Malaysia Personal data

Feedback to the proposed Personal Data Protection (Transfer Of Personal Data To Places Outside Malaysia) Order 2017

The Malaysian Personal Data Protection Commissioner (Commissioner) has published Public Consultation Paper (PCP) No. 1/2017 entitled Personal Data Protection (Transfer Of Personal Data To Places Outside Malaysia) Order 2017 (“Order”). The public consultation is intended to solicit feedback from data users and other relevant parties on the whitelist of places to which personal data may be transferred outside Malaysia. This step is in line with the requirements of subsection 129(1) of the Personal Data Protection Act 2010 [Act 709]. The Order is a ‘living document’: further places will be added to the list as and when required. Among the criteria considered by the Commissioner in preparing the list of places are:

i. Places that have a comprehensive data protection law (whether a single comprehensive personal data protection statute or a combination of several laws and regulations in that place);

ii. Places that have no comprehensive data protection law but are subject to binding commitments (multilateral/bilateral agreements and others);

iii. Places that have no data protection law but have a code of practice or national co-regulatory mechanisms.

The Order has proposed the following places to be in the “whitelist places”:-

(a) European Economic Area (EEA) member countries
(b) United Kingdom
(c) The United States of America
(d) Canada
(e) Switzerland
(f) New Zealand
(g) Argentina
(h) Uruguay
(i) Andorra
(j) Faeroe Islands
(k) Guernsey
(l) Israel
(m) Isle of Man
(n) Jersey
(o) Australia
(p) Japan
(q) Korea
(r) China
(s) Hong Kong
(t) Taiwan
(u) Singapore
(v) The Philippines
(w) Dubai International Financial Centre (DIFC)

The deadline for sending feedback is Thursday, 4 May 2017.

Compoundable Offences under the Personal Data Protection Act 2010

Certain offences under the Personal Data Protection Act 2010 (PDPA) are compoundable as of 15 March 2016.

Under the Personal Data Protection (Compounding of Offences) Regulations 2016, the following offences are compoundable by making payment to the Commissioner of Personal Data Protection Malaysia:-

Offences under the PDPA

(1) Breach of any of the Personal Data Protection Principles (s. 5(2))
(2) Processing of personal data without the required registration under PDPA (this is only applicable to certain class of users) (s. 16(4))
(3) Processing of personal data after registration under the PDPA is revoked by the Personal Data Protection Commissioner (s. 18(4))
(4) Failure to surrender certificate of registration after revocation (s. 19(2))
(5) Failure to make a note on an expression of opinion which is considered as inaccurate, incomplete, misleading or not up-to-date by a person who made a data correction request and using that expression of opinion without the note being drawn to the attention of and being available for inspection by that person (s. 37(4))
(6) Failure to cease processing of personal data upon receipt of withdrawal of consent to process personal data (s. 38(4))
(7) Processing of sensitive personal data without explicit consent (s. 40(3))
(8) Failure to comply with an enforcement notice (s. 108(8))

Offences under the Personal Data Protection Regulations 2013

(1) Failure to obtain consent from a data subject in relation to the processing of personal data in any form that such consent can be recorded and maintained properly by the data user (Reg 3(1))
(2) Failure to develop and implement a security policy, or implementing a security policy that does not comply with the security standards set by the Commissioner; failure to ensure that any data processor complies with the security standard in the processing of personal data (Reg 6)
(3) Failure to comply with the retention standards set out by the Commissioner (Reg 7)
(4) Failure to comply with the data integrity standards set out by the Commissioner (Reg 8)

Offences under the Personal Data Protection (Registration of Data User) Regulations 2013

(1) Failure to renew the data user’s certificate of registration while continuing to process personal data after the certificate has expired (Reg. 5)
(2) Failure to notify the Commissioner in writing of any change to the particulars in the certificate of registration (Reg 6(5))
(3) Failure to display the certificate of registration, and any amendment to the certificate, at a conspicuous place at the principal place of business, and a certified copy of the certificate at each branch, where applicable (Reg 8(3))

Guide in Dealing with Direct Marketing under Personal Data Protection Act (PDPA) 2010

The Personal Data Protection Commissioner has issued Proposal Paper No. 1/2014 – Guide in Dealing with Direct Marketing under Personal Data Protection Act (PDPA) 2010. The Commissioner has invited feedback and opinion on the matters raised in the Proposal Paper, to be submitted before 20 February 2014.


