
NAVINJIT SINGH T3

1161300812
Why is data protection such an important factor to consider in the age of computers and the
development of IT?
Data protection can be understood as the process of safeguarding important information, whether
personal or private, from multiple misuses such as misrepresentation, fraud, impersonation,
harassment and defamation. These misuses arise from the development of IT, which has brought
many changes to cyberspace in this age of computers. Nevertheless, the question here is why
data protection is a vital factor in the midst of all this pandemic cybercrime.
In order to shed light on this question, let us analyse the statutory provisions that have been
proposed and have come into existence in order to protect data. Several pieces of data protection
legislation have been proposed over the years, including the Data Protection Bill 1998 and the Data
Protection Bill 2001, but none came to fruition. A new Personal Data Protection Act 2010 (“PDP
Act”) has recently been enacted due to the increasing need to curb the unauthorised use of
personal data in Malaysia. The PDP Act purports to safeguard personal data by requiring the data
user to comply with certain obligations and conferring certain rights to the data subject in
relation to his personal data. Some of the pertinent provisions of the PDP Act are discussed in
this article. The PDPA asserts seven Personal Data Protection Principles (Principles) which have
to be complied with when processing personal data. Non-compliance by a data user with any of
the Principles constitutes an offence under the PDPA and the penalty includes fines and/or
imprisonment. Certain Principles are qualified by exceptions and exemptions.
Firstly, the General Principle. This principle prohibits a data user from processing an individual's
personal data without their consent. The Personal Data Protection Regulations (Regulations)
stipulate that consent must be "recorded" and "maintained", which suggests that express consent
is required. However, recent proposal papers indicate that implied consent may be sufficient
provided the individual has been made fully aware of the purposes of the processing of his
personal data and as long as the data user is able to demonstrate that consent has been given by
the individual. The PDPA also prohibits processing of personal data unless it is for a lawful
purpose directly related to the activity of the data user, it is necessary for or directly related to
that purpose, and the data processed is not excessive in relation to that purpose. Explicit consent
is required for the processing of "sensitive personal data": data about health; political opinion;
religious beliefs; and commission or alleged commission of an offence.
Secondly, the Notice and Choice Principle. The PDPA requires a data user to inform the individual
by written notice, in both the national and English languages, of certain matters including the fact
that the personal data of the individual is being processed and a description of the data; the
purposes for which the personal data is being collected and further processed; any information
available to the data user as to the source of that personal data; the individual's right to request
access to and correction of the personal data and contact particulars of the data user in the event
of any inquiries or complaints; the class of third parties to whom the data is or may be disclosed;
the choices and means offered to the individual to limit the processing of the data; and whether it
is obligatory or voluntary for the individual to supply data, and if obligatory, the consequences of
not doing so. Notice of the above has to be given by the data user "as soon as practicable", that is,
when the data user first requests the personal data from the individual, or when the data user first
collects the personal data of the individual, or before the data user uses it for a purpose other
than the original purpose or discloses it to a third party.
Thirdly, the Disclosure Principle. This Principle prohibits the disclosure, without the individual's
consent, of personal data for any purpose other than that for which the data was disclosed at the
time of collection, or a purpose directly related to it; and to any party other than a third party of
the class notified to the data user.
Fourthly, the Security Principle. The PDPA imposes obligations on the data user to take steps to
protect the personal data during its processing from any loss, misuse, modification, unauthorised
or accidental access or disclosure, alteration or destruction. Where the data processing is carried
out by a third party (a "data processor") on behalf of a data user, the data user must ensure that
the data processor provides sufficient guarantees in respect of the technical and organisational
security measures governing the processing and takes reasonable steps to ensure compliance with
those measures. In the Regulations, data users are required to develop a security policy in
compliance with any security standards issued, though no such standards have been issued at
present.
Fifth, the Retention Principle. Under this Principle, personal data is not to be retained longer than
is necessary for the fulfilment of the purpose for which it is processed. A duty is also imposed on
the data user to take reasonable steps to ensure that all personal data is destroyed or permanently
deleted if it is no longer required for the purpose for which it was processed.
Sixth, the Data Integrity Principle. The data user has to take reasonable steps to ensure that the
personal data is accurate, complete, not misleading and kept up-to-date, having regard to the
purpose (and any directly related purpose) for which it was collected and processed.
Lastly, the Access Principle. The PDPA gives the individual the right to access and correct his own
data where it is inaccurate, incomplete, misleading or outdated. The PDPA provides grounds on
which the data user may refuse to comply with a data access or data correction request by the
individual.
Besides these principles, there are rights granted to data subjects, namely the right to access
personal data, the right to rectify personal data, the right to withdraw consent to process personal
data, the right to prevent processing likely to cause damage or distress, and the right to prevent
processing for purposes of direct marketing.
In conclusion, the provisions of the PDP Act are extensive in nature and grant data subjects a
say over how their personal data is processed and used. The PDP Act also imposes a wide range
of obligations on data users in relation to the personal data collected. Upon the implementation
of the PDP Act, data users will have to change the way in which they process and manage
personal data and to ensure that their business processes comply with the seven Personal Data
Protection Principles. The PDP Act will, upon its enforcement, also confer safeguards to data
subjects against abuse and unwanted disclosure of their personal data by data users. Regrettably,
as the PDP Act only applies to personal data that is collected in respect of commercial
transactions, the collection, use and dissemination of data that is collected for non-commercial
purposes, such as registration for social networking websites and free online newspapers or
lifestyle magazines, remains unregulated. Hence, the abuse and dissemination of such data may
continue unabated.
