← Back to the grievance

Recreated source · email

Email to the IMDA CEO — review of PDPC's handling

Faithful, verbatim recreation of the original email; the sender's name, email addresses and phone number have been removed.

From:

The complainant

Date:

15 October 2024

To:

IMDA CEO; the Commissioner; IMDA whistleblowing; Quality Service Manager

Subject:

Re: Request for Review of PDPC's Handling of PDPA Access Rights Complaint

Dear Mr. Lew, QSM, and Audit Officers, I hope this message finds you well. I am writing to follow up on my previous email, as I have yet to receive a response. I addressed this email to three different branches of IMDA because I am uncertain which department is best suited to handle my feedback. My concerns may involve operational, policy-related, or individual issues, as outlined below: Operational Issue: The delays and lack of timely investigation by the PDPC only occurred after considerable effort on my part. Despite the emotional distress caused by the situation, the PDPC’s response was slow. Without the support of ground security staff who provided key evidence, the managing agents and DPO would likely have avoided scrutiny. Based on the email replies from the PDPC, there has been minimal inclination to properly investigate my access complaints. Quality/ Policy Issue: There appears to be a lack of motivation within the PDPC to investigate access request issues, particularly in cases like mine. This suggests that there may be a broader policy concern regarding how the PDPC prioritizes and enforces access obligations under the PDPA. Individual Issue: It is possible that the officer handling my case did not adhere to the required standard operating procedures (SOP), leading to improper management of my requests. This may be an isolated case, but it raises concerns about the adherence to proper procedures in handling individual complaints. To summarize my initial feedback: Access to CCTV Footage: My requests for access to my personal data (CCTV footage) were denied by the managing agents without valid reasons under the PDPA. Lack of Investigation by PDPC: Rather than investigating the actions of the managing agents, the PDPC provided justifications on their behalf without supporting evidence. My queries were also ignored. Delayed Response from PDPC: The PDPC only reached out to the managing agents several months after my requests, by which time the footage had already been deleted. Without the crucial evidence provided by ground security staff, this issue would have been disregarded. As a member of the public, I do not presume to expect a response directly from the executive branch. However, I would appreciate from IMDA on clarification on whether my concerns are being addressed, and if my feedback should be redirected to another ministry or statutory board. Thank you for your attention, and I look forward to any guidance or advice on how this matter will proceed. Kind regards, the complainant [phone removed] On 8 Sep 2024, at 7:32 PM, [email removed] wrote: Dear Mr. Lew Chuen Hong, I hope this message finds you well. I am writing to share my experience regarding the handling of my Personal Data Protection Act (PDPA) access rights complaint by the Personal Data Protection Commission (PDPC) and to seek clarity on whether this experience reflects broader operational practices. For your reference, the log case numbers are as follows: • [Log No: DP-2405-C2445] Property Facility Services Pte. Ltd. • [Log No: DP-2405-C2318] Knight Frank Property & Facilities Management Pte Ltd Before I continue, let me state upfront that, despite my timely request for help from the PDPC, the PDPC only reached out to the managing agents about three months later, after they had already deleted my personal data. Only one of my complaints is currently being investigated. I hope this makes it clear that the current process may not be adequate to uphold the rights that the PDPA is intended to provide. After requesting access to my personal data from two managing agents, one managing agent claimed that no footage existed (despite security guards informing me otherwise) after citing privacy concerns, while the other stated that only enforcement agencies could access the footage. Despite this, no valid reasons under the PDPA were provided to justify denying my requests. As a former civil servant, I have always trusted the government and statutory boards to handle matters fairly and in accordance with the law. Naturally, I sought the help of the PDPC. To my great surprise, however, the PDPC introduced various exceptions and justifications on behalf of the managing agents, without any apparent basis or evidence. Throughout this process, my complaint was misconstrued, and communication from the PDPC was stopped after their second email reply, despite my pleas and the evidence I provided. Even intervention from my Member of Parliament—on two occasions—did not yield any resolution. We also need to be mindful that the PDPA itself was used by the managing agents to reject my request (citing privacy concerns), and many individuals, like myself, may not be familiar with the intricacies of the PDPA, making it all the more difficult to navigate these issues. Additionally, it took more than three months before the PDPC even reached out to the managing agents to understand what had happened. Unfortunately, by that time, the footage had already been deleted before any action was taken, despite the managing agents not adhering to the access obligation guidelines published by the PDPC. To be clear, the data I am requesting access to is my personal data, as I am the individual captured in the CCTV footage. I fully understand the challenges involved in accessing such data and have been very willing to cooperate with any reasonable accommodations that might be