
The Challenges and Implications of Not Complying with Personal Data Protection (PDPA) Acts, 2010

March 21, 2018

1.0 Introduction
The Personal Data Protection Act 2010 (PDPA) is an Act that regulates the processing of personal data with regard to commercial transactions. It was gazetted in June 2010. On 15 November 2013, the PDPA came into force in Malaysia with the objective of protecting the personal data of individuals with respect to commercial transactions.
The PDPA also introduced four subsidiary legislations, listed below, which took effect on 15 November 2013. These regulations aim to clarify and supplement the PDPA:

  • Personal Data Protection Regulations 2013;
  • Personal Data Protection (Class of Data Users) Order 2013;
  • Personal Data Protection (Registration of Data User) Regulations 2013; and
  • Personal Data Protection (Fees) Regulations 2013.

The rest of the article is divided into five sections. First, we look at some key definitions of PDPA. Second, we analyse the seven principles which form the main crux of the PDPA. Third, we discuss the main challenges of implementing the PDPA. Fourth, we discuss the implications of not complying with the PDPA, and in the final section we discuss the impact of the act on employers and their responsibility to protect employees and data subjects under the act.

2.0 Key Definitions
Commercial transactions means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010.

Data processor means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user and does not process the personal data for any of his own purposes.

Data subject means an individual who is the subject of the personal data.

Data user is defined as a person who, either alone or jointly or in common with other persons, processes any personal data or has control over or authorises the processing of any personal data, excluding persons who process data on behalf of a data user and not for their own purposes.

3.0 Seven Personal Data Protection Principles of the PDPA
This Act applies to any person who collects and processes personal data with regard to commercial transactions. The law introduced seven principles that must be adhered to under S.5(1) to protect the integrity of personal data.

The principles are set out below:

  • general
  • notice and choice
  • disclosure
  • retention
  • security
  • access
  • data integrity

3.1 General Principle
A data user is not allowed to process the personal data of a data subject without that person's consent. Processing here simply means data handling through an automated or computerised system or method or any other process.

3.2 Notice and Choice Principle
The data user must comply with the Notice and Choice Principle, under which the data subject is informed, at the point of first communication, of what personal data is collected and the purpose for which it will be used.

3.3 Disclosure Principle
The Disclosure Principle spells out the need to disclose the use of personal data.

3.4 Security Principle
The Security Principle states that when processing the personal data of any data subject, precautionary measures must be taken so that the data is safe and not tampered with, abused, lost or given to irrelevant parties.

3.5 Retention Principle
The Retention Principle specifies that personal data shall not be kept in a processing system longer than is needed for the purpose for which it was collected.

3.6 Data Integrity Principle
A Data User shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up to date at all times.

3.7 Access Principle
The Access Principle: a data subject must be given access to his or her own personal data, which is kept by a data user, and must be allowed to correct that data.

With these seven principles in place, users and e-commerce practitioners will be more confident that their personal information is well protected. In the meantime, a practical and reasonable code of practice can be formulated by private effort or on the initiative of the Personal Data Commissioner.


4.0 What are the main challenges?
This Act affects the personal data life cycle management process from the point personal data is collected, through its use and storage, to its destruction. This Act applies to the personal data of customers, employees and third party service providers. Personal data relates directly or indirectly to a data subject, who is identified or identifiable from that information, or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject. For example: name, identity card number, date of birth, mobile number, etc.

In the case where personal data processing is outsourced to a third party, known as the data processor, it is the responsibility of the data user to ensure that the data processor provides sufficient guarantee to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.

The transitional provisions in the PDPA require a data user (i.e. a person who processes or authorises or controls the processing of personal data) who has collected personal data prior to the enforcement of the PDPA, to comply with the PDPA within three months of the PDPA coming into operation. Based on a strict interpretation, any personal data collected after the PDPA came into operation would have to comply with the requirements of the PDPA. A company’s way of doing business will definitely be affected as business processes are required to be refined to comply with the PDPA requirements. Most importantly, a central repository may be required for consent management. The process becomes more complex when cross border personal data transfer is involved.

5.0 The Implications of Not Complying with the PDPA

Anyone who breaches any of the above principles will be liable to a fine not exceeding three hundred thousand ringgit and/or a jail term not exceeding two years.

6.0 Conclusion
As one of the first South East Asian countries to venture into data protection, Malaysia's entry into this regime is a courageous effort. As demonstrated by the Republic of Indonesia and Singapore, data protection is one of the key stimulators of economic growth. It can build trust and enhance the image of the countries that enact legal protections for it (Noriswadi Ismail, 2012). However, employers or the management of companies have additional roles to play before companies can see the benefits of implementing the new Act.

The above discussion shows that with the introduction of the PDPA, an employer has an additional duty to ensure the proper management of employees' personal data. An employer is duty-bound under the PDPA to protect employees' data. Similarly, the employees, as data subjects, have rights under the Act. The 2010 Act will certainly be a challenge for employers, who now have an additional duty to ensure that all seven principles of the Act are complied with.

Author: Micheal Lim
