THE PERSONAL DATA PROTECTION ACT 2010: ISSUES & IMPLICATIONS

1 FIDE Forum – Breakfast Talk, 11 April 2013
Adlin Abdul Majid

2 Content
- Introduction
- The 7 Principles
- Compliance

3 Why is data protection law important?
- Prevents abuse of personal data
- Ensures that data is kept securely
- Ensures that data is accurate
- Gives individuals a means to stop direct marketing

4 Joining the global privacy & data protection community

5 Introduction: Application of the PDPA
The Act applies to any person who:
- processes personal data, or
- has control over or authorises the processing of personal data,
in respect of commercial transactions.

It applies where:
- the person is established in Malaysia and the personal data is processed, whether or not in the context of that establishment, by that person or by any other person employed or engaged by that establishment; or
- the person is not established in Malaysia but uses equipment in Malaysia to process personal data (otherwise than for the purpose of transit through Malaysia).

6 Introduction: Where the PDPA does NOT apply
- The Federal and State Governments
- Personal data processed outside Malaysia, unless it is intended to be further processed in Malaysia

7 Introduction: data subject, data user, data processor
- Data subject: the individual who is the subject of the personal data.
- Data user: a person who (alone or jointly or in common with other persons) processes personal data, or has control over or authorises the processing of personal data. Does not include a data processor.
- Data processor: a person (other than the data user's employee) who processes personal data solely on behalf of the data user and does not process it for any purpose of his own.

8 Introduction: personal data
Any information in respect of commercial transactions that:
- relates directly or indirectly to a data subject;
- who is identified or identifiable from that information, or from that information together with other information in the possession of the data user;
- including any sensitive personal data and any expression of opinion about the data subject.
It may be in any form, so long as a data subject can be identified or is identifiable from it (e.g. name, NRIC number, phone number, photograph, address, fingerprint, DNA).

9 Introduction: sensitive personal data
Any personal data consisting of information as to:
- the physical or mental health or condition of a data subject;
- his political opinions;
- his religious beliefs or other beliefs of a similar nature;
- the commission or alleged commission by him of any offence; or
- any other personal data determined by the Minister.
Sensitive personal data can only be processed in the specific circumstances set out in the PDPA (including with the explicit consent of the data subject).

10 Introduction: processing
Processing covers collecting, recording, holding, storing, organisation, adaptation, alteration, disclosure, alignment, combination, correction, erasure and destruction of personal data.

11 Introduction: commercial transactions
Any transaction of a commercial nature, whether contractual or not, including matters relating to:
- supply or exchange of goods or services;
- agency;
- investments;
- financing;
- banking; and
- insurance.
Does not include a credit reporting business.

12 Introduction: commercial transactions (comparative case law)
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), in Ferenczy v MCI Medical Clinics the collection of personal data by a private investigator for use in legal proceedings was held not to be a commercial transaction. The transaction itself is not conclusive; what matters is the intention in using the personal data.

13 Introduction: commercial transactions (PIPEDA cases)

Case | Facts | Commercial transaction?
PIPEDA Case Summary #342 | Collection of personal data of tenants by landlords | Yes
PIPEDA Case Summary #309 | Collection of information of a child in a daycare organisation | Yes
PIPEDA Case Summary #345 | Collection of information by a private school | No; look at the core activity of the school's services
Rodgers v. Calvert, ON SC (CanLII) | Collection of personal information in a membership list for which membership fees were charged | No; charging a membership fee does not make it a commercial transaction
PIPEDA Case Summary # | Collection of personal information by a social networking site | Yes; the personal data is used for the success of the website

14 Content
- Introduction
- The 7 Principles
- Compliance

15 Principles of data protection
For personal data to be processed lawfully in Malaysia, a data user shall comply with the following principles:
1. General Principle
2. Notice & Choice Principle
3. Disclosure Principle
4. Security Principle
5. Retention Principle
6. Data Integrity Principle
7. Access Principle

16 Principles of data protection
(Diagram: data subject, data user and data processor/third party, with the seven principles mapped onto the relationships between them.)

17 Principles of data protection: 1. General Principle
A data user shall not process personal data about a data subject UNLESS the data subject has given his consent to the processing of the personal data.
Personal data shall not be processed unless:
- it is for a lawful purpose directly related to an activity of the data user;
- the processing is necessary for, or directly related to, that purpose; and
- the personal data is adequate but not excessive in relation to that purpose.

18 What do you need consent for?
- Processing of non-sensitive personal data
- Disclosure of personal data to third parties
- Transfer of personal data overseas
- Processing of sensitive personal data (explicit consent)

19 Exemptions to consent

No | Exemption | Example
(a) | For the performance of a contract to which the data subject is a party | Employment contracts
(b) | For the taking of steps at the request of the data subject with a view to entering into a contract | Before the sale and purchase of a car, the information requested by the salesman in order to execute the contract
(c) | For compliance with any legal obligation to which the data user is subject, other than an obligation imposed by a contract | An organisation under a duty (e.g. under tax laws) to provide information about its employees to the authorities
(d) | In order to protect the vital interests of the data subject | A person who is unconscious and needs medical treatment to save his life
(e) | For the administration of justice | Enforcement of a court order
(f) | For the exercise of any functions conferred on any person by or under any law | An organisation tasked by law to perform a service

20 Sensitive personal data may only be processed if:
- the data subject has given explicit consent;
- the processing is necessary for one of the purposes set out in the PDPA; or
- the personal data has been made public by the data subject.

