FIRST PRINCIPLES
                 

Copyright © 2010 First Principles Sdn Bhd. All Rights Reserved
THE PERSONAL DATA PROTECTION ACT 2009 –
A Brief Overview

Introduction
Personal data protection, which is part of privacy law and also consumer protection, must be perceived as a basic right of the individual, especially in this electronic age where huge amounts of information can be transferred in a matter of seconds. For many consumers in Malaysia, the lack of comprehensive legislation for protecting personal data has been a matter of serious concern, given that many organizations wield so much power over our personal information. Therefore, it is with much relief that we can all herald the passing of the Personal Data Protection Act 2009 (PDPA) under the purview of the Ministry of Information, Communication and Culture. But we still have to wait with bated breath for the effective date of the PDPA to be gazetted by the Minister.


The PDPA
The main stakeholders under the PDPA are:



The salient points of the PDPA are:

1. The PDPA applies to any person who processes, has control over, or authorizes the processing of personal data in respect of commercial transactions. However, it does not apply to the Federal Government and State Governments.

2. There are 7 Data Protection Principles that have to be complied with:

At first glance, organizations that process personal data may feel that the 7 principles are somewhat onerous and restrictive, but most corporations would already be complying with a number of these principles, and all it takes is a compliance check-up to identify shortfalls and to become compliant.

3. Industry-led Data User Forums and Codes of Practice
As the PDPA applies across all industries, there are provisions for industry-led forums to take the initiative to draft industry-specific codes of practice that set out specific rules and processes for the processing of data in their industry.
 
4. Rights of the data subject
Since the PDPA is consumer-related legislation, a number of specific rights have been accorded to the data subject (both consumers and employees), which include rights of access, right to correct, processing of sensitive personal data and other related matters. It is important that every individual becomes aware of his rights under the PDPA and also takes the necessary action to ensure that his personal data is processed fairly and used for the purpose for which it was originally given.


5. The Commissioner, Advisory Committee and the Appeal Tribunal
A Data Protection Commissioner will be appointed by the Minister as the regulator to implement and enforce the PDPA. The Commissioner has wide powers, including the right to investigate, issue enforcement notices and refer matters to the public prosecutor for prosecution of offences under the Act. Parties aggrieved by certain decisions of the Commissioner may appeal to the Appeal Tribunal.

6. Offences and Penalties
If an offence is committed by a body corporate, directors and senior officers of that company may be held liable. The penalties under the PDPA range from a fine of RM100,000 to RM500,000 and a jail term of between 1 and 3 years, depending on the nature of the offence.

Conclusion
In view of the serious implications of the PDPA, and as an obligation to fulfill changing consumer and societal needs and expectations, it is advisable for data users to consider taking the following steps:

- be proactive in promoting consumer and employee awareness of their personal rights and responsibilities in regard to their personal data
- review your current processes relating to data flow within your organization (starting from the point of first collection right through until it is destroyed)
- review third-party contracts (to whom legal disclosure is made) and database systems to ensure cost-effective compliance with the PDPA
- take the lead to have a data user forum designated for your own industry and ensure a code of practice is developed to regulate processing of personal data tailored for your own industry
- put in place processes for handling potential queries, complaints and legal suits in respect of personal data
- appoint a data protection compliance officer within your organisation to manage compliance with the PDPA

Being compliant with the PDPA is good business practice, and good for the image of a company. Consumer protection in Malaysia hitherto has been piecemeal, but increasingly more consumer-related legislation is being passed by Parliament, which inevitably brings greater awareness of individual rights in various spheres, including personal data protection.