Personal Data Protection in Malaysia

Bangsar South City Knowledge Clinics - Online Security & Data Protection on 30 June 2011

Published in: Business, Technology
1 Comment
6 Likes
Statistics
Notes
No Downloads
Views
Total views
9,586
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
455
Comments
1
Likes
6
Embeds 0
No embeds

No notes for slide

Personal Data Protection in Malaysia

Slide 1: Data Protection in Malaysia
by Foong Cheng Leong
[email_address] | [email_address]
www.foongchengleong.com

Highlights of the Act

Slide 2
- Personal Data Protection Act 2010 [Act 709]
- Gazetted: 10 June 2010 (not yet in force)

Slide 3: Overview of the Act
- Regulates “processing” of personal data
- Only “commercial transactions”
- Not Federal and State Government
- Not data processed outside Malaysia
- 7 Principles
- Criminal offences
- No civil remedies

Slide 4: Definitions
- Data User
- Data Subject
- Data Processor
- Personal Data
- Sensitive Personal Data
- Commercial Transactions
- Processing

Slide 5: “Personal data”
- means any information in respect of commercial transactions that
  - relates directly or indirectly to a data subject
  - who is identified or identifiable from that information or from that and other information in the possession of a data user
  - including any sensitive personal data and expression of opinion about the data subject

Slide 6: “Personal data”
- may be in any form, so long as it can “identify” a data subject. For example:
  - Name
  - Passport / Identity Card Number
  - Phone number
  - Photograph
  - Email
  - Fingerprint
  - DNA

Slide 7
- Email
  - It is not personal data per se; it depends on the circumstances of the case (Hong Kong Complaint Case No. 2008005)
- IP address
  - Hong Kong Complaint Case No. 2007006
  - An IP address by itself cannot be personal data, as it is a specific machine address assigned to an inanimate computer
  - However, an IP address together with other disclosed information may constitute “personal data”

Slide 8: “Commercial Transaction”
- Any transaction of a commercial nature, whether contractual or not.
- Includes matters relating to:
  - the supply or exchange of goods or services (HR?);
  - agency;
  - investments;
  - financing;
  - banking; and
  - insurance; but
  - does not include a credit reporting business

Slide 9: “Sensitive personal data”
- any personal data consisting of information as to:
  - the physical or mental health or condition of a data subject;
  - his political opinions;
  - his religious beliefs or other beliefs of a similar nature;
  - the commission or alleged commission by him of any offence;
  - or any other personal data determined by the Minister

Slide 10: “Processing”
- means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data.

Slide 11: 7 Principles

Slide 12: Principles of Data Protection
- For data to be processed lawfully in Malaysia, a data user shall comply with the following principles, namely:
  (1) the General Principle; (2) the Notice and Choice Principle; (3) the Disclosure Principle; (4) the Security Principle; (5) the Retention Principle; (6) the Data Integrity Principle; and (7) the Access Principle.

Slide 13: General Principle
- A data user shall not process personal data about a data subject unless the data subject has given his consent to the processing of the personal data
- Processing
  - means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data.

Slide 14: General Principle
- Exceptions
  - for the performance of a contract to which the data subject is a party;
  - for the taking of steps at the request of the data subject with a view to entering into a contract;
  - for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;

Slide 15: General Principle
- Exceptions
  - in order to protect the vital interests of the data subject;
  - for the administration of justice; or
  - for the exercise of any functions conferred on any person by or under any law.

Slide 16: Notice and Choice Principle
- A data user shall provide a written notice to the data subject.
- The written notice shall include, among others, that personal data of the data subject is being processed by or on behalf of the data user, the purpose for which it is collected and whether it is obligatory for the data subject to provide the personal data.
- The notice must be in the national language and English.

Slide 17: Disclosure Principle
- Personal data shall not, without the consent of the data subject, be disclosed
  - for any purpose other than the purpose disclosed at the time of collection or a related purpose; or
  - to any party other than third parties whom the data subject has permitted.

Slide 18: Security Principle
- A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
- Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall ensure that the data processor provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out, and takes reasonable steps to ensure compliance with those measures.

Slide 19: Retention Principle
- The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.
- No time limit, but if it is no longer required for its initial purpose, it must be destroyed.

Slide 20: Data Integrity Principle
- A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date, having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.

Slide 21: Access Principle
- A data subject shall be given access to his personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request for such access or correction is refused under this Act.

