Malaysia: Personal Data Protection Act (PDPA) 2010
Hairul Hafiz B Hasbullah
Data Protection: It’s Getting Personal
WHAT YOU WILL LEARN?
• What is personal data
• General guidelines for the collection of personal data
• Your responsibilities with respect to the protection and management of personal data
• Which major legislation and policies directly relate to privacy and personal data
Loss of personal data leaves customers and employees at risk of fraud and personal identity theft
Identity Thief -The Scam.mp4
Crooks_use_fake_hotel_WiFi_hotspots_to_steal_personal_info.mp4
To demonstrate the data you are routinely sharing, walk through these next steps. If you are an iPhone user, here's how you can easily see if you are vulnerable to a data hack:
1. Go to Settings.
2. Tap Privacy.
3. Tap Location Services (if Off, you have nothing to worry about).
4. Scroll down and tap on System Services.
5. Scroll down to Frequent Locations (if Off, your privacy is intact).
6. If ON, tap on Frequent Locations.
7. Tap on any of the History details.
Up will pop the last six weeks of your whereabouts, including frequency, time of day and amount of time spent at each location! Of course, this is not limited to iPhone users.
THE SCARIER FACT IS THAT YOU MIGHT HAVE SHARED THE INFORMATION WITH HACKERS FOR NEFARIOUS PURPOSES
GOOD NEWS TO POKEMON FANS
ZITMO BANKER MALWARE
ANDROID – 2010-PRESENT
Personal data is…
Information about an individual that is recorded in any form
3 TYPES OF DATA
Data Subject
Individual who is subject of personal data
Written / Oral
Data User
Person who processes personal data OR has control over OR authorises processing of personal data
Data Processor
Person (other than data user’s employee) who processes personal data solely on behalf of data user
PERSONAL # SENSITIVE # COMMERCIAL DATA
PERSONAL DATA
• Home address
• Home telephone number
• Age, date of birth, gender
• Blood type
• Ethnicity, nation of origin, colour of skin
• Religious beliefs
• Health care/medical history
• Marital status
• Identifying numbers (NRIC)
• Credit card numbers
• Criminal records, fingerprints
• Curriculum vitae
• Educational history
• Financial history
• Employment information
• Exact salary
SENSITIVE DATA
Any personal data consisting of:
• the physical or mental health of a data subject
• his political opinions
• his religious beliefs
• the commission by him of any offence; or
• any other personal data determined by the Minister
Note: can only be processed under specific circumstances set out in PDPA (including explicit consent by data subject)
SENSITIVE PERSONAL DATA MAY ONLY BE PROCESSED IF:
COMMERCIAL DATA
• Any transaction of a commercial nature includes matters relating to:
  • Supply or exchange of goods or services
  • Agency
  • Investments
  • Financing
  • Banking
  • Insurance
Note: Does not include a credit reporting business (CTOS/CCRIS)
RESPONSIBILITY
MyCEB employees are expected to be aware of and follow applicable guidelines for the collection of personal data.
What data do you need consent for?
Written / Oral
EXEMPTIONS TO CONSENT
| No | Exemption | Example |
|----|-----------|---------|
| 1 | Performance of a contract to which the data subject is a party | Employment contracts |
| 2 | The taking of steps at the request of the data subject with a view to entering into a contract | Before the sale & purchase of a house or hire and purchase of a car |
| 3 | Compliance with any legal obligation | Organisation is under a duty pursuant to e.g. SOCSO/EPF/LHDN, to provide data of its employees to authorities |
| 4 | Protect the vital interests of the data subject | Person that is unconscious & needs medical treatment to save his life |
| 5 | Administration of justice | Enforcement of a court order |
| 6 | Exercise of any functions conferred on any person by or under any law | If an organisation is tasked to perform a service by a law, e.g. Police |
DISCLOSURE IS VERY IMPORTANT
It is vital that the following is disclosed to the owners of the personal DATA:
• Why this personal DATA is being collected
• How this DATA may be used and if the DATA is shared, with whom; and
• How and for how long this DATA will be held and then disposed of
Responsibility
MyCEB employees have a duty to protect and manage personal data about individuals.
