Malaysia data privacy

Leveraging Big Data

I was quoted in the May 2014 issue of Personal Money.


Leveraging Big Data
Personal Finance
Written by Emily Chow and Sarah Voon of The Edge Malaysia
Friday, 16 May 2014 00:00

UPLOADING photos on Facebook; making an ATM transaction; operating a machine in a factory; making a call from a handphone. On the surface, these activities do not seem to have much in common. But they all contribute to the accruement of big data.

Everything and anything that is, and has ever been, linked up to the digital realm constitutes big data. Big data analysis is what many businesses are doing today to enhance their business process.

“Big data isn’t so much the content or amount of the data, but [data on] who is contributing towards it and how often,” says Queenie Wong, head of data management at SAS Institute in Malaysia. The international company is a leader in business analytics software and services, and helps organisations turn large amounts of collected data into information they can use.

“[Companies] have been capturing this information, but it’s expensive to store. Most of the time, you just store and archive it. But with the new trend of big data analytics, how do you capture it [in a meaningful way] to get ahead of the competition and differentiate yourself?”

According to Wong, big data analysis has existed for some time and is being used especially by banks and telecommunications companies. The term was coined and came under the spotlight relatively recently, and businesses are starting to use it in making decisions and maintaining customer relationships.

“When you deal with consumers in today’s business world, it’s not about high value anymore. As a business, I don’t want you to spend thousands or millions of dollars [per transaction]; I’d want you to spend multiple [transactions worth] hundreds of dollars, that add up to more than the [initial] thousand that you might have spent,” she says, emphasising customer loyalty. “It’s easy to acquire customers, but it’s difficult to keep them and make them happy.”

Big data analysis helps in target marketing: Gone are the days of cold-calling and salesmen going door to door to sell their products. Today, a company can anticipate a customer’s need by studying his previous purchases or activities.

“For example, when a bank calls you offering loans and insurance, it isn’t a targeted offer because they don’t know if you’re an existing customer or not, or whether you own any other product in particular,” Wong explains.

“It’s just an outbound call, making it is expensive, and it’s only effective if it gets to the right person [who needs a loan]. The company also wants to make sure that within the first minute of the conversation, the customer wants to hear what it has to say.

“But with big data, we can comprehend the way customers use your service,” she continues. “If you are at a car sales online portal, the bank would want to give you relevant information on car loans [on the website itself]. Say, a customer uses an app on a mobile phone service to buy a train ticket. The information is captured when the ticket is purchased, so the next natural thing to do is to offer hotel stays, which the customer will appreciate. Big data is about anticipating the customer’s next move. It might not be of high value, but it’s very targeted.”

Examples of big data a bank would examine include customers’ ATM transactions and banking details. For a telecommunications company, it would be the way customers use their phones.

Unfortunately, this flood of information can be overwhelming, so companies need to know how to make use of it.

“Every time I make a call, send a message or access broadband, this information is being captured by the telco,” Wong says. “It’s a big dump of information, so businesses need to know what is relevant to them. Data will be used differently based on the maturity level of the companies.”

Such data can also add value to customer interactions.

“Banks have been analysing customer behaviour through credit cards [usage] and are able to detect fraud by notifying customers [of charges made] through text message,” adds Wong.

“But they can do more than this. If you’re travelling overseas and charge something to your card, data will be captured [regarding] your location. Instead of just sending customers a message verifying that they have just charged their card, banks can bring added value by telling them what promotions are [available] nearby if they use their credit cards there.”

Ballooning industry

As big data analysis grows in popularity, or even by necessity, it is predicted that businesses will direct significantly larger sums of resources towards big data analytic tools and solutions. According to the International Data Corporation (IDC) Predictions 2014 report, worldwide spending in this area is likely to increase by 30% this year, exceeding US$14 billion.

“The potential of deriving valuable insights and real-time decision-making from this data avalanche will drive massive investments and create new data-centred analytics and content services,” says the report. In Malaysia, the big data market is expected to reach US$24.2 million (RM46 million) this year.

“Malaysia is moving towards capturing more data — it is starting to recognise the people, process and technology,” observes Wong. “We see an increase in customers asking us to analyse and digest information. Big data isn’t a big bang thing; it is a journey for a business’ internal growth.”

