- Four regulatory frameworks directly affect how MCST security systems must be installed, operated, and maintained: PDPA, BMSMA, the SCDF Fire Code, and PSIA.
- Under PDPA, CCTV footage, vehicle plate records, and access logs are personal data. The MCST must have a stated purpose for collection, defined retention periods, restricted access, and a documented process for handling footage requests.
- BMSMA Section 29 imposes a legal duty on the MCST to keep common property in good repair. Security systems in common areas are common property; deferred maintenance that leads to failure is a potential breach of this duty.
- The SCDF Fire Code requires all electronically locked doors on evacuation routes to unlock automatically; fail-safe, when the fire alarm activates. Integration between the access control system and the fire alarm panel is mandatory, not optional.
- Under PSIA, only SPF-licensed contractors may install or maintain security systems. The obligation to verify licensing rests with the MCST, not the contractor.
- Good compliance is not about avoiding penalties. It is about reducing uncertainty, protecting residents, and ensuring the estate can respond appropriately when incidents occur.
Why MCST committees need to understand security obligations
Most MCST committee members in Singapore manage their estate's security the way it has always been managed; using the same systems the developer installed, serviced by whoever the previous committee appointed, with decisions made based on what seems reasonable rather than what the law requires. Committee members are residents who have stepped forward to help manage their community, and they are doing so in their spare time with limited technical support. Legal obligations, however, do not adjust for good intentions.
Three regulatory frameworks directly affect how estate security systems must be installed, operated, and maintained: the Personal Data Protection Act (PDPA), the Building Maintenance and Strata Management Act (BMSMA), and the SCDF Fire Code. A fourth; the Private Security Industry Act (PSIA); governs who is permitted to carry out the installation and maintenance work. Understanding these obligations is not about discovering how much trouble the estate is in. It is about making informed decisions and protecting the estate from avoidable liability before an incident creates urgency.
The compliance gaps we encounter most frequently on site are not the result of deliberate neglect. They are the result of committees inheriting systems installed years ago by teams that have since moved on, with documentation that was never properly completed or handed over. A periodic review of the estate's security systems against these four frameworks; conducted before a complaint or incident prompts the question; is a straightforward investment in the committee's ability to act with confidence when it is needed.
KEY POINT
Committee members are not expected to be lawyers, security engineers, or fire safety consultants. They are expected to understand enough to ask the right questions, make informed decisions, and engage the appropriate professionals when required. The five questions at the end of this article provide a practical starting point.
PDPA; managing CCTV footage and resident data
The Personal Data Protection Act governs how organisations, including MCSTs, collect, use, and retain personal data. In the context of estate security systems, PDPA applies directly to CCTV footage, which records the faces and movements of residents, visitors, and delivery personnel, as well as to vehicle plate records captured by gantry cameras and to access log data showing who entered which area at what time. All of these constitute personal data under PDPA and must be managed accordingly.
The MCST must have a stated, reasonable purpose for each camera placement; resident safety, incident investigation, and vehicle management are common legitimate purposes. Cameras should not be positioned to capture areas where residents have a reasonable expectation of privacy, such as within residential units or in areas not related to the estate's operational needs. Access to recorded footage must be restricted to authorised personnel only. A system where any guard can export footage to a USB drive without a log, or where NVR login credentials are shared widely without documentation, has a compliance gap that creates risk for the MCST.
Retention periods must be defined and enforced. Securevision's standard recommendation is 30 days of continuous recording. This is not a statutory requirement under PDPA, but it reflects the practical balance between retaining footage long enough to be useful for incident investigation and not holding personal data for longer than necessary, which PDPA requires. Footage held indefinitely without a stated purpose creates greater legal exposure than footage deleted on a defined schedule. The MCST should also have a documented process for handling requests for footage, from residents, from third parties, and from the police; so that requests are handled consistently and with appropriate authority rather than ad hoc. For a detailed treatment of PDPA obligations specific to CCTV systems, see CCTV and PDPA Compliance in Singapore.
KEY POINT
One of the most common misunderstandings is the assumption that any resident can automatically obtain CCTV footage on request. In practice, residents are data subjects rather than data controllers; they do not have an unconditional right to footage simply because they appear in it. Requests should be assessed against PDPA's access and disclosure provisions and handled through a documented process, not on a case-by-case verbal basis.
Securevision's View
Ask your integrator whether the NVR is configured with role-based access controls, automatic retention enforcement, and access audit logging; meaning a record of who accessed recordings, when, and what was retrieved. If the system cannot produce an access log, the MCST cannot demonstrate to the PDPC that footage access was properly controlled. That is a gap worth closing before a complaint makes it urgent.
