Recreated source · email

Final email to Parliament — statutory and regulatory loophole

Faithful, verbatim recreation of the original email; the sender's name, email addresses and phone number have been removed.


From: The complainant
Date: 18 January 2026
To: Member of Parliament; Info (PDPC)
Cc: the Commissioner; IMDA CEO
Subject: RE: Request for Parliamentary Review of Conflicts Between PDPC Practice and the PDPA

Dear Member of Parliament,

I am writing one final time to present the issue in the simplest possible terms, focusing only on statutory operation and regulatory interpretation. This submission is independent of any personal grievance. Importantly, the regulatory loophole described below was acknowledged by the PDPC itself in its email correspondence to me, and is reflected in the enforcement outcome. This therefore raises a matter of legislative intent and policy clarity.

Issue 1: Access Requested, Data Deleted, No Breach Found

The factual sequence is undisputed:

• 17 April: I requested CCTV footage from the Managing Agent (MA). Access was rejected.
• 25 April: I made a further written access request.
• 30 April: The CCTV footage was automatically deleted under the system’s retention cycle.
• 2 May: A formal refusal letter was issued.

Although access was requested while the data existed and was never provided, the PDPC found no breach of Section 21, on the basis that there was “no data” remaining to assess whether Section 21 had been breached. In its email to me, the PDPC expressly acknowledged that Section 22A did not apply because the data was deleted before a formal refusal was issued.

Issue 2: Section 22A Excluded by Formality and Characterisation of the Request

The PDPC further took the position that Section 22A did not apply because:

1. The deletion occurred before a formal refusal, and
2. The initial rejection on 17 April was characterised as:
   o not a written access request, and
   o made by the Managing Agent rather than the MCST.

This characterisation was adopted notwithstanding the fact that the Managing Agent declined to provide the MCST’s Data Protection Officer contact details or any escalation channel, which prevented the request from being formally escalated in writing at that stage.

The practical outcome is that an access request can be rejected, the data can be deleted before a formal reply, and no preservation obligation arises because the request is treated as either “not written” or directed at the “wrong entity”.

Structural Result Under the Current Framework

Given that:

• Organisations are allowed up to 30 days to respond to an access request,
• CCTV data commonly auto deletes within 14 to 30 days, and
• Section 22A only applies after a formal refusal,

the PDPC has acknowledged that a practical loophole exists under the current statutory framework. This outcome arises directly from how the law is presently interpreted and applied.

Issue 3: Narrow Interpretation of “Personal Data” for CCTV

Separately, the PDPC has taken the position that CCTV footage captured on a public road is not personal data if the condominium cannot identify the individual from the footage alone. Because the condominium does not itself hold the individual’s details, and the PDPC has treated data passed to the condominium as falling outside the “access” definition, this interpretation effectively allows a person who was clearly identifiable in context to be redefined as not identifiable. On the face of the statute, excluding such footage is not supported, which means most people captured by public CCTV will not be considered personal data and will fall outside the PDPA, and they will not have access to it, contrary to the guidelines published by the PDPC.

Questions for Parliamentary Consideration

Even based on the PDPC’s own correspondence and enforcement position, the following questions remain unanswered:

1. Section 21 requires access to be provided as soon as reasonably possible. Where an access request is made while data exists, the data is never provided, and the data is subsequently deleted, why is no breach of Section 21 found merely because the data no longer exists at the point of assessment?

2. Managing Agents act on behalf of MCSTs. Why are the Managing Agent and MCST treated as legally separate for the purpose of rejecting an access request, when the MCST remains responsible for compliance with Section 21 and other PDPA obligations, and the individual has no practical means of bypassing the Managing Agent?

3. Interpretation of “personal data” in CCTV footage. Given that Section 2(1) defines personal data to include information that can identify an individual “from that data or from that data and other information to which the organisation has or is likely to have access,” why does the PDPC interpret CCTV footage on a public road as not constituting personal data when the organisation can readily identify the individual using data given by the individual?

4. Application of Sections 24 and 25 in the context of access requests. How do the obligations under Section 24 (Protection of Personal Data) and Section 25 (Retention Limitation Obligation) apply when an access request is made? Specifically, should these provisions require an organisation to preserve data once an access request is received, or are they considered inapplicable in such circumstances?

5. Rights of Individuals on their Data. Given that Section 3 of the PDPA guarantees the "right of individuals to protect their personal data," how does the Ministry justify a regulatory interpretation of Section 22A that allows organisations to irretrievably delete data after receiving an access request, simply because they have not yet issued a formal refusal letter?

As the regulator has itself acknowledged the effect of this interpretation, I respectfully submit that it is important for lawmakers to understand how the PDPA access obligation currently operates in practice, and how this loophole is intended to be addressed. I will append the relevant statutory provisions as Annexes for ease of reference.

