
Data Protection in Malaysia

by Foong Cheng Leong


fcl@lh-ag.com | fcl@foongchengleong.com
www.foongchengleong.com


Personal Data Protection Act 2010
[Act 709]

Gazetted: 10 June 2010
(not yet in force at the time of this presentation; the Act was later brought into force on 15 November 2013)

Highlights of the Act
Overview of the Act
Regulates the processing of personal data
Applies only to commercial transactions
Does not apply to the Federal and State Governments
Does not apply to data processed outside Malaysia (unless it is intended to be further processed in Malaysia)
7 Principles
Criminal offences
No civil remedies
Definitions
Data User
Data Subject
Data Processor
Personal Data
Sensitive Personal Data
Commercial Transactions
Processing
Personal data
means any information in respect of commercial
transactions that
relates directly or indirectly to a data subject
who is identified or identifiable from that information or
from that and other information in the possession of a data
user
including any sensitive personal data and expression of
opinion about the data subject
Personal data
may be in any form, so long as it can identify a
data subject. For example:
Name
Passport / Identity Card Number
Phone number
Photograph
Email
Finger print
DNA
Email
Not personal data per se; it depends on the circumstances of the case
(Hong Kong Complaint Case No. 2008005)
IP address
Hong Kong Complaint Case No. 2007006: an IP address by itself is not
personal data, as it is a machine address assigned to an inanimate computer.
However, an IP address combined with other information disclosed may
constitute personal data.
Commercial Transaction
Any transaction of a commercial nature, whether
contractual or not.
Includes matters relating to:
The supply or exchange of goods or services (HR?);
Agency;
Investments;
Financing;
Banking; and
Insurance; but
Does not include a credit reporting business
Sensitive personal data
any personal data consisting of information as to:
the physical or mental health or condition of a data subject;
his political opinions;
his religious beliefs or other beliefs of a similar nature;
the commission or alleged commission by him of any
offence;
or any other personal data determined by the Minister
Processing
means collecting, recording, holding or storing the
personal data or carrying out any operation or set
of operations on the personal data.

7 Principles

Principles of Data Protection
For data to be processed lawfully in
Malaysia, a data user shall comply with the
following principles, namely
(1) the General Principle;
(2) the Notice and Choice Principle;
(3) the Disclosure Principle;
(4) the Security Principle;
(5) the Retention Principle;
(6) the Data Integrity Principle; and
(7) the Access Principle.
General Principle
A data user shall not process personal data about a
data subject unless the data subject has given his
consent to the processing of the personal data


General Principle
Exceptions
for the performance of a contract to which the data
subject is a party;
for the taking of steps at the request of the data subject
with a view to entering into a contract;
for compliance with any legal obligation to which the
data user is the subject, other than an obligation
imposed by a contract;


General Principle
Exceptions
in order to protect the vital interests of the data
subject;
for the administration of justice; or
for the exercise of any functions conferred on any
person by or under any law.


Notice and Choice Principle
A data user shall give the data subject a written notice.
The written notice shall state, among other things, that
personal data of the data subject is being processed
by or on behalf of the data user, the purposes for which it is
collected, and whether it is obligatory or voluntary for the data
subject to supply the personal data.
Notice must be in national language and English.
Disclosure Principle
Personal data shall not, without the consent of the data
subject, be disclosed:
for any purpose other than the purpose disclosed at the
time of collection, or a directly related purpose; or
to any party other than a third party whom the data
subject has permitted.

Security Principle
A data user shall take practical steps to protect the
personal data from any loss, misuse, modification,
unauthorized or accidental access or disclosure, alteration
or destruction.
Where processing of personal data is carried out by a data
processor on behalf of the data user, the data user shall
ensure that the data processor provides sufficient
guarantees in respect of the technical and organizational
security measures governing the processing to be carried
out and takes reasonable steps to ensure compliance
with those measures

Retention Principle
The personal data processed for any purpose shall not
be kept longer than is necessary for the fulfilment of
that purpose.
No time limit but if it is not required for its initial
purpose, it must be destroyed.
Data Integrity Principle
A data user shall take reasonable steps to ensure that
the personal data is accurate, complete, not misleading
and kept up-to-date by having regard to the purpose,
including any directly related purpose, for which the
personal data was collected and further processed.
Access Principle
A data subject shall be given access to his personal
data held by a data user and be able to correct that
personal data where the personal data is inaccurate,
incomplete, misleading or not up-to-date, except
where compliance with a request to such access or
correction is refused under this Act.