For leading banks in the region, which may already have insight into what customers want through cross-channel banking transactional behaviour analysis, big data allows for increased targeting precision by extending their view of customer behaviour.

“This includes website activity, social engagement, contact centre voice interactions, and location data,” says Donald MacDonald, head of group customer analytics and decisioning at OCBC Bank Singapore.

“New technologies also enable us to react to this data faster than before — in some cases, in real-time — so we can directly engage customers with messages based on where they are and what they are doing right now.”

Apart from customer service and consumer sentiment, OCBC uses big data analytics in marketing analytics, fraud detection, credit quality optimisation and financial forecasting. The bank has spent over S$100 million (RM259 million) on data analytics since 2004, with investments on integrating data from multiple sources to one source, and on tools for analysis.

“Through the use of data analytics, we are able to significantly raise the quantity and targeting sophistication of our marketing activity. We can directly quantify the success of our marketing campaigns by monitoring customers’ individual behaviour to understand who responded to our offers, and then attribute a financial result to each contact,” shares MacDonald.

“Two major [big data] trends we’re focusing on now are speed to insight and contextual awareness.”

Speed to insight refers to the bank leveraging on “data-in-motion”, or data captured when direct interaction occurs with a customer. As this data is put into the bank’s system, its analytical engine updates the bank’s existing knowledge of the customer, and is able to recommend the most relevant products or services in real-time.

“Contextual awareness refers to leveraging additional information on the customers’ current circumstances to improve the relevance of our communications,” MacDonald says. For instance, OCBC could use big data to locate where a customer is, and then recommend merchants based on his preference as well as current location.

“Another example is leveraging voice logs within our contact centre to identify factors such as the increasing frustration of a customer on the line, which might be missed by a staff member,” he continues. “These factors enrich our existing view of the customer… ensuring that our sales and service offers are more targeted and relevant to each individual’s current situation.”

CIMB Group is another bank that leverages on big data initiatives to increase customer satisfaction, and appeal to their needs and lifestyle. The bank, for example, links customers’ Facebook data with its internal data to provide targeted offers to credit and debit cardholders.

“As a result, we discovered that there is an 80% correlation between merchants that customers ‘like’ on Facebook and our existing transaction data of merchants with whom they charge their cards,” says Iswaraan Suppiah, group chief information and operations officer, CIMB Group.

“Additionally, we have noted that banks in other countries are using big data techniques to reduce fraud incidents, or even use social network analysis to determine the creditworthiness of borrowers.”

According to CIMB, big data can also grow revenues faster by better matching its offers to customers’ needs.

“[This is] to the extent of designing better products and services that are directly relevant to various customer segments. Instead of using a traditional marketing campaign targeted at hundreds of thousands of customers and getting a 2% conversion rate, we can now target 30,000 customers and get a 50% conversion rate,” says Iswaraan.

“By using big data to really get to know and understand our customers, we can cut down on unnecessary ‘marketing’ and have real conversations about real customer challenges that will lead to benefits on both sides.”

Privacy protection and consumer rights

From a social perspective, big data could also benefit the public sector when used by the government, albeit allowing surveillance with an Orwellian touch. Authorities worldwide have been using such information in policy design and logistics planning, and to monitor crime and public security.

In Malaysia, however, data collected by companies cannot be sold or shared with a third party without the subject’s consent, as stated in the Personal Data Protection Act 2010 (PDPA).

Other laws such as the Communications and Multimedia Act 1998, the Computer Crimes Act 1997, and the Penal Code also ensure that collected data must only be used for the original purpose it was lawfully obtained for. This means customers should have willingly imparted their data to companies, with their knowledge.

“It’s fine for a person to use big data for business marketing research purposes, provided the data was acquired lawfully,” says Foong Cheng Leong, a lawyer at Foong Cheng Leong & Co, who specialises in cyberdata cases.

“There are many cases where data is purchased without the knowledge of the subjects within the data,” says Foong. In this case, the subject may exercise his right and file a complaint against the company or person that has been selling the information. Complaints can be made with the Personal Data Protection Commissioner.

“The information includes personal data, such as your name, identity card number, email address, images, your address, and so on, [used] in a commercial transaction,” he says, adding that this is all covered under the PDPA.

