Data Protection in Malaysia
by Foong Cheng Leong
[email_address] | [email_address]
www.foongchengleong.com

Personal Data Protection Act 2010 [Act 709]
Gazetted: 10 June 2010 (not yet in force)
Highlights of the Act

Overview of the Act
- Regulates "processing" of personal data
- Only "commercial transactions"
- Not Federal and State Government
- Not data processed outside Malaysia
- 7 Principles
- Criminal offences
- No civil remedies

Definitions
- Data User
- Data Subject
- Data Processor
- Personal Data
- Sensitive Personal Data
- Commercial Transactions
- Processing

"Personal data" means any information in respect of commercial transactions that relates directly or indirectly to a data subject who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.

"Personal data" may be in any form, so long as it can "identify" a data subject. For example:
- Name
- Passport / Identity Card Number
- Phone number
- Photograph
- Email
- Fingerprint
- DNA

Email
It is not personal data per se; it depends on the circumstances of the case: Hong Kong Complaint Case No. 2008005.

IP address
Hong Kong Complaint Case No. 2007006: an IP address by itself cannot be personal data, as it is a specific machine address assigned to an inanimate computer. However, an IP address together with other information disclosed may be considered personal data.

"Commercial transaction"
Any transaction of a commercial nature, whether contractual or not. Includes matters relating to:
- the supply or exchange of goods or services (HR?);
- agency;
- investments;
- financing;
- banking; and
- insurance;
but does not include a credit reporting business.

"Sensitive personal data"
Any personal data consisting of information as to:
- the physical or mental health or condition of a data subject;
- his political opinions;
- his religious beliefs or other beliefs of a similar nature;
- the commission or alleged commission by him of any offence; or
- any other personal data determined by the Minister.

"Processing" means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data.

7 Principles
Principles of Data Protection
For data to be processed lawfully in Malaysia, a data user shall comply with the following principles, namely:
(1) the General Principle;
(2) the Notice and Choice Principle;
(3) the Disclosure Principle;
(4) the Security Principle;
(5) the Retention Principle;
(6) the Data Integrity Principle; and
(7) the Access Principle.

General Principle
A data user shall not process personal data about a data subject unless the data subject has given his consent to the processing of the personal data.
(Note: "processing" means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data.)

General Principle: Exceptions
- for the performance of a contract to which the data subject is a party;
- for the taking of steps at the request of the data subject with a view to entering into a contract;
- for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;
- in order to protect the vital interests of the data subject;
- for the administration of justice; or
- for the exercise of any functions conferred on any person by or under any law.

Notice and Choice Principle
A data user shall provide a written notice to the data subject. The written notice shall include, among others, that personal data of the data subject is being processed by or on behalf of the data user, the purpose for which it is collected, and whether it is obligatory for the data subject to provide the personal data. The notice must be in the national language and English.

Disclosure Principle
Personal data shall not, without the consent of the data subject, be disclosed:
- for any purpose other than the purpose disclosed at the time of collection or a related purpose; or
- to any party other than third parties whom the data subject has permitted.

Security Principle
A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall ensure that the data processor provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out, and takes reasonable steps to ensure compliance with those measures.

Retention Principle
The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose. There is no fixed time limit, but once the data is no longer required for its initial purpose it must be destroyed.

Data Integrity Principle
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date, having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.

Access Principle
A data subject shall be given access to his personal data held by a data user and be able to correct that personal data where it is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request for such access or correction is refused under this Act.
Personal Data Protection Commissioner
- The Act provides for the appointment of a Personal Data Protection Commissioner.
- Any complaint made against a data user is directed to the Commissioner.
- The Commissioner will conduct an investigation and issue an enforcement notice.
- The decision of the Commissioner is appealable to the Appeal Tribunal.

Registration of Data Users
- Registration by class of data users prescribed by the Minister.
- The Commissioner will determine whether to approve the application.
- Registration must be renewed from time to time.

Transfer of Personal Data Overseas
No transfer outside Malaysia unless to such place as specified by the Minister. However, a data user may transfer if, among others:
- consent was obtained;
- the transfer is necessary for performance of a contract between the data subject and the data user;
- for the purpose of legal proceedings or to obtain legal advice;
- to protect the vital interest of the data subject; and
- for public interest.

Sensitive Personal Data
Physical or mental health or condition, political opinions, religious beliefs, offences.

Sensitive personal data can only be processed if, among others:
- explicit consent has been given by data user;
- for employment purposes;
- to protect the vital interest of the data subject, in a case where consent cannot be given by or on behalf of the data subject or the data user cannot reasonably be expected to obtain the consent of the data subject;
- to protect the vital interest of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
- for medical purposes and undertaken by (a) a healthcare professional or (b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional;
- for the purpose of, or in connection with, any legal proceedings;
- for obtaining legal advice;
- for establishing, exercising or defending legal rights;
- for the administration of justice; or
- for the exercise of any functions conferred on any person by or under any written law.

Rights of Data Subject
- Right to access personal data
- Right to correct personal data
- Right to withdraw consent
- Right to prevent processing likely to cause damage or distress
- Right to prevent processing for the purpose of direct marketing
Offences and Liability
Punishment for contravention of the Act
- Contravention of the personal data protection principles: RM300,000 or imprisonment of 2 years or both
- Failure to register as a data user for a specified class of data users: RM500,000 or imprisonment of 3 years or both
- Data user continues to process personal data after the registration is revoked: RM500,000 or imprisonment of 3 years or both
- Processing of sensitive personal data in contravention of s 40: RM200,000 or imprisonment of 2 years or both
- Failure to comply with the Commissioner's requirement to cease processing of personal data likely to cause damage or distress: RM200,000 or imprisonment of 2 years or both
- Unlawful collection or disclosure of personal data: RM500,000 or imprisonment of 3 years or both
- Transfer of personal data overseas: RM300,000 or imprisonment of 2 years or both

Transitional Provision
Where a data user has collected personal data from the data subject or any third party before the date of coming into operation of the Act, he shall comply with the provisions of the Act within three (3) months from the date of coming into operation of the Act.

Proposed Action Plan

Stage 1: Prior to the coming into force of the Act
- Establish a data protection task force
- Conduct a Privacy Impact Assessment
- Obtain consent for use of personal data
- Prepare a standard data protection notice

Privacy Impact Assessment
Purpose: identify and recommend options for managing, minimising or eradicating privacy impacts.
Further reading:
- The Information Commissioner's Office PIA handbook
- Privacy Impact Assessment Guide, Australia Office of the Privacy Commissioner

Stage 2: On the coming into force of the Act
- Review plans established during Stage 1
- Establish procedures and forms to handle data protection complaints
- Establish processes for training of relevant staff
- Implement security to protect data (physical access and electronic access)
- Review contracts between your organisation and third parties who may use data on your behalf
- Prepare an internal manual regarding data protection
- Inform customers and the public of your initiatives to comply with the Act
Questions? Thank you