Personal Data Protection

Introduction

With the advancement and sophistication of today’s technologies, the world is no longer safe from privacy. Worst of all, there is no law that is able to govern or defend against data privacy or personal data in the Cyberworld. As a result, hackers/perpetrators breach into the privacy of victims, stealing valuable and personal information without victim’s knowledge for various purposes, usually to commit frauds. With the rise of cybercrimes and data frauds, protection of personal information and data becomes more crucial. Therefore, a statute was proposed in Malaysia and was named the Personal Data Protection Act 2010 (PDPA) that seeks to regulate processing of personal data of individuals that are involved in commercial transactions. More importantly, it was drafted to provide protection to any individual’s personal data. The act was gazetted in the year June 2010 but was not put into force until November 2013. On the other hand, there are other countries that already have governing statutes to protect personal data since a long time ago. As such, the United Kingdom has amended such an act to safeguard the information for the interests of individuals. The act was called Data Protection Act 1998 (DPA). It was first composed in 1984 and was updated in 1998. Since the law of Malaysia is mainly based on the common law legal system, both acts might share similarities which will be further elaborated in the later sections.

Personal Data Protection Act 2010

The Malaysia PDPA 2010 has important details that should be noted and elaborated in this assignment. First of all, PDPA is applicable through certain scenarios that must be fulfilled to have the personal data be protected. Furthermore, the processing of personal data should also comply with PDPA 2010 7 principles which are the General Principle, Notice & Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle and Access Principle. Besides that, knowing the rights of data subject is important as a mean to protect the interest and confidentiality of the data subject. Lastly, failure to adhere or comply with the act leads to consequences and penalties which will also be described here.

Application

The act is only applicable to :

1. anyone who processes, or has authorization of the processing any personal data for any commercial transactions.
2. anyone who in not established in Malaysia but uses equipment in Malaysia to process personal data otherwise than for purposes of transit through Malaysia

However, there are certain exceptions where the act does not apply to such as :

1. Federal Government & State Governments for legal administrative purposes
2. personal data that is processed outside of Malaysia unless data is to be further processed in Malaysia

Principles

General Principle

This principle disallows the data user from processing personal data unless the data subject has given permission to the data user to do so. Still, this principle is exempted from certain situations such as performance of a contract where data subject is involved, protecting vital interests of data subject, administration of justice many more. Moreover, the principle also states that personal data can be processed only if the data is processed for legal purpose related to an activity of the data user, or processing the data is necessary for that mentioned purpose and that the personal data is just enough and not excessive for the purpose.

Notice & Choice Principle

This principle requires the data user to notify the data subject via written form as a consent to the data subject. The contents of the written form would be :

1. acknowledgement that the data subject’s personal data is being processed
2. description as well as purpose of that data will be provided to the data subject
3. data subject’s right to request access and correction of data with contact details of data user
4. mention of third parties whom the data user has exposed the personal data to
5. choices and means offered by data user to data subject to limit the personal data that is to be processed
6. question to data subject whether data to be supplied is obligatory or voluntary
7. consequences of data subject should he/she fail to supply the data

The written form to be sent to the data subject must be written in English and Bahasa Malaysia. Furthermore, a clear and readily accessible means shall be provided to the data subject to make a choice in both the languages.

Disclosure Principle

With the acknowledgement of the data subject, the personal data can be revealed to parties and for purposes that has been granted by data subject only. The exception where disclosure can be done are :

1. with intention to prevent or detect a crime
2. data user has the right in law to disclose the personal data to other people
3. disclosure is in public interest which is decided by the Minister

Security Principle

Precaution and necessary steps are to be taken by the data user to protect the data from any loss, abuse, modification, unauthorized access, disclosure or destruction when the data user processes the data. The data user has to take into consideration of :

1. where the data is stored
2. the consequence of the data due to protection failure
3. security measures taken to secure equipment where data is stored
4. ensuring that personnel having access to data is trustworthy and reliable
5. steps taken to ensure the safety of transfer of personal data[3]

Retention Principle

Under this principle, it is stated that processed personal data for any purpose is not allowed to be kept longer than necessary for the completion of the purpose. The data user will be responsible to conduct measures to ensure that data is deleted permanently once the data is no longer required.

