Highlights of the Act

Overview of the Act
- Regulates processing of personal data
- Only commercial transactions
- Not Federal and State Government
- Not data processed outside Malaysia
- 7 Principles
- Criminal offences
- No civil remedies

Definitions
- Data User
- Data Subject
- Data Processor
- Personal Data
- Sensitive Personal Data
- Commercial Transactions
- Processing

Personal data
Personal data means any information in respect of commercial transactions that relates directly or indirectly to a data subject who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.

Personal data may be in any form, so long as it can identify a data subject. For example:
- Name
- Passport / Identity Card Number
- Phone number
- Photograph
- Email
- Fingerprint
- DNA

Email
- Not personal data per se; it depends on the circumstances of the case (Hong Kong Complaint Case No. 2008005).

IP address (Hong Kong Complaint Case No. 2007006)
- An IP address by itself cannot be personal data, as it is a specific machine address assigned to an inanimate computer.
- However, an IP address together with other information disclosed may be considered personal data.

Commercial Transaction
Any transaction of a commercial nature, whether contractual or not. Includes matters relating to:
- The supply or exchange of goods or services (HR?);
- Agency;
- Investments;
- Financing;
- Banking; and
- Insurance;
but does not include a credit reporting business.

Sensitive personal data
Any personal data consisting of information as to:
- the physical or mental health or condition of a data subject;
- his political opinions;
- his religious beliefs or other beliefs of a similar nature;
- the commission or alleged commission by him of any offence; or
- any other personal data determined by the Minister.

Processing
Processing means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data.
7 Principles

Principles of Data Protection
For data to be processed lawfully in Malaysia, a data user shall comply with the following principles, namely:
(1) the General Principle;
(2) the Notice and Choice Principle;
(3) the Disclosure Principle;
(4) the Security Principle;
(5) the Retention Principle;
(6) the Data Integrity Principle; and
(7) the Access Principle.

General Principle
A data user shall not process personal data about a data subject unless the data subject has given his consent to the processing of the personal data.
General Principle: Exceptions
- for the performance of a contract to which the data subject is a party;
- for the taking of steps at the request of the data subject with a view to entering into a contract;
- for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;
- in order to protect the vital interests of the data subject;
- for the administration of justice; or
- for the exercise of any functions conferred on any person by or under any law.
Notice and Choice Principle
A data user shall provide a written notice to the data subject. The written notice shall include, among others:
- that personal data of the data subject is being processed by or on behalf of the data user;
- the purpose for which it is collected; and
- whether it is obligatory for the data subject to provide the personal data.
Notice must be in the national language and English.

Disclosure Principle
Personal data shall not, without the consent of the data subject, be disclosed:
- for any purpose other than the purpose disclosed at the time of collection or a related purpose; or
- to any party other than third parties whom the data subject has permitted.
Security Principle
A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall ensure that the data processor:
- provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and
- takes reasonable steps to ensure compliance with those measures.
Retention Principle
The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose. There is no fixed time limit, but once the data is no longer required for its initial purpose, it must be destroyed.

Data Integrity Principle
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date, having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.

Access Principle
A data subject shall be given access to his personal data held by a data user and be able to correct that personal data where it is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request for such access or correction is refused under this Act.
Personal Data Protection Commissioner

Commissioner
- The Act provides for the appointment of a Personal Data Protection Commissioner.
- Any complaint made against a data user is directed to the Commissioner.
- The Commissioner will conduct an investigation and issue an enforcement notice.
- A decision of the Commissioner is appealable to the Appeal Tribunal.
Registration of Data User

Registration of Data Users
- Registration by class of data users prescribed by the Minister
- The Commissioner will determine whether to approve the application
- Must be renewed from time to time
Transfer of Personal Data Overseas

Transfer of Data Overseas
No transfer outside Malaysia unless to such place as specified by the Minister. However, a data user may transfer if, among others:
- consent was obtained;
- necessary for performance of a contract between data subject and data user;
- for the purpose of legal proceedings or to obtain legal advice;
- to protect the vital interest of the data subject; and
- for public interest.
Sensitive Personal Data
Physical or mental health or condition, political opinions, religious beliefs, offences.

Sensitive personal data can only be processed if, among others:
- explicit consent has been given by data user;
- for employment purposes;
- to protect the vital interest of the data subject, in a case where consent cannot be given by or on behalf of the data subject or the data user cannot reasonably be expected to obtain the consent of the data subject;
- to protect the vital interest of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
- for medical purposes and undertaken by (a) a healthcare professional, or (b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional;
- for the purpose of, or in connection with, any legal proceedings;
- for obtaining legal advice;
- for establishing, exercising or defending legal rights;
- for the administration of justice; or
- for the exercise of any functions conferred on any person by or under any written law.
Rights of data subject
- Right to access personal data
- Right to correct personal data
- Right to withdraw consent
- Right to prevent processing likely to cause damage or distress
- Right to prevent processing for purpose of direct marketing
Offences and Liability

Punishment for contravention of the Act
- Contravention of the personal data protection principles: RM300,000 or imprisonment 2 years or to both
- Failure to register as data user for specified class of data users: RM500,000 or imprisonment 3 years or to both
- Data users continue to process personal data after the registration is revoked: RM500,000 or imprisonment 3 years or to both
- Processing of sensitive personal data in contravention of s 40: RM200,000 or imprisonment 2 years or to both
- Failure to comply with the Commissioner's requirements to cease processing of personal data likely to cause damage or distress: RM200,000 or imprisonment 2 years or to both
- Unlawful collection or disclosure of personal data: RM500,000 or imprisonment 3 years or to both
- Transfer of personal data overseas: RM300,000 or imprisonment 2 years or to both
Transitional Provision
Where a data user has collected personal data from the data subject or any third party before the date of coming into operation of the Act, he shall comply with the provisions of the Act within three (3) months from the date of coming into operation of the Act.
Proposed Action Plan

Stage 1: Prior to the coming into force of the Act
- Establish a data protection task force
- Conduct a Privacy Impact Assessment
- Obtain consent for use of personal data
- Prepare standard data protection notice
Privacy Impact Assessment
Purpose: identify and recommend options for managing, minimising or eradicating privacy impacts.
Further reading:
- The Information Commissioner's Office PIA handbook
- Privacy Impact Assessment Guide - Australia Office of the Privacy Commissioner

Stage 2: On the coming into force of the Act
- Review plans established during Stage 1
- Establish procedures and forms to handle data protection complaints
- Establish processes for training of relevant staff
- Implement security to protect data (physical access, electronic access)
- Review contracts between your organisation and third parties who may use data on your behalf
- Prepare an internal manual regarding data protection
- Inform customers and the public of your initiatives to comply with the Act

Questions?