BMSMA; maintenance obligations for common property
The Building Maintenance and Strata Management Act defines the MCST's responsibilities in relation to common property. Security systems installed in common areas; CCTV cameras in corridors and car parks, access control readers at lobby entrances, gantry barriers, intercom panels at the main gate; are common property. They are therefore subject to the MCST's maintenance obligations under the Act.
Section 29 of the BMSMA places a duty on the MCST to keep common property in good repair and maintain it in a proper and clean state. This is not a discretionary standard; it is a legal duty. Allowing security systems to deteriorate to the point of failure, or deferring maintenance to the point where systems can no longer perform their intended function, is a potential breach of this obligation. The fact that a camera is still displaying a live image, or that an access control reader is still unlocking doors, does not mean the system is in good repair, as discussed in the context of silent failures, many components degrade without visible indication.
Capital expenditure for security upgrades above certain thresholds requires a resolution at a general meeting; either the AGM or an EGM convened for the purpose. The sinking fund, which MCSTs are required to maintain under the BMSMA, is available for exactly this purpose: major repairs and replacement of common property, including security infrastructure that has reached the end of its useful life. Committees that are uncertain whether a proposed expenditure requires a general meeting resolution should seek advice from the managing agent or a strata management professional before committing.
Documentation is as important as the maintenance itself. Records of all service visits, fault reports, remedial actions, and expenditure must be kept for auditing and compliance verification. An MCST that has maintained its systems diligently but has no records to demonstrate it is in a weaker position than one with comprehensive documentation; because it cannot evidence that it has discharged its obligations. Signed service reports after every maintenance visit, retained in the estate management records, are not administrative formality. They are evidence of due diligence.
PLANNING POINT
Ask your managing agent for the current condition report on all estate security systems, not just a confirmation that they are operational, but an assessment of component age, support status, and whether any deferred maintenance creates a compliance risk under Section 29. If this report does not exist, commissioning one before the next AGM is a reasonable starting point.
SCDF Fire Code; access control and emergency egress
Security systems do not operate in isolation from fire safety systems, in many estates, they are physically integrated. Electronic locks on doors that form part of the building's evacuation routes, lift access controls, vehicle barriers at estate entrances, and intercom systems may all interact with the fire alarm system in ways that have safety implications during an emergency.
The SCDF Fire Code requires that all electronically locked doors on means of egress; evacuation routes that residents must be able to use to exit the building during a fire; must be fail-safe. Fail-safe in this context means the lock releases, that is, unlocks, when power is lost. In a fire emergency, when the fire alarm activates, electronically locked doors on evacuation routes must unlock automatically and without manual intervention. This requires integration between the access control system and the fire alarm panel. That integration is not optional; it is a mandatory requirement, and it must be documented and verifiable.
The practical implication for MCST committees is that any proposed modification to access control systems; new electronic locks, door replacements, changes to evacuation route configurations; must be evaluated against fire safety requirements before implementation. A security upgrade that improves access control while inadvertently compromising emergency egress is not a compliant outcome. Where the interaction between security and fire safety systems is unclear, a qualified fire safety engineer should be consulted as part of the planning process, not after the installation is complete. For wider context on the regulatory drivers affecting access control upgrades in Singapore, including workplace safety and cybersecurity obligations, see Access Control Upgrade Drivers in Singapore.
KEY POINT
If the estate has electronic locks on any door that forms part of an evacuation route, the committee should be able to confirm two things: that the lock is fail-safe (releases when power is lost), and that it is integrated with the fire alarm panel so that it releases automatically when the alarm activates. Both conditions must be met, and both should be documented. If either cannot be confirmed, this is a priority item for the next maintenance review.
PSIA; using a licensed security contractor
The Private Security Industry Act (PSIA) requires that only contractors licensed by the Singapore Police Force may install or maintain security systems in Singapore. This licensing requirement exists to ensure that the individuals and companies responsible for designing and maintaining security infrastructure meet defined competency and accountability standards. The obligation to verify licensing rests with the MCST as the engaging party, not with the contractor to volunteer the information.
Verifying a contractor's licence status is straightforward. The SPF maintains a register of licensed security service providers that can be checked before signing or renewing any maintenance or installation contract. The MCST should confirm the contractor's licence number, the categories of security work it covers, and the expiry date, and should retain that confirmation in the estate's records as evidence that due diligence was performed. Engaging an unlicensed contractor, even inadvertently, exposes the MCST to regulatory risk and may affect the validity of any insurance claims arising from security incidents involving that contractor's work.
Licensing is a necessary condition for engaging a contractor but not a sufficient one on its own. A licensed contractor that does not maintain adequate documentation, does not understand fire safety integration requirements, or does not provide signed service reports is still a contractor that creates compliance risk for the MCST. Committees should evaluate contractors based on competence, documentation practices, support capability, and long-term reliability, not on licence status and price alone.