Enforcement of the Personal Data Protection Act 2010

The Malaysian Reserve reported that no date has been set for the enforcement of the Personal Data Protection Act 2010 (PDPA). The newly appointed Communication and Multimedia Minister Datuk Seri Ahmad Shabery Cheek stated that the PDPA will be enforced as soon as possible. However, he declined to be more specific as to the exact timing, or whether it will be enforced before the end of this year.

End to data abuse

I was quoted in The Sun Daily regarding the weaknesses of the Personal Data Protection Act 2010 (PDPA). Note that The Sun Daily also reported that the PDPA will be in force come 1 January 2013.

End to data abuse
Posted on 23 October 2012 – 05:24am
Pauline Wong

PETALING JAYA (Oct 23, 2012): Come Jan 1, you will be able to put an end to pesky telemarketers and report such harassment to the authorities.

This is because the Personal Data Protection (PDP) Act which criminalises unauthorised use of your personal data will finally be enforced after a two-year delay.

Information, Communications and Culture Minister Datuk Seri Rais Yatim told theSun recently that enforcement of the Act was held up due to a delay in the recruitment of personnel for the newly-formed Personal Data Department.

The department, which comes under his ministry, will oversee and be responsible for the enforcement of the Act.

“The department will be operational from Jan 1,” Rais said in an SMS reply to queries from theSun as to the enforcement of the Act which had been gazetted in June 2010.

The law stipulates how personal data – phone numbers, identity card numbers, addresses and even DNA – is used and stored by any organisation.

It defines “personal data” as any information processed in respect of commercial transactions that relates directly or indirectly to a “data subject” (the consumer), including any sensitive personal data.

Data users – including banks, telecommunications providers and even employers – must comply with seven principles.

Failure to do so will make the data user liable to a fine of up to RM300,000, up to two years’ jail, or both, upon conviction.

Once in force, the Act makes it a criminal offence for data users to reveal your phone number (for example) to third-party telemarketers, unless you had consented and were notified of their intention to do so.

The right to put an end to direct marketing is also provided for under the Act as a consumer may, by notice in writing, tell the data user to stop processing personal data for direct marketing.

He or she may also at any time withdraw any consent previously given to the data user.

However, legal experts point out that many aspects of the Act remain vague – which they say does not bode well for the wide-ranging impact of the Act.

Lawyer Adlin Abdul Majid, who heads the PDP compliance team at law firm Lee Hishammuddin Allen and Gledhill, said the Act is in need of more thorough guidelines before implementation.

“The Act was drafted in a very general manner. For example, even the definition of ‘commercial transaction’ is not specific.

“If someone goes to a small boutique and makes a purchase with a credit card, does this hold the boutique responsible for your data, and will it have to serve you a notice?” she said.

She added that in interpreting the law, employers are also considered data users.

“This could mean that even a small or medium enterprise (SME) with a few employees would have to adhere to the Act and conduct a privacy impact assessment to ensure full compliance, but that can be very costly for SMEs,” she said.

Adlin said the government needs to draft very detailed guidelines in enforcing the PDP, or it would lead to a lot of confusion.

KL Bar IT Committee co-chairman Foong Cheng Leong said the Act does not address several key problems, especially when it comes to storing a person’s personal data.

“With the digitalisation of records, the internet, and ‘cloud’ computing, the question is how does a data user deal with soft copies of personal information?” he asked.

He added that it is also not practical for data users to give written notice when data is collected over the phone, or captured via closed-circuit television (CCTV).

Foong urged the authorities to draw up specific guidelines to address these issues.

Protecting your personal data


At long last, we now have a venue to bring up grouses about our personal data being given away without our knowledge – the Personal Data Protection Department, which was officially launched on Thursday.

ISSUES related to Personal Data Protection have been dabbled with for a long time in this part of the world. The Personal Data Protection Act 2010 (PDPA) is one of the cyber legislations aimed at regulating the processing of personal data in commercial transactions.

The Act was passed by Parliament in May 2010 and the Personal Data Protection Department was created a year later. At a cyber seminar in November 2001, I raised the importance of Malaysia creating an Act to protect the personal data of an individual.

Awareness had risen not only because of rapid commercial development involving violations of personal data such as credit status of individuals, but also invasion through the means of communication tools being detected and questioned.

During the seminar, I spoke on the rights and liabilities pertaining to information; protection of information from unlawful use; the right to information; the status of information belonging to individuals and the overall issues pertaining to the future of online trade and commerce using other people’s data.

When you purchase an item online, your credit card data is online as well. Your banking activities precipitate the storage, retrieval as well as the movement of your credit and debit records.

