PDPA: Businesses have responsibilities and burdens
By Foong Cheng Leong December 31, 2012
- PDPA comes into force Jan 1, 2013, and companies have three months to comply
- Many have waited, and now may not have enough time to put processes in place
Bread & Kaya by Foong Cheng Leong
WELCOME to the inaugural Bread & Kaya column! The term is a Malaysianized version for bread-and-butter. This column aims to be your bread-and-kaya serving of legal news relating to intellectual property, cyberlaws, franchise, data privacy and the like.
You may have read some of my articles in The Star’s Putik Lada column or in LoyarBurok. If this is the first time you’re reading my articles, “Hello.”
Without a doubt, 2013 will be an interesting year for businesses. Many new laws and regulations will be introduced, and the Personal Data Protection Act 2010 (PDPA) is one of them.
It was reported that the PDPA would come into force on Jan 1, 2013. Businesses have three months from the date of enforcement to comply with the Act. Similarly, Singapore will have its own Personal Data Protection Act 2012 coming into force on Jan 2, 2013.
Notwithstanding the reported enforcement date of Jan 1, 2013, there is no official government gazette confirming this as I write this column. Thus, the PDPA would still not be in force until such a government gazette is published.
What is the PDPA?
The PDPA provides that any information that directly or indirectly relates to a data subject (i.e. individual) who is identified or identifiable from that information, is personal data. This information may take various forms, such as your name, passport number, telephone number and email address.
A person who processes personal data is called a data user. Companies processing individual customers' or employees' personal data must comply with the PDPA.
Under the PDPA, a data user, in processing personal data, must comply with the following principles:
(1) General Principle;
(2) Notice and Choice Principle;
(3) Disclosure Principle;
(4) Security Principle;
(5) Retention Principle;
(6) Data Integrity Principle; and
(7) Access Principle.
Failure to abide by any of the above principles amounts to an offence. Upon conviction, the data user is liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding two (2) years or to both (S. 5(2) PDPA).
[RM1 = US$0.33]
Under these principles, the collection and use of personal data must be consented to by the data subject, and steps must be taken to ensure that the data is stored securely. The processing of personal data cannot be excessive in relation to the purpose, or a related purpose, for which the personal data is collected.
Adequate notice must be given to data subjects that their personal data will be processed and used, and of the purpose for doing so. Such notice must be in writing and in the Malay and English languages. Personal data no longer in use has to be destroyed.
Further, personal data cannot be transferred outside Malaysia unless such a place is specified by the Government, consented to by the data subject, or is necessary for the performance of a contract between the data user and the data subject.
The PDPA only applies to personal data processed in relation to “commercial transactions.”
What do you need to do?
If you are processing employees' or individual customers' personal data, you are advised to, among other things:
- Assess how the PDPA affects your organization;
- Prepare a privacy notice, in Malay and English, to be issued to potential and current employees or customers;
- Prepare a Personal Data Policy to govern the processing and handling of personal data by employees;
- Prepare a Retention Policy for employees' or customers' personal data and audit the personal data of previous employees or customers in order to dispose of personal data that is no longer in use;
- Establish a data access procedure for employees or customers to access their personal data;
- Ensure that the storage of the employees' and customers' personal data is secure;
- Ensure that personal data is only disclosed for the purpose for which it was collected and is not disclosed to unrelated parties;
- Ensure that the relevant personnel such as Human Resource or customer relationship staff are adequately trained in data protection laws and practice;
- Review data collection forms so that personal data is not collected excessively; and
- Ensure that personal data are transferred overseas lawfully.
The word consent is not defined in the PDPA. However, in early December 2012, Deputy Minister of Information, Communications and Culture Datuk Joseph Salang announced that "whenever consent is required for data processing, it'll have to be given expressly rather than impliedly or be assumed."
This would mean that there must be some sort of active communication between the parties. For example, if a company wishes to obtain more information about an individual, the company would need to get the individual's express consent by contacting that individual.
In this regard, all companies will need to ensure that all possible purposes for processing the personal data are set out before the collection of the data. Additional procedures may need to be established to ensure consent is captured.
Express consent can be gained in a variety of ways -- for example by filling in a form, ticking a box on a website, over the phone and face-to-face.
Although express consent seems to give individuals added protection, this is not necessarily true. Malaysia's restricted view on the definition of consent will have an impact on businesses and individuals. Additional cost will be incurred in establishing new procedures and practices such as new forms, storage, impact analysis and compliance exercises. Individuals may also be swamped with requests for consent from time to time, although the individual would ultimately consent.
Companies will need to wait for individuals' express consent before they can roll out new projects.
To give an example on how the PDPA will affect business:
In the event that a data subject disputes that express consent had been given, the data user will need to show that express consent had been given. Had an implied consent regime been adopted instead, it would be arguable that a data subject had impliedly consented to the processing of personal data by using the data user's services.
However, with express consent, evidence must be provided and this may be difficult, especially in electronic transactions.
In such a case, Section 114A of the Evidence Act 1950 may be helpful to data users as it puts a presumption of publication by a person if his or her name appears on a particular content. The affected individual will need to prove that he did give express consent. This may be costly, highly bureaucratic and time consuming.
The PDPA is supposed to bring an end to unsolicited communication, but it will cause drastic changes to Malaysian businesses.
Much valuable commercial data will be lost due to the PDPA. It is noted that many Malaysian industries have taken a wait-and-see approach. This is alarming, considering that three months to comply with the PDPA will probably not be enough.
The Personal Data Protection Department recently issued Public Consultation No. 2/2012, entitled "Class Of Data User Under The Personal Data Protection Act 2010 And Proposed Fees", which sets out the class of data users that is required to register with the Commission.
The release of such consultation paper is commendable. I hope that the Commission or the Personal Data Protection Department will issue more of these consultation papers and guidelines on the interpretation of the PDPA.
Foong Cheng Leong is a blogger pretending to be a lawyer, and a lawyer pretending to be a blogger. He blogs at xes.cx and foongchengleong.com, and tweets at @xescx and @FCLCo.