Data Integrity Principle

The data user is required to verify and make sure that the data maintains its integrity that the data is still intact, up-to-date and has not changed. This way, data that is disclosed to other third parties is the same to avoid any further confusion. Not only that, it becomes an obligation for the data user also to obtain updates from the data subject on a regular basis for data integrity.

Access Principle

Under this principle, the data subject has the right to access his/her own personal data that is held by the data user. In the event that the personal data might be wrong or inaccurate, the data subject is able to alter and correct the data. However, there are certain exceptions in the Act where the data user may refuse the right to access under certain circumstances such as an element of confidentiality involved.

Right of Data Subject

As a personal data belongs to a data subject, the data subject is entitled to several rights to the data.

1. Rights to access personal data

The data user needs to inform the data subject whether the data is being processed. A requestor (can be the data subject) may write to the data user to make a data access request upon payment of a fee. From there, a copy of the personal data can be sent to the requestor.

2. Right to correct personal data

In the event that the requestor considers that the copy of data supplied to the requestor is inaccurate, not up-to-date or incomplete, the requestor may make a data correction request to the data user to make the necessary correction to the personal data.

3. Right to withdrawal of consent

A data subject has the rights to withdraw his consent to the processing of his personal data. This can be done by writing a notice to the data user to inform of the consent where the data user shall cease the processing upon receiving the notice.

4. Right to prevent processing likely to cause damage or distress

For reasons that the personal data belonging to the data subject might cause damage to himself or to another person or cause damage that would be unwarranted, the data subject can write a notice to the data user to stop the processing of personal data. However, this right shall not be applied for the same reasons that are stated in the exemptions of the General Principle such as the performance of a contract where data subject is involved.

5. Right to prevent processing for purpose of direct marketing

If the personal data is processed for the purpose of direct marketing, the data subject has the rights to require the data user to halt the processing. The data subject, where he may be dissatisfied with the failure of the data user to comply with the notice written to him, an application can be submitted to the Commissioner to assert the data user to comply with the notice.

Penalties

There are several punishments or liabilities that are enforced for certain offences made. Each offence carry different severity of liability and/or punishment.

1. Failure to comply with PDPA 2010 Principles[5]

The data user is liable to a fine that does not exceed RM300,000 and/or imprisonment for a term of not more than 2 years.

2. Failure of a data user processing personal data without certificate of registration[6]

Fine of not more than RM500,00 and/or imprisonment for a term of not more than 3 years.

3. Data user continues to process personal data after registration revoked[7]

Fine of not more than RM500,000 and/or imprisonment for a term of not more than 3 years.

4. Failure of data user to comply with code of practice[8]

Fine of not more than RM100,000 and/or imprisonment for a term of not more than 1 year.

5. Refusal to comply with commissioner’s requirements to cease processing of personal data that is likely to cause damage or distress[9]

Fine of not more than RM200,000 and/or imprisonment for a term of not more than 2 years.

Data Protection Act 1998

The Data Protection Act 1998 covers not only personal data but ‘data’ in general as a whole as compared to the PDPA 2010 which legislates personal data alone. Even so, DPA 1998 comes first before the PDPA 2010 was even drafted, the DPA 1998 would have enough laws to protect the personal data of the people of the United Kingdom(UK). PDPA 2010 only involves the data subject and data user/processer, this is however, different for DPA 1998 which consists of a data controller, data processor and data subject. A data controller is someone who decides on the purposes of the data that is to be processed whereas the data processor is an individual who processes the data on behalf of the data controller.

Application

The Act applies to a data controller in 2 scenarios :

1. only if he is established in UK and that the data are processed there
2. established outside of UK and European Economic Area (EEA) state but uses equipment in UK for processing. A UK representative must be nominated in this case for the purpose of this Act.

Besides that, an invidual is considered as being established in UK through these several options :

1. resident of UK
2. a body under the any part of the law of UK
3. a partnership/association that is formed under any part of the law of UK
4. an office/branch/agency in UK and any EEA state
5. performing practice in UK and any EEA state

Principles

Processed Fairly & Lawfully

The First principle specifies that the processing of data must be done fairly and lawfully.

