Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Personal Data Protection Act - Employee Data Privacy
Similar to Personal Data Protection Act - Employee Data Privacy (20)
More from legalPadmin
More from legalPadmin (12)
Recently uploaded
Recently uploaded (20)
Personal Data Protection Act - Employee Data Privacy
- 1. Personal Data Protection Act 2010: Employee Data Privacy Labour Law Conference 9 – 10 April 2015 Adlin Abdul Majid
- 2. Content • Introduction • Issues & Implications • Conclusion 2
- 3. Introduction Written / Oral 3 PERSONAL DATA PROTECTION ACT 2010 Application • Applies to any person who processes or has control over or authorises processing of personal data in respect of commercial transactions • Applies if: • PERSON ESTABLISHED IN MALAYSIA: Personal data is processed, whether or not in context of that establishment, by that person or any other person employed or engaged by that establishment • PERSON NOT ESTABLISHED IN MALAYSIA: Uses equipment in Malaysia to process personal data (otherwise than for purpose of transit in Malaysia) NOT applicable • Federal & State Governments • Personal data processed outside Malaysia, unless intended to be further processed in Malaysia Complaints-based system
- 4. Application to employment relationships 4 • Any transaction of a commercial nature, whether contractual or not • Includes matters relating to: • Supply or exchange of goods or services; • Agency; • Investments; • Financing; • Banking; & • Insurance • Does not include a credit reporting business commercial transactions Draft Guidelines on Management of Employee Data
- 5. 7 Principles of data protection Written / Oral 5 Data Subject General Principle Data Processor/ 3rd Party Data User Security Principle Retention Principle Integrity Principle Notice & Choice Principle Disclosure Principle Access Principle Employee Employer Service providers
- 6. Content • Introduction • Issues & Implications • Conclusion 6
- 9. What do you need consent for? Written / Oral 9 Consent? Non-sensitive personal data Disclosure of personal data to third parties Transfer of personal data overseas Sensitive personal data (explicit consent)
- 10. Exemptions to consent 10 No Exemption Example (a) For the performance of a contract to which the data subject is a party Existing bank customers (b) For the taking of steps at the request of the data subject with a view to entering into a contract Before the sale & purchase of a car, the information requested by the salesman in order to execute the contract (c) For compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract When an organisation is under a duty pursuant to eg. tax laws, to provide information of its employees to authorities (d) In order to protect the vital interests of the data subject In a situation where a person is unconscious & needs medical treatment to save his life (e) For the administration of justice For the enforcement of a court order (f) For the exercise of any functions conferred on any person by or under any law If an organisation is tasked to perform a service by a law
- 11. Written / Oral 11 Explicit consent given by data subject Processing is necessary Personal data has been made public Sensitive personal data may only be processed if…
- 12. Example of explicit consent 12
- 13. Consent: What does it entail? Written / Oral 13 PDPA Regulations DRAFT GUIDELINES ON CONSENT • Key test: Ability to demonstrate that consent exists / given • Data subject must be fully aware of & understand consent • Consent understood to have been given when individuals DO NOT OBJECT or volunteer personal data after purposes clearly explained
- 15. Notice & choice Written / Oral 15 • Data user shall provide a WRITTEN NOTICE to the data subject. To include: • That personal data of the data subject is being processed by or on behalf of the data user • Description of the personal data • Purpose it is collected & further processed • Class of 3rd parties to whom data user discloses / may disclose the personal data • Whether it is obligatory for the data subject to provide the personal data • Must be given as soon as practicable • In national language & English • Must be able to keep a record of service of notice
- 17. 17 Channels of serving notices to employees Notice to employees Emails Employment forms Employment contracts Salary slips
- 18. Right to access personal data 18 Right to access Full disclosure Partial disclosure Refuse to disclose Must respond within 21 days
- 19. When can you refuse to disclose / partially disclose? Written / Oral 19 No sufficient information on identity of requestor / data subject No sufficient information to locate personal data Burden or expense of providing access Would disclose information of another individual Another data user controls personal data Violation of court order Would disclose confidential commercial information Access is regulated by another law
- 21. 21 s10 PDPA Employment Draft Guidelines *Must destroy personal data once purpose of processing has lapsed *Be aware of obligations imposed by law, such as s61 of Employment Act 1955 *Fresh consent needed for future uses *Should minimise cost by deleting / anonymise when no longer necessary Retention of employee records
- 22. Retention of former employees’ data 22 HK Guidance Necessary for legal / contractual / statutory obligation Directly related to managing the relationship between employer & former employee Need to defend organisation in civil or criminal suit Consented to by former employee Needed for job references / reapplication
- 23. Content • Introduction • Issues & Implications • Conclusion 23
- 24. Conclusion 24 PRE-EMPLOYMENT • Receipt of CVs BEGINNING OF EMPLOYMENT • Requests for personal data: Non-sensitive personal data / sensitive personal data DURING EMPLOYMENT • Further requests for personal data • Security / Access / Integrity / Disclosure END OF EMPLOYMENT • Retention