Jabatan Perlindungan Data Peribadi Malaysia (Personal Data Protection Department of Malaysia)

Malaysia gazettes data protection act, effective immediately

I was quoted by ZDNet in their article “Malaysia gazettes data protection act, effective immediately“.


Summary: After almost a year's delay, Malaysia finally gazetted its Personal Data Protection Act 2010 on Thursday and made it effective on Friday. Businesses have three months to comply, and violations can result in a fine and/or imprisonment.


Malaysia has quietly gazetted its Personal Data Protection Act 2010 (PDPA), effective immediately, and given businesses three months to ensure compliance.

The move comes almost one year after the act was scheduled to take effect on January 1, 2013, but delayed due to legal formalities. The bill was first drafted in 2001 and was originally expected to be implemented early-2010. An earlier note by the American Malaysian Chamber of Commerce indicated that the Act was scheduled to be passed August 16 this year, with businesses using personal user data required to register themselves with the Personal Data Protection Department of Malaysia (PDPD) by November 15, 2013. This, however, apparently was also rescheduled.

According to Kuala Lumpur-based lawyer Foong Cheng Leong, the act has been gazetted and comes into force today, with Tuan Abu Hassan bin Ismail appointed the Personal Data Protection Commissioner. Foong noted that the Act outlined four new pieces of subsidiary legislation, including the class of data users and registration of data users. Businesses that fall under these categories include banking and financial institutions, communications service providers, insurance companies, transportation, and utilities.

Data users now have three months from November 15 to ensure compliance, he added.

The PDPA also provided some guidelines on the definition of consent, which must be in a form that can be recorded and maintained by the data user. Burden of proof for consent lies on the data user, Foong said.

Singapore-based tech lawyer and ZDNet blogger Bryan Tan said the sudden turn of events meant Malaysia has “stolen a march” on Singapore, which passed its Personal Data Protection Act in October 2012 but whose main regulations will come into effect only on July 2, 2014, when all organizations must ensure compliance. The Singapore Act, however, includes a Do-Not-Call Registry which will be in force from January 2, 2014.

Tan said: “The two countries’ PDPAs are different, but what it generally means for businesses is that a lot of time and effort will need to be spent on compliance. Perhaps it is a blessing in disguise that both come into force almost at the same time, so companies operating in Singapore and Malaysia can coordinate their compliance in one single project.”


Data protection act gazetted, effective today

I was quoted by the Malay Mail in their report “Data protection act gazetted, effective today” on 15 November 2013.


KUALA LUMPUR, Nov 15 — The much awaited Personal Data Protection Act (PDPA) 2010 has finally been gazetted and will take effect today, with businesses given three months to comply with the new law; violations will result in a fine, imprisonment, or both.

KL Bar Information Technology Committee chairman Foong Cheng Leong confirmed that the law will be effective today, with Abu Hassan Ismail appointed the Personal Data Protection commissioner.

“The law introduced seven principles. Under these seven principles you would need to, for example, get consent if you possess any personal data: name, IC, address, pictures, email and phone numbers.

“Once you get the personal data, you need to give a written notification in BM and English and make sure it’s safe and give it to the relevant parties,” he told The Malay Mail Online when contacted.

Foong, who is also a member of the Malaysian Bar Intellectual Property Committee, also said that although businesses are given three months to comply, it would be a challenge for those which have not begun putting their houses in order.

“I think [businesses] are hit quite hard, especially those that have not been doing anything since 2009, because the law was introduced in 2009, but I know quite a few companies which have started to comply with the law since 2009.

“Most companies would need six months to complete the exercise, so those who have not done anything, need to move very quickly.

“For consumers, expect less phone calls, less SMSes and basically receiving any tele-marketing materials,” he said.

Foong noted however, that the Malaysian government is exempted from this law.

The PDPA also introduced four new pieces of subsidiary legislation, including the registration of data users and the class of data users.

Businesses that are considered data users, including banking and financial institutions, communications service providers, insurance companies, transportation, and utilities, will now have to register with the commissioner.

He also said that data subjects, meaning individuals, will be able to request access to the type of personal data being processed.

“The law provides that there will be no transfer of data outside Malaysia, unless you get consent, or the country or jurisdiction you want to transfer data to is included in the list by the commissioner [which has yet to be released],” he said.

The law stipulates that consent for personal data processing is required explicitly: it has to be expressed, rather than implied or assumed. The organisation will also need to justify the reason it needs the information it is asking for.