7 PRINCIPLES OF DATA PROTECTION
* Disclosure Principle
* Access Principle
* Notice & Choice Principle
• Data user shall provide a written notice to the data subject. To include:
  • That personal data of the data subject is being processed by or on behalf of the data user
  • Description of the personal data
  • Purpose it is collected & further processed
  • Class of 3rd parties to whom data user discloses / may disclose the personal data
  • Whether it is obligatory for the data subject to provide the personal data
• Must be given as soon as practicable
• In Bahasa & English
CHANNELS OF SERVING NOTICE
• Application forms
• Terms & conditions
• RFQs / RFPs
• Agreements
• Letters of employment
• Salary slips
• E-mails
PRINCIPLES OF DATA PROTECTION
Personal data shall not, without the consent of the data subject, be disclosed:
• For any purpose other than the purpose disclosed at the time of collection or related purpose; or
• To any party other than 3rd parties of the class in notice
PRINCIPLES OF DATA PROTECTION
• The personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of that purpose
• No time limit but if it is not required for its initial purpose, it must be destroyed
PRINCIPLES OF DATA PROTECTION
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading & kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected & further processed
PRINCIPLES OF DATA PROTECTION
• A data subject shall be given access to his personal data held by a data user
• Able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date
• EXCEPT where compliance with a request to such access or correction is refused under PDPA
# CASES
# MyCEB COMPLIANCE
UNDER PDPA 2010 (Act 709)

| Offence | Liability |
|---------|-----------|
| Contravention of the personal data protection principles | RM300,000 or imprisonment of 2 years or both |
| Failure to register as data user for specified class of data users | RM500,000 or imprisonment of 3 years or both |
| Data users continue to process personal data after the registration is revoked | RM500,000 or imprisonment of 3 years or both |
| Processing of sensitive personal data in contravention with s40 | RM200,000 or imprisonment of 2 years or both |
| Failure to comply with the Commissioner's requirements to cease processing of personal data likely to cause damage or distress | RM200,000 or imprisonment of 2 years or both |
| Unlawful collection or disclosure of personal data | RM500,000 or imprisonment of 3 years or both |
| Transfer of personal data overseas | RM300,000 or imprisonment of 2 years or both |
Compliance
PDPA COMPLIANCE
Prevent
• Risk assessment & regular re-assessment
• Policies
• Guidelines
• Training
Detect
• Monitoring
• Compliance Audit
• Concern / incident reporting
Respond
• Internal Investigations
• Dealings with authorities
• Employment related consequences
PRIVACY IMPACT ASSESSMENT
LOOK OUT FOR:
Description of personal data
How personal data is collected
Was consent sought? How?
Purpose of processing
How personal data is kept – security?
Procedures to ensure accuracy? Access?
Retention period? Is personal data destroyed?
Disclosure / transfer
GUIDELINES:
COLLECTION OF PERSONAL DATA
• Any collection of personal data shall be done in consultation with legal and corporate service unit.
• No personal data shall be collected unless it relates directly to an operating program or activity of MyCEB.
HR : PDPA POLICY
MALAYSIA CONVENTION & EXHIBITION BUREAU
PERSONAL DATA PROTECTION
Privacy Policy
1. Collection of Personal Data
This Personal Data Protection Notice is issued to all our valued customers/prospective
customers, pursuant to the requirements of the Personal Data Protection Act 2010.
We treat and view your personal data seriously.
In the course of your dealings with Malaysia Convention & Exhibition Bureau (“MyCEB”), as our
valued customer / prospective customer, we will request that you provide data and information
about yourself (“Personal Data”) to enable us to enter into transaction with you or to deliver the
necessary notices, services and/or products.
2. Nature of Personal Data
Such Personal Data may be subject to applicable data protection, privacy and other similar laws
and may include information concerning name, age, identity card number, passport number,
address, gender, date of birth, marital status, occupation, contact information, email address,
race, ethnic origin and nationality.
3. Impact from failure to supply Personal Data
The failure to supply such Personal Data will result in us being unable to:
a. provide you with the notices, services and/or products requested;
b. update you on our latest products, services and promotions.
