Personal Data Protection Act 2010

Bread & Kaya: Cyberstalking, harassment … and road rage

Foong Cheng Leong
Jul 17, 2014

– No specific Malaysian law that criminalises stalking or harassment
– Singapore has enacted such laws, and Malaysia should follow suit

THE recent case of a blogger complaining that she had been harassed and stalked by a fan got me thinking about the law in Malaysia with regard to stalking and harassment.

I think this would depend on the acts of the stalker. There is no specific Malaysian law that criminalises stalking and harassment, but there are provisions of law that prohibit certain actions that border on stalking and harassment.

For example:

– Hacking into someone’s computer or mobile device or online account, or installing any trojan or tracking device is a crime under the Computer Crimes Act 1997;
– Sending messages threatening to harm a person – depending on the content, this may amount to a criminal offence under the Communications and Multimedia Act 1998 or Section 503 of the Penal Code (criminal intimidation); and
– Breaking into someone’s home amounts to trespass (installing a closed-circuit TV as in the Nasha Aziz case).

There are many forms of stalking and harassment. I’ve heard of cases where a person would call someone numerous times a day – and in some such cases, keeping silent or even making heavy breathing sounds.

Other cases include following a person from time to time; loitering outside a person’s home (which is a public venue, for example a road); downloading someone’s picture off Facebook and publishing it on blogs or online forums with degrading messages; and even frequently posting annoying or insulting comments on a person’s Facebook page, blog or Instagram account.

A police report would be useful to ward off these people but not all reports will be acted on. Sometimes no threat is made, and there’s ‘only’ persistent annoyance.

One blogger showed me some persistent emails from an alleged stalker, who also contacted the blogger through phone calls and SMS.

However, the nature of the contact was not a threat but merely invitations to go out, despite the fact that the blogger had expressly asked him to stop contacting her. Such contact would stop for a short period, but return thereafter.

One email from the alleged stalker was just a reproduction of chat messages between the alleged stalker and his friend.

A police report was made but the police could not take any action as there was no threat involved.

In such cases, I think that the police should take proactive action by contacting the alleged stalker and warning him against pursuing the matter further. A lawyer’s letter of demand may be useful too.

If all else fails, a restraining order may be obtained from the courts.

The victims are not only women. Vancouver teacher Lee David Clayworth was ‘cyberstalked’ by his Malaysian ex-girlfriend. She posted nude pictures of him and labelled him all sorts of names, according to a CNET report.

A warrant of arrest was issued in Malaysia against his ex-girlfriend but she had reportedly left the country.

Many victims suffer in silence. They try to ignore their stalkers and hope that they go away. Sometimes this works, sometimes it does not.

It is noted that s. 233 of the Communications and Multimedia Act 1998 criminalises harassment, but such harassment must be in the form of electronic harassment which is obscene, indecent, false, menacing or offensive in character.

Our Parliament should introduce a new law to criminalise stalking and harassment. Singapore recently introduced the Protection from Harassment Bill 2014. This new law will provide protection from harassment and anti-social behaviour, such as stalking, through a range of civil remedies and criminal sanctions.

It’s time for our Parliament to look into this before it’s too late.

Regarding the recent Kuantan road rage case, I was asked whether doxing or document tracing by netizens amounts to harassment.

From what I read, some netizens had posted her name, company name and pictures on the Internet, created Facebook pages about her, and also created all sorts of memes featuring her. Some even started bombarding her mobile phone with SMSes and left numerous comments on her company’s Facebook page.

As mentioned, we have no specific law to govern harassment, thus it is difficult to determine whether such acts amount to harassment without a legal definition here.

In my personal opinion, I think there is nothing wrong in exposing the identity of the driver to the public. The lady had posted her own personal information online, thus there is no expectation of privacy with respect to that posted information.

The Personal Data Protection Act 2010 only applies to commercial transactions. But the extraction of her personal information through her licence plate number may be an issue if someone had unlawfully extracted it from a company’s database.

Some messages that were posted may also be subject to the Communications and Multimedia Act 1998 provisions on criminal defamation. Tracking her home address and taking photographs of it may be considered a form of harassment.

She also has rights (that is, copyright) to the pictures that she has taken (selfies especially), but she will not have rights to her modelling pictures if those were taken by a photographer – in that case, the photographer usually has rights to the photographs.



First published on Digital News Asia on 17 July 2014.

[No. 5/2014] Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010

The Malaysia Personal Data Protection Commissioner (Commissioner) has published a proposal paper entitled, “Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010”.

This proposal paper aims to provide guidelines for an individual or organization in the management of CCTV under Personal Data Protection Act 2010 (PDPA). Any comments on the Proposal Paper may be submitted to the Commissioner before the prescribed deadline.

I am of the view that this Proposal Paper is not clear as to what kind of CCTV recording is subject to the PDPA. At the last paragraph of page 2, it states that an individual’s image is subject to PDPA when it is involved in a commercial transaction such as for promotion or sale of products and services either by contract or otherwise. Does this mean that all CCTV recordings at business premises and commercial areas such as banks, shopping centres and supermarkets as well as in offices and airports are subject to the PDPA? If so, how would a data user obtain the “recordable consent” (as required by the Personal Data Protection Regulations 2013) from the individuals who are captured through the CCTV?

My personal view of the use of CCTV and PDPA is that it is not subject to the PDPA if it is used for security purposes and is not used for commercial transaction purposes (e.g. to be sold). It would be impracticable for the data user to obtain the “recordable consent” and provide a Privacy Notice, which is mandated to be in writing, fulfil eight (8) requirements, and be in two (2) languages, to the individual.

If the Commissioner is keen to apply PDPA on CCTV recordings, it should make some adjustments to the application of the seven (7) principles. For example, no recordable consent is required, no requirement to fully comply with the Notice and Choice Principle but merely provide a notice to say CCTV is in operation etc.

Further views on this Proposal Paper will be addressed in the Malaysian Bar Council’s Ad Hoc Committee for Personal Data Protection.

Download: Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010

Leveraging Big Data

I was quoted in the May 2014 issue of Personal Money.


Written by Emily Chow and Sarah Voon of The Edge Malaysia
Friday, 16 May 2014 00:00

UPLOADING photos on Facebook; making an ATM transaction; operating a machine in a factory; making a call from a handphone. On the surface, these activities do not seem to have much in common. But they all contribute to the accruement of big data.

Everything and anything that is, and has ever been, linked up to the digital realm constitute big data. Big data analysis is what many businesses are doing today to enhance their business process.

“Big data isn’t so much the content or amount of the data, but [data on] who is contributing towards it and how often,” says Queenie Wong, head of data management at SAS Institute in Malaysia. The international company is a leader in business analytics software and services, and helps organisations turn large amounts of collected data into information they can use.

“[Companies] have been capturing this information, but it’s expensive to store. Most of the time, you just store and archive it. But with the new trend of big data analytics, how do you capture it [in a meaningful way] to get ahead of the competition and differentiate yourself?”

According to Wong, big data analysis has existed for some time and is being used especially by banks and telecommunications companies. The term was coined and came under the spotlight relatively recently, and businesses are starting to use it in making decisions and maintaining customer relationships.

“When you deal with consumers in today’s business world, it’s not about high value anymore. As a business, I don’t want you to spend thousands or millions of dollars [per transaction]; I’d want you to spend multiple [transactions worth] hundreds of dollars, that add up to more than the [initial] thousand that you might have spent,” she says, emphasising customer loyalty. “It’s easy to acquire customers, but it’s difficult to keep them and make them happy.”

Big data analysis helps in target marketing: Gone are the days of cold-calling and salesmen going door to door to sell their products. Today, a company can anticipate a customer’s need by studying his previous purchases or activities.

“For example, when a bank calls you offering loans and insurance, it isn’t a targeted offer because they don’t know if you’re an existing customer or not, or whether you own any other product in particular,” Wong explains.

“It’s just an outbound call, making it expensive, and it’s only effective if it gets to the right person [who needs a loan]. The company also wants to make sure that within the first minute of the conversation, the customer wants to hear what it has to say.

“But with big data, we can comprehend the way customers use your service,” she continues. “If you are at a car sales online portal, the bank would want to give you relevant information on car loans [on the website itself]. Say, a customer uses an app on a mobile phone service to buy a train ticket. The information is captured when the ticket is purchased, so the next natural thing to do is to offer hotel stays, which the customer will appreciate. Big data is about anticipating the customer’s next move. It might not be of high value, but it’s very targeted.”

Examples of big data a bank would examine include customers’ ATM transactions and banking details. For a telecommunications company, it would be the way customers use their phones.

Unfortunately, this flood of information can be overwhelming, so companies need to know how to make use of it.

“Every time I make a call, send a message or access broadband, this information is being captured by the telco,” Wong says. “It’s a big dump of information, so businesses need to know what is relevant to them. Data will be used differently based on the maturity level of the companies.”

Such data can also add value to customer interactions.

“Banks have been analysing customer behaviour through credit cards [usage] and are able to detect fraud by notifying customers [of charges made] through text message,” adds Wong.

“But they can do more than this. If you’re travelling overseas and charge something to your card, data will be captured [regarding] your location. Instead of just sending customers a message verifying that they have just charged their card, banks can bring added value by telling them what promotions are [available] nearby if they use their credit cards there.”

Ballooning industry

As big data analysis grows in popularity, or even by necessity, it is predicted that businesses will direct significantly larger sums of resources towards big data analytic tools and solutions. According to the International Data Corporation (IDC) Predictions 2014 report, worldwide spending in this area is likely to increase by 30% this year, exceeding US$14 billion.

“The potential of deriving valuable insights and real-time decision-making from this data avalanche will drive massive investments and create new data-centred analytics and content services,” says the report. In Malaysia, the big data market is expected to reach US$24.2 million (RM46 million) this year.

“Malaysia is moving towards capturing more data — it is starting to recognise the people, process and technology,” observes Wong. “We see an increase in customers asking us to analyse and digest information. Big data isn’t a big bang thing; it is a journey for a business’ internal growth.”

For leading banks in the region, which may already have insight into what customers want through cross-channel banking transactional behaviour analysis, big data allows for increased targeting precision by extending their view of customer behaviour.

“This includes website activity, social engagement, contact centre voice interactions, and location data,” says Donald MacDonald, head of group customer analytics and decisioning at OCBC Bank Singapore.

“New technologies also enable us to react to this data faster than before — in some cases, in real-time — so we can directly engage customers with messages based on where they are and what they are doing right now.”

Apart from customer service and consumer sentiment, OCBC uses big data analytics in marketing analytics, fraud detection, credit quality optimisation and financial forecasting. The bank has spent over S$100 million (RM259 million) on data analytics since 2004, with investments on integrating data from multiple sources to one source, and on tools for analysis.

“Through the use of data analytics, we are able to significantly raise the quantity and targeting sophistication of our marketing activity. We can directly quantify the success of our marketing campaigns by monitoring customers’ individual behaviour to understand who responded to our offers, and then attribute a financial result to each contact,” shares MacDonald.

“Two major [big data] trends we’re focusing on now are speed to insight and contextual awareness.”

Speed to insight refers to the bank leveraging on “data-in-motion”, or data captured when direct interaction occurs with a customer. As this data is put into the bank’s system, its analytical engine updates the bank’s existing knowledge of the customer, and is able to recommend the most relevant products or services in real-time.

“Contextual awareness refers to leveraging additional information on the customers’ current circumstances to improve the relevance of our communications,” MacDonald says. For instance, OCBC could use big data to locate where a customer is, and then recommend merchants based on his preference as well as current location.

“Another example is leveraging voice logs within our contact centre to identify factors such as the increasing frustration of a customer on the line, which might be missed by a staff member,” he continues. “These factors enrich our existing view of the customer… ensuring that our sales and service offers are more targeted and relevant to each individual’s current situation.”

CIMB Group is another bank that leverages on big data initiatives to increase customer satisfaction, and appeal to their needs and lifestyle. The bank, for example, links customers’ Facebook data with its internal data to provide targeted offers to credit and debit cardholders.

“As a result, we discovered that there is an 80% correlation between merchants that customers ‘like’ on Facebook and our existing transaction data of merchants with whom they charge their cards,” says Iswaraan Suppiah, group chief information and operations officer, CIMB Group.

“Additionally, we have noted that banks in other countries are using big data techniques to reduce fraud incidents, or even use social network analysis to determine the creditworthiness of borrowers.”

According to CIMB, big data can also grow revenues faster by better matching its offers to customers’ needs.

“[This is] to the extent of designing better products and services that are directly relevant to various customer segments. Instead of using a traditional marketing campaign targeted at hundreds of thousands of customers and getting a 2% conversion rate, we can now target 30,000 customers and get a 50% conversion rate,” says Iswaraan.

“By using big data to really get to know and understand our customers, we can cut down on unnecessary ‘marketing’ and have real conversations about real customer challenges that will lead to benefits on both sides.”

Privacy protection and consumer rights

From a social perspective, big data could also benefit the public sector when used by the government, albeit allowing surveillance with an Orwellian touch. Authorities worldwide have been using such information in policy design and logistics planning, and to monitor crime and public security.

In Malaysia, however, data collected by companies cannot be sold or shared with a third party without the subject’s consent, as stated in the Personal Data Protection Act 2010 (PDPA).

Other laws such as the Communications and Multimedia Act 1998, the Computer Crimes Act 1997, and the Penal Code also ensure that collected data must only be used for the original purpose it was lawfully obtained for. This means customers should have willingly imparted their data to companies, with their knowledge.

“It’s fine for a person to use big data for business marketing research purposes, provided the data was acquired lawfully,” says Foong Cheng Leong, a lawyer at Foong Cheng Leong & Co, who specialises in cyberdata cases.

“There are many cases where data is purchased without the knowledge of the subjects within the data,” says Foong. In this case, the subject may exercise his right and file a complaint against the company or person that has been selling the information. Complaints can be made with the Personal Data Protection Commissioner.

“The information includes personal data, such as your name, identity card number, email address, images, your address, and so on, [used] in a commercial transaction,” he says, adding that this is all covered under the PDPA.

However, before a subject exercises his right, he should always read the privacy notices or policies provided by businesses explaining how they will use his data, Foong advises. A company is obliged to disclose how it uses personal data in a privacy notice or policy. This is also to enable the consumer to make informed decisions when sharing information requested by the company.

“With PDPA in force, consumers have a say in how their data is to be treated. They can even control the amount of data being flown out of a company.”

According to Foong, however, there are some cases of companies disclosing certain information necessary to deliver their services to the subject. For example, a telecommunications company may pass its customer’s data to a subcontractor. “[This is in the event] that the subcontractor needs to perform certain services. However, before a company [shares the data, it will make sure that the customer’s] personal data will be kept securely.”

This should also be disclosed to subjects during the time of data collection. Anything beyond what is stipulated in the initial privacy policy that is shared to subcontractors or other third-party services is considered illegal.

Foong says the only way to secure one’s personal data is to only use trusted service providers. Apart from that, he also advises that one should maintain a separate email to sign up for goods or services.

“Make sure you have strong passwords, and do not reuse passwords for different platforms. Phishing is common nowadays. Any email that goes into your junk or spam folders should be read with caution. It is unlikely to be true. Fake calls from unknown parties are also common. Many such callers ask for personal details on the pretext that someone is misusing your data.”

Otherwise, Foong believes that there should not be much to worry about. If users continue to take precautionary measures to protect their data privacy, they should not fear sharing their information online.

However, as an urban population moves towards a technologically driven lifestyle, rapidly expanding digital footprints are inevitable. From SAS Institute’s perspective, a company that chooses to use big data and its analytics has to make it relevant to its customers.

“If you want to use big data and big data analytics, whatever you give back to your customer must be relevant,” Wong says.

“Companies are very cautious with the kind of information they have and I think now with guidelines from Bank Negara Malaysia and the Malaysian Communications and Multimedia Commission, there are clear lines on what you can and cannot do. [Sometimes] there is a grey area, because that has to do with the company’s obligation to the customer and the public. The company then has to decide how they want to address that.”

This article was first published in the May 2014 issue of Personal Money — a personal finance magazine published by The Edge Communications.

Proposal Paper – Advisory Guideline Related to Consent Required under the Personal Data Protection Act 2010

The Malaysia Personal Data Protection Commissioner (Commissioner) has published a proposal paper entitled, “Advisory Guideline Related to Consent Required under the Personal Data Protection Act 2010”.

This proposal paper discusses the requirements of “consent” under the Personal Data Protection Act 2010. Any comments on the Proposal Paper may be submitted to the Commissioner before the prescribed deadline.

Download: Proposal Paper – Advisory Guideline Related to Consent Required under the Personal Data Protection Act 2010.pdf

Proposal Papers – Guideline on Compliance for Personal Data Protection Act and Guide on the Management of Employee Data Under Personal Data Protection Act (PDPA) 2010

The Malaysia Personal Data Protection Commissioner (Commissioner) has published two (2) proposal papers namely:-

(1) Guideline on Compliance for Personal Data Protection Act [No 2/2013]; and

(2) Guide on the Management of Employee Data Under Personal Data Protection Act (PDPA) 2010 [No 3/2013].

The Proposal Paper No 2/2014 sets out the proposed steps to be taken to comply with the Personal Data Protection Act 2010 (PDPA) whereas the Proposal Paper No 3/2014 confirms that the employer-employee relationship is governed by the PDPA. Any comments on the Proposal Paper may be submitted to the Commissioner before the prescribed deadline. Copies of the proposal papers are enclosed.

Further, the Commissioner has also uploaded a complaint form on the Commissioner’s website. Data subjects may now file complaints to the Commissioner directly.

Guide in Dealing with Direct Marketing under Personal Data Protection Act (PDPA) 2010

The Personal Data Protection Commissioner has issued the Proposal Paper [No. 1/2014] – Guide in Dealing with Direct Marketing under Personal Data Protection Act (PDPA) 2010. The Commissioner has invited feedback and opinion in respect of the matters raised in the Proposal Paper, which shall be submitted before 20 February 2014.

Download: Proposal Paper

Enforcement of the Personal Data Protection Act 2010

It is official. The Malaysian Personal Data Protection Act 2010 (“PDPA”) will be in force on 15 November 2013. As expected, Tuan Abu Hassan bin Ismail is appointed as the Personal Data Protection Commissioner with effect from 15 November 2013.

Data users now have 3 months to comply with the PDPA in respect of personal data processed before 15 November 2013, and must comply immediately with the PDPA for personal data collected from 15 November 2013.

The enforcement of the PDPA also introduced four (4) new subsidiary legislations namely:-

1. Personal Data Protection (Fees) Regulations 2013;
2. Personal Data Protection (Registration of Data User) Regulations 2013;
3. Personal Data Protection (Class of Data Users) Order 2013; and
4. Personal Data Protection Regulations 2013.

For your easy reading, I have summarised the new regulations below.

Registration of Class of Data Users

The new regulations require certain classes of data users to register with the Personal Data Protection Commissioner. They are:-

1. Communications
(a) A licensee under the Communications and Multimedia Act 1998 [Act 588].
(b) A licensee under the Postal Services Act 2012 [Act 741].

2. Banking and financial institution
(a) A licensed bank and licensed investment bank under the Financial Services Act 2013 [Act 758].
(b) A licensed Islamic bank and licensed international Islamic bank under the Islamic Financial Services Act 2013 [Act 759].
(c) A development financial institution under the Development Financial Institution Act 2002 [Act 618].

3. Insurance
(a) A licensed insurer under the Financial Services Act 2013.
(b) A licensed takaful operator under the Islamic Financial Services Act 2013.
(c) A licensed international takaful operator under the Islamic Financial Services Act 2013.

4. Health
(a) A licensee under the Private Healthcare Facilities and Services Act 1998 [Act 586].
(b) A holder of the certificate of registration of a private medical clinic or a private dental clinic under the Private Healthcare Facilities and Services Act 1998.
(c) A body corporate registered under the Registration of Pharmacists Act 1951 [Act 371].

5. Tourism and hospitalities
(a) A licensed person who carries on or operates a tourism training institution, licensed tour operator, licensed travel agent or licensed tourist guide under the Tourism Industry Act 1992 [Act 482].
(b) A person who carries on or operates a registered tourist accommodation premises under the Tourism Industry Act 1992.

6. Transportation
(a) Malaysian Airlines System (MAS).
(b) Air Asia.
(c) MAS Wings.
(d) Air Asia X.
(e) Firefly.
(f) Berjaya Air.
(g) Malindo Air.

7. Education
(a) A private higher educational institution registered under the Private Higher Educational Institutions Act 1996 [Act 555].
(b) A private school or private educational institution registered under the Education Act 1996 [Act 550].

8. Direct selling
A licensee under the Direct Sales and Anti-Pyramid Scheme Act 1993 [Act 500].

9. Services
(a) A company registered under the Companies Act 1965 [Act 125] or a person who entered into partnership under the Partnership Act 1961 [Act 135] carrying on business as follows:
(i) legal;
(ii) audit;
(iii) accountancy;
(iv) engineering; or
(v) architecture.

(b) A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who conducts retail dealing and wholesale dealing as defined under the Control Supplies Act 1961 [Act 122].
(c) A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who carries on the business of a private employment agency under the Private Employment Agencies Act 1981 [Act 246].

10. Real estate
(a) A licensed housing developer under the Housing Development (Control and Licensing) Act 1966 [Act 118].
(b) A licensed housing developer under the Housing Development (Control and Licensing) Enactment 1978, Sabah.
(c) A licensed housing developer under the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak.

11. Utilities
(a) Tenaga Nasional Berhad.
(b) Sabah Electricity Sdn. Bhd.
(c) Sarawak Electricity Supply Corporation.
(d) SAJ Holding Sdn. Bhd.
(e) Air Kelantan Sdn. Bhd.
(f) LAKU Management Sdn. Bhd.
(g) Perbadanan Bekalan Air Pulau Pinang Sdn. Bhd.
(h) Syarikat Bekalan Air Selangor Sdn. Bhd.
(i) Syarikat Air Terengganu Sdn. Bhd.
(j) Syarikat Air Melaka Sdn. Bhd.
(k) Syarikat Air Negeri Sembilan Sdn. Bhd.
(l) Syarikat Air Darul Aman Sdn. Bhd.
(m) Pengurusan Air Pahang Berhad.
(n) Lembaga Air Perak.
(o) Lembaga Air Kuching.
(p) Lembaga Air Sibu.

Personal Data Protection Regulations 2013

Personal Data Protection Regulations 2013 provided some guidelines on the definition of consent of a data subject in the PDPA. In this regard, consent must be in a form that can be recorded and maintained properly by the data user. The burden of proof for consent lies on the data user.

Any privacy policy must also provide the designation of the contact person, phone number, fax number (if any), e-mail address (if any) and such other related information.

A data user shall develop and implement a security policy to comply with the Security Principle.

The Personal Data Protection Regulations 2013 also stated that the Personal Data Protection Commissioner may notify a data user of his intention to carry out an inspection on a personal data system used by a data user.

All parties need time to implement: Data Protection Act may be delayed again

I was quoted by Sin Chew in the article below regarding the impending Personal Data Protection Act 2010.


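(Petaling Jaya, Selangor, 14th) The Personal Data Protection Act 2010, which is meant to protect the personal privacy of Malaysians, has had its commencement postponed repeatedly. After the grace period expires on the 16th of this month, the commencement date will be postponed again if there are further changes to the Act’s guidelines.

Personal Data Protection Department public relations officer 諾韓妮占 told Sin Chew Daily that the Attorney General’s Chambers is currently studying the guidelines relating to the Act, and that if there are any changes, the Act will not come into force the day after tomorrow.

Asked about the grace period for the Personal Data Protection Act 2010 expiring on the 16th, she said that if the Attorney General’s Chambers’ e-Federal Gazette still has not announced the Act’s implementation date by tomorrow, the commencement of the Act may be postponed again.

諾韓妮占: Companies understood to need time to implement

Asked why the Act has been postponed repeatedly, 諾韓妮占 revealed that after consulting the public, the Department understood that businesses and companies need time to implement the Act, hence the postponement.

“This Act can be implemented at any time, but the companies involved need time to draw up their plans and organise their data, such as ensuring that all customer data is up to date, otherwise they would be in breach of the Act.”

“If the Act is confirmed to come into force on the 16th, Communications and Multimedia Minister Datuk Seri Ahmad Shabery will make the announcement when he attends an event in Kedah that day.”

The Personal Data Protection Department (JPDP) is an agency under the Ministry of Communications and Multimedia. Its main role is to help protect the public’s personal data, and it is responsible for regulating personal data whenever users carry out commercial transactions, ensuring that the prescribed rules are complied with.

She said that one of the principles under the Act is to ensure that all user data is accurate, up to date and not misleading.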

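Already met with more than 200 telecommunications companies

Since 2012, the Personal Data Protection Department has progressively met with about 200 telecommunications companies and enterprises, and most of these companies already understand the Act.

She pointed out that according to the public consultation survey conducted by the Department, companies and enterprises said they need time to adapt to the Act’s seven principles.

“Most large companies have already notified their customers and updated their data, but some small enterprises have yet to adapt to the new Act.”

Only applies where commercial transactions are involved

諾韓妮占 stressed that the Act applies only where a commercial transaction is involved; after the Act comes into force, users who wish to lodge a complaint can report to aduanpdp@kkmm.gov.my.

She explained that because the “notice principle” must be followed, a user who receives a marketing call or marketing message must first inform the other party that he or she is not interested and ask the other party to delete his or her personal data (telephone number).

“If the other party sends a second message, you still need to notify them; only when you receive a third identical marketing message can you lodge a report.”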

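The seven principles of the Personal Data Protection Act
1. A person’s private data (such as religious belief, political or sexual orientation, identity card number, telephone number, payslip, appraisal report, etc.) may not be processed without that person’s permission.
2. “Notice and choice” principle: before processing data, the person concerned must be notified and informed of the purpose for which the data is used and the channel through which it was obtained;
3. Personal data may not be disclosed to a third party unless the person concerned consents;
4. Security principle: when processing another person’s personal data, the data user must ensure that the data is not destroyed, altered, misused, lost or passed on to unrelated persons;
5. Retention principle: another person’s personal data may not be kept for a long period, so it must be deleted or destroyed once the relevant process is complete;
6. Data integrity: the data user must ensure that another person’s personal data is up to date, accurate, complete and not confusing;
7. Permission principle: the person concerned has the right to amend and update his or her personal data.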

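陳嘉斌: Guidelines unclear
Most businesses do not understand the new Act

Meanwhile, lawyer 陳嘉斌, deputy head of the legal section of the Associated Chinese Chambers of Commerce and Industry of Malaysia, revealed that because the Act’s guidelines are unclear, many businesses and enterprises still do not understand the Act.

When asked, he said the chamber had held a number of talks on the Act to explain it to businesses and enterprises, but regrettably the response from members was not active.

“So now we can only wait until the Act is implemented and then play a follow-up role, including communicating with the government.”

He urged any businesses and enterprises facing problems to visit the official websites of the Associated Chinese Chambers of Commerce and Industry of Malaysia or the Kuala Lumpur and Selangor Chinese Chamber of Commerce and Industry to make enquiries.

He believes the implementation of the Act benefits all parties, because personal privacy is protected when users’ personal data cannot be misused or purchased.

He said the Act will certainly affect businesses, and businesses must strike a balance between personal privacy and commercial interests.

Long implemented in Europe and the United States

“This kind of law has long been implemented in countries in Europe and America, and some businesses have, unavoidably, already begun to understand it; our country’s small and medium enterprises must also prepare to adapt to the new Act.”

He stressed that the Act mainly regulates acts involving commercial transactions, such as a company selling its customers’ personal data to another company, and has nothing to do with employees providing personal data to their employers.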

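Once the Personal Data Protection Act is implemented
Unsolicited telemarketing calls can be reported

Once the Personal Data Protection Act 2010 comes into force, if you receive a call from an unknown company asking you to buy its products, you can complain directly to the Personal Data Protection Department; this is a great boon to consumers once the Personal Data Protection Act 2010 comes into force.

Parliament passed the Act at its third reading in April 2010 and it was gazetted in June of the same year. After more than two years it is finally to be fully implemented, but Foong Cheng Leong (馮正良), chairman of the Kuala Lumpur Bar Information Technology and Publications Committee, believes the authorities have yet to draw up clear guidelines and many issues remain to be clarified.

May affect the telecommunications and banking industries

When asked today, he said the new Act’s official launch is a great boon for consumers, but it will bring problems and far-reaching effects for all companies, including those in the telecommunications and banking industries and even small and medium enterprises.

He gave as an example that it remains in question whether companies that previously held a great deal of consumer data can continue to call or send text messages to consumers in future, and whether consumers need to take the initiative to call the companies concerned to say they no longer wish to receive any information.

Subsidiaries of the same group cannot share customer data

“The most important spirit of the new Act is that any use of personal data requires the consent of the person concerned. For example, in future a company cannot freely disclose its customers’ personal data (which is regarded as private) to others, and two subsidiaries of the same group cannot share customer data either.”

Leaks of personal data can be reported
Fine or imprisonment upon conviction

Any consumer who feels that his or her personal data has been leaked can complain to the Personal Data Protection Department, which will investigate. Once a breach of the law is confirmed, the company involved, including its management, may be fined or even charged in court.

The Personal Data Protection Act, which has 146 sections, provides various penalties for different offences. Among them, selling another person’s personal data without consent is punishable upon conviction by a fine not exceeding RM500,000, imprisonment not exceeding three years, or both.

Although consumers cannot bring a civil suit against the company involved, a company that breaks the law commits a criminal offence, and the authorities can take action against it, including fines.

Penalties under the Personal Data Protection Act 2010
● Contravening section 129 of the Act, i.e. transferring personal data overseas without permission. Penalty: a fine not exceeding RM300,000, imprisonment not exceeding 2 years, or both
● Contravening section 130 of the Act, i.e. unlawfully collecting or reselling another person’s personal data. Penalty: a fine not exceeding RM500,000, imprisonment not exceeding 3 years, or both

Personal data protected by the Act includes:
1 Name;
2 Passport or identity card number;
3 Telephone number;
4 Photograph;
5 Fingerprint; or
6 Deoxyribonucleic acid (DNA) sample.
(Sin Chew Daily, exclusive report: 盧慧菁, 李佩霜, 戴孜芮)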

Director General of the Malaysia Personal Data Protection Department

According to the Facebook page of the Personal Data Protection Department (PDPD), the former Director General of the PDPD, Encik Abu Hassan bin Ismail, has been reappointed as the Director General of the PDPD.

I would like to congratulate Encik Abu Hassan bin Ismail on his reappointment.

Enforcement of the Personal Data Protection Act 2010

The Malaysian Reserve reported that no date has been set for the enforcement of the Personal Data Protection Act 2010 (PDPA). The newly appointed Communication and Multimedia Minister Datuk Seri Ahmad Shabery Cheek stated that the PDPA will be enforced as soon as possible. However, he declined to be more specific as to the exact period or whether or not it will be enforced before the end of this year.