necessary to address those challenges. My intention has always been to resolve this in a cooperative and transparent manner, but the handling of my request has left me with serious concerns. My experience raises concerns about the overall handling of this process and whether my case reflects broader operational practices or potential policy issues at the PDPC. Specifically, I have several points of concern: • Denied Access Requests Without PDPA-Cited Reasons or Alternatives • My access requests for CCTV footage were rejected without any reasons cited under the PDPA. No alternative channels for accessing the data were suggested by the managing agents. This lack of transparency made it particularly challenging to understand why my request was denied or how I could otherwise proceed. To my great surprise, this was not considered a breach by the PDPC. • Delayed Action Leading to Data Deletion • Despite my timely requests, the footage at both Suites@Cairnhill and The Scotts Tower (TST) was deleted before any investigation by the PDPC. At TST, while the deletion of the data by Knight Frank is now being investigated by the PDPC’s investigation branch, I believe this could have been avoided entirely if the PDPC had reached out earlier. For Suites@Cairnhill, the PDPC accepted the claim that footage is deleted every 30 days without further investigation, despite my communications with the manager of the condo from the start, where neither she nor the DPO mentioned this. • Lack of Investigation into Rejection Reasons • The managing agents did not initially provide clear reasons for rejecting my access requests under the PDPA. Instead, the PDPC itself introduced potential exceptions under the Fifth Schedule and other PDPA clauses over several months, without any input from the managing agents or the parties I was complaining about. These possible reasons, raised by the PDPC on their own, were taken as fact, and communication was cut off immediately after, without any further investigation into their validity. This raises concerns about whether a thorough investigation into the facts of my case was conducted before citing these exceptions. • Failure to Uphold the Spirit and Purpose of the PDPA • The PDPA is intended to safeguard personal data and provide individuals with the right to access their data. In my case, however, I feel that the PDPC’s handling failed to uphold these core principles. By not thoroughly investigating my complaints and by introducing justifications without proper evidence, the PDPC did not adequately protect my right to access my personal data, which contradicts the spirit and purpose of the PDPA. • Apparent Lack of Impartiality • The PDPC appeared to side with the managing agents by introducing potential exceptions that the managing agents themselves did not cite. Instead of objectively investigating whether the managing agents complied with their obligations under the PDPA, the PDPC seemed to be searching for justifications to reject my access requests. This gives the impression of a lack of impartiality in the handling of my complaints, which raises concerns about how similar cases are being managed. • Arduous Process for Assistance from the PDPC • Throughout my efforts to obtain assistance from the PDPC, the process has been particularly arduous and slow. Communication was inconsistent, and no clear guidance was provided to help me navigate the situation. The challenges I faced in receiving timely and effective support made the situation more difficult than it should have been. Communication was unilaterally cut off by the PDPC without any appropriate closure. • Failure to Provide Advice on Escalation or Appeal Options • When I requested to escalate or appeal the PDPC’s decisions, my requests were ignored. Both the hotline and the officer I communicated with failed to provide me with any guidance on how to escalate my case or appeal the decision. It was only much later that I discovered the proper appeal process on my own. This lack of transparency and guidance in navigating the appeals process further hindered my ability to have my case reviewed fairly. • 8. Concerns About Policy or Systemic Issues • It is important to ensure that organizations do not misuse the PDPA to deny their obligations under the Access Obligation, knowing that the PDPC will not enforce these obligations. There are no enforcement decisions on the PDPC website related to access and correction obligations, which may give organizations the impression that they can deny individuals access to their personal data without any reprisal. This raises concerns about whether the PDPC's enforcement policies are sufficient to deter such practices. If you look into the handling of my case, it appears that as long as a managing agent claims no footage was captured, they can evade scrutiny as the PDPC will not investigate further. Given the impact of this case on my ability to understand the aftermath of my accident and the potential implications for others in similar situations, I respectfully request that you review the handling of my case to determine whether the process followed aligns with PDPC’s policies and goals. I am hopeful that this review will help clarify whether improvements in the handling of access requests can be made, particularly regarding the timely preservation of personal data, transparent communication, and adherence to PDPA guidelines. PS: I have since developed a mood disorder and will be going on a silent retreat for my mental wellness from 11 - 22 September. I will reply to your emails for additional information as soon as possible after my return. Thank you for taking the time to consider my feedback. I look forward to your response and remain hopeful that this matter will be addressed constructively. Yours sincerely, the complainant [phone removed]