1.0 INTRODUCTION
With the advancement and sophistication of today's technologies, personal privacy is no longer safe. Worst of all, no law has been able to govern or defend data privacy or personal data in the cyberworld. As a result, hackers and other perpetrators breach the privacy of victims, stealing valuable personal information without the victim's knowledge for various purposes, usually to commit fraud. With the rise of cybercrime and data fraud, the protection of personal information and data becomes more crucial. Therefore, a statute named the Personal Data Protection Act 2010 (PDPA) was proposed in Malaysia; it seeks to regulate the processing of personal data of individuals involved in commercial transactions. More importantly, it was drafted to provide protection for any individual's personal data. The Act was gazetted in June 2010 but was not put into force until November 2013. On the other hand, other countries have long had governing statutes to protect personal data. The United Kingdom, for instance, has such an act to safeguard information in the interests of individuals: the Data Protection Act 1998 (DPA). It was first composed in 1984 and was updated in 1998. Since the law of Malaysia is mainly based on the common law legal system, both acts may share similarities, which will be elaborated in the later sections.
2.0 PERSONAL DATA PROTECTION ACT 2010
The Malaysian PDPA 2010 has important details that should be noted and elaborated in this assignment. First of all, the PDPA is applicable only when certain scenarios are fulfilled, and only then is personal data protected. Furthermore, the processing of personal data must comply with the seven principles of the PDPA 2010, which are the General Principle, Notice & Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle and Access Principle. Besides that, knowing the rights of the data subject is important as a means of protecting the interests and confidentiality of the data subject. Lastly, failure to adhere to or comply with the Act leads to consequences and penalties, which will also be described here.
2.1 Application
The Act is only applicable to:
- anyone who processes, or has authorised the processing of, any personal data for any commercial transaction
- anyone who is not established in Malaysia but uses equipment in Malaysia to process personal data otherwise than for the purpose of transit through Malaysia
- the Federal Government and State Governments, for legal administrative purposes
- personal data that is processed outside Malaysia, unless the data is to be further processed in Malaysia
2.2.1 General Principle
This principle disallows the data user from processing personal data unless the data subject has given the data user permission to do so. Still, this principle is subject to exemptions in certain situations, such as the performance of a contract to which the data subject is a party, protecting the vital interests of the data subject, the administration of justice and many more. Moreover, the principle also states that personal data may be processed only if it is processed for a lawful purpose directly related to an activity of the data user, the processing is necessary for that purpose, and the personal data is adequate and not excessive for that purpose.
2.2.2 Notice & Choice Principle
This principle requires the data user to notify the data subject in writing, and that written notice also serves as the basis of the data subject's consent. The contents of the written notice would be:
- acknowledgement that the data subject's personal data is being processed
- a description of the data and the purpose for which it is being processed
- the data subject's right to request access to and correction of the data, together with the contact details of the data user
- mention of the third parties to whom the data user has disclosed the personal data
- the choices and means offered by the data user to the data subject to limit the personal data that is to be processed
- whether it is obligatory or voluntary for the data subject to supply the data
- the consequences for the data subject should he/she fail to supply the data
2.2.3 Disclosure Principle
With the acknowledgement of the data subject, the personal data can be revealed only to parties, and for purposes, that the data subject has granted. The exceptions under which disclosure is permitted are:
- with the intention of preventing or detecting a crime
- the data user has the right in law to disclose the personal data to other people
- the disclosure is in the public interest, as determined by the Minister
2.2.4 Security Principle
Precautions and necessary steps are to be taken by the data user to protect the data from any loss, misuse, modification, unauthorised access, disclosure or destruction when the data user processes the data. The data user has to take into consideration:
- where the data is stored
- the consequences for the data of a protection failure
- the security measures taken to secure the equipment where the data is stored
- ensuring that personnel having access to the data are trustworthy and reliable
- the steps taken to ensure the safe transfer of personal data
2.2.5 Retention Principle
Under this principle, personal data processed for any purpose must not be kept longer than is necessary for the fulfilment of that purpose. The data user is responsible for taking measures to ensure that the data is permanently deleted once it is no longer required.
2.2.6 Data Integrity Principle
The data user is required to verify and make sure that the data maintains its integrity: that it is still intact, up to date and has not been altered. This way, the data disclosed to third parties is the same, avoiding any further confusion. Not only that, it also becomes an obligation for the data user to obtain updates from the data subject on a regular basis to maintain data integrity.
2.2.7 Access Principle
Under this principle, the data subject has the right to access his/her own personal data held by the data user. In the event that the personal data is wrong or inaccurate, the data subject is able to have the data altered and corrected. However, the Act contains certain exceptions under which the data user may refuse the right of access, for example where an element of confidentiality is involved.