However, before a subject exercises his right, he should always read the privacy notices or policies provided by businesses explaining how they will use his data, Foong advises. A company is obliged to disclose how it uses personal data in a privacy notice or policy. This is also to enable the consumer to make informed decisions when sharing information requested by the company.

“With PDPA in force, consumers have a say in how their data is to be treated. They can even control the amount of data being flown out of a company.”

According to Foong, however, there are some cases of companies disclosing certain information necessary to deliver their services to the subject. For example, a telecommunications company may pass its customer’s data to a subcontractor. “[This is in the event] that the subcontractor needs to perform certain services. However, before a company [shares the data, it will make sure that the customer’s] personal data will be kept securely.”

This should also be disclosed to subjects during the time of data collection. Anything beyond what is stipulated in the initial privacy policy that is shared to subcontractors or other third-party services is considered illegal.

Foong says the only way to secure one’s personal data is to only use trusted service providers. Apart from that, he also advises that one should maintain a separate email to sign up for goods or services.

“Make sure you have strong passwords, and do not reuse passwords for different platforms. Phishing is common nowadays. Any email that goes into your junk or spam folders should be read with caution. It is unlikely to be true. Fake calls from unknown parties are also common. Many such callers ask for personal details on the pretext that someone is misusing your data.”

Otherwise, Foong believes that there should not be much to worry about. If users continue to take precautionary measures to protect their data privacy, they should not fear sharing their information online.

However, as an urban population moves towards a technologically driven lifestyle, rapidly expanding digital footprints are inevitable. From SAS Institute’s perspective, a company that chooses to use big data and its analytics has to make it relevant to its customers.

“If you want to use big data and big data analytics, whatever you give back to your customer must be relevant,” Wong says.

“Companies are very cautious with the kind of information they have and I think now with guidelines from Bank Negara Malaysia and the Malaysian Communications and Multimedia Commission, there are clear lines on what you can and cannot do. [Sometimes] there is a grey area, because that has to do with the company’s obligation to the customer and the public. The company then has to decide how they want to address that.”

This article was first published in the May 2014 issue of Personal Money — a personal finance magazine published by The Edge Communications.

PDC Seminar on The Personal Data Protection Act on 28.05.2013

I will be speaking about the Personal Data Protection Act 2010 at the KL Bar on 28 May 2013. Details are below.


2 CPD Points ( 28052013/KLB/KLB1183/2 )

As part of its Professional Development Programme, the PDC is pleased to present the above Seminar by Mr Foong Cheng Leong on 28.05.2013 (Tuesday) from 3.00pm to 5.30pm. Venue: KL Bar Auditorium.

Areas to be covered:

• Introduction to Personal Data Protection Act 2010
• Highlights of the Personal Data Protection Act 2010
• 7 Principles
• Personal Data Protection Commissioner
• Registration of Data Users
• Transfer of Data Overseas
• Rights of Data Subjects
• Offences and Liability
• Transitional Period
• How would the Act affect Companies?
• Action Plan / Checklist
• Question & Answers
• Case Study

About the speaker
Foong Cheng Leong was called to the Malaysian Bar in 2005. He is currently the KL Bar Information Technology and Publications Chair and a member of the Bar Council Intellectual Property Committee. He is regularly featured in the media notably over topics regarding intellectual property, cyberlaw, data privacy and the like.

REGISTRATION FEE

Pupils-in-Chambers / Law Students – RM30.00 per participant

Members of the Bar – RM60.00 per participant

Non-Members – RM100.00 per participant

Registration Must be Accompanied With Payment to Guarantee Your Place

Only 120 Seats Available.

Malaysia’s data privacy Act slow to take off

I was quoted by ZDNet in their article “Malaysia’s data privacy Act slow to take off” on 5 February 2013. To date, our Malaysian Personal Data Protection Act 2010 is still not in force.


Summary: Country’s personal data protection Act was due to take effect last month, but is still pending formalities. Despite that, many companies do not appear to be ready yet.

By Liau Yun Qing | February 5, 2013 — 11:16 GMT (19:16 SGT)

Malaysia’s Personal Data Protection Act 2010 (PDPA) was due to take effect on January 1, 2013, but the law is still not in force due to legal formalities. Despite its impending introduction, many companies are still lacking in compliance while consumers doubt it will be strongly enforced.