4. Purpose of Collecting Personal Data
The Personal Data is collected, used and otherwise processed by us for, amongst others, the
following purposes:
a. delivering notices, services, products, updates materials to you;
b. maintaining and improving customer relationship;
c. maintaining and updating internal record keeping; and
d. meeting any legal or regulatory requirements and making disclosure under the
requirements of any applicable law, regulation, direction, court order, by-law,
guideline, circular, code applicable to PSMB
5. Disclosure
The Personal Data provided to us will generally be kept confidential but you hereby consent
and authorize us to provide or disclose your Personal Data to the following categories:-
a. any person to whom we are compelled or required to do so under law;
b. statutory authorities, government agencies and industry regulators;
c. our consultants, accountants, auditors, lawyers or other financial or professional advisers;
and
d. our service providers for purposes of establishing and maintaining a common database
where we have a legitimate common interest;
6. Safeguards
We shall keep and process your data in a secure manner. We endeavour, where practicable,
to implement the appropriate administrative and security safeguards and procedures in
accordance with the applicable laws and regulations to prevent the unauthorized or unlawful
processing of the Personal Data and the accidental loss or destruction of, or damage to, the
Personal Data.
7. Rights of Access and Correction
You have the right to request for access to and correction of your information held by us and
in this respect, you may:
a. Check whether we hold or use your Personal Data and request access to such data;
b. Request that we correct any of your Personal Data that is inaccurate, incomplete or out-of-date;
c. Request that your Personal Data is retained by us only as long as necessary for the
fulfilment of the purposes for which it was collected;
d. Request that we specify or explain our policies and procedures in relation to data and
types of Personal Data handled by us;
e. Communicate to us your objection to the use of your Personal Data for marketing
purposes whereupon we will not use your Personal Data for these purposes; and
f. Withdraw, in full or in part, your consent given previously, in each case subject to any
applicable legal restrictions, contractual conditions and a reasonable time period.
IN SUMMARY:
• Personal data is information about an individual that is recorded in any form.
• We must establish a process for the storage and management of personal data that both enables access to and protection of the information.
• You must ensure that personal data is correct and you should practice “just in time” collection of personal information.
CONGRATULATIONS!
You have just completed Privacy and Personal data (Part 1) under MyCEB Personal Data Protection 2010
THANK YOU

PDPA Compliance Guide for Malaysian Companies

  • 1. Malaysia: Personal Data Protection Act (PDPA) 2010 Hairul Hafiz B Hasbullah Data Protection: It’s Getting Personal
  • 2. WHAT YOU WILL LEARN?
  • 3. WHAT YOU WILL LEARN:
      • What is personal data
      • General guidelines for the collection of personal data
      • Your responsibilities with respect to the protection and management of personal data
      • Which major legislation and policies directly relate to privacy and personal data
  • 4. WHAT YOU WILL LEARN: Loss of personal data leaves customers and employees at risk of fraud and personal identity theft
  • 6. To demonstrate the data you are routinely sharing, walk through these next steps. If you are an iPhone user, here's how you can easily see if you are vulnerable to a data hack:
      1. Go to Settings.
      2. Tap Privacy.
      3. Tap Location Services (if Off, you have nothing to worry about).
      4. Scroll down and tap on System Services.
      5. Scroll down to Frequent Locations (if Off, your privacy is intact).
      6. If On, tap on Frequent Locations.
      7. Tap on any of the History details.
      Up will pop the last six weeks of your whereabouts, including frequency, time of day and amount of time spent at each location! Of course, this is not limited to iPhone users.
      THE SCARIER FACT IS THAT YOU MIGHT HAVE SHARED THE INFORMATION WITH HACKERS FOR NEFARIOUS PURPOSES
      GOOD NEWS FOR POKEMON FANS
  • 8.
  • 9. Personal data is… information about an individual that is recorded in any form
  • 10. 3 TYPES OF DATA
      • Data Subject: Individual who is subject of personal data
      • Data User: Person who processes personal data OR has control over OR authorises processing of personal data
      • Data Processor: Person (other than data user’s employee) who processes personal data solely on behalf of data user
  • 12. PERSONAL DATA • Home address • Home telephone number • Age, date of birth, gender • Blood type • Ethnicity, nation of origin, colour of skin • Religious beliefs • Health care/medical history • Marital status • Identifying numbers (NRIC) • Credit card numbers • Criminal records, fingerprints • Curriculum vitae • Educational history • Financial history • Employment information • Exact salary
  • 13. SENSITIVE DATA Any personal data consisting of: • the physical or mental health of a data subject • his political opinions • his religious beliefs • the commission by him of any offence; or • any other personal data determined by the Minister Note: can only be processed under specific circumstances set out in PDPA (including explicit consent by data subject)
  • 14. Written / Oral SENSITIVE PERSONAL DATA MAY ONLY BE PROCESSED IF:
  • 15. COMMERCIAL DATA • Any transaction of a commercial nature, including matters relating to: • Supply or exchange of goods or services • Agency • Investments • Financing • Banking & • Insurance Note: Does not include a credit reporting business (CTOS/CCRIS)
  • 16. RESPONSIBILITY MyCEB employees are expected to be aware of and follow applicable guidelines for the collection of personal data.