21 Principles of data protection: 2. Notice & Choice Principle
A data user shall provide a written notice to the data subject, which includes:
- that personal data of the data subject is being processed by or on behalf of the data user;
- a description of the personal data;
- the purpose for which it is collected and further processed;
- the class of third parties to whom the data user discloses or may disclose the personal data;
- whether it is obligatory for the data subject to provide the personal data.
The notice must be given as soon as practicable, in the national language and in English.

22 Channels of serving notice
External personal data (customers, vendors, consultants):
- Application forms
- Terms & conditions
- RFQs / RFPs
- Agreements
Internal personal data (employees):
- Letters of employment
- Salary slips

23 Principles of data protection: 3. Disclosure Principle
Personal data shall not, without the consent of the data subject, be disclosed:
- for any purpose other than the purpose disclosed at the time of collection, or a purpose directly related to it; or
- to any party other than a third party of the class specified in the notice.

24 Disclosure to third parties (within Malaysia)
(Diagram: personal data flowing from the data user to three classes of recipient.)
- Related companies / affiliates / consultants: notification of disclosure to third parties required
- Authorities: notification of disclosure to third parties required
- Data processors: data processors' compliance with the PDPA must be ensured

25 Disclosure to third parties (within Malaysia and overseas)
(Diagram: the same flows as the previous slide, with an additional flow out of Malaysia.)
- Related companies / affiliates / consultants: notification of disclosure to third parties, and notification of transfer out of Malaysia where the recipient is overseas
- Authorities: notification of disclosure to third parties
- Data processors: data processors' compliance with the PDPA must be ensured

26 Principles of data protection: 4. Security Principle
A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
If processing is carried out by a data processor on behalf of the data user, the data user shall ensure that the data processor:
- provides sufficient guarantees in respect of the technical and organisational security measures governing the processing; and
- takes reasonable steps to ensure compliance with those measures.

27 What is "adequate"?

28 Principles of data protection: 5. Retention Principle
Personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.
The Act sets no fixed time limit, but once the personal data is no longer required for the purpose for which it was collected it must be destroyed.

29 Principles of data protection: 6. Data Integrity Principle
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up to date, having regard to the purpose (including any directly related purpose) for which the personal data was collected and further processed.

30 Principles of data protection: 7. Access Principle
A data subject shall be given access to his personal data held by a data user, and shall be able to correct that personal data where it is inaccurate, incomplete, misleading or not up to date, EXCEPT where compliance with a request for such access or correction is refused under the PDPA.

31 Other key provisions: rights of the data subject
- Right to access personal data
- Right to correct personal data
- Right to withdraw consent
- Right to prevent processing likely to cause damage or distress
- Right to prevent processing for the purpose of direct marketing

32 Other key provisions
- Data user registration
- Data user forum

33 Content
- Introduction
- The 7 Principles
- Compliance

36 Why is compliance important?

37 Why is compliance important?

Offence | Liability
Contravention of the personal data protection principles | Fine up to RM300,000 or imprisonment up to 2 years, or both
Failure to register as a data user (for the specified classes of data users) | Fine up to RM500,000 or imprisonment up to 3 years, or both
Continuing to process personal data after registration is revoked |
Processing of sensitive personal data in contravention of s. 40 | Fine up to RM200,000 or imprisonment up to 2 years, or both
Failure to comply with the Commissioner's requirement to cease processing personal data likely to cause damage or distress |
Unlawful collection or disclosure of personal data | Fine up to RM500,000 or imprisonment up to 3 years, or both
Unlawful transfer of personal data overseas |

38 Compliance: analysis of status quo and existing gaps
- Top-down approach
- Analysis of the status quo and existing gaps
- Solutions should address the gaps by complying with the legal requirements in an effective manner

39 Compliance: top management commitment
Prevent:
- Risk assessment and regular re-assessment
- Policies
- Guidelines
- Training
Detect:
- Monitoring
- Compliance audit
- Concern / incident reporting
Respond:
- Internal investigations
- Dealings with authorities
- Employment-related consequences

40 Compliance: Privacy Impact Assessment

41 Compliance: Privacy Impact Assessment - look out for:
- Description of the personal data
- How the personal data is collected
- Was consent sought? How?
- Purpose of processing
- How the personal data is kept: is it secure?
- Procedures to ensure accuracy
- Access
- Retention period: is the personal data destroyed?
- Disclosure / transfer

42 Compliance: types of documents
Type A: Policies & procedures
- Internal data protection policy
- External data protection policy
Type B: Agreements
- Guide to amending agreements
- Amended agreements
- Supplementary agreement
Type C: Notices
- Recruitment
- Employment
- Customers
- Vendors

43 Compliance: policies
- General
- IT & security
- Access
- Retention

44 Compliance: documents
- Application forms
- Terms & conditions
- Contracts of employment
- Employee handbooks
- Service agreements
- Notices

45 Transitional provision
Remember: where a data user has collected personal data from the data subject or any third party before the date on which the PDPA comes into operation, he shall comply with the provisions of the PDPA within 3 months from that date.

46 Thank you
Adlin Abdul Majid (aam@lh-ag.com)
Lyssa Loh (lll@lh-ag.com)