Foong Cheng Leong, a Malaysian lawyer and co-chairman at Kuala Lumpur Bar Information Technology Committee, said despite the announcement by a minister that the act will take effect at the beginning of the year, it is technically still on hold as there needs to first be an official notification in the Government Gazette for the Act to be formalized.

In a report published in December 2012, Malaysian newspaper The Star cited deputy Information, Communications and Culture Minister Datuk Joseph Salang who said during a keynote the PDPA would be enforced on January 1, 2013 and companies will have three months to comply.

Malaysia’s law for personal data protection has been long in the making. The Personal Data Protection Bill was first drafted in 2001 and was expected to be in force in early-2010 but that did not materialize.

Despite the protracted lead up, many Malaysian companies are still not prepared for the eventual implementation of the law. Foong pointed out during his many talks on PDPA, he had noticed many companies have not started their compliance exercise.

Barry Ooi, president of the Marketing Research Society of Malaysia, said the Act will have a direct impact on the practice of market research in the country as it includes entities that process personal data. “All market research companies will need to be aware of the rules and regulations under this act,” he said.

Ooi pointed out most market research companies in Malaysia have been adopting the international research standards set by the World Association for Market, Social and Opinion Research (ESOMAR). “Many of the rules and procedures in the PDPA are similar to the ESOMAR guidelines,” he added.

“Nevertheless, our members are tightening up their procedures, particularly in the area of respondent consent and non-disclosure,” he noted.

Consumers lack confidence in enforcement of Act
Despite the government efforts, a few consumers in Malaysia were not confident about how the law would be eventually enforced.

IT systems engineer Ranjeeta Kaur said she knew that the country has such an act. However, she did not take much interest in reading the details mainly because of the lack of enforcement for most of the laws in Malaysia. “Enacting an act is simple but placing it into the actual corporate world and making sure that it’s followed is another story altogether,” she said.

“If we were to look at our daily Internet activities, most Malaysians don’t care about this Act. In fact they don’t even bother that the information they exchange with other parties could be leaked or used against them,” said Kaur.

Postgraduate student Chua Soon Hau questioned whether the Act would impact Internet companies such as Facebook or Instagram which were not based in Malaysia. “The Act will more likely tackle analytics companies that gather data and sell it to people who want it,” he said.

Chua wondered if the implementation of the law might even conflict with privacy agreements which users need to agree to before using a service.

Kaur said unlike the European countries, consumers in Malaysia were more “carefree” about their personal information. “Many folks are just happy to be given a computer and access the Internet with a carefree mind. We should actually be made aware of how our data is being handled, who is viewing it or has access to it,” she said.

Malaysia vs Singapore’s data privacy Act
Neighboring country Singapore passed its personal data protection bill in October 2012 and was enforced in January this year.

Foong said while both countries’ personal data protection bills are similar, the details differ “quite a bit”.

The Malaysian law requires data collection parties to give subjects a written notification in the national language and English during the process. For Singapore, the notification is simpler as there is no rule the notification needs to be in the national language or English.

However, the Singapore Act requires the party collecting data to state the purpose for the collection, use or disclosure of the personal data, he noted. When requested, the party collecting data needs to give the business contacts of the person who is able to answer any questions the individual might have.

Foong added consent to process personal data is not defined in the Malaysian PDPA, while the Singapore law sets out in detail what amounts to consent and what type of consent is acceptable.

Bread & Kaya: Attention e-commerce businesses: Fraud, the law and you

My Bread & Kaya’s second column was published on Digital News Asia on 29 January 2013.


Attention e-commerce businesses: Fraud, the law and you
Jan 29, 2013

– A new law to protect users of online trading portals goes into effect July 1
– While it may cost them a bit, operators of such businesses will have to comply

Bread & Kaya by Foong Cheng Leong

E-COMMERCE is booming in Malaysia. Euromonitor International estimated that Internet retailing in Malaysia reached RM842 million (US$268.3 million) in 2011; Goldman Sachs forecasts that e-commerce in Malaysia is projected to hit RM3.4 billion (US$1.1 billion) this year with a 30% year-on-year growth.

Notwithstanding such growth, online fraud is rampant in Malaysia. If you scour our online auction or listing websites, you’ll find many dodgy sellers and buyers selling or offering to buy products and services.