To some quarters, these are useful if not valuable information. Wrongly used, your very own data could be the meat for a sly move or the subject matter of fraud.

Whichever way you look at it, modern life has involved us in a multi-faceted approach towards preserving our rights in respect of personal data.

Now, 11 years later, we are dealing with personal data again with the opening of the department (on Thursday) and a seminar on its legislation. In this context, our Government’s efforts to recognise individual interests through efforts to protect personal data should be given due recognition.

While the PDPA functions in the commercial environment, abuse of telephony communication networks or other channels through violations of personal data are also closely associated with the Communications and Multimedia Act (CMA) 1998.

For example, a person who intentionally infiltrates and gets without permission any information, including data through telephony or other means of communications under S.234 of the CMA, can be jailed up to one year or fined up to RM50,000 or both, if convicted.

The word “intercepts, attempts to intercept or procures through any other person, any communications” have very broad implications and applications to the extent of involving the personal data of an individual.

On the other hand, the CMA is complementary to the PDPA and the expedient should be used in the best interest of the people in terms of integrity and security of personal data of an individual. The promulgation of the personal data protection legislation was also mentioned in the CMA to “ensure information security, and network strength and reliability”.

Defining personal data

To ordinary citizens, a common question is: What is actually personal data? Under Section 4 of the PDPA, personal data means any information concerning commercial transactions stored or recorded and which can be managed automatically or as a file system.

It does not matter whether the information is being processed, stored automatically or filed by any party. But it will only be an offence if the information data is used in the commercial environment.

The next question is: If certain personal data are not involved in any commercial transaction, does the question of offence or abuse arise? This seems to be the implications and applications of the new law. Hence, the commercial environment should be involved before a criminal offence is recognised under the PDPA.

Generally, personal data has a very wide scope, covering sensitive and personal information such as blood type, health records and descriptions, political and religious beliefs, mental or physical conditions, or any other data needed by the authority from time to time.

Normal personal data also involves details on bank accounts, credit cards, telecommunication links like telephone or any other information stipulated by the minister under the PDPA from time to time.

The lists of personal data under the PDPA could also be expanded by the authority based on the demands of the living environment. However, details or information of one’s credit ratings are put under the Credit Rating Agency Act 2010 and so are not covered by the PDPA. It is clear that while the register or lists of personal data could be added according to the needs and interests of the consumers in the commercial environment in the future, the public need to know their rights under the new law.

It should also be stressed that the PDPA comprises seven key principles that must be adhered to under S.5(1) to protect the integrity of personal data. They are:

> A user is not allowed to process the personal data of another user without permission. The process here simply means data handling through an automated or computerised system or method or any other process;

> The user must comply with the Principle of Notice and Choice in which the information and purpose of the preliminary communication are conveyed to the data subject;

> The Principle of Disclosure spells out the need to disclose the use of personal data;

> The Principle of Security states that when processing personal data of any subject, precautionary measures must be taken so that the data is safe, and not tampered with, abused, missing or given to irrelevant parties;

> The Principle of Storing specifies that any personal data shall not be kept in a processing system longer than needed;

> The Principles of Data Integrity: all personal data must be accurate, complete, non-confusing and up-to-date in line with the purpose of storing and processing; and

> The Principle of Access: a user must be given access to his/her own personal data, which is kept by another user, and to be allowed to update the data.

With these principles in place, users and e-commerce practitioners will be more confident that their personal information are well protected. In the meantime, a practical and reasonable code of practice can be formulated by private effort or on the initiatives of Personal Data Commissioner.

Scope of the Act

Under the law, the Federal and State Governments are exempted from the PDPA application. This is to give the space and the right for the Government to use one’s basic personal data to be processed for legal administrative purposes.

The law will also speed up the development of electronic connection and transactions like e-commerce and e-business. It can be concluded that the existence of the law will, among others, help Malaysia to become a communication and electronic trade centre; an attractive location for investment in multimedia and communications industry; and an international trade partner which is able to offer personal data protection assurance according to international standards.

More than 100 countries have or are in the process of introducing personal data protection legislation as the borderless transaction environment entails a free flow of information through electronic networks worldwide to cater to the needs to comply with international standards.

The activities and scopes of the Personal Data Protection Act, among others, cover the Registration of Personal Data Users; Creation of the Consumer Data Forum; Creation of the Personal Data Practice Code; Appointment, Functions and Powers of Personal Data Protection Commissioner, including Financial Provisions; Creation of the Personal Data Protection Provident Fund; Creation of the Personal Data Protection Advisory Committee; Creation of the Appeal Tribunal; Inspection Procedures, Complaints and Investigation; and Enforcement.

