
Personal Data Protection Act - Employee Data Privacy

Date post: 07-Aug-2015
Upload: legalpadmin
Personal Data Protection Act 2010: Employee Data Privacy Labour Law Conference 9 – 10 April 2015 Adlin Abdul Majid
Transcript
Page 1: Personal Data Protection Act - Employee Data Privacy

Personal Data Protection Act 2010: Employee Data Privacy

Labour Law Conference

9 – 10 April 2015

Adlin Abdul Majid

Page 2: Personal Data Protection Act - Employee Data Privacy

Content

• Introduction

• Issues & Implications

• Conclusion


Page 3: Personal Data Protection Act - Employee Data Privacy

Introduction

Written / Oral


PERSONAL DATA PROTECTION ACT 2010

Application

• Applies to any person who processes or has control over or authorises processing of personal data in respect of commercial transactions

• Applies if:

  • PERSON ESTABLISHED IN MALAYSIA: Personal data is processed, whether or not in the context of that establishment, by that person or any other person employed or engaged by that establishment

  • PERSON NOT ESTABLISHED IN MALAYSIA: Uses equipment in Malaysia to process personal data (otherwise than for the purpose of transit in Malaysia)

NOT applicable

• Federal & State Governments

• Personal data processed outside Malaysia, unless intended to be further processed in Malaysia

Complaints-based system

Page 4: Personal Data Protection Act - Employee Data Privacy

Application to employment relationships

Commercial transactions

• Any transaction of a commercial nature, whether contractual or not

• Includes matters relating to:

  • Supply or exchange of goods or services;

  • Agency;

  • Investments;

  • Financing;

  • Banking; &

  • Insurance

• Does not include a credit reporting business

Draft Guidelines on Management of Employee Data

Page 5: Personal Data Protection Act - Employee Data Privacy

7 Principles of data protection

Parties:

• Data Subject

• Data User

• Data Processor / 3rd Party

In the employment context:

• Employee

• Employer

• Service providers

Principles:

• General Principle

• Notice & Choice Principle

• Disclosure Principle

• Security Principle

• Retention Principle

• Integrity Principle

• Access Principle

Page 6: Personal Data Protection Act - Employee Data Privacy

Content

• Introduction

• Issues & Implications

• Conclusion


Page 7: Personal Data Protection Act - Employee Data Privacy

Issues & Implications


Notice

Access

Retention

Consent

Page 8: Personal Data Protection Act - Employee Data Privacy

Issues & Implications


Notice

Access

Retention

Consent

Page 9: Personal Data Protection Act - Employee Data Privacy

What do you need consent for?

Consent?

• Non-sensitive personal data

• Disclosure of personal data to third parties

• Transfer of personal data overseas

• Sensitive personal data (explicit consent)

Page 10: Personal Data Protection Act - Employee Data Privacy

Exemptions to consent

(a) Exemption: For the performance of a contract to which the data subject is a party
Example: Existing bank customers

(b) Exemption: For the taking of steps at the request of the data subject with a view to entering into a contract
Example: Before the sale & purchase of a car, the information requested by the salesman in order to execute the contract

(c) Exemption: For compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract
Example: When an organisation is under a duty pursuant to e.g. tax laws, to provide information of its employees to authorities

(d) Exemption: In order to protect the vital interests of the data subject
Example: In a situation where a person is unconscious & needs medical treatment to save his life

(e) Exemption: For the administration of justice
Example: For the enforcement of a court order

(f) Exemption: For the exercise of any functions conferred on any person by or under any law
Example: If an organisation is tasked to perform a service by a law

Page 11: Personal Data Protection Act - Employee Data Privacy

Sensitive personal data may only be processed if…

• Explicit consent given by data subject

• Processing is necessary

• Personal data has been made public

Page 12: Personal Data Protection Act - Employee Data Privacy

Example of explicit consent


Page 13: Personal Data Protection Act - Employee Data Privacy

Consent: What does it entail?

PDPA Regulations

DRAFT GUIDELINES ON CONSENT

• Key test: Ability to demonstrate that consent exists / given

• Data subject must be fully aware of & understand consent

• Consent understood to have been given when individuals DO NOT OBJECT or volunteer personal data after purposes clearly explained

Page 14: Personal Data Protection Act - Employee Data Privacy

Issues & Implications


Notice

Access

Retention

Consent

Page 15: Personal Data Protection Act - Employee Data Privacy

Notice & choice

• Data user shall provide a WRITTEN NOTICE to the data subject. To include:

  • That personal data of the data subject is being processed by or on behalf of the data user

  • Description of the personal data

  • Purpose it is collected & further processed

  • Class of 3rd parties to whom data user discloses / may disclose the personal data

  • Whether it is obligatory for the data subject to provide the personal data

• Must be given as soon as practicable

• In national language & English

• Must be able to keep a record of service of notice

Page 16: Personal Data Protection Act - Employee Data Privacy

Issues & Implications


Notice

Access

Retention

Consent

Page 17: Personal Data Protection Act - Employee Data Privacy

Channels of serving notices to employees

Notice to employees:

• Emails

• Employment forms

• Employment contracts

• Salary slips

Page 18: Personal Data Protection Act - Employee Data Privacy

Right to access personal data

Right to access:

• Full disclosure

• Partial disclosure

• Refuse to disclose

Must respond within 21 days

Page 19: Personal Data Protection Act - Employee Data Privacy

When can you refuse to disclose / partially disclose?

• No sufficient information on identity of requestor / data subject

• No sufficient information to locate personal data

• Burden or expense of providing access

• Would disclose information of another individual

• Another data user controls personal data

• Violation of court order

• Would disclose confidential commercial information

• Access is regulated by another law

Page 20: Personal Data Protection Act - Employee Data Privacy

Issues & Implications


Notice

Access

Retention

Consent

Page 21: Personal Data Protection Act - Employee Data Privacy

Retention of employee records

s10 PDPA

Employment Draft Guidelines

• Must destroy personal data once purpose of processing has lapsed

• Be aware of obligations imposed by law, such as s61 of Employment Act 1955

• Fresh consent needed for future uses

• Should minimise cost by deleting / anonymise when no longer necessary

Page 22: Personal Data Protection Act - Employee Data Privacy

Retention of former employees’ data

HK Guidance

• Necessary for legal / contractual / statutory obligation

• Directly related to managing the relationship between employer & former employee

• Need to defend organisation in civil or criminal suit

• Consented to by former employee

• Needed for job references / reapplication

Page 23: Personal Data Protection Act - Employee Data Privacy

Content

• Introduction

• Issues & Implications

• Conclusion


Page 24: Personal Data Protection Act - Employee Data Privacy

Conclusion


PRE-EMPLOYMENT

• Receipt of CVs

BEGINNING OF EMPLOYMENT

• Requests for personal data: Non-sensitive personal data / sensitive personal data

DURING EMPLOYMENT

• Further requests for personal data

• Security / Access / Integrity / Disclosure

END OF EMPLOYMENT

• Retention

Page 25: Personal Data Protection Act - Employee Data Privacy

Thank you ([email protected])

