Personal Data Protection Act 2010

Compoundable Offences under the Personal Data Protection Act 2010

Certain offences under the Personal Data Protection Act 2010 (PDPA) are compoundable as of 15 March 2016.

Under the Personal Data Protection (Compounding of Offences) Regulations 2016, the following offences are compoundable by making payment to the Commissioner of Personal Data Protection Malaysia:-

Offences under the PDPA

(1) Breach of any of the Personal Data Protection Principles (s. 5(2))
(2) Processing of personal data without the required registration under the PDPA (this is only applicable to certain classes of users) (s. 16(4))
(3) Processing of personal data after registration under the PDPA is revoked by the Personal Data Protection Commissioner (s. 18(4))
(4) Failure to surrender certificate of registration after revocation (s. 19(2))
(5) Failure to make a note on an expression of opinion which is considered as inaccurate, incomplete, misleading or not up-to-date by a person who made a data correction request and using that expression of opinion without the note being drawn to the attention of and being available for inspection by that person (s. 37(4))
(6) Failure to cease processing of personal data upon receipt of withdrawal of consent to process personal data (s. 38(4))
(7) Processing of sensitive personal data without explicit consent (s. 40(3))
(8) Failure to comply with an enforcement notice (s. 108(8))

Offences under the Personal Data Protection Regulations 2013

(1) Failure to obtain consent from a data subject in relation to the processing of personal data in any form that such consent can be recorded and maintained properly by the data user (Reg 3(1))
(2) Failure to develop and implement a security policy or that the security policy implemented does not comply with the security standards set by the Commissioner. Failure to ensure that the security standard in the processing of personal data be complied with by any data processor (Reg 6)
(3) Failure to comply with the retention standards set out by the Commissioner (Reg 7)
(4) Failure to comply with the data integrity standards set out by the Commissioner (Reg 8)

Offences under the Personal Data Protection (Registration of Data User) Regulations 2013

(1) Failure to renew the data user certificate of registration and continuing to process personal data after expiry of the certificate of registration (Reg. 5)
(2) Failure to notify the Commissioner in writing of any change to the particulars in the certificate of registration (Reg 6(5))
(3) Failure to display the certificate of registration and any amendment to the certificate, if any, at a conspicuous place at the principal place of business and a certified copy of the certificate for each branch, where applicable. (Reg 8(3))

Malaysian Personal Data Protection Commissioner publishes draft Codes of Practice

The Malaysian Personal Data Protection Commissioner has published the draft Codes of Practice for the banking and finance industry and also for the communications sector. Members of the public are invited to provide their feedback before 22 September 2015 by sending their comments to:-

KERTAS KONSULTANSI AWAM (KTA) BIL. 2/2015 / KERTAS KONSULTANSI AWAM (KTA) BIL. 3/2015 (Delete the necessary)
Aras 6, Kompleks KKMM, Lot 4G9,
Jabatan Perlindungan Data Peribadi
Kementerian Komunikasi dan Multimedia Malaysia
Persiaran Perdana, Presint 4,
Pusat Pentadbiran Kerajaan Persekutuan,
62100 Putrajaya.

or email or fax to kmohan@pdp.gov.my and 603-89117959 respectively.

Public Consultation Paper No. 1/2015: PROPOSED STANDARD PERSONAL DATA PROTECTION  

On 1 July 2015, the Personal Data Protection Commissioner published the Public Consultation Paper No. 1/2015. This consultation paper is intended to solicit feedback from data users and data subjects relating to their understanding of personal data protection.

In order to make the Standard for Personal Data Protection a reliable reference document, the Commissioner will merge three standards, namely the Safety Standard, Storage Standard and Data Integrity Standard, into one document.
  
According to the Commissioner, this step is in accordance with the requirements of the Personal Data Protection Regulations 2013 and the Personal Data Protection Act 2010. The feedback received through this public consultation paper will be analyzed and the results of this analysis will be used in the preparation of the final draft standard. The final draft will be presented to the 11 classes of data users before being registered by the Commissioner.

