPA, 17 May 2022, §5.7
“an organisation should not overlook the availability of other information it has or is likely to have access to.”
PDPC, MCST 3615 (DP-2405-C2445), Summary of Commission’s Findings
“MCST 3615 also did not possess any other information to identify the individual from the footage. As MCST 3615 was not in the possession of the Complainant’s personal data from the CCTV footage, MCST 3615 was not obliged under the Access Obligation to provide access to the Complainant.”