THE PERSONAL DATA PROTECTION ACT 2010: ISSUES & IMPLICATIONS
FIDE Forum – Breakfast Talk 11 April 2013 Adlin Abdul Majid
2
Content Introduction The 7 Principles Compliance
3
Why is data protection law important?
Prevent abuse of personal data
Ensure that data is kept securely
Ensure that data is accurate
Prevent direct marketing
Joining the global privacy & data protection community
PERSONAL DATA PROTECTION ACT 2010
Introduction: Application
Applies to any person who processes, has control over, or authorises the processing of personal data in respect of commercial transactions.
Applies if:
(a) the person is established in Malaysia & the personal data is processed, whether or not in the context of that establishment, by that person or by any other person employed or engaged by that establishment; or
(b) the person is not established in Malaysia, but uses equipment in Malaysia to process personal data (otherwise than for the purpose of transit through Malaysia).
NOT applicable to:
Federal & State Governments
Personal data processed outside Malaysia, unless intended to be further processed in Malaysia
Introduction: data subject, data user, data processor
data subject: the individual who is the subject of personal data
data user: a person who (alone or jointly or in common with other persons) processes personal data, OR has control over OR authorises the processing of personal data; does not include a data processor
data processor: a person (other than the data user's employee) who processes personal data solely on behalf of the data user; does not process for own purpose
Introduction: personal data
Any information in respect of commercial transactions that:
relates directly or indirectly to a data subject who is identified or identifiable from that information, or from that & other information in the possession of a data user;
includes any sensitive personal data & any expression of opinion about the data subject.
May be in any form, so long as a data subject can be "identified" / "identifiable" (eg. name, NRIC no, phone no, photograph, address, fingerprint, DNA)
Introduction: sensitive personal data
Any personal data consisting of information as to:
the physical or mental health or condition of a data subject;
his political opinions;
his religious beliefs or other beliefs of a similar nature;
the commission or alleged commission by him of any offence; or
any other personal data determined by the Minister.
Can only be processed under specific circumstances set out in PDPA (including explicit consent by the data subject)
Introduction: PROCESSING
Processing covers: collecting; recording; holding; storing; organisation, adaptation, alteration; alignment, combination, correction, erasure, destruction; disclosure
Introduction: commercial transactions
Any transaction of a commercial nature, whether contractual or not
Includes matters relating to: supply or exchange of goods or services; agency; investments; financing; banking; & insurance
Does not include a credit reporting business
Introduction: commercial transactions (Canadian comparison)
The Personal Information Protection & Electronic Documents Act (PIPEDA)
Ferenczy v MCI Medical Clinics: collection of personal data by a private investigator to be used in legal proceedings is not a commercial transaction
The transaction itself is not conclusive, but rather the intention in using the personal data
Introduction: commercial transactions
Case | Facts | Commercial transaction?
PIPEDA Case Summary #342 | Collection of personal data of tenants by landlords | Yes
PIPEDA Case Summary #309 | Collection of information of a child in a daycare organisation | Yes
PIPEDA Case Summary #345 | Collection of information by a private school | No, look at the core activity of the school's services
Rodgers v. Calvert, ON SC (CanLII) | Collection of personal information in a membership list, which charged membership fees | No, charging a fee for membership does not mean it is for a commercial transaction
PIPEDA Case Summary # | Collection of personal information by a social networking site | Yes, the personal data is used for the success of the website
Contents: Introduction; The 7 Principles; Compliance
Principles of data protection
For data to be processed lawfully in Malaysia, a data user shall comply with the following principles:
General Principle
Notice & Choice Principle
Disclosure Principle
Security Principle
Retention Principle
Data Integrity Principle
Access Principle
Principles of data protection
[Diagram: the seven principles mapped between data subject, data user and data processor / 3rd party: General, Notice & Choice, Disclosure, Security, Retention, Integrity, Access]
Principles of data protection
1. General Principle
A data user shall not process personal data about a data subject UNLESS the data subject has given his consent to the processing of the personal data.
Personal data shall not be processed UNLESS:
for a lawful purpose directly related to an activity of the data user;
necessary for or directly related to that purpose;
adequate but not excessive in relation to that purpose.
What do you need consent for?
