by Foong Cheng Leong and Halina Jael Abu Bakar
After a long wait, the Personal Data Protection Act 2010 [Act 709] (“the Act”) has finally been passed. The Act seeks to regulate the processing of personal data of individuals involved in commercial transactions by data users so as to provide protection to the individual’s personal data, thereby safeguarding the interests of such individual.
The enactment of the Act is timely, for information can be transferred and transmitted seamlessly and sometimes, effortlessly. From the traditional snail mail to the social networking tool of “Tweet-ing”, personal and often very important information can now be easily shared.
New technologies and changing market trends are also contributing to the increasingly important role of information in the global market economy. This information, in particular the personal data of individuals involved in commercial transactions, has become a valuable commodity.
Legislation to protect personal data has been enacted in jurisdictions such as Hong Kong, New Zealand, Canada and the European Union. The Act is similar to legislation enacted in those countries.
Notwithstanding the passing of the Act, it will only come into operation once the Minister responsible for the protection of personal data makes a notification in the Gazette, and he can appoint different dates for different provisions of the Act. As at the date of this article, the Act has not yet come into operation.
Under the Act, this means “any information in respect of commercial transactions, which —
(a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
(b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
(c) is recorded as part of a relevant filing system or with the intention that it should form part of relevant filing system,
that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; …”.
In view of the above, personal data may take various forms, such as the following:
(2) passport/identity card number;
(3) telephone number;
(5) fingerprint; or
There may be other data which are used daily by individuals but may not be considered as “personal data” under the Act. For example, e-mail addresses are used daily by individuals and each e-mail address is unique to an individual. However, an e-mail address per se may not be “personal data” as it may or may not directly identify an individual —firstname.lastname@example.org, for instance, does not directly identify an individual. However, an e-mail address with a person’s full name directly identifies an individual and may be considered as “personal data”.
In a recent decision, the Administrative Appeals Board from the Office of the Privacy Commissioner for Personal Data, Hong Kong held that an e-mail address could be personal data.
Operation and application of the Act
The Act only applies to:
(a) personal data which is processed;
(b) any person who processes and any person who has control over or authorizes the processing of any personal data in respect of commercial transactions and such a person is a “data user”; and
(c) to a person in respect of personal data if —
(1) the person is established in Malaysia and the personal data is processed, whether or not in the context of that establishment, by that person or any other person employed or engaged by that establishment; or
(2) the person is not established in Malaysia, but uses equipment in Malaysia for processing the personal data otherwise than for the purposes of transit through Malaysia.
A data user is a party:
“… who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor”.
The Act envisages situations where the processing is shared, that is, more than one data user processes the personal data, or when more than one data user is able to access the pool of personal data. As an example, where a number of subsidiary companies in a group share a common database of personal data, each subsidiary company would constitute a “data user” under the Act.
On the other hand, the individual who is the subject of the personal data is a “data subject” under the Act. Following from this, it is arguable that the Act is aimed at protecting the personal data of individuals only, and not that of companies or societies.
The term “process” or “processing” in relation to personal data has a wide meaning to the extent that it can cover almost anything that might or can be done with personal data. It is defined as “collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data”.
A commercial transaction is one:
“… of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010”.
At this juncture, it is unclear whether the Act would apply to an employer-employee relationship. A contract of services may be considered as “supply or exchange of services”. In an abundance of caution, it is advisable that employers adhere to the Act.
The Act would not apply to:
(a) any personal data processed outside Malaysia unless that personal data is intended to be further processed in Malaysia;
(b) Federal and State Governments; and
(c) any personal data collected for non-commercial transactions.
Processing personal data — Seven principles of the Act
Each data user, in processing personal data, must comply with the following principles:
(a) the General Principle;
(b) the Notice and Choice Principle;
(c) the Disclosure Principle;
(d) the Security Principle;
(e) the Retention Principle;
(f) the Data Integrity Principle; and
(g) the Access Principle.
Failure to abide by the above principles amounts to an offence. Upon conviction, the data user is liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding two years or to both.
Below is a summary of each principle:
(a) the performance of a contract to which the data subject is a party;
(b) the taking of steps at the request of the data subject with a view to entering into a contract;
(c) compliance with any legal obligation to which the data user is a subject, other than a contractual obligation;
(d) the protection of the vital interests of a data subject;
(e) the administration of justice; or
(f) the exercise of any functions conferred on any person by or under any law.
(a) for a lawful purpose directly related to an activity of the data user;
(b) necessary for or directly related to that purpose; and
(c) adequate but not excessive in relation to that purpose.
* The Act does not define “consent”. Although consent can be expressed or implied, it is our view that a positive act should be taken to communicate consent. For example, a form requiring certain information can contain an option for the individual to allow or forbid the processing of his personal data for purposes other than the subject matter to which the form relates. Consent should not be assumed if the individual fails to state his option or reply to state its consent for the personal data to be processed.
