www.secure-it.com.my

Personal Data Protection Bill 2009 - A Summary
The Personal Data Protection Bill 2009 (PDP) was tabled in Parliament for first reading in November 2009.  The bill was first introduced almost ten years ago and, despite the pressing urgency for such legislation in an age where US statistics estimate that 1 in 4 Americans has been a victim of identity theft, has yet to see the light of day as enacted legislation.

The PDP is stated to be an Act to regulate the processing of personal data in commercial transactions.

At the outset, it is important to note that the PDP expressly excludes the Federal Government and State Governments from the application of the Act.

Key Definitions

Commercial transactions

means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2009;

Data processor

in relation to personal data, means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user and does not process the personal data for any of his own purposes;

Data subject

means an individual who is the subject of the personal data;

Data user

is defined as a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data (excluding persons who process data on behalf of a data user and not for their own purposes);

Disclose

is, in relation to personal data, defined as an act by which such personal data is made available by a data user;

Personal data

is defined as any information in respect of commercial transactions which is processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose or is recorded with the intention that it should wholly or partly be processed by means of such equipment or is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system and that relates directly or indirectly to an identified or identifiable data subject INCLUDING sensitive personal data and expression of opinion about the data subject BUT NOT INCLUDING any information processed for credit reporting purposes by agencies under the Credit Reporting Agencies Act 2009;

Processing

in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data including organization, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, transfer, dissemination or the alignment, combination, correction, erasure or destruction of personal data; and

Sensitive personal data

means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, religious or other similar beliefs, the commission or alleged commission by him of any offence or any personal data as gazetted by the Minister.

Personal Data Protection Principles

The foundation of the PDP is the “Personal Data Protection Principles” set out in Part II, Division 1 of the PDP. The Personal Data Protection Principles (PDP Principles) are:-

The General Principle

A data user shall not, in the case of personal data other than sensitive personal data, process personal data about a data subject unless the data subject has given his consent to the processing of the personal data or, in the case of sensitive personal data, process sensitive personal data only in accordance with the PDP, i.e. only with explicit consent or where such processing is necessary for the limited stated purposes set out in the PDP (e.g. to protect the vital interests of another person, for medical purposes, in connection with any legal proceedings, in the defence of legal rights, for the administration of justice, etc.) or where the information has already been made public by the data subject.

The Notice and Choice Principle

A data user shall by written notice inform a data subject that personal data is being processed and provide a description of the personal data to the data subject, the purposes for which the personal data is being or is to be collected and processed, the source of that personal data and of the class of third parties to whom disclosure of the personal data is or may be made.  The data user shall also by such written notice inform the data subject of:-

  • his right to request access to and to request correction of personal data and make available contact particulars for the data subject to contact the data user with any inquiries or complaints in respect of the personal data;
  • the choices and means the data user offers the data subject for limiting the processing of personal data; and
  • whether it is obligatory or voluntary for the data subject to supply the personal data and if it is mandatory, the consequences for the data subject if he fails to supply the personal data.

Notice in respect of the above is to be given as soon as practicable by the data user when the data subject is first asked to provide personal data or when the data user first collects the personal data or, in any other case, before the data user uses the personal data or discloses the same to a third party.  Notices must either be in the national language or English.

The Disclosure Principle

No personal data shall, without the consent of the data subject, be disclosed for any purpose other than the purpose for which the personal data was to be disclosed at the time of collection or a purpose directly related to such purpose and shall not be disclosed to any party other than to third parties disclosed to the data subject in the exercise of the Notice Principle above.

The Security Principle

A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction with regard to:-

  • the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;
  • the place or location where the personal data is stored;
  • any security measures incorporated into any equipment in which personal data is stored;
  • measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
  • measures taken for ensuring the secure transfer of the personal data.

Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall (for the purpose of protecting the personal data in the manner contemplated above) ensure that the data processor provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out and takes reasonable steps to ensure compliance with those measures.

The Retention Principle

The personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of that purpose and it shall be the duty of the data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.

The Data Integrity Principle

A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose (including any directly related purpose) for which the personal data was collected and further processed.

The Access Principle

A data subject shall be given access to his personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request to such access or correction is refused under the provisions of the PDP.

A data user that contravenes any of the PDP Principles commits an offence and on conviction shall be liable to a fine not exceeding RM300,000.00 or imprisonment for a term not exceeding 2 years or both.

Registration of Data Users and Data User Forums

The PDP provides for registration of such classes of data users as identified by the Minister upon recommendation of the Commissioner of Public Data Protection (Commissioner).  At present it is unclear what categories of data users are likely to be required to be registered.  Upon identification as a data user required to be registered under the PDP, such data user will be required to ensure compliance with all the provisions of the PDP failing which such registration may be revoked and the data user then precluded from processing public data.

The Commissioner may designate a body as a data user forum in respect of a specific class of data users and membership to each such forum shall be open to all data users of that class.  A code of practice for the data user forum may be issued by the Commissioner or by the data user forum for itself.