But the long arm of the law recently caught Mohd Yunus Jan Muhammad for approaching six victims who had advertised to sell their gadgets through an Internet trading portal, by posing as a customer and setting up appointments. At these meetings, he would grab the merchandise and flee. He was sentenced to one year’s jail. The Court also fined and imposed a whipping on Mohd Yunus.

Sometime in 2011, the Ministry of Domestic Trade, Co-operatives and Consumerism proposed that the Electronic Commerce Act 2006, an act that regulates online commercial transactions, be amended to regulate the online market place industry. I am told that consultation was held with the industry and I understand that some industry players had taken steps to lobby against the amendment.

In April 2012, its minister Datuk Seri Ismail Sabri Yaakob announced that the amendment would ensure that electronic transactions could be done in a safer and secured environment.

The law came about in the form of the Consumer Protection (Electronic Trade Transactions) Regulations 2012 (“Regulation”), a regulation under the Consumer Protection Act 1999.

The Regulation will be in force on July 1, 2013. Under this Regulation, an online marketplace operator is required to, among others, provide their full details, terms and conditions of sale, rectification of errors and maintenance of records.

The new law applies to two (2) types of persons namely:

– A person who operates a business for the purpose of supply of goods or services through a website or in an online marketplace (“Online Business Owner”). “Online marketplace” means a website where goods or services are marketed by third parties for the purpose of trade. This may include your typical blog shops and sellers with accounts with eBay, Lelong and Mudah online stores.

– A person who provides an online marketplace (“Online Marketplace Operator”). This may include group buying website operators such as GroupOn, auction and listing websites such as eBay, Lelong and Mudah, and online shopping websites where third party products are sold such as Zalora.

Online business owners

Under the Regulation, Online Business Owners shall disclose the following information on the website where the business is conducted, failing which the operator commits an offence.

  1. The name of the person who operates a business for the purpose of supply of goods or services through a website or in an online marketplace, or the name of the business, or the name of the company.
  2. The registration number of the business or company, if applicable.
  3. The e-mail address and telephone number, or address of the person who operates a business for the purpose of supply of goods or services through a website or in an online marketplace.
  4. A description of the main characteristics of the goods or services.
  5. The full price of the goods or services including transportation costs, taxes and any other costs.
  6. The method of payment.
  7. The terms and conditions.
  8. The estimated time of delivery of the goods or services to the buyer.

Any person who discloses or provides the above information that he knows or has reason to believe is false or misleading, commits an offence.

Online Business Owners shall also:

  • provide the appropriate means to enable the buyer to rectify any errors prior to the confirmation of the order made by the buyer; and
  • acknowledge receipt of the order to the buyer without undue delay.

The order and the acknowledgement of receipt shall be deemed to have been received by the person who operates a business for the purpose of supply of goods or services through a website or in an online marketplace and the buyer, respectively, when the person and the buyer are able to access such order and the acknowledgement of receipt.

The Online Marketplace Operator shall take reasonable steps to keep and maintain a record of the names, telephone numbers and the address of the person who supplies goods or services in the online marketplace, for a period of two years, failing which an offence is committed.

In addition to the terms and conditions, Online Business Owners and Online Marketplace Operators must comply with the Notice and Choice Principle provided by the Personal Data Protection Act 2010 by inserting a privacy notice, in the National and English languages, on their website before the collection of any personal data.

Extra costs for businesses

Although this law seeks to protect consumers from unscrupulous traders, the introduction of this new law increases the startup costs and cost of operation of an e-commerce business.

Engaging lawyers to draft terms and conditions for e-commerce businesses can be expensive. But it is something any e-commerce business should invest in to protect themselves and their users.

The new law doesn’t specify in detail how the terms and conditions should be. Therefore, one can have a very simple set of terms and conditions.

Alternatively, one may opt to adopt the terms and conditions of other e-commerce businesses provided that one is well versed in drafting and amending agreements. But one should take note that every set of terms and conditions is customized for specific businesses.

It would be ideal if we have affordable online services to draft terms and conditions and privacy policies for SMEs (small and medium enterprises) like SnapTerms, which allows start-up companies the opportunity to customize their website’s terms and conditions without having to pay the fees typically associated with having the documents drafted by a lawyer.

But one must bear in mind that SnapTerms is a service provided by people who are well versed in the laws of their country and perhaps not Malaysia.

