Personal Data Protection Act 2010

November 2013

There has been much anticipation of the Personal Data Protection Act 2010 (“PDPA”), as it is the legislation in Malaysia which deals with the protection of personal data. The Act was passed in 2010 and was recently gazetted on 15th November 2013. It should be noted that the principles of data protection law contained in the PDPA are quite similar to the principles in other jurisdictions such as the UK and Singapore.

The applicability of PDPA

The PDPA applies to any personal data that is processed, or is intended to be processed, in Malaysia in respect of commercial transactions, whether by a person established in Malaysia or by a person who is not established in Malaysia but uses equipment in Malaysia otherwise than for the purpose of transit through Malaysia.

“Commercial transactions” under the PDPA are defined as any transaction of a commercial nature, which includes the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business. A credit reporting business, such as CTOS searches, would not be deemed a commercial transaction under the Act.

“Personal Data” under the PDPA appears to be sufficiently wide to cover the usual types of personal information collected in day-to-day transactions, i.e. name, address, telephone number, email address, banking details and identification card numbers. However, as mentioned, the information must be in relation to commercial transactions.

“Processing” of personal data includes collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data which includes:

i) organisation, adaptation or alteration;

ii) retrieval, consultation or use;

iii) disclosure by transmission, transfer, dissemination, or otherwise making available;

iv) alignment, combination, correction, erasure or destruction.

The PDPA does not apply to non-commercial transactions or to the Federal and State Governments of Malaysia, nor does it apply to any personal data processed outside Malaysia (unless that personal data is intended to be further processed in Malaysia).

Principles of PDPA

The principles which have to be complied with by a data user when processing personal data are summarised below. A data user means a person who, either alone or jointly or in common with other persons, processes any personal data or has control over or authorizes the processing of any personal data.

  1. The ‘General Principle’ which prohibits a data user from processing a data subject’s personal data except with the consent of the data subject. Although consent is not strictly defined, it is good practice for the consent to be in a written form. There are certain exceptions to the general principle, such as when the data is used for compliance with a legal obligation, administration of justice, protecting vital interests and also entering into a contract. As for sensitive data such as physical and mental health condition, personal beliefs and political opinions, they are subject to stringent conditions.
  2. The ‘Notice and Choice Principle’ which requires a data user to inform a data subject by written notice, inter alia, that the data subject’s personal data is being processed by or on behalf of the data user, and to provide a description of the data subject’s personal data, the purposes for which the personal data is being collected and further processed, the data subject’s right to request access to and to request correction of the personal data, and the class of third parties to whom the data user discloses or may disclose the personal data. Notice in both the English and National language should be given as soon as practicable, and the person from whom the data is being obtained should be aware of the information being collected and how this information will be used by the data user.
  3. The ‘Disclosure Principle’ which prohibits the disclosure of personal data without the consent of the data user: (i) for any purpose other than that for which the data was disclosed at the time of collection, or a purpose directly related to it; or (ii) to any party other than a third party of the class of third parties notified to the data user. However, if the disclosure is for the prevention of crime, is justified in the public interest, or if the data user reasonably believed that the data subject would have given consent had he known of the disclosure, then the disclosure is exempted from the prohibition.
  4. The ‘Security Principle’ which imposes obligations on the data user to take steps to protect the personal data during its processing from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. The data user must ensure that the data processor (meaning any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes) provides sufficient guarantees in respect of the technical and organisational security measures governing the processing and takes reasonable steps to ensure compliance with those measures.
  5. The ‘Retention Principle’ which provides that the personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose, and that it shall be the duty of a data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed. Although reasonable steps may be taken to ensure files no longer used are deleted, the law does not provide for the eventuality that these files may be recovered.
  6. The ‘Data Integrity Principle’ where a data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose for which the personal data was collected and further processed.
  7. The ‘Access Principle’ which allows a data subject to be given access to his personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date.

For further details of the PDPA, kindly contact us.


Wilson Ho Sheen Lik

LL.B. (Hons) (Northumbria)
LL.M. (Northumbria)
Barrister at Law, Lincoln’s Inn

Telephone (Secretary): +603 2164 0200 – ext no. 188