Personal Data Protection Act 2010


There has been a lot of buzz recently about this new legislation (i.e. the Personal Data Protection Act 2010, hereinafter referred to as "the Act") which purports to keep safe an individual's personal data from abuse. But many are uncertain as to the implications of the Act. 


It would be useful to use the following illustration from the outset:

Let us say you want to sign up for a mobile-phone package by Telco A. In doing so, you would naturally fill in an application form in which you would disclose your personal information; typically your I/C number, address, other contact numbers, emails, etc. Under the Act, the Telco is referred to as the "data user" and you the "data subject".

Now, the Act seeks to regulate the data user's treatment of your personal information via guidance through a set of seven (7) principles:


1. General Principle: The processing of data requires consent.

This is self-explanatory, but it should be noted that even if you do give your consent, Telco A may only use your data for lawful purposes, for purposes directly related to the activities of the Telco, and only to such an extent as is necessary and not excessive in relation to that purpose. The method of giving consent is not specified, but it is reasonably assumed that consent cannot be inferred and must be given through some positive act. However, consent does not last forever. You may, by notice in writing, revoke your consent, and the data user must then cease processing your data.

2. Notice and Choice Principle.

This principle sets out requirements which, among others, state that the data user must inform you in writing that your personal data is being processed (by the data user itself or by third parties) and for what purpose. You must also be informed of your right to access and correct your data and to choose, if there is a choice, how to limit the processing of your data. In addition, you must be informed of which data is voluntary or obligatory; if obligatory, then what the consequences are of failing to supply that data.

3. Disclosure Principle.

The disclosure principle has two aspects:

  • First, data users are only allowed to disclose data for the purpose, or a directly related purpose, for which it was collected; and
  • Second, data users can only disclose the data to a third party or a class of third parties who are stated in the written notice to you.

4. Security Principle.

The data user must take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.

However, "practical steps" is not defined. Arguably, the measures that need to be taken would vary with the risk and sensitivity of the data in question, and hence the practical steps required of a hospital would differ from those required of a telco or a bank.

5. Retention Principle.

This principle provides that data shall be kept and/or processed only for so long as is necessary. Once the purpose for which the data was collected is achieved, it is mandatory for the data to be disposed of. For example, if your loan application was rejected by the bank, arguably your data must then be destroyed or permanently deleted.

6. Data Integrity Principle.

This principle imposes a duty on the data user to ensure that the personal data is accurate, complete, not misleading and up-to-date for its purpose or directly related purpose. This is important with regard to the legal status of an individual, e.g. a discharged bankrupt. Obviously, if his status as a discharged bankrupt is not updated, it would be detrimental to him.

7. Access Principle.

The right to access your data and correct it if inaccurate is ancillary to the Data Integrity Principle above. For obvious reasons, if you are not allowed to access and correct your data, then there cannot be integrity in it. However, there are circumstances in which the data user may refuse your request to correct your data, but the data user must give you notice of the refusal.

Furthermore, it is an offence to transfer data to a country outside Malaysia if that country has no law similar to the Act or if there is no adequate level of protection in that country. Notwithstanding this, a data user may do so if the data subject has consented to it, if the transfer is necessary for the performance of a contract, or if the data user has taken reasonable steps to ensure that the data will be protected.

While the above are merely general principles with regard to the application of the Act, there are provisions for industry-led forums to take the initiative to draft industry-specific codes of practice that set out, in more detail, appropriate sub-principles, rules and processes for processing data with particular regard to their own industry.

While this is a step forward for Malaysia in acknowledging the need for the protection of personal data with the advent of new technologies and changing market trends where personal information is a valuable commodity, the Act has a few apparent shortcomings and limitations.

'Commercial transactions'

The Act applies only to personal data in 'commercial transactions'. It would not apply to, for example, religious and educational institutions and non-profit organisations. A point to note, however, is that it is not easy to draw the line between a commercial and a non-commercial transaction.