To digress a little, e-commerce businesses should also protect their intellectual property such as their trademarks, copyright and patents. These rights are registerable and one can protect these rights in Malaysia by filing them with the Intellectual Property Corporation of Malaysia or MyIPO.

Other than that, it is pertinent to protect your brand from being taken in well-known social media websites like Facebook and Twitter. You can use Knowem to check for the use of your brand, product, personal name or username instantly on over 550 popular and emerging social media websites.

Closing

The introduction of laws to track and record Internet transactions is nothing new. Last year, Section 114A of the Evidence Act 1950 and Cyber Centre and Cyber Cafe (Federal Territory of Kuala Lumpur) Rules 2012 were introduced to track and record such transactions.

These laws will not be the last. I foresee that many more such laws will be introduced in the near future.

Download:
Consumer Protection (Electronic Trade Transactions) Regulations 2012


Podcast: Resource Centre: The Personal Data Protection Act 2010

I was interviewed by Freda Liu of BFM Radio on the topic of Personal Data Protection Act 2010 (“PDPA”) on 15 January 2013.


The PDPA provides that any information that directly or indirectly relates to a data subject (i.e. individual) who is identified or identifiable from that information, is personal data. This information may take various forms, such as your name, passport number, telephone number and email address.
PDPA came into force January 1, 2013.

PDPA: Businesses have responsibilities and burdens

I was invited to contribute to a monthly column in Digital News Asia, which I named Bread & Kaya. The column will have legal news relating to intellectual property, cyberlaws, franchise, data privacy and the like.

My first article “PDPA: Businesses have responsibilities and burdens” was published on 31 December 2012.



Dec 31, 2012

  • PDPA comes into force Jan 1, 2013, and companies have three months to comply
  • Many have waited, and now may not have enough time to put processes in place

    Bread & Kaya by Foong Cheng Leong

    WELCOME to the inaugural Bread & Kaya column! The term is a Malaysianized version for bread-and-butter. This column aims to be your bread-and-kaya serving of legal news relating to intellectual property, cyberlaws, franchise, data privacy and the like.

    You may have read some of my articles in The Star’s Putik Lada column or in LoyarBurok. If this is the first time you’re reading my articles, “Hello.”

    Without a doubt, 2013 will be an interesting year for businesses. Many new laws and regulations will be introduced, and the Personal Data Protection Act 2010 (PDPA) is one of them.

    It was reported that the PDPA would come into force on Jan 1, 2013. Businesses have three months from the date of enforcement to comply with the Act. Similarly, Singapore will have its own Personal Data Protection Act 2012 coming into force on Jan 2, 2013.

    Notwithstanding the reported enforcement date of Jan 1, 2013, there is no official government gazette confirming this as I write this column. Thus, the PDPA would still not be in force until such a government gazette is published.

    What is the PDPA?

    The PDPA provides that any information that directly or indirectly relates to a data subject (i.e. individual) who is identified or identifiable from that information, is personal data. This information may take various forms, such as your name, passport number, telephone number and email address.

    A person who processes personal data is called a data user. Companies processing individual customers or employees’ personal data must comply with the PDPA.

    Under the PDPA, a data user, in processing personal data, must comply with the following principles:

    (1) General Principle;
    (2) Notice and Choice Principle;
    (3) Disclosure Principle;
    (4) Security Principle;
    (5) Retention Principle;
    (6) Data Integrity Principle; and
    (7) Access Principle.

    Failure to abide by any of the above principles amounts to an offence. Upon conviction, the data user is liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding two (2) years or to both (S. 5(2) PDPA).

    [RM1 = US$0.33]

    Under these principles, the collection and use of personal data must be consented to by the data subject and steps must be taken to ensure that the data is stored securely. The processing of personal data cannot be excessive in relation to the purpose or related purpose for which the personal data is collected.

    Adequate notice must be given to data subjects that their personal data will be processed and used, and of the purpose of that processing. Such notice must be in writing and in the Malay and English languages. Personal data no longer in use has to be destroyed.

    Further, personal data cannot be transferred outside Malaysia unless such a place is specified by the Government, consented to by the data subject, or is necessary for the performance of a contract between the data user and the data subject.

    The PDPA only applies to personal data processed in relation to “commercial transactions.”