Thank you for your time and consideration.

Yours sincerely,
the complainant

Annex on Definitions

1) PERSONAL DATA

S2(1) “personal data” means data, whether true or not, about an individual who can be identified — (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access;

Note: The PDPC ruled that your CCTV footage was "not personal data" because you could not be identified from the footage alone. This ruling ignores limb (b) of the definition. The organisation had "other information" (your police report, logs, and security guard verification) to which they had access. By ignoring limb (b), the regulator effectively removed low-resolution CCTV from the protection of the Act.

2) Responsibility for Data Intermediaries (Managing Agents) and MCST S4(3)

S4 (2) Parts 3, 4, 5, 6 (except sections 24 and 25), 6A (except sections 26C(3)(a) and 26E) and 6B do not impose any obligation on a data intermediary in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing.

S4(3) An organisation has the same obligation under this Act in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself.

Note: Section 4(2) confirms that the Managing Agent (Data Intermediary) is independently liable for Section 24 (Protection) and Section 25 (Retention). They failed to retain the data despite your request. Section 4(3) confirms the MCST (Organisation) is fully liable for the actions of the Managing Agent. The PDPC cannot excuse the MCST because the Managing Agent was slow to act; the law treats the Managing Agent's processing as the MCST's own processing.

3) The Access Obligation

S21.—(1) Subject to subsections (2), (3) and (4), on request of an individual, an organisation must, as soon as reasonably possible, provide the individual with — (a) personal data about the individual that is in the possession or under the control of the organisation; and (b) information about the ways in which the personal data mentioned in paragraph (a) has been or may have been used or disclosed by the organisation within a year before the date of the request.

Note: The law commands the organisation to act "as soon as reasonably possible." It does not grant a "grace period" to allow data to be auto-deleted. By delaying action until the CCTV system overwrote the footage (30 April), the organisation failed to provide access "as soon as reasonably possible" (dating back to your requests on 17 & 25 April).

4) Preservation of Copies (The "Loophole")

Preservation of copies of personal data S22A.—(1) Where — (a) an individual, on or after 1 February 2021, makes a request under section 21(1)(a) to an organisation to provide personal data about the individual that is in the possession or under the control of the organisation; and (b) the organisation refuses to provide that personal data, the organisation must preserve, for not less than the prescribed period, a copy of the personal data concerned. (2) The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned.

Note: This is the specific section the PDPC used to excuse the data deletion. Because the organisation deleted the data (30 April) before they formally refused you (2 May), the PDPC ruled that the obligation to preserve under Section 22A had not yet triggered. This interpretation creates a perverse incentive: organisations can avoid the preservation duty simply by deleting data before issuing a rejection letter.

5) Protection Obligation

S24. An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent — (a) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (b) the loss of any storage medium or device on which personal data is stored.

Note: Even if Section 22A (Preservation) had not technically triggered, Section 24 requires protection against "unauthorised... disposal." Once you made a request (17 April), the disposal of that specific footage became unauthorised. The PDPC failed to enforce this section.

6) Retention Limitation Obligation

S25. An organisation must cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that — (a) the purpose for which that personal data was collected is no longer being served by retention of the personal data; and (b) retention is no longer necessary for legal or business purposes.

Note: The law mandates deletion unless there is a "legal or business purpose." Your pending access request constituted a clear "legal or business purpose" to retain that specific footage beyond the 30-day cycle. By allowing the data to be overwritten, the organisation breached Section 25(b). The PDPC’s ruling ignored this obligation entirely.

7) Purpose

S3. The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

Note: Section 3 states the Act governs data in a manner that recognizes "the right of individuals to protect their personal data." The PDPC appears to have zero visible enforcement precedents for breaches of the Access Obligation (Section 21). In your case, allowing the organisation to delete data you asked for suggests that the regulator does not view "access" as a form of "protection." The PDPC aggressively enforces Section 24 (Protection) against data leaks and hackers (e.g., the Marina Bay Sands decision). This protects data from outsiders.

From: [email removed] <[email removed]>
Sent: Monday, 8 December 2025 3:14 am
To: 'Info (PDPC)' <[email removed]>
Cc: [email removed]; [email removed]
Subject: RE: Request for Parliamentary Review of Conflicts Between PDPC Practice and the PDPA

Dear Members of Parliament,

I write to provide a concise follow up containing new information that strengthens the concerns raised earlier.

