Recreated source · structured summary

Notice of appeal

Structured summary of the original notice of appeal; the appellant's name has been removed, and private third-party staff are referred to by role rather than by name.

Notice of appeal under Regulation 3 of the Personal Data Protection (Appeal) Regulations 2021

To:: Chairman of the Data Protection Appeal Panel
Appellant:: The complainant
Respondents:: Knight Frank Property & Facilities Management Pte Ltd; Ohmyhome Property Management; Property Facility Services Pte. Ltd.
Decision appealed:: Rejection of access request and decision not to investigate the managing agents

Introduction and context

The appeal is brought because the managing agents of The Scotts Tower and Suites@Cairnhill did not adhere to the PDPA in handling the access request. Knight Frank cited “privacy” to reject the request, then declared no footage existed and stopped communicating; the data was erased when management was handed over to Ohmyhome, without protecting it. Property Facility Services (managing Suites@Cairnhill) rejected the request outright without citing any specific provision. None of the PDPA’s exceptions to access apply.

Grounds of appeal

The right to access personal data under the PDPA.
The importance of the CCTV footage for understanding the incident.
The PDPC’s failure to investigate Knight Frank’s handling of the data and Property Facility Services’ non-compliance.
The deletion of the data within 30 days of the rejection — highlighting the PDPA’s failure to protect access rights.
That the appellant seeks access within the PDPA and advisory guidelines (supervised viewing, with masking of others if needed) — not to “obtain the video.”

Key arguments

Right of access. Denial infringes a statutory right; the PDPA should offer a straightforward access mechanism without resorting to alternative legal methods.
Importance of the footage. It is crucial to understanding events on 13 April 2024 at ~5:04 AM; due to a concussion, the appellant has no memory of the incident and remained at the scene until 6:07 AM before brain bleeding was later discovered.
Failure to preserve data. Knight Frank failed to preserve the requested data during the transition to Ohmyhome. After rejecting an access request, organisations should preserve the data for at least 30 days (and longer if a review/appeal is pending); deletion within that period is a failure to protect access rights.
Non-compliance by Property Facility Services. Its DPO incorrectly said access could only be granted to enforcement agencies — contrary to PDPA guidelines — and this was not adequately addressed by the PDPC.
Inadequate PDPC response. The PDPC officer ceased communication and repeatedly cited exceptions that do not apply; the PDPC failed to mediate before it was too late, appearing to assist the managing agents rather than address the access request.

Timeline of events

13 Apr 2024 — Two security guards confirmed the footage existed and suggested obtaining a police report to request viewing.
17 Apr 2024 — Attempt to view the footage with a police report was rejected by a Knight Frank staff member citing “PDPA privacy,” who refused to confirm the footage existed and gave no route to escalate to the DPO.
25 Apr 2024 — Formal email request to Knight Frank.
2 May 2024 — Denied by a Knight Frank officer citing “privacy.”
3 May 2024 — Told there was no footage after supervised viewing was proposed; a First Schedule waiver was cited.
~6–7 May 2024 — Another executive contacted the Investigating Officer without permission, then repeated the “no footage” claim; explicit request to preserve the data was made (6 May).
20 May 2024 — A lawyer’s formal preservation request was sent after the PDPC rejected the request on grounds Knight Frank had not cited; the PDPC officer then unilaterally ceased communication.
Change of managing agent — Knight Frank did not pass the request to Ohmyhome, which later claimed data is erased every 20–30 days — contrary to security guards’ statements that footage was kept for several months.

Clarification of intent

The request was for personal understanding of the incident (akin to the PDPA guideline example of a person seeking to understand losing a wallet), seeking supervised viewing — not to obtain the footage — and open to masking others’ identities. The incident occurred on a public road, engaging the First Schedule.

Conclusion

The deletion of the data within 30 days of the rejection highlights the PDPA’s failure to protect access rights. Despite efforts to work with the PDPC and willingness to comply with reasonable privacy measures, the access request was denied without valid justification. The appeal committee is asked to consider the case thoroughly to ensure justice is served.