2.3 Rights of the Data Subject
As personal data belongs to a data subject, the data subject is entitled to several rights over the data:
- Right to access personal data
- Right to correct personal data
- Right to withdrawal of consent
- Right to prevent processing likely to cause damage or distress
- Right to prevent processing for purpose of direct marketing
2.4 Penalties
There are several punishments or liabilities enforced for certain offences. Each offence carries a different severity of liability and/or punishment:
- Failure to comply with the PDPA 2010 principles
- A data user processing personal data without a certificate of registration
- A data user continuing to process personal data after registration has been revoked
- Failure of a data user to comply with a code of practice
- Refusal to comply with the Commissioner's requirement to cease processing personal data that is likely to cause damage or distress
3.0 DATA PROTECTION ACT 1998
The Data Protection Act 1998 covers not only personal data but 'data' in general as a whole, as compared to the PDPA 2010, which legislates personal data alone. Even so, since the DPA 1998 came first, before the PDPA 2010 was even drafted, the DPA 1998 would have had enough provisions to protect the personal data of the people of the United Kingdom (UK). The PDPA 2010 involves only the data subject and the data user/processor; this is, however, different for the DPA 1998, which involves a data controller, a data processor and a data subject. A data controller is someone who decides on the purposes for which the data is to be processed, whereas the data processor is an individual who processes the data on behalf of the data controller.
3.1 Application
The Act applies to a data controller in two scenarios:
- only if he is established in the UK and the data are processed there
- established outside the UK and any European Economic Area (EEA) state but using equipment in the UK for processing; a UK representative must be nominated in this case for the purposes of this Act.
For the purposes of the Act, a data controller is regarded as established in the UK if he is:
- a resident of the UK
- a body incorporated under any part of the law of the UK
- a partnership/association formed under any part of the law of the UK
- an office/branch/agency in the UK or any EEA state
- practising in the UK or any EEA state
3.2.1 Processed Fairly & Lawfully
The first principle specifies that the processing of data must be done fairly and lawfully.
3.2.2 Obtained only for One or More Specified & Lawful Purposes
All data that is collected and processed must have a purpose and reasons, which should be stated in a notice from the data controller to the data subject. With that, the data can only be processed for the stated purpose and no other. The Commissioner must also be notified by the data controller of the purpose of the data processing.
3.2.3 Adequate, Relevant & Not Excessive
The information collected should be just enough: no more than necessary, nor any less. As an example, filling in a membership card form only requires full name, race, address, phone number and identification number. Other sensitive personal information that was not asked for, such as birth identification number, religion and others, is not required.
3.2.4 Accurate & Where Necessary, Kept Up to Date
This principle requires that data be accurate at all times and be updated where necessary. Information obtained from the data subject and recorded by the data controller is regarded as accurate provided that the data controller has taken reasonable precautions to ensure its accuracy. The data subject may notify the data controller that the data is inaccurate, with the data in hand as proof that it is inaccurate.
3.2.5 Processed Data Not Kept for Longer Than is Necessary
Once the data has served its purpose, it must be disposed of, as it is no longer required or necessary. In conjunction with the third principle, such data would be deemed excessive, as it no longer has any purpose.
3.2.6 Processed in Accordance with the Rights of the Data Subject
Any processing of data conducted by the data controller has to have regard to the rights of the data subject, such as the right to access personal data, the right to prevent automated decisions in the processing of personal data, the right to prevent the processing of personal data for the purposes of direct marketing, and others. There is a timescale: responses to subject access requests have to be made within 40 days of receipt of the request.
3.2.7 Taking Appropriate Measures Against Unauthorised/Unlawful Processing & Against Loss/Damage
The data controller must be aware of the harm that might result from unauthorised or unlawful processing of the data, or from its loss or damage. Therefore, it is important to uphold security so that the data is not disclosed or altered in any way. Since the data may be accessed by employees of the data controller, he has to make sure that those employees are reliable and trustworthy with regard to the confidentiality of the data. Besides that, the data controller has to choose a reliable data processor so that the data is safe. The data processor then has to carry out the processing under a contract with the data controller and act only on the instructions of the data controller.
3.2.8 Personal Data Shall Not Be Transferred to Countries Outside the EEA Without Adequate Protection
As the Act is legislated in the UK, protection of the data also holds within the EEA. Once data is transferred outside the EEA, its protection is not guaranteed, and it may be abused for various purposes while not protected under this Act. The data subject's consent should be sought beforehand regarding any transfer of the data outside the EEA and UK.
3.3 Rights of the Data Subject
- Right of access to personal data
- Right of correction of personal data
- Right to prevent processing likely to cause damage/distress
- Right to prevent processing for purposes of direct marketing
- Right to prevent automated decisions
- Right to complain to the Information Commissioner
- Right to compensation
4.0 SIMILARITIES BETWEEN PDPA 2010 AND DPA 1998
5.0 EXAMPLE OF CASES
Sources cited:
- (Yan Ping, n.d.)
- (Jin Nee & Min Lee, n.d.)
- (LAWS_OF_MALAYSIA_PDPA.pdf, 2010, page 7)
- (Lee Hishammuddin Allen & GledHill Advocates & Solicitors, 2011)
- ("JW515839 Act 709.indd - Personal Data Protection Act 2010.pdf," 2010, pages 17, 23, 24, 31, 43)
- ("Data Protection Act 1998 - data.pdf," 2013, pages 5, 83)
- (Belfast Education & Library Board, 2007)
- (University of Dunham, 2013)
- (BBC UK, n.d.)
- ("Data Protection Act (DPA) Penalties," 2013)