1. Clear and Irreconcilable Double Standard

a. The PDPC’s treatment of DP 2310 C1622 (Marina Bay Sands) versus MCST 3615 reveals two incompatible definitions of “personal data”.

b. MBS Case
   i. Personal data was defined broadly and correctly. Names, emails, phone numbers, countries of residence and membership numbers were all protected, and a significant financial penalty was imposed. Context was considered, as required by Section 2(1)(b).

c. MCST Case
   i. Personal data was defined extremely narrowly. CCTV footage of an accident was deemed “not personal data” simply because the face was unclear, even though timestamps, police reports and GPS logs enabled immediate identification. No penalty was imposed despite deletion of data during a live request.

d. Result: A membership number receives stronger protection than CCTV footage of a citizen’s accident. This contradicts the PDPA, Ministerial assurances, and the PDPC’s own Guidelines.

2. New Enforcement Decisions Highlight the Contrast

a. Several enforcement decisions and undertakings were recently uploaded by PDPC. These cases show:

   i. consistent application of the law,
   ii. detailed written analysis, and
   iii. firm penalties for breaches.

b. This high standard applies to security breaches, but not to access requests, where the law is applied narrowly and inconsistently. The difference is so stark that it raises systemic concerns, not isolated error.

3. Governance Gaps Likely Due to Leadership Transitions

a. New findings show why earlier escalations may have been ignored:

   i. The IMDA Chief Executive changed in November 2025,
   ii. The Director of Internal Audit left after issuing an August letter stating without explanation that “all was according to protocol”,
   iii. The Assistant Commissioner (Data Innovation and Protection Group) disappeared from IMDA’s website around September or October.

b. If key officers were exiting, this may explain the silence, contradictory responses and lack of resolution. It also casts doubt on the continuity and reliability of internal audit conclusions issued immediately before their departure.

4. Independent Verification Tools for Parliament

a. Video Overview:
   i. https://youtu.be/ldJW-LeMsao
   AI Document Chatbot:
   ii. https://notebooklm.google.com/notebook/4e84e17b-8886-4f94-9414-a59de26bcc7f

b. These contain the full documents, rulings, guidelines and correspondence for direct review.

5. Why Parliament’s Review Is Necessary

a. The matter now concerns:
   i. conflicting legal standards for personal data,
   ii. double standards in enforcement,
   iii. a deletion loophole that defeats Section 21, and
   iv. possible governance failures during leadership transitions.

Only Parliament can determine whether the PDPA is being applied as intended and whether reforms are required to protect all residents.

Thank you for your consideration.

Respectfully,
the complainant
[phone removed]

From: the complainant <[email removed]>
Sent: Sunday, 23 November 2025 5:57 pm
To: 'Info (PDPC)' <[email removed]>
Cc: [email removed]
Subject: Request for Parliamentary Review of Conflicts Between PDPC Practice and the PDPA

Dear Members of Parliament,

This message will be brief. After nineteen months of escalation, the core issue is no longer my personal case. The real concern now is the conflict between:

• the text of the PDPA,
• Ministerial assurances made to Parliament,
• the PDPC’s own Advisory Guidelines, and
• how the PDPC applies the law in practice.

These inconsistencies may affect all citizens who rely on Section 21 of the PDPA.

1. PDPC vs the PDPA, Minister and Their own guidelines

Based on recent rulings and correspondence, the PDPC’s interpretations appear to diverge from:

• the actual text of the PDPA,
• Ministerial explanations provided to Parliament,
• and the PDPC’s own guidelines, which state they reflect the PDPA.

Despite raising these concerns repeatedly over nineteen months, PDPC eventually stated that its own Advisory Guidelines were inconsistent with the PDPA but did not explain where or why, and then went silent. This left me unable to understand how PDPC interprets the Act, even though I was referencing the PDPA directly and only using the Guidelines to illustrate the contradictions. Even appeals filed by my MP received no substantive reply.

2. Video Overview

A complete summary is available in this video: https://youtu.be/ldJW-LeMsao

3. PDPC Five-Part Analysis PDF

This PDF summarises all issues at a glance. Even if we set aside all procedural and service standard concerns, simply comparing the rulings against the PDPA, PDPC’s own Advisory Guidelines, and the Minister’s statements already raises many serious questions about how the law was interpreted and applied.

Attached: PDPC_Analysis.pdf

4. NotebookLM Chatbot for Independent Verification

To minimise any risk of personal bias, I have created a chatbot containing:

• the PDPA,
• the PDPC’s Advisory Guidelines,
• all correspondence with the PDPC and IMDA,
• and all documentation I have compiled.