    What do you need to do?

    If you are processing employees’ or individual customers’ personal data, you are advised to, among other things:

  • Assess how the PDPA affects your organization;
  • Prepare a privacy notice, in Malay and English, to be issued to potential and current employees or customers;
  • Prepare a Personal Data Policy to govern the processing and handling of personal data by employees;
  • Prepare a Retention Policy for employees’ or customers’ personal data and audit the personal data of previous employees or customers in order to dispose of personal data that is no longer in use;
  • Establish a data access procedure for employees or customers to access their personal data;
  • Ensure that the storage of employees’ and customers’ personal data is secure;
  • Ensure that personal data is only disclosed for the purpose for which the personal data is collected and not disclosed to unrelated parties;
  • Ensure that the relevant personnel such as Human Resource or customer relationship staff are adequately trained in data protection laws and practice;
  • Review data collection forms so that personal data is not collected excessively; and
  • Ensure that personal data are transferred overseas lawfully.

    Consent

    The word consent is not defined in the PDPA. However, in early December 2012, Deputy Minister of Information, Communications and Culture Datuk Joseph Salang announced that “whenever consent is required for data processing, it’ll have to be given expressly rather than impliedly or be assumed.”

    This would mean that there must be some sort of active communication between the parties. For example, if a company wishes to obtain more information about an individual, the former would need to get the individual’s express consent by contacting the individual.

    In this regard, all companies will need to ensure that all possible purposes for processing the personal data are set out before the collection of the data. Additional procedures may need to be established to ensure consent is captured.

    Express consent can be gained in a variety of ways — for example by filling in a form, ticking a box on a website, over the phone and face-to-face.

    Although express consent seems to give individuals added protection, this is not necessarily true. Malaysia’s restricted view on the definition of consent will have an impact on businesses and individuals. Additional cost will be incurred in establishing new procedures and practices such as new forms, storage, impact analysis and compliance exercises. Individuals may also be swamped with requests for consent from time to time, although the individual would ultimately consent.

    Companies will need to wait for individuals’ express consent before they can roll out new projects.

    To give an example on how the PDPA will affect business:

    Company X wishes to roll out a new security system to enter the office. The system utilizes the employees’ personal data as unique identifiers. In view of the express consent requirement, Company X will need to get the employees’ express consent to use their personal data. If certain employees refuse to give it, the system cannot be fully utilized.

    In the event that a data subject disputes that express consent had been given, the data user will need to show that express consent had been given. Assuming that we adopt the implied consent regime, it is arguable that a data subject had impliedly consented to the processing of personal data if the data subject uses the data user’s services.

    However, with express consent, evidence must be provided and this may be difficult, especially in electronic transactions.

    In such a case, Section 114A of the Evidence Act 1950 may be helpful to data users as it puts a presumption of publication by a person if his or her name appears on a particular content. The affected individual will need to prove that he did give express consent. This may be costly, highly bureaucratic and time consuming.

    Closing

    The PDPA is supposed to bring an end to unsolicited communication, but it will cause drastic changes to Malaysian businesses.

    Much valuable commercial data will be lost due to the PDPA. It is noted that many Malaysian industries had taken the wait-and-see approach. This is alarming considering that three months to comply with the PDPA will probably not be enough.

    The Personal Data Protection Department recently issued Malaysian Personal Data Protection Department’s Public Consultation No. 2/2012 entitled “Class Of Data User Under The Personal Data Protection Act 2010 And Proposed Fees” which sets out the class of data users that is required to register with the Commission.

    The release of such consultation paper is commendable. I hope that the Commission or the Personal Data Protection Department will issue more of these consultation papers and guidelines on the interpretation of the PDPA.

    Podcast: Msia I Can Series: The Right To Your Privacy

    This is my podcast from my live radio interview on BFM Radio Station.

    [Source: BFM.my]

    As part of our series, Msia: I Can in collaboration with Loyar Burok to encourage awareness of rights amongst citizens, we will be examining the right to privacy. In a society with extremely communal tendencies, the right to privacy is rarely discussed. As adolescents we submit to the right of our parents to invade our lives, and as adults we submit to the authorities. Where should we draw the line? Foong Cheng Leong, privacy law expert joins us to explain our inherent right to keep our business to ourselves, and its limitations in Malaysia.