Personal Data Protection Commissioner

Commissioner
The Act provides for the appointment of a Personal
Data Protection Commissioner.
Any complaint against a data user is directed to the
Commissioner
The Commissioner investigates the complaint and may
issue an enforcement notice
Decision of Commissioner is appealable to the
Appeal Tribunal



Registration of Data User

Registration of Data Users
Registration by class of data users prescribed by the
Minister
Commissioner will determine whether to approve
the application
Must be renewed from time to time


Transfer of Personal Data Overseas

Transfer of Data Overseas
No transfer outside Malaysia unless to such place as
specified by the Minister
However, a data user may transfer personal data overseas if, among others:
consent was obtained;
the transfer is necessary for the performance of a contract between the data
subject and the data user;
the transfer is for the purpose of legal proceedings or for obtaining legal advice;
the transfer is necessary to protect the vital interests of the data subject; or
the transfer is necessary in the public interest (as determined by the Minister).

Sensitive Personal Data

physical or mental health or condition, political
opinions, religious beliefs, offences

Sensitive Personal Data
Can only be processed if, among others,
explicit consent has been given by the data subject
Employment purposes
Protect vital interest of data subject, in a case where
consent cannot be given by or on behalf of data subject
or data user cannot reasonably be expected to obtain
the consent of the data subject
Protect vital interest of another person, in a case where
consent by or on behalf of the data subject has been
unreasonably withheld


Sensitive Personal Data
Can only be processed if, among others,
for medical purposes and is undertaken by (a) a
healthcare professional (b) a person who in the
circumstances owes a duty of confidentiality which is
equivalent to that which would arise if that person
were a healthcare professional
for the purpose of, or in connection with, any legal
proceedings;


Sensitive Personal Data
Can only be processed if, among others,
for obtaining legal advice;
for establishing, exercising or defending legal rights;
for the administration of justice;
for the exercise of any functions conferred on any person by
or under any written law


Rights of data subject
Right to access personal data
Right to correct personal data
Right to withdraw consent
Right to prevent processing likely to cause damage
or distress
Right to prevent processing for purpose of direct
marketing




Offences and Liability
Punishment for contravention of the Act

Contravention of the personal data protection principles
RM300,000 or imprisonment 2 years or to both

Failure to register as data user for specified class of data
users
RM500,000 or imprisonment 3 years or to both

Data users continue to process personal data after the
registration is revoked
RM500,000 or imprisonment 3 years or to both

Processing of sensitive personal data in contravention to
s 40
RM200,000 or imprisonment 2 years or to both

Failure to comply with commissioner's requirements to
cease processing of personal data likely to cause damage
or distress
RM200,000 or imprisonment 2 years or to both

Unlawful collection or disclosure of personal data
RM500,000 or imprisonment 3 years or to both

Transfer of personal data overseas
RM300,000 or imprisonment 2 years or to both


Transitional Provision

Where a data user has collected personal data from the
data subject or any third party before the date of
coming into operation of the Act, he shall comply with
the provisions of the Act within three (3) months from
the date of coming into operation of the Act.

Proposed Action Plan

Stage 1: Prior to the coming into force of the Act

Establish a data protection task force
Conduct a Privacy Impact Assessment
Obtain consent for use of personal data
Prepare standard data protection notice

Privacy Impact Assessment

Purpose: identify and recommend options for
managing, minimising or eradicating privacy impacts.
Further reading:
The UK Information Commissioner's Office PIA handbook
Privacy Impact Assessment Guide, Office of the Privacy
Commissioner (Australia)
Stage 2: On the coming into force of the Act

Review plans established during Stage 1
Establish procedures and forms to handle data protection
complaints
Establish processes for training of relevant staff
Stage 2: On the coming into force of the Act (cont'd)

Implementation of security to protect data
physical access
electronic access
Review contracts between your organisation and third
parties who may use data on your behalf
Prepare internal manual regarding data protection
Inform customers and public of your initiatives to comply
with the Act
Questions?


Thank you