Members may use it to verify any point directly. https://notebooklm.google.com/notebook/4e84e17b-8886-4f94-9414-a59de26bcc7f

5. Past Submissions Attempts to Seek Clarity That Received No Reply

I made multiple attempts to seek clarity from PDPC by submitting detailed documents, timelines, and questions. These materials were sent specifically to request an explanation of how PDPC was interpreting the PDPA. However, none of these submissions received a substantive reply. Without any clarification, I was unable to understand how PDPC justified its position under the Act. These materials were previously sent to the PDPC:

Attachments:

• White Paper - PDPA CCTV Loophole (20 Aug 2025).pdf
• No_Data_No_Breach_of_S21.png
• Minister_Teo_Assurance_of_Adequacy_of_PDPA.png
• PDPC_Claim_Own_Guideline_Wrong_And_Loophole_In_PDPA.png

6. Rulings Attached

For completeness, I also attach the two PDPC rulings that form part of the concerns, together with the forensic timeline that documents the sequence of events and key contradictions:

Attachments:

• Summary_of_Commission_Findings_MCST_3615_DP2405C2445.pdf
• Decision_MCST_4599_DP2405C2318.pdf
• Forensic Timeline_ Regulatory Accountability Failure.pdf

7. Why Parliament Needs to Review This

This matter concerns statutory interpretation, regulatory norms, and the accuracy of assurances provided to Parliament. These issues cannot be reviewed internally by PDPC or IMDA because they relate directly to their own decisions and interpretations. Only Parliament has the authority to determine whether the PDPA is being applied according to legislative intent.

I escalated through the entire chain of command, but each oversight step failed to resolve the core contradictions.

• PSC relied on IMDA’s statement that matters had been addressed, even though email records show no such reply existed.
• PSD assisted by prompting IMDA to respond after seven months of silence, and I thank PSD sincerely for this, although PDPC’s rulings fall outside their purview.
• IMDA maintained that everything was “according to protocol” and used referral to the police as a blanket justification for all lapses, including the silence, cessation of communication, and unresolved contradictions.

In reality, I never received my data at all because it had already been deleted, and PDPC declined to investigate early on. This created a circular oversight loop where each authority deferred to another, leaving no pathway for accountability. For these reasons, only Parliament can review the matter impartially and determine whether the PDPA is being interpreted and applied as Parliament intended.

Personal Note

I thank my MP sincerely for his sustained help and support since May 2024. His efforts have been invaluable. However, I recognise that this issue may extend beyond the capacity of any individual to resolve.

While I have suffered greatly throughout this process, I understand that Parliament is not a forum for personal grievance. I raise this matter because the inconsistencies appear systemic and may affect many others. I respectfully hope that Ministers will consider an independent review, outside of IMDA, to ensure a fair and objective process.

Thank you for your time and attention.

Respectfully submitted,
the complainant
[phone removed]

Disclaimer

I want to state clearly that I do not insist that I am correct, and I fully accept that I can be truly wrong. If I am mistaken, I welcome being shown where and how. However, after nineteen months, I was never educated on how PDPC interprets the PDPA.

For context, I was the victim of a car accident and I have been formally cleared of any careless or reckless driving. The other driver remains under investigation, and the police did not require the CCTV video to reach that assessment. My intention from the beginning was simply to understand what happened to me and to obtain my own personal data.

Throughout this period, PDPC and IMDA did not explain their statutory reasoning, did not address the materials I submitted, and did not respond meaningfully to the appeals filed by my MP. Because no explanation was ever provided, I had no choice but to study the PDPA, the Ministerial assurances, the Advisory Guidelines, and the PDPC rulings myself in order to understand how the law was being applied. Any conclusion I reached arose only from necessity, not certainty.

To be fair, PDPC did give reasons at certain points, but when I challenged those reasons using the PDPA, the Minister’s statements, and PDPC’s own Guidelines, PDPC introduced new reasonings without explaining the earlier ones or the new ones. Once these contradictions were pointed out, PDPC eventually went silent. This left me unable to understand how PDPC interprets the Act or why its conclusions changed.

If my understanding is incorrect, it would have been simple for PDPC or IMDA to clarify it at any point. Instead, the prolonged silence, combined with rulings that appear inconsistent with the PDPA and with Ministerial statements, left me without any authoritative guidance.

For the record, I did not complain about the police. My access request was rejected using the PDPA. I am not sure why PDPC attempted to outsource responsibility to the police when their own investigation documents state that the data was deleted and that the organisation’s reasons were privacy, no data, and only law enforcement can access. All data was deleted.

If I am accusing PDPC or IMDA wrongly, I sincerely apologise. I am coming from a position where my questions were declined, my submissions received no explanation, and even my MP’s appeals did not receive substantive replies. I am therefore unable to understand how the law was interpreted in my case.

For these reasons, I am respectfully asking Parliament to review the matter directly and determine whether the PDPA is being interpreted and applied in the manner Parliament intended. My only goal is to understand how the law is supposed to work and to ensure that future citizens do not face the same uncertainty.