Personal Data Protection Act 2010

BFM Podcast: LANDMARK #22: WHAT HAPPENS WHEN OUR PERSONAL DATA IS LEAKED

Late last year, it was reported that the private data of 46.2 million mobile phone subscribers were leaked sometime in the middle of 2014. All 14 telcos were affected in what is Malaysia’s biggest ever data breach. Explaining what this means for you and me is lawyer Foong Cheng Leong. He chairs the KL Bar’s Information Technology and Publications Committee.

CCTVs in cinema are legal, but…

I was quoted in an article entitled “CCTVs in cinema are legal, but…” in the Free Malaysia Today news portal on 21 March 2017. It was reported that Kuala Terengganu finally has its first cinema in 20 years. However, CCTV cameras are installed in each of the cinema halls. The cameras will broadcast the footage from the halls live on a big screen placed at the cinema’s lobby.

The relevant extract from my statement is as follows:-

PETALING JAYA: If you’re a cinema owner and you’re subjecting your patrons to CCTV monitoring, you must get their consent before publicly displaying the footage.

Otherwise, you would run afoul of the Personal Data Protection Act (PDPA), said lawyer Foong Cheng Leong in a comment on Lotus Five Star’s decision to monitor activities in the viewing hall of its cinema in Kuala Terengganu.
He said the monitoring was legal but the public display of footage required the consent of those affected.
“As long as people who go to the cinema know that they will be recorded and the recording will be publicly displayed, and they show agreement to this condition by buying tickets, then it’s okay,” he told FMT.

He said the PDPA required a privacy notice to be published to tell moviegoers how the CCTV footage would be used.

Compoundable Offences under the Personal Data Protection Act 2010

Certain offences under the Personal Data Protection Act 2010 (PDPA) are compoundable as of 15 March 2016.

Under the Personal Data Protection (Compounding of Offences) Regulations 2016, the following offences are compoundable by making payment to the Commissioner of Personal Data Protection Malaysia:-

Offences under the PDPA

(1) Breach of any of the Personal Data Protection Principles (s. 5(2))
(2) Processing of personal data without the required registration under PDPA (this is only applicable to certain classes of users) (s. 16(4))
(3) Processing of personal data after registration under the PDPA is revoked by the Personal Data Protection Commissioner (s. 18(4))
(4) Failure to surrender certificate of registration after revocation (s. 19(2))
(5) Failure to make a note on an expression of opinion which is considered as inaccurate, incomplete, misleading or not up-to-date by a person who made a data correction request and using that expression of opinion without the note being drawn to the attention of and being available for inspection by that person (s. 37(4))
(6) Failure to cease processing of personal data upon receipt of withdrawal of consent to process personal data (s. 38(4))
(7) Processing of sensitive personal data without explicit consent (s. 40(3))
(8) Failure to comply with an enforcement notice (s. 108(8))

Offences under the Personal Data Protection Regulations 2013

(1) Failure to obtain consent from a data subject in relation to the processing of personal data in any form that such consent can be recorded and maintained properly by the data user (Reg 3(1))
(2) Failure to develop and implement a security policy or that the security policy implemented does not comply with the security standards set by the Commissioner. Failure to ensure that the security standard in the processing of personal data be complied with by any data processor (Reg 6)
(3) Failure to comply with the retention standards set out by the Commissioner (Reg 7)
(4) Failure to comply with the data integrity standards set out by the Commissioner (Reg 8)

Offences under the Personal Data Protection (Registration of Data User) Regulations 2013

(1) Failure to renew the data user certificate of registration and continuing to process personal data after expiry of the certificate of registration (Reg. 5)
(2) Failure to notify the Commissioner in writing of any change to the particulars in the certificate of registration (Reg 6(5))
(3) Failure to display the certificate of registration and any amendment to the certificate, if any, at a conspicuous place at the principal place of business and a certified copy of the certificate for each branch, where applicable. (Reg 8(3))

Malaysian Personal Data Protection Commissioner publishes draft Codes of Practice