Consent, once given, can be withdrawn under s.38.
|7||Notice and Choice||
(a) that personal data is being processed and provide a description of it;
(b) the purpose of the personal data being collected and processed;
(c) the source of the personal data;
(d) the data subject’s right to request access to and to request correction of the personal data and contact details of the data user if there are any inquiries or complaints on the personal data;
(e) the class of third parties to which the data user discloses the personal data;
(f) of the choices and means offered to the data subject to limit the processing of personal data, including personal data of other data subjects which may be identified from that personal data;
(g) whether it is obligatory or voluntary for the data subject to supply the personal data; and
(h) whether it is obligatory for the data subject to supply the personal data and consequences if the data subject fails to provide the personal data.
(a) When the data subject is asked to provide the personal data;
(b) When the data user collects the personal data of the data subject; or
(c) In any other case, before the data user uses the personal data for any other reason than that for which the personal data is collected or discloses the personal data to third parties.
* The data user must inform the data subject of all the information prescribed in s.7(1), and not just part of it.
(a) for any other purpose other than the purpose for which it was disclosed at the time of collection or a purpose directly related to the purpose it was disclosed at the time of collection; or
(b) to any party other than the third party of the class of third parties stated in the written notice provided by the data user under s.7(1).
* Notwithstanding the Disclosure Principle, the Act allows disclosure of personal data in circumstances specified in s.39.
(a) the nature of the personal data and potential harm that would result if it is not protected;
(b) the place or location as to where the personal data is stored;
(c) the security measures incorporated in any equipment which stores the personal data;
(d) the measures taken to ensure the reliability, integrity and competence of personnel having access to the personal data; and
(e) the measures taken to ensure the secure transfer of the personal data.
*It is not clear what “practical steps” means under the Act but it arguably should be the measures that can be taken by the data user. Thus, the data user would need to identify the appropriate measures taken in respect of the nature and type of personal data processed in adopting “practical steps” to protect the personal data.
|11||Data integrity||The data user must take all reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date, having regard to the purpose, including any directly related purpose for which the personal data was collected and further processed.|
|12||Access||A data subject must be provided access to his personal data held by the data user and be able to correct his personal data, except where compliance with a request for such access or correction is refused under the Act.|
Disclosure of personal data
Although the Act requires the consent of the data subject before any personal data can be disclosed, s.39 also allows disclosure of personal data in the following circumstances:
(a) the disclosure —
(i) is necessary to prevent crime or for the purpose of investigations; or
(ii) is required or authorized by law or by an order of court.
(b) The data user acted in reasonable belief that he had the legal right to disclose the personal data to another party;
(c) The data user acted in reasonable belief that he would have had the consent of the data subject if the data subject had known of the disclosing of the personal data and the circumstances of such disclosure; or
(d) The disclosure was justified as being in the public interest in the circumstances determined by the Minister.
Under the Act, a distinction has been made between “sensitive personal data” and “personal data”. “Sensitive personal data” is:
“… any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette”.
Any disclosure of sensitive personal data must be done in accordance with s.40 of the Act, which requires a data user to be more careful in processing sensitive personal data.
Due to the nature of sensitive personal data, a higher restriction is imposed for data users in processing it. A data user must not process sensitive personal data unless with the explicit consent of the data subject. While “explicit consent” is not defined in the Act, arguably, the data subject should be required to provide his clear and express consent to the processing of his sensitive personal data.
Notwithstanding the requirement for explicit consent from the data subject, s.40 of the Act also allows the processing of sensitive personal data where:
(a) the processing is necessary —
(i) to exercise or perform any right or obligation which is conferred or imposed by law on the data user in connection with employment;
(ii) in order to protect the vital interests of the data subject or another person, in a case where consent cannot be given by or on behalf of the data subject or the data user cannot reasonably be expected to obtain the consent of the data subject;
(iii) in order to protect the vital interest of another person, in a case where consent by or on behalf of the data subject is unreasonably withheld;
(iv) for medical purposes and is undertaken by a healthcare professional;
(v) for any legal proceeding;
(vi) to obtain legal advice;
(vii) for the administration of justice;
(viii) for the exercise of any functions conferred by law; or
(ix) for any purpose as the Minister thinks fit, or
(b) the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
It is an offence to process sensitive data contrary to s.40 of the Act. If convicted, a data user will be liable to a fine not exceeding RM200,000 or to imprisonment for a term not exceeding two years or both.
Registration of data users
Under s.14, the Minister may, by an order published in the Gazette, specify a class of data users which must register itself as data users under the Act. At present, there is no such specification.
A data user who wishes to register under the Act must apply to the Personal Data Protection Commissioner (“the Commissioner’), who may register the applicant and issue a certificate of registration, or refuse the application. The Commissioner may also impose conditions or restrictions in the certificate of registration.
The class of data users who must be registered under the Act is unknown at the moment. However, we are of the view that these may be telecommunications, insurance, banking, pharmaceutical and entertainment companies.
On the assumption that a data user falls within the class of data users which must register and fails to do so, yet processes personal data without a certificate of registration, the said data user has committed an offence. This offence, upon conviction, is subject to a fine not exceeding RM500,000 or to an imprisonment for a term not exceeding three years or both.