  • 17. For what data do you need consent? Written / Oral
  • 18. EXEMPTIONS TO CONSENT
      No | Exemption | Example
      1 | Performance of a contract to which the data subject is a party | Employment contracts
      2 | The taking of steps at the request of the data subject with a view to entering into a contract | Before the sale & purchase of a house or Hire and Purchase of a car
      3 | Compliance with any legal obligation | Organisation is under a duty pursuant to e.g. SOCSO/EPF/LHDN, to provide data of its employees to authorities
      4 | Protect the vital interests of the data subject | Person that is unconscious & needs medical treatment to save his life
      5 | Administration of justice | Enforcement of a court order
      6 | Exercise of any functions conferred on any person by or under any law | If an organisation is tasked to perform a service by a law, e.g. Police
  • 19. DISCLOSURE IS VERY IMPORTANT It is vital that the following is disclosed to the owners of the personal DATA: • Why this personal DATA is being collected • How this DATA may be used and if the DATA is shared, with whom; and • How and for how long this DATA will be held and then disposed of
  • 20. Responsibility MyCEB employees have a duty to protect and manage personal data about individuals.
  • 21. 7 PRINCIPLES OF DATA PROTECTION * Disclosure Principle * Access Principle * Notice & Choice Principle
      • Data user shall provide a written notice to the data subject. To include:
          • That personal data of the data subject is being processed by or on behalf of the data user
          • Description of the personal data
          • Purpose it is collected & further processed
          • Class of 3rd parties to whom data user discloses / may disclose the personal data
          • Whether it is obligatory for the data subject to provide the personal data
      • Must be given as soon as practicable
      • In Bahasa & English
  • 22. CHANNELS OF SERVING NOTICE • Application forms • Terms & conditions • RFQs / RFPs • Agreements • Letters of employment • Salary slips • E-mails
  • 23. PRINCIPLES OF DATA PROTECTION * Disclosure Principle * Access Principle * Notice & Choice Principle
      Personal data shall not without the consent of the data subject, be disclosed:
      • For any purpose other than the purpose disclosed at the time of collection or related purpose; or
      • To any party other than 3rd parties of the class in notice
  • 24. PRINCIPLES OF DATA PROTECTION * Disclosure Principle * Access Principle * Notice & Choice Principle
      • The personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of that purpose
      • No time limit but if it is not required for its initial purpose, it must be destroyed
  • 25. PRINCIPLES OF DATA PROTECTION * Disclosure Principle * Access Principle * Notice & Choice Principle
      A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading & kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected & further processed
  • 26. PRINCIPLES OF DATA PROTECTION * Disclosure Principle * Access Principle * Notice & Choice Principle
      • A data subject shall be given access to his personal data held by a data user
      • Able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date
      • EXCEPT where compliance with a request to such access or correction is refused under PDPA
  • 27. # CASES # MyCEB COMPLIANCE
  • 28.
  • 30. UNDER PDPA 2010 (Act 709)
      Offence | Liability
      Contravention of the personal data protection principles | RM300,000 or imprisonment of 2 years or both
      Failure to register as data user for specified class of data users | RM500,000 or imprisonment of 3 years or both
      Data users continue to process personal data after the registration is revoked | RM500,000 or imprisonment of 3 years or both
      Processing of sensitive personal data in contravention with s40 | RM200,000 or imprisonment of 2 years or both
      Failure to comply with the Commissioner's requirements to cease processing of personal data likely to cause damage or distress | RM200,000 or imprisonment of 2 years or both
      Unlawful collection or disclosure of personal data | RM500,000 or imprisonment of 3 years or both
      Transfer of personal data overseas | RM300,000 or imprisonment of 2 years or both
  • 32. PDPA COMPLIANCE
      Prevent: • Risk assessment & regular re-assessment • Policies • Guidelines • Training
      Detect: • Monitoring • Compliance Audit • Concern / incident reporting
      Respond: • Internal Investigations • Dealings with authorities • Employment related consequences
  • 33. PRIVACY IMPACT ASSESSMENT LOOK OUT FOR:
      • Description of personal data
      • How personal data is collected
      • Was consent sought? How?
