Intro of PDPA
Regulation of the processing, use and disclosure of the personal data in our country, Malaysia has been a subject of the interest as well as hot debate topic started since the late of 1990s. Even though the use, disclosure and processing of personal data in the certain industries, for example the banking and also finance, telecommunications industries as well as healthcare, is regulated and controlled by the some industry-specific legislation, but there has not been any about data protection legislation of the general application in our country Malaysia until 2010. There are several data protection legislation have been drafted and proposed over these years, which including the proposed of Data Protection Bill 2001 as well as the Data Protection Bill 1998, but none of these came to the fruition. Then, a new Personal Data Protection Act 2010 known as PDPA has recently finally enacted successfully due to the serious increasing need to curb those unauthorised use of the personal data in our country, Malaysia. The Personal Data Protection Act 2010 was passed through Malaysian Parliament in month of May 2010 while received the Royal Assent on date 2 June 2010 and then legislations will be come into operation on date which appointed by minister of Information Communications and Culture with notification in Gazette. The Personal Data Protection purposely to protect and safeguard personal data by requiring those data user to comply with some certain obligations as well as conferring some certain rights to the data subject which in relation to his personal data. Reason of PDPA enactment
Malaysia, after such a long wait, finally (PDPA) Personal Data Protection Act 2010 has finally been passed and came into fruition. PDPA 2010 actually seeks to regulate and control the processing of the personal data of oneâ€™s involved in the commercial transactions by the data users so as to safeguard and provide protection to individualâ€™s personal data, by that safeguarding the interests of individual. The passing and enactment of the PDPA is timely, in order for the information can be transferred as well as transmitted seamlessly and that sometimes, effortlessly. As we know, from the traditional snail mail to those social networking tool like â€œTweet-ingâ€, personal and often such vital and very important information of individuals can now be very easily shared just with a click perhaps. New technologies nowadays and the flow of changing market trends are big contributing to the increasingly important role of the information in this global market economy. Such information, in particular the personal data of the individuals which involved in the commercial transactions, has come into a valuable commodity. Last but not least, such legislation to protect and safeguard personal data has been enacted and applied in jurisdictions such as Canada, European Union, New Zealand and Hong Kong. The Act in PDPA is similar to legislation which enacted in those countries. Comparison with Foreign Statutes
There has been much expectation on the Personal Data Protection Act 2010 (â€œPDPAâ€) as it would be the legislation in Malaysia which handles with the protection of personal data. The Act was enacted and passed in 2010 and was recently published on the newspaper on 15th November 2013. It should be noted that the principles of data protection laws included in the PDPA are quite identical to the principles in other jurisdictions such as the UK and Singapore. The PDPA handles to any personal data processed in Malaysia or is planned to be processed in Malaysia regarding commercial transactions by any person settled in Malaysia or person who is not settled in Malaysia but applies the equipment in Malaysia and the desire is not to transit through Malaysia. â€œCommercial transactionsâ€ under the PDPA is defined as any transaction of a commercial nature which contains swap of goods or services, agency, investments, financing, banking and insurance but does not contain a credit reporting business. Credit reporting business such as CTOS explorations would not be classified as a commercial transaction under the Act. â€œPersonal Dataâ€ under the PDPA seems to be adequately broad to protect the common types of personal information gathered in day to day transactions for instance; name, address, telephone number, email address, banking details and identification card numbers. However, as mentioned, the information has to be related to commercial transactions. As contrast with the UK DPA 1998 as the act emphasis on the capability to classify an individual relies partially on the data held and partially on other information, the data adhered will still be â€œpersonal dataâ€. The definition also particularly contains views about the individual, or what is intended for them. Hence, we can assume that UK act does cover generally on the definition of the â€˜Personal Dataâ€™. PDPA 2010 regulates the data by processing of personal data under the virtue of the section 5 and there are seven principles in â€œProcessingâ€ of personal data includes collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data which includes: i) organisation, adaptation or alteration; ii) retrieval, consultation or use; iii) disclosure by transmission, transfer, dissemination, or otherwise making available; iv) alignment, combination, correction, erasure or destruction. The PDPA does not apply to non-commercial transactions, the Federal and State Governments of Malaysia nor does it apply to any personal data processed outside Malaysia. Whereas in United kingdom, the legislation regulating personal data and processing personal information will have several ways in determining it and the Directive and the DPA protect two usual categories of information: information processed, or intended to be processed, fully or partially by electronic means; and information processed alternatively than by automatic means which form part of, or are intended to form part of, a â€˜applicable filing systemâ€™. In most circumstances it will be a relatively straight forward task to determine: (a) whether the information is â€˜dataâ€™ for the purposes of the DPA; and (b) whether the information in question relates to anâ€˜identifiable individualâ€™ and consequently, to determine whether â€˜personal dataâ€™ is being processed. Furthermore,the DPA introduces two more types of manual processing of information which, if the information relates to an identifiable individual, will involve processing of â€˜personal dataâ€™. These extra categories of processing are implemented in the DPA definition of â€˜dataâ€™ and involve: processing information as part of an â€˜accessible recordâ€™; and processing recorded information held by a public authority. Sensitive data
Under the Act, a difference has been classified between â€œsensitive personal dataâ€ and â€œpersonal dataâ€. â€œSensitive personal dataâ€ is: â€œâ€¦ any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazetteâ€.
