Thursday, 18 September 2014

Principles of PDPA 2010 (Malaysia)


Malaysia recently implemented the Personal Data Protection Act, and there has been a great deal of buzz of late about what it is, what it might encompass, and how it actually affects online business in Malaysia.

This is a follow-up to the earlier post: The Personal Data Protection Act 2010 (Malaysia).

Disclaimer: This post has been put together from information researched online, is for general use only, and may only be adequately accurate. This post does not constitute legal advice, or in any way constitute solicitation. Although all attempts have been made to ensure that the information presented in this post is free from error, please seek advice from a professional legal advisor ("lawyer") to accurately identify areas in which your business could improve, and how it can accommodate this new Act.

The principles of the Personal Data Protection Act 2010 (Malaysia):

  1. General
  2. Notice and Choice
  3. Disclosure 
  4. Security
  5. Retention
  6. Data Integrity
  7. Access

A breach of any of the above principles will result in a fine not exceeding RM300,000 and/or a jail term of 2 years. As a rule of thumb, users who fall under the umbrella of the Act are called 'Data Users'. Data users are defined as a person or persons who have control over, or are able to authorize the accessing of, personal data.

The General Principle:


Generally, the consent of an individual must be obtained to process personal data. However, there are exceptions where the processing of personal data is required for entering into or performing a contract, for meeting legal obligations, for the administration of justice, or for the protection of the vital interests of an individual. For example, if you have a website that asks someone for their information, it must be made known to them what their personal information will be used for, unless there is a need to disclose that person's personal information to help with an ongoing investigation that could aid the administration of justice.

The Notice and Choice Principle:


Getting consent is generally required, and additionally there should be adequate notice provided to the individual. According to the Personal Data Protection Act 2010 (MY) you need to provide a written notice that includes:

  1. a description of the data being processed, the purpose, 
  2. the source, 
  3. right to access the individual's own personal data and how to contact you in any situation required to amend or revoke rights to that individual's personal data, 
  4. disclosure of data to third parties, 
  5. ability to limit access to personal data, 
  6. notice of whether the data submitted is compulsory or optional, 
  7. and in the case that the data being submitted is compulsory it must be made known to the individual.

Tip 1: Although this information should be made readily available in the Data Protection Policy or Privacy Policy of your website, it should also be made clear during the sign-up process, so that the individual is adequately informed that there are statements clarifying any uncertainties regarding how their personal information is being managed.

Tip 2: It is also required that notices be provided in both English and Bahasa Malaysia, so that the individual can choose whichever language they prefer.

Tip 3: When to notify? At the point data is collected or requested, when using data for other purposes, or when disclosing data to a third party.

The Disclosure Principle:


The consent of the individual is required when data is used for purposes other than those it was intended for, or when it is disclosed to a third party of a different class.

The Security Principle:


Reasonable precautions must be taken to ensure the safety of the data collected. Where the data is processed through an external data processor, sufficient guarantees must be obtained in respect of the technical and organizational security measures governing the processing, and reasonable measures must be taken to ensure compliance with those measures.

The Retention Principle:


Data collected cannot be retained for longer than is necessary, and once it has fulfilled its task all reasonable measures must be taken to destroy or permanently delete the data.

The Data Integrity Principle:


It is the inquirer's responsibility to take reasonable steps to ensure that data collected is accurate, complete, not misleading and kept up-to-date.

The Access Principle:


An individual must be given the right to access his/her own personal data to make corrections, unless the Personal Data Protection Act 2010 (MY) expressly refuses this.

The Personal Data Protection Act 2010 (MY) has caused a huge stir in Malaysia. Are you PDPA compliant?

Referenced from Malaysian Bar | Cloud Rock

Monday, 31 March 2014

The Personal Data Protection Act 2010 (Malaysia)

What is the Personal Data Protection Act 2010 (Malaysia)? This Act regulates the processing of personal data with regard to commercial transactions. It was gazetted in June 2010.

The penalty for non-compliance will be between RM100,000 - RM500,000 and/or imprisonment of between 1 - 3 years.

How does this affect your business?


This Act applies to any person who collects and processes personal data with regard to commercial transactions. The 7 principles of the Act are the general, notice and choice, disclosure, retention, security, access and data integrity principles.

Personal data relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive data and any expression of opinion about the data subject. For example: name, identity card number, date of birth, mobile number, etc.

Where personal data processing is outsourced to a third party, known as the data processor, it is the responsibility of the data user to ensure that the data processor provides sufficient guarantees to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.

What are the main Challenges?


Increased complexity: This Act affects personal data management from the point data is collected through to when it is used, stored, and destroyed. This Act also applies to customers, employees, and third-party service providers that handle personal data. Companies and businesses will be affected, as processes will need to be refined to comply with the Act's requirements.

The process of personal data life cycle management becomes more complex with the involvement of international data transfer.

What should be the next steps?


The Personal Data Protection Act 2010 is already in effect, and companies were required to register by 15 February 2014 or face penalties under section 16(4) of the Personal Data Protection Act 2010.

  1. Identify the gaps to meet the legal requirements and industry standards.
  2. Develop a strategic roadmap to address the gaps.
  3. Develop structure, roles and responsibilities, policies and procedures.
  4. Audit processes and systems to assess compliance with policies, standards, and legal requirements.

Find the Personal Data Protection Act 2010 (Malaysia) on the Official Portal of the Ministry of Communication and Multimedia Malaysia. For more legal information you can refer to the Malaysian Bar.

EVERWORKS is Malaysia's leading Server Colocation, Server Colocation Hosting Services, and Mobile Hosting Provider. EVERWORKS has worked with prominent clients such as the Ministry of Health Malaysia, PriceWaterhouse Coopers Malaysia, Media Prima Berhad, GAC Shipping, KLIA Express, CIMB Bank, Hong Leong Bank Berhad, and many others.

Further reading: Your Data is Your Data