Slide 22: Personal Data Protection Commissioner

Slide 23: Commissioner
- The Act provides for the appointment of a Personal Data Protection Commissioner.
- Any complaint made against a data user is directed to the Commissioner.
- The Commissioner will conduct an investigation and issue an enforcement notice.
- Decisions of the Commissioner are appealable to the Appeal Tribunal.

Slide 24: Registration of Data User

Slide 25: Registration of Data Users
- Registration by class of data users prescribed by the Minister
- The Commissioner will determine whether to approve the application
- Must be renewed from time to time

Slide 26: Transfer of Personal Data Overseas

Slide 27: Transfer of Data Overseas
- No transfer outside Malaysia unless to such place as specified by the Minister
- However, a data user may transfer if, among others:
  - consent was obtained;
  - necessary for the performance of a contract between the data subject and the data user;
  - for the purpose of legal proceedings or to obtain legal advice;
  - to protect the vital interest of the data subject, and for the public interest.

Slide 28: Sensitive Personal Data
- physical or mental health or condition, political opinions, religious beliefs, offences

Slide 29: Sensitive Personal Data
- Can only be processed if, among others,
  - explicit consent has been given by data user
  - employment purposes
  - to protect the vital interest of the data subject, in a case where consent cannot be given by or on behalf of the data subject, or the data user cannot reasonably be expected to obtain the consent of the data subject
  - to protect the vital interest of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld

Slide 30: Sensitive Personal Data
- Can only be processed if, among others,
  - for medical purposes and undertaken by (a) a healthcare professional, or (b) a person who in the circumstances owes a duty of confidentiality equivalent to that which would arise if that person were a healthcare professional
  - for the purpose of, or in connection with, any legal proceedings;

Slide 31: Sensitive Personal Data
- Can only be processed if, among others,
  - for obtaining legal advice;
  - for establishing, exercising or defending legal rights;
  - for the administration of justice;
  - for the exercise of any functions conferred on any person by or under any written law

Slide 32: Rights of data subject

Slide 33: Rights of data subject
- Right to access personal data
- Right to correct personal data
- Right to withdraw consent
- Right to prevent processing likely to cause damage or distress
- Right to prevent processing for the purpose of direct marketing
Punishment for contravention of the Act

Slide 34: Offences and Liability

Slide 35: Offences and Liability
- Contravention of the personal data protection principles
  - fine of RM300,000 or imprisonment of 2 years or both
- Failure to register as a data user for a specified class of data users
  - fine of RM500,000 or imprisonment of 3 years or both
- Data user continues to process personal data after the registration is revoked
  - fine of RM500,000 or imprisonment of 3 years or both

Slide 36: Offences and Liability
- Processing of sensitive personal data in contravention of s 40
  - fine of RM200,000 or imprisonment of 2 years or both
- Failure to comply with the Commissioner's requirement to cease processing of personal data likely to cause damage or distress
  - fine of RM200,000 or imprisonment of 2 years or both

Slide 37: Offences and Liability
- Unlawful collection or disclosure of personal data
  - fine of RM500,000 or imprisonment of 3 years or both
- Transfer of personal data overseas
  - fine of RM300,000 or imprisonment of 2 years or both
Transitional Provision

Slide 38: Transitional Provision

Slide 39: Transitional Provision
- Where a data user has collected personal data from the data subject or any third party before the date of coming into operation of the Act, he shall comply with the provisions of the Act within three (3) months from the date of coming into operation of the Act.
Proposed Action Plan

Slide 40: Proposed Action Plan

Slide 41: Stage 1 – Prior to the coming into force of the Act
- Establish a data protection task force
- Conduct a Privacy Impact Assessment
- Obtain consent for use of personal data
- Prepare a standard data protection notice

Slide 42
- Privacy Impact Assessment
  - purpose: identify and recommend options for managing, minimising or eradicating privacy impacts.
  - Further reading:
    - The Information Commissioner’s Office PIA handbook
    - Privacy Impact Assessment Guide, Australia Office of the Privacy Commissioner

Slide 43: Stage 2 – On the coming into force of the Act
- Review plans established during Stage 1
- Establish procedures and forms to handle data protection complaints
- Establish processes for training of relevant staff

Slide 44: Stage 2 – On the coming into force of the Act (cont’d)
- Implementation of security measures to protect data
  - physical access
  - electronic access
- Review contracts between your organisation and third parties who may use data on your behalf
- Prepare an internal manual regarding data protection
- Inform customers and the public of your initiatives to comply with the Act
Slide 45: Questions? Thank you