      • Purpose of processing
      • How personal data is kept – security?
      • Procedures to ensure accuracy?
      • Access?
      • Retention period?
      • Is personal data destroyed?
      • Disclosure / transfer
  • 34. GUIDELINES: COLLECTION OF PERSONAL DATA • Any collection of personal data shall be done in consultation with legal and corporate service unit. • No personal data shall be collected unless it relates directly to an operating program or activity of MyCEB.
  • 35. HR : PDPA POLICY
      MALAYSIA CONVENTION & EXHIBITION BUREAU PERSONAL DATA PROTECTION Privacy Policy
      1. Collection of Personal Data
      This Personal Data Protection Notice is issued to all our valued customers/prospective customers, pursuant to the requirements of the Personal Data Protection Act 2010. We treat and view your personal data seriously. In the course of your dealings with Malaysia Convention & Exhibition Bureau (“MyCEB”), as our valued customer / prospective customer, we will request that you provide data and information about yourself (“Personal Data”) to enable us to enter into transaction with you or to deliver the necessary notices, services and/or products.
      2. Nature of Personal Data
      Such Personal Data may be subject to applicable data protection, privacy and other similar laws and may include information concerning name, age, identity card number, passport number, address, gender, date of birth, marital status, occupation, contact information, email address, race, ethnic origin and nationality.
      3. Impact from failure to supply Personal Data
      The failure to supply such Personal Data will result in us being unable to:
          a. provide you with the notices, services and/or products requested;
          b. update you on our latest products, services and promotions.
      4. Purpose of Collecting Personal Data
      The Personal Data is collected, used and otherwise processed by us for, amongst others, the following purposes:
          a. delivering notices, services, products, updates materials to you;
          b. maintaining and improving customer relationship;
          c. maintaining and updating internal record keeping; and
          d. meeting any legal or regulatory requirements and making disclosure under the requirements of any applicable law, regulation, direction, court order, by-law, guideline, circular, code applicable to PSMB
      5. Disclosure
      The Personal Data provided to us will generally be kept confidential but you hereby consent and authorize us to provide or disclose your Personal Data to the following categories:-
          a. any person to whom we are compelled or required to do so under law;
          b. statutory authorities, government agencies and industry regulators;
          c. our consultants, accountants, auditors, lawyers or other financial or professional advisers; and
          d. our service providers for purposes of establishing and maintaining a common database where we have a legitimate common interest;
      6. Safeguards
      We shall keep and process your data in a secure manner. We endeavour, where practicable, to implement the appropriate administrative and security safeguards and procedures in accordance with the applicable laws and regulations to prevent the unauthorized or unlawful processing of the Personal Data and the accidental loss or destruction of, or damage to, the Personal Data.
      7. Rights of Access and Correction
      You have the right to request for access to and correction of your information held by us and in this respect, you may:
          a. Check whether we hold or use your Personal Data and request access to such data;
          b. Request that we correct any of your Personal Data that is inaccurate, incomplete or out-of-date;
          c. Request that your Personal Data is retained by us only as long as necessary for the fulfilment of the purposes for which it was collected;
          d. Request that we specify or explain our policies and procedures in relation to data and types of Personal Data handled by us;
          e. Communicate to us your objection to the use of your Personal Data for marketing purposes whereupon we will not use your Personal Data for these purposes; and
          f. Withdraw, in full or in part, your consent given previously, in each case subject to any applicable legal restrictions, contractual conditions and a reasonable time period.
  • 36. IN SUMMARY: • Personal data is information about an individual that is recorded in any form. • We must establish a process for the storage and management of personal data that both enables access to and protection of the information. • You must ensure that personal data is correct and you should practice “just in time” collection of personal information.
  • 37. CONGRATULATIONS! You have just completed Privacy and Personal data (Part 1) under MyCEB Personal Data Protection 2010 THANK YOU