Under the law, consumers have the right to access and correct data, prevent damage or distress, withdraw from data processing, prevent direct marketing and bring complaints about data abuse to the PDP Commissioner.

Data users meanwhile, are obligated to provide the necessary mechanisms that will facilitate data subjects to exercise these rights.

The provisions also allow consumers to withdraw consent to the processing of their personal data. If the data user continues to process the personal data, it will be liable to a fine of up to RM100,000 or a maximum of one year's jail, or both.

The move comes almost one year after the act was scheduled to take effect on January 1, 2013, but delayed due to legal formalities. The bill was first drafted in 2001 and was originally expected to be implemented early-2010.

The law was initially scheduled to be passed August 16 this year, with businesses using personal user data required to register themselves with the Personal Data Protection Department of Malaysia by November 15, 2013.


Enforcement of the Personal Data Protection Act 2010

Notwithstanding my earlier posting that the Personal Data Protection Act 2010 (PDPA) may be in force on 16 August 2013, there is still no notification in the Government Gazette fixing the date of enforcement.

Sin Chew has also reported that the PDPA may be deferred.


All parties need time to implement; data protection act may be delayed again

I was quoted by Sin Chew in the article below regarding the impending Personal Data Protection Act 2010.


(Selangor, Petaling Jaya, 14th) The Personal Data Protection Act 2010, enacted to protect the personal privacy of Malaysians, has had its commencement postponed repeatedly. With the grace period expiring on the 16th of this month, the commencement date will be postponed again if the guidelines to the Act are amended further.

Personal Data Protection Department public relations officer Norhanizam (諾韓妮占) told Sin Chew Daily that the Attorney General's Chambers is currently reviewing the guidelines to the Act; if any changes are made, the Act will not come into force the day after tomorrow.

Asked about the expiry of the grace period for the Personal Data Protection Act 2010 on the 16th, she said that if the Attorney General's Chambers' e-Federal Gazette still does not publish the commencement date of the Act tomorrow, commencement may be postponed again.

Norhanizam: Companies understood to need time to implement

Asked why the Act had been postponed repeatedly, Norhanizam disclosed that after public consultation the Department learned that businesses and companies needed time to implement the Act, hence the postponements.

“The Act can be brought into force at any time, but the companies affected need time to draw up measures and put their data in order, such as ensuring that all customer data is up to date; otherwise they would be in breach of the Act.”

“If the Act is confirmed to come into force on the 16th, Communications and Multimedia Minister Datuk Seri Ahmad Shabery will announce it that day while attending an event in Kedah.”

The Personal Data Protection Department (JPDP) is an agency under the Ministry of Communications and Multimedia. Its main role is to help protect the personal data of the public and to supervise personal data whenever data users carry out commercial transactions, ensuring compliance with the established rules.

She said that one of the principles under the Act is to ensure that all user data is accurate, up to date and not misleading.

Has met more than 200 telecommunications companies

Since 2012 the Department has met with about 200 telecommunications companies and enterprises, and most of them already understand the Act.

She noted that, according to the Department's public consultation survey, companies and enterprises said they needed time to adapt to the seven principles of the Act.

“Most large companies have already notified their customers and updated their data, but some small enterprises have yet to adapt to the new law.”

Applies only to commercial transactions

Norhanizam stressed that the Act applies only where commercial transactions are involved; once the Act is in force, users who wish to lodge a complaint may do so at aduanpdp@kkmm.gov.my.

She explained that because the “notice principle” must be followed, a user who receives a marketing call or message should first inform the sender that they are not interested and ask the sender to delete their personal data (telephone number).

“If the sender sends a second message, you still need to notify them; only when you receive a third identical marketing message may you lodge a complaint.”

The seven principles of the Personal Data Protection Act
1. Personal data (such as religious belief, political or sexual orientation, identity card number, telephone number, payslips, appraisal reports and so on) may not be processed without the data subject's consent.
2. “Notice and choice” principle: before processing data, the data subject must be notified and informed of the purpose for which their data is used and how it was obtained;
3. Personal data may not be disclosed to third parties without the data subject's consent;
4. Security principle: when processing another person's personal data, the data user must ensure the data is not destroyed, altered, misused or lost, and is not passed to unrelated parties;
5. Retention principle: another person's personal data may not be held indefinitely; once the relevant process is complete it must be deleted or destroyed;
6. Data integrity: the data user must ensure that personal data is up to date, accurate, complete and not misleading;
7. Access principle: the data subject has the right to correct and update their personal data.

