Personal data and the law

Published in The Star Newspaper on 5 August 2010

As the Personal Data Protection Act 2010 will be in force any time soon, data users are advised to be familiar with, and to start adhering to, its principles.

The Personal Data Protection Act 2010 that is set to be enforced regulates the collection of personal data by parties for commercial transactions and will change the way we do business.

In brief, personal data is defined as any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user.

A data user is basically the party using the personal data of an individual, which is referred to as data subject in the Act.

Personal data may take various forms and may be a name combined with other information, passport/identity card number, telephone number, photograph, fingerprint, or DNA.

A name itself cannot be personal data as there may be many individuals with the same name. However, where the information is combined with other information such as an address, this may be sufficient to identify an individual.

Unfortunately, the Act is only limited to personal data in respect of commercial transactions. Social media networking websites such as Facebook and Twitter, and foreign website owners are not subject to the Act.

This limits the types of personal data that are protected, for example, intimate photographs of individuals. As such data are normally not collected through commercial transactions, their distribution may not contravene the Act.

In Hong Kong, such data is covered. In an incident relating to the online circulation of nude photos of certain celebrities, the Privacy Commissioner for Personal Data decreed that such photographs are caught under the Hong Kong Personal Data (Privacy) Ordinance.

The Act sets out seven principles which a data user must adhere to when dealing with personal data. They are General, Notice and Choice, Disclosure, Security, Retention, Data Integrity and Access.

Failure to comply with any of the seven principles amounts to an offence punishable with a fine not exceeding RM300,000 or imprisonment not exceeding two years or both.

Under these principles, the collection and use of personal data must be consented to by the data subject, and steps must be taken to ensure that they are updated, correct and stored securely.

Further, adequate notice must be given to data subjects that their personal data will be used, and the purpose of the same. Data subjects should also be given the choice to opt out from giving certain personal data. Personal data no longer in use has to be destroyed.

Consent is not defined in the Act but a positive consent — written, oral or electronic — would be sufficient. However, positive consent would not apply in a scenario where a data user sends a form requesting consent and the form states that consent is assumed if no response is given. Failure to respond may not be considered as consent under the Act.

As the Act only applies to personal data in respect of commercial transactions, whether blogs would fall under its purview would depend on the circumstance of the case. If a blog is established purely for a recreational purpose, the Act may not apply due to the limitation of the definition of personal data.

A website generally collects personal data in two situations: when a user visits the website, and when a user provides information to the website operator, e.g. through an online form.

Information collected from a visitor to the website would include the IP address of the visitor and also cookies. Cookies are files used by websites to collect information about a user’s online activity. They can recognise a computer when a user logs on and can allow a website to store and remember usernames and passwords. Such information must be properly kept and not revealed to third parties.

As for the latter situation, website operators should inform the visitor that his or her information will be kept and used by them and their related parties. If website operators wish to use the information for other purposes, such as for marketing, they should obtain consent from the data subject.

Also, if personal data will be transferred outside Malaysia, consent should be obtained, otherwise any reference to the owner should be removed as it is an offence under the Act for a data user to transfer personal data outside Malaysia.

Companies need to be careful when sending out marketing materials. Under the Act, data users may be liable to a fine not exceeding RM200,000 or imprisonment not exceeding two years or both if they refuse to cease sending unsolicited marketing materials.

Following the security principle, personal data collected by website operators must be kept properly to ensure that they are not leaked. Proper security measures such as encryption must be in place.

If personal data is meant to be revealed to the public, notice should be given ahead and consent obtained. For example, a web forum should indicate to its users that information will be revealed to the public if requested. However, if the personal data is requested by a competent authority, consent may not be required.

In addition, website operators should also consider inserting a privacy policy statement on their websites in a specific page accessible by a visitor.

The privacy policy should state:

> WHAT will be done with the personal data;

> WHO is collecting the personal data;

> WHAT personal data is being collected;

> whether the personal data will be transferred out of Malaysia; and

> whether the personal data will be disclosed to third parties.

As the Act will be in force any time soon, data users are advised to start adhering to its principles. Notice and consent of data subjects are the keys to allow a data user to use personal data. As such, data users should revise their data collecting system to be in line with the seven principles.

Unfortunately, at this stage, the extent and applicability of the Act are unknown; it seems to be wide and far-reaching and, to a certain extent, excessive. In this regard, a Personal Data Protection Commissioner should be appointed soon to address these uncertainties.

In many jurisdictions with data protection legislation, the respective Commissioners play a vital role in determining the scope and applicability of the Act and will from time to time issue good practice notes or clarifications to the public.
