Recreated source · structured summary
White paper — accountability breach, MCST 4599
Structured summary with key verbatim quotes of a longer white paper; personal identifying details removed. (“The requester” is the complainant.)
Live access request, pre-refusal deletion — yet no breach
The core flaw
An access request was made before the footage was due to be overwritten, yet the data was deleted while the request was live. The PDPC found no breach for the deletion, recording only a minor process lapse. This exposes a dangerous gap: access rights under section 21 can be nullified simply by letting rolling systems like CCTV erase data during consideration.
Context for readers new to the PDPA
An individual may request access to their personal data unless a statutory exception applies. CCTV footage capturing an identifiable individual is personal data, so it can be requested under s. 21. The Advisory Guidelines’ own worked examples make clear that where a person seeks footage (e.g. to make a police report), the organisation is expected to (i) inform them of the appropriate avenue and (ii) retain the data while the request is active — “The advisory option is about directing the requester to a suitable channel, not about deleting the data and thereby extinguishing the right of access.”
Core issue — PDPA vs PDPC, both cannot be right
If PDPC’s interpretation is correct, then the PDPA itself is inadequate, because the law permits organisations to lawfully defeat access rights by deleting data while requests are still live. … If the PDPA is adequate, then PDPC failed in enforcement by declining to apply sections 21, 24, and 25 as practical preservation duties during consideration. … Either way, both cannot be right at once.
The contradiction arises because, on the PDPC’s reading, s. 22A (preservation) is triggered only after a refusal — leaving a pre-refusal gap — while ss. 24 and 25, read with s. 21, are treated as irrelevant even after the data was located.
Timeline (combining the report and the requester’s account)
- 16 Apr 2024 — Security confirmed the requester’s identity on CCTV.
- 17 Apr 2024 — On-site access request; agent refused citing “privacy”; no escalation path when the DPO contact was requested.
- 25 Apr 2024 — Written request to the agent’s DPO email; the agent located the footage but said it lacked credentials to export.
- 29 Apr 2024 — Agent escalated to the MCST; PDPC later adopted 29 Apr as the “access date.”
- 30 Apr 2024 — CCTV footage auto-overwritten.
- 2 May 2024 — Agent/MCST refused access and stated footage was “not captured” — materially false, given the 25 Apr record that it had been located.
- 25 Jun 2024 — New agent stated the retention cycle was “20–30 days” and confirmed deletion.
- 2 Aug 2024 — PDPC confirmed investigation (≥30 days after deletion was confirmed).
- 19 May 2025 — Decision: no breach of access/protection/retention; only an accountability lapse (no DPO / inadequate processes).
- 25 Jun 2025 — After escalation to PSD, PDPC acknowledged a preservation gap under s. 22A’s current wording; restated “discovery” as the proper channel; described its guidelines as “inconsistent with PDPA” without identifying which passages.
- 26 Jun 2025 — PDPC said the decision would be published “within a year” (no timeline), declined to say whether reports were confidential before publication, and ceased correspondence.
- 7 Aug 2025 — Decision published following escalations to national leadership.
Elapsed windows: 17→30 Apr = 13 days; 25→30 Apr = 5 days. Even at the PDPC’s “17 days,” a 13-day preservation window existed in which reasonable steps could have prevented loss while the s. 21 request was processed.
Requested action
- Loophole confirmation — confirm whether the loophole exists. If it does, the PDPA must be amended; if the Act is already adequate, explain why PDPC cited a loophole.
- Explain the dates — why 29 Apr was used over 17/25 Apr, whether retention claims were verified, and why s. 22A did not apply on 17 Apr 2024.
- Accountability in data-intermediary arrangements — how the MCST discharged responsibility where the agent lacked credentials, and why no access/protection/retention breach was found despite mid-process deletion.
- Accuracy of guidelines — state which parts PDPC considers “wrong” and update them (they remain publicly available).
Final position
This case shows either a statutory loophole or a regulatory failure. Both cannot be true at once. If PDPC’s reading is correct, the PDPA is inadequate and urgently requires amendment. If the PDPA is adequate, then PDPC’s enforcement has failed. In either case, the current outcome creates a perception of unfairness and undermines public trust in data protection enforcement.