Non-sensitive personal data
Disclosure of personal data to third parties
Transfer of personal data overseas
Sensitive personal data (explicit consent)
Exemptions to consent
No | Exemption | Example
(a) | For the performance of a contract to which the data subject is a party | Employment contracts
(b) | For the taking of steps at the request of the data subject with a view to entering into a contract | Before the sale & purchase of a car, the information requested by the salesman in order to execute the contract
(c) | For compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract | When an organisation is under a duty, pursuant to eg. tax laws, to provide information on its employees to the authorities
(d) | In order to protect the vital interests of the data subject | In a situation where a person is unconscious & needs medical treatment to save his life
(e) | For the administration of justice | For the enforcement of a court order
(f) | For the exercise of any functions conferred on any person by or under any law | If an organisation is tasked to perform a service by a law
Sensitive personal data may only be processed if…
Explicit consent is given by the data subject
Processing is necessary
The personal data has been made public
Principles of data protection
2. Notice & Choice Principle
A data user shall provide a written notice to the data subject, to include:
that personal data of the data subject is being processed by or on behalf of the data user;
a description of the personal data;
the purpose for which it is collected & further processed;
the class of 3rd parties to whom the data user discloses / may disclose the personal data;
whether it is obligatory for the data subject to provide the personal data.
Must be given as soon as practicable, in the national language & English
Channels of serving notice
External personal data (customers, vendors, consultants): application forms; terms & conditions; RFQs / RFPs; agreements
Internal personal data (employees): letters of employment; salary slips
Principles of data protection
3. Disclosure Principle
Personal data shall not, without the consent of the data subject, be disclosed:
for any purpose other than the purpose disclosed at the time of collection, or a related purpose; or
to any party other than 3rd parties of the class stated in the notice.
Disclosure to third parties
[Diagram: personal data disclosed within Malaysia to related companies / affiliates / consultants, to authorities and to data processors; requires notification of disclosure to 3rd parties, and data processors' compliance with PDPA]
Disclosure to third parties
[Diagram: as above, with recipients in Malaysia and overseas; in addition to notification of disclosure to 3rd parties and data processors' compliance with PDPA, transfer out of Malaysia requires notification of the transfer]
Principles of data protection
4. Security Principle
A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
If processing is carried out by a data processor on behalf of the data user, the data user shall ensure that the data processor:
provides sufficient guarantees in respect of the technical & organisational security measures governing the processing; and
takes reasonable steps to ensure compliance with those measures.
What is "adequate"?
Principles of data protection
5. Retention Principle
Personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of that purpose.
No time limit is fixed, but if the data is no longer required for its initial purpose, it must be destroyed.
Principles of data protection
6. Data Integrity Principle
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading & kept up-to-date, having regard to the purpose, including any directly related purpose, for which the personal data was collected & further processed.
Principles of data protection
7. Access Principle
A data subject shall be given access to his personal data held by a data user, and shall be able to correct that personal data where it is inaccurate, incomplete, misleading or not up-to-date, EXCEPT where compliance with a request for such access or correction is refused under PDPA.
Other key provisions: Rights of data subject
Right to access personal data
Right to correct personal data
Right to withdraw consent
Right to prevent processing likely to cause damage or distress
Right to prevent processing for the purpose of direct marketing
Other key provisions
Data user registration
Data user forum
Contents: Introduction; The 7 Principles; Compliance
Why is compliance important?
Offence | Liability
Contravention of the personal data protection principles | RM300,000 or imprisonment of 2 years or both
Failure to register as data user for a specified class of data users | RM500,000 or imprisonment of 3 years or both
Data users continue to process personal data after the registration is revoked |
Processing of sensitive personal data in contravention of s40 | RM200,000 or imprisonment of 2 years or both
Failure to comply with the Commissioner's requirement to cease processing of personal data likely to cause damage or distress |
Unlawful collection or disclosure of personal data | RM500,000 or imprisonment of 3 years or both
Transfer of personal data overseas |
Compliance: Analysis of status quo & existing gaps
Top-down approach
Solutions should address the gaps by complying with legal requirements in an effective manner
Compliance: TOP MANAGEMENT COMMITMENT
Prevent: risk assessment & regular re-assessment; policies; guidelines; training
Detect: monitoring; compliance audit; concern / incident reporting
Respond: internal investigations; dealings with authorities; employment related consequences
Compliance: Privacy Impact Assessment
LOOK OUT FOR:
Description of personal data
How personal data is collected
Was consent sought? How?
Purpose of processing
How personal data is kept: security?
Procedures to ensure accuracy?
Access?
Retention period? Is personal data destroyed?
Disclosure / transfer
Compliance: Types of documents
Type A: Policies & Procedures | Internal Data Protection Policy; External Data Protection Policy
Type B: Agreements | Guide to amend agreements; Amended agreements; Supplementary agreement
Type C: Notices | Recruitment; Employment; Customers; Vendors
Compliance: Policies
General; IT & Security; Access; Retention
Compliance: Documents
Application forms Terms & conditions Contracts of employment Employee handbooks Service agreements Notices
Transitional provision
Remember: where a data user has collected personal data from the data subject or any third party before the date of coming into operation of PDPA, he shall comply with the provisions of PDPA within 3 months from the date of coming into operation of PDPA
Adlin Abdul Majid (aam@lh-ag.com) Lyssa Loh (lll@lh-ag.com)
Thank you Adlin Abdul Majid Lyssa Loh