There is also a 'media exemption' whereby personal data may be published, but the publisher must reasonably believe that the publication would be "in the interest of the public". With so much controversy about the content of blogs and social networking sites which have victimised and vilified private individuals, it is unclear how the "in the interest of the public" exception would be exercised.

The largest omission, however, is that the public sector is not at all subject to the provisions of the Act. There is no law in the country which limits State abuse of personal data should it occur. In light of the fact that state agencies hold a lot of very private and vital information, such as the personal data in the MyKad, income tax returns, criminal records, etc., it is a point of concern that the State is not regulated by this Act, especially if proposals like the 1Malaysia e-mail take off.

Disclosure for 'the purpose or directly related purpose'

As explained earlier, data collected can only be used or disclosed for the purpose for which it was collected or for a directly related purpose. The data user must give you written notice of the purpose of the collection of your data. They must also give written notice of any related purposes or disclosure of the same. You may, however, revoke your consent to the use of your data if you are unhappy with the related purpose. Thus far, it seems that your data is adequately protected.

But there seems to be a small loophole in this provision. Instead of revealing the "related purpose", the data user can choose simply to obtain your consent for disclosure to a "class of third parties". The term is ambiguous and vague. Provided that the data user makes a statement about such a possibility in the written notice, this may give them an avenue to disclose your data to almost anyone. Nonetheless, the safeguard here is that you can always revoke your consent at any time. However, some damage may already have been done by the time you decide to do so.

Furthermore, it is conspicuous that, with regard to security, the Act requires the data user to take 'practical steps' and not 'reasonable steps' to ensure the security of your personal data. This may leave open arguments of 'impracticality' as a defence to a lack of security of your personal data; i.e. they are under no obligation to protect your personal data if it is impracticable to do so. It is foreseeable that data users might even argue that prohibitive costs prevented them from adequately protecting your information because it was not 'practical' to install new and expensive firewall software, hire more staff to manage clients' data security, etc. Absurd results may follow if excuses like "We did the best we could, we're sorry it wasn't enough" are accepted as a sufficient defence.

Now, more importantly, how are you affected?

The most common questions would be: Does the Act empower me as an individual to take action? If my company is found guilty, am I, as a director, also liable? If liable, what is the Act's reach in terms of punishment?

Can an individual enforce his rights against the Data User in his personal capacity?

The simple answer is NO. Despite being named the Personal Data Protection Act, it must be noted that this is not an act that allows you to bring an action in your personal capacity for a purported contravention of the Act. You would have to address your complaint to the Commissioner.


[Updated: The Act is effective as of 15th November 2013, with Abu Hassan Ismail appointed as the Personal Data Protection Commissioner.]


What form of penalties exists?

It is worth noting that the Act provides for penalties of up to RM300,000.00 (Ringgit Malaysia Three Hundred Thousand) in fines, three (3) years' imprisonment, or both. CEOs, directors and persons who can be deemed to have management control can also be jointly and severally liable where a body corporate is found guilty.

An employer or principal can also be found liable for the acts of their employees and agents in certain instances. Enforcement is undertaken akin to that of a criminal offence, where officers (when appointed) will be given powers similar to those afforded to our police force. The rights to investigate, search and seize are afforded to these officers.

Conclusion

Despite these few shortcomings, the Act has not been tested yet and it may fare better than expected: the enforceability of legislation has always been supplemented by the wisdom and good sense of the courtroom judge. While express provisions may be lacking, it is a step forward that allows individuals to have their demands met out of fear of the sanctions set out by the Act. For Data Users in our commercial environment, it would be wise to consult and seek appropriate advice on what the Act means for your day-to-day business. For Data Subjects, at least we may finally have an avenue to put an end to the continued harassment of marketing gimmicks.


This article was written by Mr Ganesheraj Selvarajah, Partner of the Corporate & Commercial Department, for the Legal Cauldron, Issue 1 of 2011.

All information provided in this article is accurate as at the time of writing.