PLANNING POINT
Securevision's current SPF licence number is . When evaluating any security contractor, request their licence number, verify it against the SPF register, and confirm that the licence covers the categories of work being proposed. Retain the verification record in the estate management files alongside the contract.
Documentation; why records matter as much as equipment
One of the most consistent findings when we assist estates with a contractor transition or a compliance review is that the documentation is incomplete. As-built drawings that no longer reflect the actual installation. Maintenance records with gaps spanning years. Software licences that cannot be located. NVR and access control passwords that were never documented and are now held only by an individual who has moved on. Device inventories that were accurate at handover but were never updated as the system evolved.
These are not unusual findings; they are the norm on estates where documentation was not treated as a deliverable at the same level as the equipment itself. The consequence is that troubleshooting takes longer, upgrade planning is harder, contractor transitions are more disruptive and expensive, and the MCST's ability to demonstrate that it has discharged its obligations under the BMSMA is compromised. A system that is well-maintained but poorly documented provides less protection than a system that is both well-maintained and comprehensively documented.
The documentation the estate should hold independently of any contractor includes as-built drawings reflecting the current installation, a device inventory updated whenever equipment changes, all system access credentials including NVR logins and access control software passwords, software licence records with expiry dates, signed service reports from every maintenance visit, and the emergency contact details for every contractor responsible for every system on the estate. This documentation should be held in the estate management office, not only in the contractor's records; so that a change of contractor does not leave the MCST without access to its own system information.
KEY POINT
If the estate's security system documentation cannot be located within a few minutes, the MCST should treat that as an action item at the next committee meeting, not a background concern. The cost of commissioning an as-built survey and documentation update is modest compared to the cost of the delays and investigations that incomplete documentation causes when a fault occurs or a contractor changes.
Five questions every committee should be able to answer
Regardless of the age of the estate or the systems installed, every MCST committee should be able to answer five questions confidently. These questions do not require legal expertise or technical knowledge; they require that the estate's security management has been approached with the same diligence as any other common property obligation.
The first question is who has access to CCTV footage and under what authority. Is access restricted to named, authorised personnel? Is there a documented process for handling requests from residents, third parties, and the police? If a resident requests footage tonight, does the committee know exactly what the process is and who is authorised to release it?
The second question is when the last preventive maintenance was performed and what it found. Are the service reports available? Were any recommendations made that have not yet been acted upon? A committee that cannot answer this question without asking the managing agent to check has a documentation gap.
The third question is how the estate's electronic access control systems interact with the fire alarm during an emergency. Are electronically locked doors on evacuation routes fail-safe; do they release when power is lost? Are they integrated with the fire alarm panel? Is that integration documented and tested?
The fourth question is whether the current security contractor is SPF-licensed, and whether the committee has a record of having verified it. The licence number, the categories covered, and the expiry date should be in the estate records.
The fifth question is whether the estate's security documentation is complete and current; drawings, device inventories, passwords, licence records, and maintenance history. If any of these cannot be located quickly, that is the starting point for a compliance review.
| Framework | What it covers | Key obligation for the MCST | Most common gap |
|---|---|---|---|
| PDPA | CCTV footage, access logs, vehicle plate records as personal data | Stated purpose for collection; restricted access; defined retention; documented request process | No access audit log on NVR; footage requests handled ad hoc |
| BMSMA (s.29) | Security systems in common areas as common property | Maintain in good repair; document all maintenance; obtain general meeting approval for significant capital expenditure | Deferred maintenance with no signed service records; upgrades approved without EGM resolution |
| SCDF Fire Code | Electronic locks on evacuation routes and fire alarm integration | All electronically locked egress doors must be fail-safe and integrated with the fire alarm panel | Access control installed without fire alarm integration; integration untested and undocumented |
| PSIA | Installation and maintenance of security systems | Engage only SPF-licensed contractors; verify licence before signing; retain verification record | Licence not verified at renewal; contractor licence expired without committee noticing |
Securevision's View
Committees that cannot answer all five of these questions are not necessarily in breach of their obligations, but they are operating with less certainty than they should have. In our experience, the estates that handle incidents, resident complaints, and contractor transitions most smoothly are the ones that had asked these questions and addressed the gaps before an event made them urgent. The investment in getting the answers is modest. The cost of not having them when they are needed is considerably higher.
In Short
MCST committees have legal obligations across four frameworks that directly affect their estate's security systems. PDPA governs how CCTV footage and access data are collected, retained, and disclosed. BMSMA Section 29 imposes a duty to keep security infrastructure in common areas in good repair, supported by documented maintenance records. The SCDF Fire Code requires that electronically locked doors on evacuation routes are fail-safe and integrated with the fire alarm panel. PSIA requires that only SPF-licensed contractors install or maintain security systems, and the obligation to verify licensing rests with the MCST. None of these frameworks require committees to become technical experts; they require that the right questions are asked, the right professionals are engaged, and the estate's records are maintained well enough to demonstrate that the MCST has discharged its responsibilities.
