Post on 21-Dec-2014
Personal Data Protection in Malaysia
Are you ready?
The Law
On 15 November 2013, the Personal Data Protection Act 2010 (PDPA) was gazetted to
come into force. This Act regulates all companies that process personal data in
commercial transactions.
Your company is caught by the PDPA if you...
Process personal data for your own commercial use
Outsource the processing of personal data to other companies
Act as an outsourced service provider processing personal data for others
In short, unless you do not keep any data of customers or suppliers, the Act applies to you.
What is personal data?
Any data which can identify a person is considered personal data. There are 2 categories of personal data as follows:
Personal Data
Name
Address
Tel No
Gender
Date of birth
Photos
Videos, etc
Sensitive Personal Data
Physical health or condition
Mental health or condition
Political views
Religious or other similar beliefs
Criminal records
Any other information deemed by the Minister to be sensitive personal data
Difference between personal data and sensitive personal data
All personal data must be processed in accordance with the principles set out in the
PDPA.
However, sensitive personal data can only be processed if explicit consent is given under
section 40 PDPA.
The meaning of “processing” personal data
Processing includes any form of dealing with personal data such as collecting, keeping,
organizing, using, etc.
The definition of “processing” under the Act is broad enough to ensure that any
dealing with personal data will be considered “processing”.
7 Principles of Personal Data Protection under the PDPA
1. General Principle
The person whose data is to be processed must consent.
2. Notice and Choice Principle
The person must be notified that his personal data will be processed and how. He must also be given the choice to limit the right to process.
3. Disclosure Principle
Personal data cannot be used except for the purpose stated, and cannot be disclosed except to disclosed third parties.
4. Security Principle
Companies must have sufficient steps and procedures to protect personal data from loss, misuse, modification, unauthorised access or disclosure, alteration or destruction.
5. Retention Principle
Personal data cannot be kept longer than necessary, and must be destroyed or permanently deleted if no longer required.
6. Data Integrity Principle
Companies must take reasonable steps to ensure personal data is accurate, complete, not misleading and kept updated.
And finally,
7. Access Principle
Any person must be permitted access to his own personal data and be entitled to correct any inaccurate, incomplete or misleading information about himself.
Need to register as data user
Companies processing personal data must register as a data user under the PDPA.
This registration must be renewed on an annual basis.
Obligation to keep records
Companies must also keep records of every notice, application or request made by any person regarding the processing of his personal data.
Enforcement Provisions
The Commissioner is entitled to inspect the systems of every company, either pursuant to a complaint or on his own initiative.
The Commissioner may search premises and seize records, including computers, with or without a warrant (if the authorised officer is satisfied that delay in obtaining a warrant will result in evidence being lost or tampered with).
Officers can compel attendance of any person for purposes of facilitating investigations, and arrest any person suspected of committing an offence under the Act.
No claim for costs or damages can lie against enforcement officers in carrying out their duties (appropriately or otherwise).
Offences and punishment
Offences of unlawful collection and processing of personal data can, on conviction, attract a fine of up to RM500,000-00 or imprisonment of up to 3 years or both.
If a company is found liable, its director, CEO, COO, manager, secretary or similar officer may be held personally liable for the said offence.
So, what must you do?
Analyse your current practices.
Identify where you fall short of the requirements of the PDPA.
Revamp your forms, processes and procedures to comply with the requirements and 7 principles.
Document your revised forms, processes and procedures.
Allocate roles and responsibilities in order to ensure continued compliance by your company.
Register your company as a personal data user. This is compulsory under the PDPA.
Train your staff to comply and avoid liabilities.
REMINDER: Outsourcing to third parties does not help. Your company continues to be liable for the conduct of the third party service provider under the PDPA.
Need help? We can assist you to comply with the PDPA by:
1. reviewing your existing forms, processes and procedures and revamping them to comply;
2. documenting your policy and practices and structuring roles and responsibilities to ensure compliance;
3. registering your company as a personal data user;
4. training your staff.
For more information, please contact:
Chan Kheng Hoe, Partner, Corporate and Commercial
Tel: +603-6205 3928
Fax: +603-6205 4928
E-mail: khenghoe@mycounsel.com.my
When in doubt, Ask@MyCounsel.com.my