Data Protection in Malaysia by Foong Cheng Leong [email protected] | [email protected] www.foongchengleong.com
Personal Data Protection in Malaysia

Nov 28, 2014

Bangsar South City Knowledge Clinics - Online Security & Data Protection on 30 June 2011
Page 1: Personal Data Protection in Malaysia

Data Protection in Malaysia

by Foong Cheng Leong [email protected] | [email protected]

www.foongchengleong.com

Page 2: Personal Data Protection in Malaysia

Personal Data Protection Act 2010 [Act 709]

Gazetted: 10 June 2010 (not yet in force)

Highlights of the Act

Page 3: Personal Data Protection in Malaysia

• Overview of the Act
– Regulates “processing” of personal data
– Only “commercial transactions”
– Not Federal and State Government
– Not data processed outside Malaysia
– 7 Principles
– Criminal offences
– No civil remedies

Page 4: Personal Data Protection in Malaysia

• Definitions
– Data User
– Data Subject
– Data Processor
– Personal Data
– Sensitive Personal Data
– Commercial Transactions
– Processing

Page 5: Personal Data Protection in Malaysia

• “Personal data” means any information in respect of commercial transactions that:
– relates directly or indirectly to a data subject;
– who is identified or identifiable from that information or from that and other information in the possession of a data user;
– including any sensitive personal data and expression of opinion about the data subject.

Page 6: Personal Data Protection in Malaysia

• “Personal data” may be in any form, so long as it can “identify” a data subject. For example:
– Name
– Passport / Identity Card Number
– Phone number
– Photograph
– Email
– Fingerprint
– DNA

Page 7: Personal Data Protection in Malaysia

• Email
– It is not personal data per se; it depends on the circumstances of the case – Hong Kong Complaint Case No. 2008005
• IP address – Hong Kong Complaint Case No. 2007006
– An IP address by itself cannot be personal data, as it is a specific machine address assigned to an inanimate computer
– However, an IP address together with other information disclosed may be considered personal data.

Page 8: Personal Data Protection in Malaysia

• “Commercial Transaction” – any transaction of a commercial nature, whether contractual or not.
– Includes matters relating to:
• the supply or exchange of goods or services (HR?);
• agency;
• investments;
• financing;
• banking; and
• insurance; but
– does not include a credit reporting business

Page 9: Personal Data Protection in Malaysia

• “Sensitive personal data” – any personal data consisting of information as to:
– the physical or mental health or condition of a data subject;
– his political opinions;
– his religious beliefs or other beliefs of a similar nature;
– the commission or alleged commission by him of any offence; or
– any other personal data determined by the Minister

Page 10: Personal Data Protection in Malaysia

• “Processing” – means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data.

Page 11: Personal Data Protection in Malaysia

7 Principles

Page 12: Personal Data Protection in Malaysia

• Principles of Data Protection
– For data to be processed lawfully in Malaysia, a data user shall comply with the following principles, namely:
(1) the General Principle;
(2) the Notice and Choice Principle;
(3) the Disclosure Principle;
(4) the Security Principle;
(5) the Retention Principle;
(6) the Data Integrity Principle; and
(7) the Access Principle.

Page 13: Personal Data Protection in Malaysia

General Principle
• A data user shall not process personal data about a data subject unless the data subject has given his consent to the processing of the personal data

Processing – means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data.

Page 14: Personal Data Protection in Malaysia

General Principle Exceptions
• for the performance of a contract to which the data subject is a party;
• for the taking of steps at the request of the data subject with a view to entering into a contract;
• for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;

Page 15: Personal Data Protection in Malaysia

General Principle Exceptions
• in order to protect the vital interests of the data subject;
• for the administration of justice; or
• for the exercise of any functions conferred on any person by or under any law.

Page 16: Personal Data Protection in Malaysia

Notice and Choice Principle
• A data user shall provide a written notice to the data subject.
• The written notice shall include, among others, that personal data of the data subject is being processed by or on behalf of the data user, the purpose for which it is collected and whether it is obligatory for the data subject to provide the personal data.
• Notice must be in the national language and English.

Page 17: Personal Data Protection in Malaysia

Disclosure Principle
• Personal data shall not, without the consent of the data subject, be disclosed:
– for any purpose other than the purpose disclosed at the time of collection or a related purpose; or
– to any party other than third parties whom the data subject has permitted.

Page 18: Personal Data Protection in Malaysia

Security Principle
• A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
• Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall ensure that the data processor provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out, and takes reasonable steps to ensure compliance with those measures.

Page 19: Personal Data Protection in Malaysia

Retention Principle
• The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.
• No time limit, but if it is not required for its initial purpose, it must be destroyed.

Page 20: Personal Data Protection in Malaysia

Data Integrity Principle
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.

Page 21: Personal Data Protection in Malaysia

Access Principle
A data subject shall be given access to his personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request to such access or correction is refused under this Act.

