← Back to the grievance

Recreated source · structured summary

White paper — the PDPA CCTV loophole

Structured summary with key verbatim quotes of a 30-page white paper (dated 20 August 2025); personal identifying details removed. Prepared for Ministers, Members of Parliament, senior civil servants, and the legal community.

Disclaimer (as stated in the paper)

This document … does not assert that the author’s interpretation is necessarily correct; rather, it raises substantive legal and policy questions based on a comparison between the Commission’s decision, the Personal Data Protection Act 2012 (PDPA), and PDPC’s own published guidelines. The author had previously raised similar questions directly with the PDPC, but no substantive clarifications were provided despite repeated requests.

Executive map: access rights defeated by auto-deletion

The problem

• A citizen requested CCTV footage before the overwrite cycle expired.
• The Managing Agent confirmed footage existed.
• While the request was live, the footage was auto-deleted (30 Apr).
• The PDPC found no breach of s. 21 — only a minor accountability lapse.

Loophole: access rights can be nullified if organisations simply wait for rolling CCTV systems to erase data. Unlawful reasoning: the PDPC dismissed the complaint by directing the citizen to the police — a ground not in s. 21 or the Fifth Schedule, and not even the redirection advised by the Managing Agent.

What the law says

• s. 21 — right of access, subject only to statutory exceptions.
• Reg. 3, PDPR 2021 — requests must be in writing; but organisations must publish DPO details (s. 11, Reg. 1A) so individuals can comply.
• s. 24 — obligation to protect personal data against unauthorised loss.
• s. 25 — retention only until data is no longer needed.
• s. 22A & Reg. 8 — where access is refused, the organisation must preserve a copy.
• s. 4(2)–(3) — the organisation remains responsible for its data intermediaries.

Together, these create an expectation that data is preserved during live access requests.

Why this matters

• Rights defeated: valid access requests can be lost to routine deletion.
• Timing misapplied: requests on 17 Apr (verbal) and 25 Apr (written) were ignored in favour of 29 Apr, even though the overwrite was on 30 Apr.
• Accountability gap: MCSTs outsource to Managing Agents who claim a lack of credentials.
• Regulatory credibility weakened: the PDPC admitted a “preservation gap” but declined to enforce ss. 21/24/25.
• Police referral misused: on 10 May 2024 the PDPC told the requester to “go to the police” — 10 days after the footage was already deleted; in Aug 2024 the PDPC confirmed the footage was gone, making any referral meaningless. IMDA’s internal audit (20 Aug 2025) then repeated the same referral-to-police reasoning to conclude the PDPC “acted in accordance with its protocols.”

Key questions for Parliament

1. Do ss. 24/25 require preservation once data is located, so s. 21 access can be provided “as soon as reasonably possible”?
2. Should a request to a Managing Agent (data intermediary) be treated as a request to the MCST under s. 4(3)?
3. Why was 29 Apr adopted as the operative date when requests were made on 17 Apr (verbal) and 25 Apr (written)?
4. Why did the PDPC declare its own guidance “inconsistent with PDPA” without correcting it?
5. How can the PDPC justify reliance on “referral to police” when it advised that route only after the footage was gone, and later confirmed deletion?

Requested action

• Confirm if the loophole exists. If s. 22A truly leaves a preservation gap, amend the PDPA.
• Clarify how ss. 21, 24, 25 apply during the window between request and deletion.
• Ensure accountability — MCSTs cannot outsource away their duties under s. 4(2)–(3).
• Provide neutral oversight outside IMDA/PSD where the PDPC’s own conduct is in question.

Final position

Either a statutory loophole — then the PDPA is inadequate; or a regulatory failure — then the PDPC misapplied ss. 21/24/25. Both cannot be true. Parliament must urgently act to close this gap.

What the full paper also contains

The complete white paper develops these points across detailed annexes:

• Annex A — detailed analysis of seven key issues (misapplied access date; s. 22A read too narrowly; data-intermediary duties not enforced; inconsistent MCST-vs-agent timing; no adverse inference from deletion; unverified retention period; guidelines discounted without clarification).
• Annex B — the related case (MCST 3615): the misdefinition of “personal data,” treating silhouette-only footage as outside the PDPA.
• Annex C — references and source materials.
• Annex D — an incorrect BCA listing for MCST 4599.
• Annex E — the full timeline of events and preservation windows.
• Annex F — the relevant statutory provisions and guidance, expanded.