陳嘉斌: Guidelines unclear
Most businesses do not understand the new law

Separately, lawyer 陳嘉斌, deputy head of the legal section of the Associated Chinese Chambers of Commerce and Industry of Malaysia (ACCCIM), disclosed that because the guidelines to the Act are unclear, many businesses and enterprises still do not understand it.

He said the chamber had held a number of talks to explain the Act to businesses and enterprises, but regrettably member response had been lukewarm.

“So now we can only wait for the Act to come into force and then play a follow-up role, including communicating with the government.”

He urged any businesses or enterprises facing problems to consult the websites of ACCCIM or the Kuala Lumpur and Selangor Chinese Chamber of Commerce and Industry.

He believes the Act benefits all parties, since personal privacy is protected when users' personal data cannot be misused or bought.

He said the Act will certainly affect businesses, which must strike a balance between personal privacy and commercial interests.

Long implemented in Europe and the US

“Such laws have long been in force in Europe, the US and elsewhere; some businesses have inevitably begun to familiarise themselves with the Act, and our small and medium enterprises must also prepare to adapt to the new law.”

He stressed that the Act mainly regulates activities involving commercial transactions, such as a company selling its customers' personal data to another company, and does not concern employees providing personal data to their employers.

Once the Personal Data Protection Act is in force
Complaints can be lodged over telemarketing calls from unknown companies

Once the Personal Data Protection Act 2010 is in force, if you receive a call from an unknown company asking you to buy a product, you may complain directly to the Personal Data Protection Department. This is a major boon to consumers once the Act takes effect.

Parliament passed the Act at its third reading in April 2010 and it was gazetted in June of the same year; after more than two years it is finally to be fully implemented. However, Foong Cheng Leong, chairman of the Kuala Lumpur Bar Information Technology and Publications Committee, believes the authorities have yet to draw up clear guidelines and many questions remain to be clarified.

May affect telecommunications and banking

Asked today, he said that the commencement of the new Act is a boon to consumers but will bring problems and far-reaching effects to all companies, including telecommunications operators, banks and even small and medium enterprises.

For example, whether companies that hold large amounts of consumer data may continue to call or text consumers, and whether consumers must proactively call those companies to say they no longer wish to receive any messages, remain open questions.

Subsidiaries of the same group cannot share customer data

“The most important spirit of the new Act is that the data subject's consent is required for any use of personal data. For instance, a company may no longer freely disclose its customers' personal data (which is treated as private) to others, and two subsidiaries of the same group may not share customer data either.”

Complaints over leaked personal data
Fines or imprisonment on conviction

Any consumer who believes their personal data has been leaked may complain to the Personal Data Protection Department, which will investigate. Once a breach is confirmed, the company involved, including its management, may be fined or even prosecuted in court.

The Personal Data Protection Act, which has 146 sections, prescribes various penalties for different offences; selling another person's personal data without consent is punishable on conviction by a fine of up to RM500,000, imprisonment of up to three years, or both.

Although consumers cannot bring a civil action against the company involved, a company that breaches the Act commits a criminal offence, and the authorities may take action against it, including fines.

Penalties under the Personal Data Protection Act 2010
● Contravening section 129, i.e. transferring personal data overseas without permission: a fine of up to RM300,000, imprisonment of up to 2 years, or both
● Contravening section 130, i.e. unlawfully collecting or reselling another person's personal data: a fine of up to RM500,000, imprisonment of up to 3 years, or both

Personal data protected under the Act includes:
1 Name;
2 Passport or identity card number;
3 Telephone number;
4 Photograph;
5 Fingerprints; or
6 DNA sample.
(Sin Chew Daily exclusive report by 盧慧菁, 李佩霜 and 戴孜芮)


Director General of the Malaysia Personal Data Protection Department

According to the Facebook page of the Personal Data Protection Department (PDPD), the former Director General of the PDPD, Encik Abu Hassan bin Ismail, has been reappointed as the Director General of the PDPD.

I would like to congratulate Encik Abu Hassan bin Ismail for his reappointment.


Enforcement of the Personal Data Protection Act 2010

On 9 July 2013, the Bar Council Intellectual Property Committee and myself paid a courtesy visit to the Personal Data Protection Department at Putrajaya. We were received by the Deputy Director General of Personal Data Protection Department, Dr. Zainal Abidin Bin Sait and his team.

In the meeting, we have been informed that, among others, the Personal Data Protection Act 2010 (PDPA) will be in force on 16 August 2013. Former Director General of the PDPD, Tuan Haji Abu Hassan Ismail will be appointed the Commissioner.