Personal Data Protection Commissioner
The Commissioner will be appointed by the Minister for the purposes of carrying out the functions and powers assigned under the Act. One of the Commissioner’s functions is to receive complaints from the public on any contravention of the Act and to investigate the same. His decision can be appealed by way of an appeal to the Appeal Tribunal.
Transfer of personal data overseas
The Act prohibits the transfer of personal data to a place outside Malaysia unless to such place as specified by the Minister, upon the recommendation of the Commissioner, by notification published in the Gazette.
Notwithstanding the said prohibition, a data user may transfer any personal data to a place outside Malaysia if —
(1) the data subject has given his consent to the transfer;
(2) the transfer is necessary for the performance of a contract between the data subject and the data user;
(c) the transfer is necessary for the conclusion or performance of a contract between the data user and a third party which —
(i) is entered into at the request of the data subject; or
(ii is in the interests of the data subject;
(d) the transfer is for the purpose of any legal proceedings or for the purpose of obtaining legal advice or for establishing, exercising or defending legal rights;
(e) the data user has reasonable grounds for believing that in all circumstances of the case—
(i) the transfer is for the avoidance or mitigation of adverse action against the data subject;
(ii) it is not practicable to obtain the consent in writing of the data subject to that transfer; and
(iii) if it was practicable to obtain such consent, the data subject would have given his consent;
(f) the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not in that place be processed in any manner which, if that place is Malaysia, would be a contravention of this Act;
(g) the transfer is necessary in order to protect the vital interests of the data subject; or
(h) the transfer is necessary as being in the public interest in circumstances as determined by the Minister.
A data user who contravenes the above prohibition is liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding two (2) years or to both.
Right of data subjects
A data subject has various rights to his personal data kept by data users. These are:
Right of access to personal data
An individual is entitled to be informed by a data user whether personal data of which that individual is the data subject is being processed by or on behalf of the data user. A requestor may, upon payment of a prescribed fee, make a data access request in writing to the data user for information of the data subject’s personal data that is being processed by or on behalf of the data user and to have communicated to him a copy of the personal data in an intelligible form.
A data user must comply with the request not later than 21 days from the receipt of the request but may refuse to comply with the request under a few circumstances. For example, the request does not have enough information for the data user to locate the information.
Right to correct personal data
A data subject has the right to make a data correction request in writing to the data user that the data user makes the necessary correction to the personal data. A data user must comply with the request not later than 21 days from the receipt of the request but may refuse to comply with the request under a few circumstances.
Right to withdraw consent
A data subject may by notice in writing withdraw his consent to the processing of personal data in respect of which he is the data subject. The data user shall upon receiving the notice, cease the processing of the personal data. Failure to comply with this requirement attracts a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.
Right to prevent processing likely to cause damage or distress
A data subject may, at any time by notice in writing to a data user, require the data user at the end of such period as is reasonable in the circumstances, to cease processing any personal data in respect of which he is the data subject if, based on reasons stated by him —
(i) the processing of that personal data or the processing of personal data for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another person; and
(ii) the damage or distress is or would be unwarranted.
The data subject may refuse to comply with the notice under certain circumstances, for example, if the data subject has given consent to the processing of the personal data.
Right to prevent processing for purposes of direct marketing
A data subject may, by notice in writing to a data user, require the data user to cease or not to begin processing his personal data for purposes of direct marketing. “Direct marketing” means the communication by whatever means of any advertising or marketing material which is directed to particular individuals.
The Act provides that where a data user has collected personal data from the data subject or any third party before the date of coming into operation, he shall comply with its provisions within three months from such date.
Notwithstanding the grace period of three months, it is advisable that data users start complying with the provisions of the Act as soon as possible. Any use of personal data by a data user would require consent, hence data subjects should start acquiring consent from data users to use the personal data.
Other than the aforesaid, data users may also want to consider the following:
(1) All documents such as customer forms should be reviewed to determine whether they comply with the Act;
(2) Avoid collecting sensitive information;
(3) For companies that deal directly with individuals, designate a special officer to deal with any personal data matters at the ground level;
(4) Appoint a privacy officer such as Chief Privacy Officer to deal with privacy-related matters;
(5) Implement security and procedures to protect personal data from being abused;
(6) Implement procedures to handle customer complaints and announce the same to all customers; and
(7) If a third party is appointed to handle the personal data, ensure that terms and conditions are set out properly to control the process of personal data.
* All references are to this Act, unless otherwise stated
 Section 1(2)
 Section 4
 Section 2(1)
 Section 2(2)
 Section 4
 Section 3(2)
 Section 3(1)
 Section 5(1)
 Section 5(2)
 Section 6(1)(a)
 Section 6(1)(b)
 Section 6(2)
 Section 6(3)
 The data subject may withdraw via written notice consent to the processing of personal data of
which he is the data subject. The data user shall cease to process the personal data upon receiving the notice. Failure to comply is an offence.
 Section 4
 Section 15(1)
 Section 16(1)
 Section 16(2)
 Section 16(4)
 Section 47(1)
 Section 93
 Section 30
 Section 34
 Section 38
 Section 42
 Section 43
 Section 43(5)