
Thursday 18 September 2014

Principles of PDPA 2010 (Malaysia)

Malaysia recently implemented the Personal Data Protection Act, and there has been a great buzz of late about what it is, what it might encompass, and how it actually affects online business in Malaysia.

This is a follow-up to the earlier post: The Personal Data Protection Act 2010 (Malaysia).

Disclaimer: This post has been put together from information researched online, is for general use only, and may only be adequately accurate. This post does not constitute legal advice, nor does it in any way constitute solicitation. Although all attempts have been made to ensure that the information in this post is free from error, please seek advice from a professional legal advisor ("lawyer") to accurately identify areas in which your business could improve, and how it can accommodate this new Act.

The principles of the Personal Data Protection Act 2010 (Malaysia):

  1. General
  2. Notice and Choice
  3. Disclosure 
  4. Security
  5. Retention
  6. Data Integrity
  7. Access

A breach of any of the above principles will result in a fine not exceeding RM300,000 and/or a jail term of 2 years. As a rule of thumb, users who fall under the umbrella of the Act are called 'Data Users'; a data user is defined as a person or persons who has control over, or is able to authorize the accessing of, personal data.

The General Principle:

Generally, the consent of an individual must be obtained in order to process personal data. However, there are exceptions where the processing of personal data is required for entering into or performing a contract, for meeting legal obligations, for the administration of justice, or for the protection of the vital interest of an individual. For example, if you have a website that asks someone for their information, it must be made known to them what their personal information will be used for, unless there is a need to disclose that person's information to help with an ongoing investigation that could aid the administration of justice.

The Notice and Choice Principle:

Getting consent is generally required, and additionally there should be adequate notice provided to the individual. According to the Personal Data Protection Act 2010 (MY) you need to provide a written notice that includes:

  1. a description of the data being processed, the purpose, 
  2. the source, 
  3. right to access the individual's own personal data and how to contact you in any situation required to amend or revoke rights to that individual's personal data, 
  4. disclosure of data to third parties, 
  5. ability to limit access to personal data, 
  6. notice of whether the data submitted is compulsory or optional, 
  7. and in the case that the data being submitted is compulsory, it must be made known to the individual.

Tip 1: Although this information should be readily available in the Data Protection Policy or Privacy Policy of your website, it should also be made clear during the sign-up process, so that the individual is adequately informed that there are statements clarifying any uncertainties about how their personal information is being managed.

Tip 2: Notices are also required to be provided in both English and Bahasa Malaysia, so that the individual can choose whichever language they prefer.

Tip 3: When to notify? At the point data is collected or requested, when using data for other purposes, or when disclosing data to a third party.

The Disclosure Principle:

The consent of the individual is required when data is used for purposes other than what it was intended for, or when it is disclosed to a third party of a different class.

The Security Principle:

Reasonable precautions must be taken to ensure the safety of the data collected. Where the data is processed through an external data processor, that processor must provide sufficient guarantees in respect of the technical and organizational security measures governing the processing, and reasonable measures must be taken to ensure compliance with those measures.

The Retention Principle:

Data collected cannot be retained for longer than is necessary, and once it has fulfilled its task, all reasonable measures must be taken to destroy or permanently delete the data.

The Data Integrity Principle:

It is the inquirer's responsibility to take reasonable steps to ensure that data collected is accurate, complete, not misleading and kept up-to-date.

The Access Principle:

An individual must be given the right to access his/her own personal data to make corrections, unless the Personal Data Protection Act 2010 (MY) expressly refuses this.

The Personal Data Protection Act 2010 (MY) has caused a huge stir in Malaysia. Are you PDPA compliant?

referenced from Malaysian Bar  | Cloud Rock 