The Data User registration regime will also be in force. Under this regime, designated classes of data users will be required to register with the Commissioner (see Public Consultation No. 2/2012 entitled “Class Of Data User Under The Personal Data Protection Act 2010 And Proposed Fees” for the proposed classes of data users).


Enforcement of the Malaysian Personal Data Protection Act 2010 (2)

In our earlier blog entry entitled, “Enforcement of the Malaysian Personal Data Protection Act 2010“, we mentioned that the Personal Data Protection Department stated that “it is best for us to wait for the Minister to make the announcement on the enforcement of the Act and notify in the Gazette”.

We recently came across a tweet by the Information, Communication and Culture Minister, Datuk Seri Utama Dr Rais Yatim that the Personal Data Protection Act 2010 (PDPA) will come into force “middle of the year”.

We look forward to the announcement of the date of operation of the PDPA in the Government Gazette.


Enforcement of the Malaysian Personal Data Protection Act 2010

In our earlier blog entry, we mentioned that Bernama reported that the Personal Data Protection Act 2010 (PDPA) will be enforced in June 2012 but this may not be correct in view of the Director General of Personal Data Protection Department’s (PDPD) statement.

We sought clarification from the PDPD and the PDPD informed us that “the newspaper reported that the Act [PDPA] is going to be enforced in June based on the Secretary General’s closing ceremony speech in the evening, even though the Minister did not state anything earlier. Despite all that, it is best for us to wait for the Minister to make the announcement on the enforcement of the Act and notify in the Gazette”.

We look forward to the Minister’s announcement on the enforcement of the PDPA.


Proposal to have privacy officer to implement data protection law

KUALA LUMPUR: New Zealand’s Assistant Privacy Commissioner Katrine Evans has suggested that Malaysia have privacy officers to implement the data protection law.

She said a privacy officer is the person in an agency who can understand its business and, at the same time, help the agency get it right in handling personal information.

“I don’t know whether Malaysia has the requirement for every agency to have a privacy officer but, if it doesn’t, you should have one,” she said when delivering her talk on ‘First Steps for a Data Protection Commissioner: Some Suggestions from New Zealand’ at the inaugural seminar on personal data protection, here.


Protecting your personal data

By DATUK SERI DR RAIS YATIM

At long last, we now have a venue to bring up grouses about our personal data being given away without our knowledge – the Personal Data Protection Department, which was officially launched on Thursday.

ISSUES related to Personal Data Protection have been dabbled with for a long time in this part of the world. The Personal Data Protection Act 2010 (PDPA) is one of the cyber legislations aimed at regulating the processing of personal data in commercial transactions.

The Act was passed by Parliament in May 2010 and the Personal Data Protection Department was created a year later. At a cyber seminar in November 2001, I raised the importance of Malaysia creating an Act to protect the personal data of an individual.

Awareness had risen not only because of rapid commercial development involving violations of personal data such as credit status of individuals, but also invasion through the means of communication tools being detected and questioned.

During the seminar, I spoke on the rights and liabilities pertaining to information; protection of information from unlawful use; the right to information; the status of information belonging to individuals and the overall issues pertaining to the future of online trade and commerce using other people’s data.


When you purchase an item online, your credit card data is online as well. Your banking activities precipitate the storage, retrieval as well as the movement of your credit and debit records.

To some quarters, these are useful if not valuable information. Wrongly used, your very own data could be the meat for a sly move or the subject matter of fraud.

Whichever way you look at it, modern life has involved us in a multi-faceted approach towards preserving our rights in respect of personal data.

Now, 11 years later, we are dealing with personal data again with the opening of the department (on Thursday) and a seminar on its legislation. In this context, our Government’s efforts to recognise individual interests through efforts to protect personal data should be given due recognition.

While the PDPA functions in the commercial environment, abuse of telephony communication networks or other channels through violations of personal data are also closely associated with the Communications and Multimedia Act (CMA) 1998.

For example, a person who intentionally infiltrates and gets without permission any information, including data through telephony or other means of communications under S.234 of the CMA, can be jailed up to one year or fined up to RM50,000 or both, if convicted.

The words “intercepts, attempts to intercept or procures through any other person, any communications” have very broad implications and applications, to the extent of involving the personal data of an individual.

On the other hand, the CMA is complementary to the PDPA and the expedient should be used in the best interest of the people in terms of integrity and security of personal data of an individual. The promulgation of the personal data protection legislation was also mentioned in the CMA to “ensure information security, and network strength and reliability”.