Any revelation of sensitive personal data must be done in accordance with s.40 of the Act, which wishes a data user to be more cautious in processing sensitive personal data. Due to the attributes of sensitive personal data, a greater limits is imposed for data users in processing it. A data user must not process sensitive personal data unless with the clear permission of the data subject. While â€˜â€™clear permissionâ€™â€™ is not defined in the Act, arguably, the data subject should be mandatory to provide his exact and precise permission to the processing of his sensitive personal data. However the requirement for precise permission from the data subject, The Act also grants the processing of sensitive personal data where it is illustrated under section 40 of the Personal Data Protection Act 2010.While the United Kingdomâ€™s Data Protection Act 1998 stated that whereby Sensitive personal data
means personal data consisting of information as to - (a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) Whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992), (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
The classification of sensitive personal data in United kingdom are widely drafted so that, for example, information that someone has a broken hand is categorized as sensitive personal data, even though such information is comparatively matter of fact and clear to anyone seeing the individual regarding with their leg in plaster and using crutches. Obviously, features about an individualâ€™s mental health, for example, are basically much more â€œsensitiveâ€ than whether they have a broken hand. Religion or race, or both, can always be understood with changing degrees of credence from dress or name. For instance, many surnames are identified with a specific race or religion, or both, and may assume the race and religion of the individuals involved. Nevertheless, it would be ridiculous to take all such names as â€œsensitive personal dataâ€, which would mean that to clench such names on customer databases you had to fulfill a situation for processing sensitive personal data. However, if you processed such names particularly because they represented race or religion, for instance to deliver commerce materials for goods and services intended at individuals of that race or religion, then you will be processing sensitive personal data. In any affair, you must beware when making presumptions about individuals as you could be compiling incorrect personal data. Hence, regards to the â€˜sensitive dataâ€™, Malaysia shares the same view with the United Kingdom. Case Analysis
In the case of H( A Healthcare Worker) v Associated Newspapers Limited  EWCA Civ 195, the applicant, H had been a health care worker, but was no longer working and he had diagnosed HIV positive. H commenced an action against his previous employer, N seeking a declaration that the notification was contrary to the Data Protection Act and an injunction to prohibit N from obtaining the records. He had obtained an order under the rules to protect his identity within the proceedings. The court held that the order against the newspaper obtained as part of the first action, but the newspaper was restricted to publish anything which might reveal his identification directly or indirectly. 
In this case, the judge states that the identity of the patient shall be well protected, it shall be very privacy and must be confidential. This case clearly shows that the information of data detail of the patient shall not be publish direct or indirectly. In the case of Douglas v Hello!  EWHC 786 (Ch), a claim for breach of confidence, breach of Data Protection Act 1998 and breach of Article 8 as a consequence of the unauthorized publication against Hello! of the wedding prototroph of Mr and Mrs Douglas. The defendant taken without consent and the exclusive right to photograph the wedding had previously been sold to a rival magazine, Ok. The court states that the defendant is taken to be a data controller by which the unauthorized pictures represent personal data and the publication in England is considered as part of the operations covered by the requirement of the Act. 
In other words, a data controller shall be responsible for the publication of the data which he is no authorized to publish yet. Meanwhile, a data controller shall be responsible for the publication of the copies which reproduce data that has previously been processed. In this case, the defendant does not has the right to take photograph on the wedding and the unauthorized publish shall be considered as in breach of the data protection act. Based on this case, it is well to be said that there is a need and how important of the act shall be come into force, so that the personal data have a safeguard to protect it. According to the case of Lord Ashcroft v Attorney- general & Department for International Development  EWHC 1122(QB), There are articles published in newspaper on 1999 and 2000 revealed confidential and sensitive personal information about Lord Ashcroft. The information which contained in documents leaked from the Foreign Office and the second defendant. The issue in this case is whether the Data Protection Act 1984 provided a private law remedy in damages for the leak of the document in breach of the data protection principle. The court held that the private law right to damages conferred by the act would be allowed only to the extent that it sought damages under the section for the disclosure of document. 
As under this case, it clearly show that the data protection act could only be invoke where there is an actual infringe or publish of the document or data which would be defamatory toward someone.