The feedback can be downloaded here (in Malay) and here (in English)

Source: www.pdp.gov.my

List of Data User Forums in Malaysia

The Personal Data Protection Commissioner has appointed the following associations as data user forums for the following sectors:-

1. Institut Akauntan Malaysia for the accounting and audit sectors;
2. Persatuan Jualan Langsung Malaysia for the direct selling sector;
3. Persatuan Bank-bank Dalam Malaysia for the banking and financial sectors;
4. Institut Jurutera Malaysia for the engineering services sector;
5. Institut Insurans Hayat Malaysia for the insurance sector;
6. Pertubuhan Akitek Malaysia for the architecture sector;
7. Maxis Berhad for the telecommunications sector;
8. Persatuan Hotel Malaysia for the travel and hospitality sector;
9. Majlis Peguam, Persatuan Undang-Undang Sabah and Persatuan Peguambela Sarawak for the legal sector.

Last updated: 1 April 2015

Source: Personal Data Protection Department Registration Unit.

Survey Relating to Compounding Regulations

The Malaysia Personal Data Protection Commissioner Office wishes to enforce compounding regulations pursuant to the Personal Data Protection Act 2010. They have now issued a survey for the members of the public and organisations.

Any response to the survey should be submitted before 14 November 2014. For more details, go to www.pdp.gov.my

Download: Survey Form (in Malay language only)

Retirement of Haji Abu Hassan Ismail

With the retirement of Haji Abu Hassan Ismail as the Director General of the Personal Data Protection Department, Encik Mazmalek bin Mohamad has been appointed as the new Director General of the Personal Data Protection Department effective from 1st October 2014.

Malaysian Bar releases feedback to Personal Data Protection Commissioner’s Proposal Papers

At the behest of the Malaysian Bar Ad Hoc Committee for the Personal Data Protection Act, the Malaysian Bar has published the feedback of the Ad Hoc Committee on Personal Data Protection on the following proposal papers of the Personal Data Protection Commissioner:

1) Guideline on Compliance of Personal Data Protection Act 2010;
2) Guide on the Management of Employee Act Data under Personal Data Protection Act 2010;
3) Advisory Guideline related to Consent requirement under the Personal Data Protection Act 2010; and
4) Guide on Management of CCTV under Personal Data Protection Act 2010.

Download the feedback.

Bread & Kaya: Cyberstalking, harassment … and road rage

Foong Cheng Leong
Jul 17, 2014

– No specific Malaysian law that criminalises stalking or harassment
– Singapore has enacted such laws, and Malaysia should follow suit

THE recent case of a blogger complaining that she had been harassed and stalked by a fan got me thinking about the law in Malaysia with regards to stalking and harassment.

I think this would depend on the acts of the stalker. There is no specific Malaysian law that criminalises stalking and harassment, but there are provisions of law that prohibit certain actions that border on stalking and harassment.

For example:

– Hacking into someone’s computer or mobile device or online account, or installing any trojan or tracking device is a crime under the Computer Crimes Act 1997;
– Sending messages threatening to harm a person – depending on the content, this may amount to a criminal offence under the Communications and Multimedia Act 1998 or Section 503 of the Penal Code (criminal intimidation); and
– Breaking into someone’s home amounts to trespass (installing a closed-circuit TV as in the Nasha Aziz case).

There are many forms of stalking and harassment. I’ve heard of cases where a person would call someone numerous times a day – and in some such cases, keeping silent or even making heavy breathing sounds.

Other cases include following a person from time to time; loitering outside a person’s home (which is a public venue, for example a road); downloading someone’s picture off Facebook and publishing it on blogs or online forums with degrading messages; and even frequently posting annoying or insulting comments on a person’s Facebook page, blog or Instagram account.

A police report would be useful to ward off these people but not all reports will be acted on. Sometimes no threat is made, and there’s ‘only’ persistent annoyance.

One blogger showed me some persistent emails from an alleged stalker, who also contacted the blogger through phone calls and SMS.

However, the nature of the contact was not a threat but merely invitations to go out, despite the fact that the blogger had expressly asked him to stop contacting her. Such contact would stop for a short period, but return thereafter.

One email from the alleged stalker was just a reproduction of chat messages between the alleged stalker and his friend.