The Malaysian Personal Data Protection Commissioner has published the draft Codes of Practice for the banking and finance industry and also for the communications sector. Members of the public are invited to provide their feedback before 22 September 2015 by sending their comments to:-

KERTAS KONSULTANSI AWAM (KTA) BIL. 2/2015 / KERTAS KONSULTANSI AWAM (KTA) BIL. 3/2015 (Delete the necessary)
Aras 6, Kompleks KKMM, Lot 4G9,
Jabatan Perlindungan Data Peribadi
Kementerian Komunikasi dan Multimedia Malaysia
Persiaran Perdana, Presint 4,
Pusat Pentadbiran Kerajaan Persekutuan,
62100 Putrajaya.

or email or fax to kmohan@pdp.gov.my and 603-89117959 respectively.

Public Consultation Paper No. 1/2015: PROPOSED STANDARD PERSONAL DATA PROTECTION  

On 1 July 2015, the Personal Data Protection Commissioner published the Public Consultation Paper No. 1/2015. This consultation paper is intended to solicit feedback from data users and data subjects relating to their understanding of personal data protection.

In order to make the Standard for Personal Data Protection a reliable reference document, the Commissioner will merge three standards, namely the Safety Standard, Storage Standard and Data Integrity Standard, into one document.
  
According to the Commissioner, this step is in accordance with the requirements of the Personal Data Protection Regulations 2013 and the Personal Data Protection Act 2010. The feedback received through this public consultation paper will be analyzed and the results of this analysis will be used in the preparation of the final draft standard. The final draft will be presented to the 11 classes of data users before being registered by the Commissioner.

The feedback can be downloaded here (in Malay) and here (in English)

Source: www.pdp.gov.my

List of Data User Forums in Malaysia

The Personal Data Protection Commissioner has appointed the following associations as data user forums for the following sectors:-

1. Institut Akauntan Malaysia for the accounting and audit sectors;
2. Persatuan Jualan Langsung Malaysia for the direct selling sector;
3. Persatuan Bank-bank Dalam Malaysia for the banking and financial sectors;
4. Institut Jurutera Malaysia for the engineering services sector;
5. Institut Insurans Hayat Malaysia for the insurance sector;
6. Pertubuhan Akitek Malaysia for the architecture sector;
7. Maxis Berhad for the telecommunications sector;
8. Persatuan Hotel Malaysia for the travel and hospitality sector;
9. Majlis Peguam, Persatuan Undang-Undang Sabah and Persatuan Peguambela Sarawak for the legal sector.

Last updated: 1 April 2015

Source: Personal Data Protection Department Registration Unit.

Survey Relating to Compounding Regulations

The Malaysia Personal Data Protection Commissioner Office wishes to enforce compounding regulations pursuant to the Personal Data Protection Act 2010. They have now issued a survey for the members of the public and organisations.

Any response to the survey should be submitted before 14 November 2014. For more details, go to www.pdp.gov.my

Download: Survey Form (in Malay language only)

Retirement of Haji Abu Hassan Ismail

With the retirement of Haji Abu Hassan Ismail as the Director General of the Personal Data Protection Department, Encik Mazmalek bin Mohamad has been appointed as the new Director General of the Personal Data Protection Department effective from 1st October 2014.

Malaysian Bar releases feedback to Personal Data Protection Commissioner’s Proposal Papers

At the behest of the Malaysian Bar Ad Hoc Committee for the Personal Data Protection Act, the Malaysian Bar has published the feedback by the Ad Hoc Committee on Personal Data Protection to the following proposal papers of the Personal Data Protection Commissioner:

1) Guideline on Compliance of Personal Data Protection Act 2010;
2) Guide on the Management of Employee Act Data under Personal Data Protection Act 2010;
3) Advisory Guideline related to Consent requirement under the Personal Data Protection Act 2010; and
4) Guide on Management of CCTV under Personal Data Protection Act 2010.

Download the feedback.