Personal data processed by an individual for the purpose of personal, family or household affairs, including for recreational purposes, are excluded from the provisions of this Act.

The security, integrity and protection of personal data are a fundamental factor to shift the country from a manufacturing-based economy to high-value knowledge economy through the support of ICT infrastructure. The rise of electronic-based transactions has assailed the status of personal data which previously did not have a high commercial value.

This Act, of course, is able to strengthen personal data protection as a social obligation. This is important in order to protect the privacy of an individual, apart from the objective of producing dignified, integral and responsible traders in daily practices hinged on widespread use of e-commerce characteristics.

The importance of decisiveness and efficiency in all matters pertaining to enforcement must be stressed. May the Personal Data Protection Commissioner implement this principle in an effort to produce a resilient society for the benefit of future generations.

> Datuk Seri Dr Rais Yatim, who is Information, Communication and Culture Minister, officially opened the new Personal Data Protection Department in Kuala Lumpur on Thursday.

Source: The Star Newspaper

Protection for your personal data

This is an interesting article from Singapore’s Straits Times regarding the collection of personal data by building owners. Whether the Malaysian Personal Data Protection Act 2010 (“PDPA”) will apply to building owners in respect of such processing is a moot point but I take the view that the PDPA is not applicable as such collection is not in respect of a commercial transaction. However, the subsequent use of the personal data for commercial use will be caught by the PDPA.

Source: Straits Times
Author: Irene Tham

It is common for security guards at condominiums or other buildings to ask visitors to hand over their identity cards to gain entry.

The practice likely started out as a safeguard in case a visitor commits a crime or sabotage.

Some building owners record a visitor’s name, contact details and identity card number in a log book or computer system, while others hold on to the card in exchange for a visitor’s pass.

But tweaks to this system will be needed once a new data protection law kicks in, which could be as early as next year.

The Ministry of Information, Communications and the Arts (Mica) told The Sunday Times this consumer privacy law – primarily to deter irresponsible marketers – will also apply to commercial and private building owners.

A Mica spokesman acknowledged that building owners and managements may not have proper data collection and handling processes in place yet. But when the law applies, organisations including commercial and private buildings, must have ‘the necessary processes for the collection, use, disclosure and disposal of personal data’.

Personal data includes names, identity card numbers and contact details.

Managers of buildings or estates must also specify how visitors’ data will be used at the point of collection.

A new Data Protection Commission will investigate complaints of misuse and fine offending parties, with the proposed maximum fine being a hefty $1 million.

Engineer Ngiam Shih Tung said: ‘Retaining identity cards in exchange for visitor passes is a bad practice. Who will be responsible if an identity card is lost?’

Some years ago, he said, his identity card ended up with someone else when soldiers signed out of his army camp.

The Security Industry Regulatory Department, a unit of the Singapore Police Force, does not provide security agencies with guidelines on the retention or scanning of identity cards.

Even after the new data protection law kicks in, this practice of surrendering identity cards to gain entry to premises will still be allowed. But the law will make organisations more accountable for the information they collect.

‘While security officers at buildings, condominiums and other premises are not authorised by the National Registration Regulations to retain a visitor’s IC, it is not illegal for them to do so if the visitor authorises them to hold the IC as a condition for entry or in exchange for a visitor’s pass,’ said a police spokesman.

‘This is a private matter between the parties concerned.’

Building owners and security companies The Sunday Times spoke to said they will review their systems when more details of the new law are available.

Keppel Land – which manages commercial buildings like Ocean Financial Centre, Equity Plaza, Keppel Towers, Bugis Junction Towers and Prudential Tower – makes use of barcode scanning to capture identity card details.

The card is then returned to the visitor. The guards at its buildings also type into a computer the visitor’s name and the location being visited.

‘The information is stored in a system which tracks repeated visits,’ said a Keppel Land spokesman.

Security company Chambers International, which manages about 160 condominiums, does not retain visitors’ identity cards but logs the details in a book. Such books are stored for at least two years.

Its spokesman said it will talk to each condo’s council members to decide what needs to be done when the new law kicks in.

Professor Abu Bakar Munir, an information and communications technology law expert at the University of Malaya’s law faculty, said: ‘People should not be required to give up their ICs just to visit a family in an apartment. A name and mobile number will suffice.’

Source: Straits Times © Singapore Press Holdings Ltd.