Obtained only for One/ More Specified & Lawful Purposes

Every data that is collected and processed must have its purpose and its reasons which should be stated in a notice by the data controller to the data subject. With that, the data can only be processed for that stated purpose and no other. The Commissioner is also to be notified by the data controller regarding the purpose of the data processing.

Adequate, Relevant & Not Excessive

The information collected should just be enough and not more than necessary nor any less. As an example, filling up a form of membership card only requires full name, race, address, phone number and identification number. Other sensitive personal information that was not asked for such as birth identification number, religion and others are not required.

Accurate & Where Necessary, Kept Up to Date

This principle requires that data should be accurate at all times and should be constantly updated where necessary. Information obtained and recorded by the data controller from the data subject should be accurate by having regards that the data controller have taken reasonable precautions for the ensuring that the data is accurate. The data subject may notify the data controller that the data is inaccurate with the data in hand as proof and fact that it is inaccurate.

Processed Data Not Kept for Longer Than is Necessary

Once the data has served its purpose, it must be disposed as it is no longer required and is not necessary. In conjunction to the third principle, data would be deemed excessive as the data no longer has any purpose.

Processed in Accordance with Rights of Data Subject

Any processing of data conducted by the data controller has to be regarded with the rights of the data subject such as rights to access personal data, prevent automated decisions for processing of personal data, preventing the processing of personal data for the purposes of direct marketing and others. There is a timescale where the responses to subject access requests have to be made within 40 days of the receipt of request.

Taking Appropriate Measures Against Unauthorised/Unlawful Processing & Against Loss/Damage

The data controller must be aware of the harm that might result from the unauthorized or unlawful processing or loss or damages that is done to the data. Therefore, it is important to uphold aspects of security to ensure that data is not disclosed or altered in any way. Since the data might have been accessed by employees of the data controller, he has to make sure that the employees are reliable and trustable for the confidentiality of the data. Besides that, the data controller has to pick a reliable data processor so that data is safe. Then, the data processor has to carry out the processing under a contract with the data controller and only to act upon the instructions of the data controller.

Personal Data shall Not be Transferred to Countries outside of EEA without Adequate Protection

As the Act is legislated in UK, protection towards the data is legit even in EEA. Once data is transferred outside of EEA, protection of the data is not guaranteed to be safe and may be abused for various purposes whilst not protected under this Act. Consent should be given to data subject beforehand for the opinion on the data being transferred outside of the EEA and UK.

Rights of Data Subject

1. Right of Access to Personal Data

The data subject has the rights to access personal data that is stored by the data controller. Therefore, the data controller should supply any the personal data of the data subject, purpose of the data and parties who the data controller has disclosed to. There is a small fee of 0 for supplying the information to the data subject. A request in writing must be made to the data controller by the data subject in order to be supplied with the required information.

2. Rights of Correction of Personal Data

Should there be any inaccuracy to the personal data held by the data controller, the data subject is entitled the right to force the data controller to correct the mistakes in the data.

3. Rights to Prevent Processing likely to Cause Damage/Distress

The data subject is entitled the power to write a notice to the data controller to end the processing of the personal data for a specified purpose and reasons such as the likely of the data to cause damage or distress as well as causing damage/distress to other parties.

4. Rights to Prevent Processing for Purposes of Direct Marketing

Personal data that is used for direct marketing attempts can be stopped by the data subject. Likewise, a written notice need to be sent to the data controller to cease the processing of the personal data. With the failure of the data controller to comply, the court can order him to take such steps for complying with the notice if the court is satisfied and thinks fit.

5. Rights to Prevent Automatic Decisions

The data subject can specify to require the data controller to ensure that the decisions taken on behalf of the data controller is not done automatically towards the processing of the personal data. The data controller then has to write a notice to the data subject that specifies the steps he intends to take to comply with the requirement of the data subject.

6. Rights to Complain to Information Commissioner

If an issue between the data subject and the data controller got out of hand, the data subject can seek the Information Commissioner to review the user of the personal data belonging to the data subject. The Information Commissioner has the power to enforce the ruling of DPA and penalize the data controller under any offence that the data controller has violated.

1. Rights of Compensation

In the event that damage or dissatisfaction has invaded to the data subject, the data subject has the right to use the law to obtain compensation for damages that have been caused from inaccuracy, disclosure or loss of the data.

 

Cite this page