Personal Data Protection Act 2010: Our details are worth protecting

I was quoted by Rakyat Post in their article “Personal Data Protection Act 2010: Our details are worth protecting.

The Personal Data Protection Act 2010 intends to protect personal data and stop it from being distributed.

THE Personal Data Protection Act 2010 is necessary because personal data is often the cause of constant unwelcome calls from companies, and can be used by malicious people to break into networks.

Personal Data Protection Department Deputy Director-General Dr Zainal Abidin Sait said personal data used in commercial transactions had value while personal data available online may not.

“My name on Facebook would not be useful for marketing. I don’t give my real information in Facebook, but in commercial transactions, I give my real name, my real data.”

He said there were penalties for those who did not adhere to the law, but that was not the reason the law was gazetted.

“The intention of this law is not to issue summonses to people. The intention of the law is to ensure the personal data of all Malaysians, which is collected from all over the place by these agencies, is managed properly and systematically.”

Zainal Abidin also said the PDPA would not hamper doctors and banks.

This is because for doctors, processing without consent can still be carried out with conditions, while banking transactions made via contracts do not fall under the law.

Solicitor Foong Cheng Leong said laws similar to the Personal Data Protection Act (PDPA) 2010 had been implemented around the world.

“But in Southeast Asia, we are the first to come up this law. Singapore has a similar law. It came after ours, but came into force earlier than us.”

Foong is a lawyer focusing on Intellectual Property, Information Technology, Internet, Social Media and Cyber laws, Franchise, Privacy and Data Protection laws.

In the past, people had been selling personal data without repercussions, but that will all change now.

“The new law is to protect personal data and stop it from being distributed. Now under the law, it is subject to consent. If individuals want to receive all these things, then they (the companies) can send. Otherwise they can’t,” Foong said.

Websense Inc Asia Pacific Sales Engineering Director William Tam pointed out that personal information was highly valuable, not just to sell insurance or credit cards.

“When we look at what happened at many large retailers over the years, such as TJ Maxx and Target, personal data was pure gold to people with a malicious intent.”

He said cybercriminals were not just after credit card details as even simple personal contact details could be used in social engineering to create a very powerful lure that could be the way into a company’s network and lead to a highly targeted attack.

“Once individuals understand their rights under the PDPA, they can be the key driving force in encouraging businesses to comply with the same standard.”

There is no need for the Personal Data Protection Act 2010 because customer information is already treated with complete confidentiality, say stakeholders.

THE Personal Data Protection Act 2010 is unnecessary for the banking and health industry. It also hinders insurance agents and marketers in conducting their business.

Although banks will comply with the Act, Association of Banks in Malaysia (ABM) Executive Director Mei Lin Chuah said it was already common practice in banks to respect the personal data of those who bank with them.

“All this while, our members have taken the necessary steps to ensure that customer information is treated with the greatest of confidentiality as a matter of policy which, in a certain fashion, has now become a requirement of law.

“Our member banks have in place controls and systems to ensure that customer information is kept confidential at all times.

“Further to this, banks have their strict internal rules on confidentiality and information security which all bank employees must abide by. Failure to comply with the internal rules will lead to disciplinary action against the employee,” said Mei.

Malaysian Medical Association (MMA) President Datuk Dr N.K.S. Tharmaseelan said including doctors under the Act was redundant. It was unfair to slap them with a fine as no announcement on this had been made earlier, he added.

“The Commissioner of the Personal Data Protection Department did not send out any circular whatsoever to inform doctors about this registration exercise, but still expects all to know,” said Dr Tharmaseelan in a statement.

“Doctors were given till Feb 15, 2014 to register or be slapped with a fine of RM500,000.

“It appears redundant as the doctors are strictly regulated by MMC on confidentiality. Doctors now have to face this additional burden.

“Doctors have always been guided by the Hippocratic Oath since the birth of modern medicine, but now we have a law which has become a hippopotamus that will run through our practice.

“This was another law passed without consulting stakeholders, in this case doctors. But we hope common sense will prevail and an exemption is granted,” said Dr Tharmaseelan.

Insurance agents, direct sellers and telemarketers rely on gathering personal information to find customers.
“Basically, information about people can’t be passed around any more without their permission,” said an insurance agent who did not want to be named.

The Act made it more difficult to initiate contact with a person through the telephone, which is known as “cold calling”, and is often done using bank databases sold by middlemen.

“When you apply for a loan or credit card, whatever information you give them is what these databases will contain,” said the agent, adding that direct sellers and telemarketers relied heavily on such databases to make sales.