Defining personal data

To ordinary citizens, a common question is: What is actually personal data? Under Section 4 of the PDPA, personal data means any information concerning commercial transactions stored or recorded and which can be managed automatically or as a file system.

It does not matter whether the information is being processed, stored automatically or filed by any party. But it will only be an offence if the information data is used in the commercial environment.

The next question is: If certain personal data are not involved in any commercial transaction, does the question of offence or abuse arise? This seems to be the implications and applications of the new law. Hence, the commercial environment should be involved before a criminal offence is recognised under the PDPA.

Generally, personal data has a very wide scope, covering sensitive and personal information such as blood type, health records and descriptions, political and religious beliefs, mental or physical conditions, or any other data needed by the authority from time to time.

Normal personal data also involves details on bank accounts, credit cards, telecommunication links like telephone or any other information stipulated by the minister under the PDPA from time to time.

The lists of personal data under the PDPA could also be expanded by the authority based on the demands of the living environment. However, details or information of one’s credit ratings are put under the Credit Rating Agency Act 2010 and so are not covered by the PDPA. It is clear that while the register or lists of personal data could be added according to the needs and interests of the consumers in the commercial environment in the future, the public need to know their rights under the new law.

It should also be stressed that the PDPA comprises seven key principles that must be adhered to under S.5(1) to protect the integrity of personal data. They are:

> A user is not allowed to process the personal data of another user without permission. The process here simply means data handling through an automated or computerised system or method or any other process;

> The user must comply with the Principle of Notice and Choice in which the information and purpose of the preliminary communication are conveyed to the data subject;

> The Principle of Disclosure spells out the need to disclose the use of personal data;

> The Principle of Security states that when processing personal data of any subject, precautionary measures must be taken so that the data is safe, and not tampered with, abused, missing or given to irrelevant parties;

> The Principle of Storing specifies that any personal data shall not be kept in a processing system longer than needed;

> The Principles of Data Integrity: all personal data must be accurate, complete, non-confusing and up-to-date in line with the purpose of storing and processing; and

> The Principle of Access: a user must be given access to his/her own personal data, which is kept by another user, and to be allowed to update the data.

With these principles in place, users and e-commerce practitioners will be more confident that their personal information is well protected. In the meantime, a practical and reasonable code of practice can be formulated by private effort or on the initiative of the Personal Data Protection Commissioner.

Scope of the Act

Under the law, the Federal and State Governments are exempted from the PDPA application. This is to give the space and the right for the Government to use one’s basic personal data to be processed for legal administrative purposes.

The law will also speed up the development of electronic connection and transactions like e-commerce and e-business. It can be concluded that the existence of the law will, among others, help Malaysia to become a communication and electronic trade centre; an attractive location for investment in multimedia and communications industry; and an international trade partner which is able to offer personal data protection assurance according to international standards.

More than 100 countries have or are in the process of introducing personal data protection legislation as the borderless transaction environment entails a free flow of information through electronic networks worldwide to cater to the needs to comply with international standards.

The activities and scopes of the Personal Data Protection Act, among others, cover the Registration of Personal Data Users; Creation of the Consumer Data Forum; Creation of the Personal Data Practice Code; Appointment, Functions and Powers of Personal Data Protection Commissioner, including Financial Provisions; Creation of the Personal Data Protection Provident Fund; Creation of the Personal Data Protection Advisory Committee; Creation of the Appeal Tribunal; Inspection Procedures, Complaints and Investigation; and Enforcement.

Personal data processed by an individual for the purpose of personal, family or household affairs, including for recreational purposes, is excluded from the provisions of this Act.

The security, integrity and protection of personal data are a fundamental factor to shift the country from a manufacturing-based economy to high-value knowledge economy through the support of ICT infrastructure. The rise of electronic-based transactions has assailed the status of personal data which previously did not have a high commercial value.

This Act, of course, is able to strengthen personal data protection as a social obligation. This is important in order to protect the privacy of an individual, apart from the objective of producing dignified, integral and responsible traders in daily practices hinged on widespread use of e-commerce characteristics.

The importance of decisiveness and efficiency in all matters pertaining to enforcement must be stressed. May the Personal Data Protection Commissioner implement this principle in an effort to produce a resilient society for the benefit of future generations.

> Datuk Seri Dr Rais Yatim, who is Information, Communication and Culture Minister, officially opened the new Personal Data Protection Department in Kuala Lumpur on Thursday.

Source: The Star Newspaper