Frequently asked questions
Is the MCST legally responsible for security systems on the estate?
Yes, to the extent that those systems are installed in common areas. Under the BMSMA, the MCST has a duty to maintain common property in good repair. Security systems in common areas; CCTV cameras, access control readers, intercom panels, gantry barriers; are common property. Allowing them to deteriorate to the point of failure without taking reasonable steps to maintain or replace them is a potential breach of the MCST's statutory duty under Section 29.
Does the MCST need a CCTV policy?
Not as a formal written document in every case, but the functions a policy performs are required. The MCST must have a stated purpose for each camera placement, defined retention periods, restricted access to recordings, and a documented process for handling footage requests. Whether these are captured in a formal policy document or in operational procedures held by the managing agent, the substance must be in place and demonstrable if the PDPC raises questions.
How long should CCTV footage be retained?
Securevision's standard recommendation is 30 days of continuous recording. This is not a statutory figure under PDPA, but it reflects the practical balance between retaining footage long enough for incident investigation and not holding personal data for longer than necessary, which PDPA requires. The MCST should document its retention period and the rationale for it. Footage held indefinitely without a stated purpose creates greater exposure than footage deleted on a defined, documented schedule.
Can a resident request CCTV footage of themselves?
Residents are data subjects under PDPA and have the right to request access to their personal data, which may include footage in which they appear. However, this right is not unconditional; the MCST may decline or limit access where disclosure would reveal the personal data of other individuals, where it would prejudice an ongoing investigation, or where other legitimate grounds for refusal apply. All requests should be handled through a documented process with a named authorised person, not on an ad hoc basis at the discretion of individual guard team members.
What does fail-safe mean for electronic locks?
A fail-safe lock releases; unlocks, when power is lost. On evacuation routes, this is the required behaviour: if power fails during a fire or emergency, the door must be passable without requiring a credential, a code, or manual intervention. The opposite is fail-secure, where the lock remains locked when power is lost; appropriate for server rooms and secure storage areas, but not for any door on an evacuation route. The SCDF Fire Code requires that all electronically locked doors on means of egress are fail-safe and integrated with the fire alarm panel so they release automatically when the alarm activates.
How does the committee verify that a contractor is SPF-licensed?
The Singapore Police Force maintains a register of licensed security service providers. Committees should request the contractor's licence number before signing any contract, verify it against the SPF register, confirm the licence covers the categories of work being proposed, and check the expiry date. The verification record should be retained in the estate management files alongside the contract. This process takes minutes and provides a documented record that due diligence was performed.
Does capital expenditure on security upgrades require a general meeting?
It depends on the quantum and the nature of the expenditure. Under the BMSMA, expenditure above certain thresholds, or expenditure that constitutes a significant change to common property rather than routine maintenance, typically requires a resolution at a general meeting; either the AGM or an EGM convened for the purpose. The managing agent or a strata management professional should be consulted before committing to significant security expenditure to confirm the correct approval process.
What security system documentation should the estate hold?
As-built drawings reflecting the current installation, a complete device inventory updated whenever equipment changes, all system access credentials including NVR and access control software logins, software licence records with expiry dates, signed service reports from every maintenance visit, and the emergency contact details for every current contractor. All of this should be held in the estate management office, not only in the contractor's records; so that it remains accessible if the contractor relationship ends.
What happens if the MCST engages an unlicensed contractor?
Engaging an unlicensed contractor exposes the MCST to regulatory risk under PSIA and may affect the validity of insurance claims arising from security incidents involving that contractor's work. The PSIA places the obligation to use a licensed contractor on the engaging party, in this case the MCST, not on the contractor to disclose its status unprompted. Verifying licensing before engagement is the committee's responsibility, not an optional precaution.
How often should the estate's security systems be formally reviewed?
A formal review; covering all installed systems, their current condition, support status, compliance with the four frameworks discussed in this article, and projected replacement timeline; should be conducted at least every two to three years, or following any significant incident, resident complaint, or change of contractor. Annual preventive maintenance visits are not a substitute for a structured compliance review; they confirm that existing systems are functioning, not whether the MCST's obligations across PDPA, BMSMA, SCDF, and PSIA are being met.
What is the biggest compliance risk for most MCST committees?
In our experience, it is not deliberate non-compliance; it is assuming that everything is in order because no issues have been reported. A CCTV system that stopped recording six months ago, an electronic lock on an evacuation route that was never integrated with the fire alarm panel, a contractor whose licence expired at renewal without anyone noticing; none of these announce themselves. The estates that manage compliance risks most effectively are the ones that ask the five questions in this article before an incident makes the answers urgent.