In the case of Campbell v MGN Ltd (QBD)  EWHC 499 (QB), the claimant was photographed of a Narcotics Anonymous (â€œNAâ€) meeting and the â€œMirrorâ€ published an articles consist of the photographs of her with the other attendeeâ€™s of the meetingâ€™s faces pixilated to protect their identities. The articles with headline read â€˜Naomi: I m a drug addictâ€™ and consist of information relating to Ms Campbellâ€™s treatment for drug addiction, including the number of NA meeting she had attended. The claimant claimed damages for breach of confidentiality and compensation for the articles and subsequent ones published by the â€œMirrorâ€ under s 13 of Data Protection Act 1998. The claimant states that the â€œMirrorâ€ was entitled to publish that she was a drug addict and the fact that she was having therapy but the information of therapy being obtained through NA and the detail of her attendance at meeting shall be private and confidential. The court held that the defendant may publish the articles as consent by the claimant by which she is having drug addict and receiving her therapy. But the defendant shall not obtained and publish the detail of the attendance and the therapy without consent of the claimant, the detail of the claimantâ€™s attendance at NA shall be confidential. Therefore, the claimant was entitle dot the remedy for the disclosure of the detail of her treatment. By refer to this case, a person is permit to publish the contents which is consent by someone and prohibited to publish any personal data which may lower the dignity of someone. Cases after the emforcement of Data Protection Act 1998, United Kingdom.
In Campbell v Mirror Group Newspapers Ltd
,the claimant, Naomi Campbell, the well known supermodel has sued the â€œMirrorâ€ Newspaper Group Ltd over the allegations contained in the articles that she was addicted to drug and was engaging the in the meeting of Narcotics Anonymous. The article comes with a photo which shows that she was leaving Narcotics Anonymous. However, source of the newspaper's information was not revealed. The fact that MsCampbell is addicted to drug has never been disclosed by any social media. In fact she used to tell the media that she would be someone whom forever immune from drug despite their prevalence in modeling industry. MsCampbell claimed damages for breach of confidence, alleging that her right to privacy contained in Art8 of the European Convention of Human Rights (ECHR) outweighed the newspaper's right to freedom of expression contained in Art10. She also sought compensation for a breach of the Data Protection Act 1988 (UK). One of the issue was whether she can claim for her right to privacy under Data Protection Act 1998. There are three requirements laid down in the data protection principle under s4 of the Data Protection Act 1998 (UK) .The processing must have been fair, lawful, and only carried out if at least one of the conditions in Schedule2 was met, and in the case of sensitive personal data. The â€œmirrorâ€ newspaper had contravened the Act. The exemption contained in s32 where data is processed only for the special purposes and with a view to publication only applies prior to publication and has no application once publication has taken place. The court has uphold the claim and held that details of MsCampbell's attendance at Narcotics Anonymous had the necessary quality of confidence to sustain an action for breach of confidence , one of the reason is that photographs were capable of having the quality of confidence, and had that quality in this case. Court further strengthen that those who deliberately court publicity are also deserve to have privacy in their life and and should be respected by the media unless there exists an overriding public interest consistent with Art10(2). Therefore, MsCambell has been awarded to aggravated damages of Â£1000, for the additional distress suffered by the newspaper's conduct, following the publication of the article. In case of Edem v Information Commissioner
, thefirst defendant decline to order the disclosure or the names of three members of the staff of the second defendant Financial Services Authority in response to an information request by the claimant. Nevertheless, the claimant appealed on grounds including that the names of the employees were notpersonal dataand it would not be possible to find them. The issue here now was whether the disclosure of the names of the officials could be withheld on the basis that they were 'personal data'and that disclosure of that information would contravene the first principle of Part 1 ofSch 1
to theData Protection Act 1998. The court has dismissed the appeal and held that to disclose the names of the three individuals would be to disclose theirpersonal data. In the case of Kjo v Xim,
the claimant forged a will of his maternal grandmother. Later on, he pleaded guilty as his action was being detected and being sentenced to nine months imprisonment. After that, he moved and lived in Hong Kong. He was dogged for a long time by communications sent to various employers, potential employers and official bodies by his motherâ€™s brother, the defendant, informing them of his conviction and sentence for forgery. The claimant alleged that that only came to his attention and the end of 2008, as the defendant had been at pains to conceal what he had been up too. The claimant has applied an injunction against the defendant to restrain him from communicating any further information about the 1992 conviction. His ground was there could be no legitimate purpose served by the defendant continuing his campaign. Subsequently, he applied for summary judgment based onData Protection Act 1998
. The issue was whether summary judgment ought to be entered in favor of claimant on data protection claim based on Data Protection Act 1998 The court dismissed claimantâ€™s application as there had not been sufficient evidence of intention on the defendantâ€™s part. There was also no basis upon which the court could at the instant stage grant summary judgment.
Section 40 of the Personal Data Protection Act 2010 
United Kingdom Data Protection Act 1998  http://swarb.co.uk/h-a-healthcare-worker-v-associated-newspapers-limited-ca-27-feb-2002/  http://www.1cor.com/1315/?form_1155.replyids=576  http://www.5rb.com/case/lord-ashcroft-v-attorney-general-department-for-international-development/  http://www.5rb.com/case/campbell-v-mgn-ltd-qbd/ 
(2002)54 IPR 645  [2 014] EWCA Civ 92   EWHC 1768 (QB)