A police report was made but the police could not take any action as there was no threat involved.

In such cases, I think that the police should take proactive action by contacting the alleged stalker and warning him against pursuing the matter further. A lawyer’s letter of demand may be useful too.

If all else fails, a restraining order may be obtained from the courts.

The victims are not only women. Vancouver teacher Lee David Clayworth was ‘cyberstalked’ by his Malaysian ex-girlfriend. She posted nude pictures of him and labelled him all sorts of names, according to a CNET report.

A warrant of arrest was issued in Malaysia against his ex-girlfriend but she had reportedly left the country.

Many victims suffer in silence. They try to ignore their stalkers and hope that they go away. Sometimes this works, sometimes it does not.

It is noted that s. 233 of the Communications and Multimedia Act 1998 criminalises harassment, but such harassment must be in the form of electronic harassment which is obscene, indecent, false, menacing or offensive in character.

Our Parliament should introduce a new law to criminalise stalking and harassment. Singapore recently introduced the Protection from Harassment Bill 2014. This new law will provide protection from harassment and anti-social behaviour, such as stalking, through a range of civil remedies and criminal sanctions.

It’s time for our Parliament to look into this before it’s too late.

Regarding the recent Kuantan road rage case, I was asked whether doxing or document tracing by netizens amounts to harassment.

From what I read, some netizens had posted her name, company name and pictures on the Internet, created Facebook pages about her, and also created all sorts of memes featuring her. Some even started bombarding her mobile phone with SMSes and left numerous comments on her company’s Facebook page.

As mentioned, we have no specific law to govern harassment, thus it is difficult to determine whether such acts amount to harassment without a legal definition here.

In my personal opinion, I think there is nothing wrong in exposing the identity of the driver to the public. The lady had posted her own personal information online, thus there is no expectation of privacy with respect to that posted information.

The Personal Data Protection Act 2010 only applies to commercial transactions. But the extraction of her personal information through her licence plate number may be an issue if someone had unlawfully extracted it from a company’s database.

Some messages that were posted may also be subject to the Communications and Multimedia Act 1998 provisions on criminal defamation. Tracking her home address and taking photographs of it may be considered a form of harassment.

She also has rights (that is, copyright) to the pictures that she has taken (selfies especially), but she will not have rights to her modelling pictures if those were taken by a photographer – in that case, the photographer usually has rights to the photographs.



First published on Digital News Asia on 17 July 2014.

[No. 5/2014] Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010

The Malaysia Personal Data Protection Commissioner (Commissioner) has published a proposal paper entitled, “Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010”.

This proposal paper aims to provide guidelines for an individual or organization in the management of CCTV under Personal Data Protection Act 2010 (PDPA). Any comments on the Proposal Paper may be submitted to the Commissioner before the prescribed deadline.

I am of the view that this Proposal Paper is not clear as to what kind of CCTV recording is subject to the PDPA. At the last paragraph of page 2, it states that an individual’s image is subject to PDPA when it is involved in a commercial transaction such as for promotion or sale of products and services either by contract or otherwise. Does this mean that all CCTV recordings at business premises and commercial areas such as banks, shopping centres and supermarkets as well as in offices and airports are subject to the PDPA? If so, how would a data user obtain the “recordable consent” (as required by the Personal Data Protection Regulations 2013) from the individuals who are captured through the CCTV?

My personal view of the use of CCTV and PDPA is that it is not subject to the PDPA if it is used for security purposes and not used for commercial transaction purposes (e.g. to be sold). It would be impracticable for the data user to obtain the “recordable consent” and provide a Privacy Notice, which is mandated to be in writing, fulfil eight (8) requirements, and be in two (2) languages, to the individual.

If the Commissioner is keen to apply PDPA on CCTV recordings, it should make some adjustments to the application of the seven (7) principles. For example, no recordable consent is required, no requirement to fully comply with the Notice and Choice Principle but merely provide a notice to say CCTV is in operation etc.

Further views on this Proposal Paper will be addressed in the Malaysian Bar Council’s Ad Hoc Committee for Personal Data Protection.

Download: Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010
