The Malaysia Personal Data Protection Commissioner (Commissioner) has published a proposal paper entitled, “Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010”.
This proposal paper aims to provide guidelines for an individual or organization in the management of CCTV under Personal Data Protection Act 2010 (PDPA). Any comments on the Proposal Paper may be submitted to the Commissioner before the prescribed deadline.
I am of the view that this Proposal Paper is not clear as to what kind of CCTV recording is subject to the PDPA. At the last paragraph of page 2, it states that an individual’s image is subject to PDPA when it is involved in a commercial transaction such as for promotion or sale of products and services either by contract or otherwise. Does this mean that all CCTV recordings at business premises and commercial areas such as banks, shopping centres and supermarkets as well as in offices and airports are subject to the PDPA? If so, how would a data user obtain the “recordable consent” (as required by the Personal Data Protection Regulations 2013) from the individuals who are captured through the CCTV?
My personal view of the use of CCTV and PDPA is that it is not subject to the PDPA if it is used for security purposes and not be used for commercial transaction purposes (e.g. to be sold). It would be impracticable for the data user to obtain the “recordable consent” and provide a Privacy Notice, which is mandated to be in writing, fulfill eight (8) requirements, and in two (2) language, to the individual.
If the Commissioner is keen to apply PDPA on CCTV recordings, it should make some adjustments to the application of the seven (7) principles. For example, no recordable consent is required, no requirement to fully comply with the Notice and Choice Principle but merely provide a notice to say CCTV is in operation etc.
Further view of this Proposal Paper will be address in the Malaysian Bar Council’s Ad Hoc Committee for Personal Data Protection.