Page 22: Personal Data Protection in Malaysia

Personal Data Protection Commissioner

Page 23: Personal Data Protection in Malaysia

• Commissioner
– The Act provides for the appointment of a Personal Data Protection Commissioner.
– Any complaint made against a data user is directed to the Commissioner
– The Commissioner will conduct an investigation and issue an enforcement notice
– The decision of the Commissioner is appealable to the Appeal Tribunal

Page 24: Personal Data Protection in Malaysia

Registration of Data User

Page 25: Personal Data Protection in Malaysia

• Registration of Data Users
– Registration by class of data users prescribed by the Minister
– Commissioner will determine whether to approve the application
– Must be renewed from time to time

Page 26: Personal Data Protection in Malaysia

Transfer of Personal Data Overseas

Page 27: Personal Data Protection in Malaysia

• Transfer of Data Overseas
– No transfer outside Malaysia unless to such place as specified by the Minister
– However, a data user may transfer if, among others:
• consent was obtained;
• necessary for the performance of a contract between data subject and data user;
• for the purpose of legal proceedings or to obtain legal advice;
• to protect the vital interests of the data subject and for the public interest.

Page 28: Personal Data Protection in Malaysia

Sensitive Personal Data

physical or mental health or condition, political opinions, religious beliefs, offences

Page 29: Personal Data Protection in Malaysia

Sensitive Personal Data
Can only be processed if, among others,
• explicit consent has been given by data user
• for employment purposes
• to protect the vital interests of the data subject, in a case where consent cannot be given by or on behalf of the data subject or the data user cannot reasonably be expected to obtain the consent of the data subject
• to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld

Page 30: Personal Data Protection in Malaysia

Sensitive Personal Data
Can only be processed if, among others,
• for medical purposes and is undertaken by (a) a healthcare professional or (b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional
• for the purpose of, or in connection with, any legal proceedings;

Page 31: Personal Data Protection in Malaysia

Sensitive Personal Data
Can only be processed if, among others,
• for obtaining legal advice;
• for establishing, exercising or defending legal rights;
• for the administration of justice;
• for the exercise of any functions conferred on any person by or under any written law

Page 32: Personal Data Protection in Malaysia

Rights of data subject

Page 33: Personal Data Protection in Malaysia

Rights of data subject
• Right to access personal data
• Right to correct personal data
• Right to withdraw consent
• Right to prevent processing likely to cause damage or distress
• Right to prevent processing for the purpose of direct marketing

Page 34: Personal Data Protection in Malaysia

Offences and Liability

Punishment for contravention of the Act

Page 35: Personal Data Protection in Malaysia

Offences and Liability
• Contravention of the personal data protection principles: RM300,000 or imprisonment of 2 years or both
• Failure to register as a data user for a specified class of data users: RM500,000 or imprisonment of 3 years or both
• Data user continues to process personal data after the registration is revoked: RM500,000 or imprisonment of 3 years or both

Page 36: Personal Data Protection in Malaysia

Offences and Liability
• Processing of sensitive personal data in contravention of s 40: RM200,000 or imprisonment of 2 years or both
• Failure to comply with the Commissioner's requirement to cease processing of personal data likely to cause damage or distress: RM200,000 or imprisonment of 2 years or both

Page 37: Personal Data Protection in Malaysia

Offences and Liability
• Unlawful collection or disclosure of personal data: RM500,000 or imprisonment of 3 years or both
• Transfer of personal data overseas: RM300,000 or imprisonment of 2 years or both

Page 38: Personal Data Protection in Malaysia

Transitional Provision

Page 39: Personal Data Protection in Malaysia

Transitional Provision
Where a data user has collected personal data from the data subject or any third party before the date of coming into operation of the Act, he shall comply with the provisions of the Act within three (3) months from the date of coming into operation of the Act.

Page 40: Personal Data Protection in Malaysia

Proposed Action Plan

Page 41: Personal Data Protection in Malaysia

• Stage 1 – Prior to the coming into force of the Act

• Establish a data protection task force

• Conduct a Privacy Impact Assessment

• Obtain consent for use of personal data

• Prepare standard data protection notice

Page 42: Personal Data Protection in Malaysia

• Privacy Impact Assessment
– purpose: identify and recommend options for managing, minimising or eradicating privacy impacts.
– Further reading:
• The Information Commissioner’s Office PIA handbook
• Privacy Impact Assessment Guide - Australia Office of Privacy Commissioner

Page 43: Personal Data Protection in Malaysia

Stage 2 – On the coming into force of the Act

• Review plans established during Stage 1
• Establish procedures and forms to handle data protection complaints
• Establish processes for training of relevant staff

Page 44: Personal Data Protection in Malaysia

Stage 2 – On the coming into force of the Act (cont’d)

• Implementation of security to protect data: physical access and electronic access

• Review contracts between your organisation and third parties who may use data on your behalf

• Prepare internal manual regarding data protection

• Inform customers and public of your initiatives to comply with the Act

Page 45: Personal Data Protection in Malaysia

Questions?

Thank you