MCST PDPA Assessment Form

Assessor Information

Please provide your details as the individual completing this assessment. This information is essential for us to understand the context of your responses and to facilitate any necessary follow-up communications.

🔒 Your information is kept strictly confidential and used only for assessment purposes.

First Name

Last Name

What is your role in relation to this MCST?

MCST Council Member (Chairman / Vice Chairman / Secretary)

Managing Agent (Property Executive / Manager)

MCST Staff (Admin / Operations / IT)

External Consultant

Others (please specify)

Other roles

A. GOVERNANCE & ACCOUNTABILITY

Governance & Accountability focuses on how the MCST establishes oversight, responsibility, and control over personal data within estate operations. This includes the appointment of a Data Protection Officer (DPO), implementation of policies and procedures, and ensuring that Managing Agents and service providers operate under clear data protection guidelines. A strong governance framework enables the MCST council to maintain visibility over how personal data is handled, demonstrate compliance with the PDPA, and ensure accountability across all stakeholders involved in estate management.

Q1. Has the MCST appointed a Data Protection Officer (DPO) responsible for overseeing PDPA compliance?

Yes

Q1a. Is the DPO trained and equipped to manage data protection responsibilities in estate operations?

Yes

Q1b. Is the DPO’s contact information publicly available to Subsidiary Proprietors, residents, and stakeholders?

Yes

Q2. Does the MCST have documented policies governing the collection, use, and disclosure of personal data (e.g. SP records, visitor logs, CCTV)?

Q3. Are PDPA policies reviewed periodically and endorsed by the MCST council or management?

Q4. Are Managing Agents and estate staff provided with PDPA awareness training relevant to estate operations?

Q5. Does the MCST have a defined process to handle data protection queries or complaints from residents, Subsidiary Proprietors, or visitors?

Q6. Does the MCST conduct risk or impact assessments (e.g. DPIA) when introducing new systems such as CCTV, visitor systems, or access control?

Q7. Are data collection purposes (e.g. visitor registration, access control) periodically reviewed to ensure they remain necessary and appropriate?

B. OPERATIONAL DATA HANDLING

Operational Data Handling examines how personal data is collected, used, and managed in the course of daily estate operations. This includes activities such as visitor registration, CCTV monitoring, access control systems, and handling of Subsidiary Proprietor records. The focus is on ensuring that personal data is handled appropriately at the point of collection and use, with proper consent, notification, and controls in place. Effective operational practices reduce the risk of improper disclosure and ensure that estate processes align with PDPA requirements.

Q8. Are data collection practices at operational points (e.g. guardhouse, visitor logs, access systems) aligned with defined data minimisation principles?

Q9. Does the MCST ensure personal data is used and disclosed only for purposes communicated to residents and stakeholders?

Q10. Are proper consent or notification mechanisms in place for CCTV recording, visitor logging, and access control systems?

Q11. Does the MCST have processes to manage consent withdrawal or objections from residents?

Q12. Are there controls to verify authority when individuals act on behalf of Subsidiary Proprietors (e.g. tenants, agents)?

Q13. Are PDPA exceptions (e.g. disclosure of CCTV footage, incident-related data, or requests from authorities) applied consistently and properly documented during estate operations?

Q14. Are clear privacy notices provided at data collection points (e.g. guardhouse, forms, digital systems)?

Q15. Does the MCST ensure personal data (e.g. SP records) is accurate and up to date?

Q16. Are procedures in place when sharing personal data with Managing Agents, vendors, or contractors?

C. DATA SECURITY & RISK MANAGEMENT

Data Security & Risk Management evaluates the safeguards in place to protect personal data from unauthorized access, disclosure, or loss. This includes physical, technical, and administrative controls over systems such as CCTV, visitor management platforms, and estate management software. It also covers how the MCST manages risks associated with vendors and service providers who may handle personal data. A structured approach to security and risk management helps the MCST identify vulnerabilities, implement appropriate controls, and maintain the integrity of personal data across estate operations.

Q17. Does the MCST have security measures in place to protect personal data across physical records, IT systems, and CCTV systems?

Q18. Are security measures regularly reviewed and updated (e.g. access controls, passwords, system permissions)

Q19. Does the MCST conduct periodic security risk assessments for estate systems (e.g. CCTV, visitor systems)?

Q20. Are there controls in place to prevent unauthorised access or disclosure of personal data, including CCTV footage and visitor logs?

Q21. Are vendor systems (e.g. FSM software, access control, CCTV providers) assessed for data protection risks?

Q22. Are there safeguards to prevent accidental disclosure (e.g. email errors, document sharing)?

Q23. Does the MCST ensure software and systems used for estate management meet basic security standards?

Q24. Does the MCST have defined retention policies for personal data, including CCTV footage, visitor logs, and Subsidiary Proprietor records?

Q25. Are retention periods reviewed regularly and aligned with operational and legal requirements?

Q26. Does the MCST have procedures to cease retention of, dispose of, or anonymise personal data when it is no longer required for its original purpose and there is no legal or business need to retain it?

MCST PDPA Assesment

Assessor Information

MCST Profile & Estate Overview

A. GOVERNANCE & ACCOUNTABILITY

B. OPERATIONAL DATA HANDLING

C. DATA SECURITY & RISK MANAGEMENT

D. MONITORING & RESILIENCE