Rights of Data Subject

An individual is entitled to be informed by a data user whether personal data of which that individual is the data subject is being processed by or on behalf of the data user and may request such information and a copy of the personal data upon payment of a prescribed fee.  A data user is required to comply (except when the statutory grounds for refusal are applicable) with a data access request not later than 21 days from the date of receipt of the data access request, with provision for a further 14-day extension.  The statutory grounds for refusal include, amongst others, doubt over the identity of the requestor, disproportionate burden or expense in providing access, or where compliance would result in a violation of a court order or disclosure of confidential commercial information.

A requestor may also make a data correction request in writing to a data user to correct any personal data that is inaccurate, incomplete, misleading or not up-to-date.

A data subject may by notice in writing withdraw his consent to the processing of personal data in respect of which he is the data subject and the data user shall upon receiving such notice, cease the processing of the personal data.

A data subject may, at any time by notice in writing to a data user, require the data user at the end of such period as is reasonable in the circumstances to cease or not to begin processing his personal data for purposes of direct marketing.

A data user shall keep and maintain a record of any application, notice, request or any other information relating to personal data that has been or is being processed by him.

Exemption

Certain categories of data usage/processing are exempted from all or identified sections of the PDP:-

  1. personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs, including recreational purposes;
  2. personal data processed for the prevention or detection of crime or for the purpose of investigations, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty or any other imposition of a similar nature, shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act;
  3. personal data processed in relation to information of the physical or mental health of a data subject shall be exempted from the Access Principle and other related provisions of this Act where the application of those provisions to the data subject would be likely to cause serious harm to the physical or mental health of the data subject or any other individual;
  4. personal data processed for preparing statistics or carrying out research shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act, provided that such personal data is not processed for any other purpose and that the resulting statistics or the results of the research are not made available in a form which identifies the data subject;
  5. personal data processing that is necessary for the purpose of or in connection with any order or judgement of a court shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act;
  6. personal data processed for the purpose of discharging regulatory functions shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act if the application of those provisions to the personal data would be likely to prejudice the proper discharge of those functions; or
  7. personal data processed only for journalistic, literary or artistic purposes shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle, Retention Principle, Data Integrity Principle and Access Principle and other related provisions of this Act, provided that the processing is undertaken with a view to the publication by any person of the journalistic, literary or artistic material, the data user reasonably believes that, taking into account the special importance of the public interest in freedom of expression, publication would be in the public interest, and compliance with the provision in respect of which the exemption is claimed is incompatible with the journalistic, literary or artistic purposes.

Complaint

Any individual or relevant person may make a complaint in writing to the Commissioner about an act, practice or request that is specified in the complaint and has been done or engaged in, or is being done or engaged in, in contravention of the provisions of the PDP (including any codes of practice) by the data user specified in the complaint in relation to personal data of which the individual is the data subject.


Investigation by Commissioner

Where the Commissioner receives such a complaint, the Commissioner shall, subject to the provisions of the PDP, carry out an investigation in relation to the relevant data user to ascertain whether the act, practice or request specified in the complaint contravenes the provisions of this Act.

Where the Commissioner has reasonable grounds to believe that an act, practice or request has been done or engaged in, or is being done or engaged in, by the relevant data user that relates to personal data and such act, practice or request may be a contravention of the provisions of the PDP, the Commissioner may carry out an investigation in relation to the relevant data user to ascertain whether the act, practice or request contravenes the provisions of the PDP.

Enforcement notice

Where, following the completion of an investigation about an act, practice or request specified in the complaint, the Commissioner is of the opinion that the relevant data user—

  1. is contravening a provision of the PDP; or
  2. has contravened such a provision in circumstances that make it likely that the contravention will continue or be repeated,

then the Commissioner may serve on the relevant data user an enforcement notice stating his opinion of such contravention and specifying the provision of the PDP on which he has based that opinion and the reasons why he is of that opinion.  In the said enforcement notice, the Commissioner shall also direct the relevant data user to take such steps as are specified in the enforcement notice to remedy the contravention or, as the case may be, the matters occasioning it within such period as is specified in the enforcement notice and where necessary, to cease processing the personal data pending the remedy of the contravention by the relevant data user.

In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention or the matter to which the enforcement notice relates has caused or is likely to cause damage or distress to the data subject of the personal data to which the contravention or matter relates.

The steps as specified in the enforcement notice to remedy the contravention or matter to which the enforcement notice relates may be framed to any extent by reference to any approved code of practice or so as to afford the relevant data user a choice between different ways of remedying the contravention or matter.

The period specified in the enforcement notice for taking the steps specified in it shall not expire before the end of the 30-day period (after service of the notice) within which an appeal against the enforcement notice may be made and, if such an appeal is made, those steps need not be taken pending the determination or withdrawal of the appeal, unless the Commissioner states in the enforcement notice that the steps are to be taken as a matter of urgency and gives the reasons for that opinion (though the PDP also provides that an enforcement notice shall not require those steps to be taken before the end of the period of seven days from the date on which the enforcement notice was served).

A person who fails to comply with an enforcement notice commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.


Unlawful collecting, etc., of personal data

A person shall not knowingly or recklessly, without the consent of the data user, collect or disclose personal data that is held by the data user or procure the disclosure to another person of personal data that is held by the data user, except where such person can show:-

  1. that the collecting or disclosing of personal data or procuring the disclosure of personal data was necessary for the purpose of preventing or detecting a crime or for the purpose of investigations or as required or authorized by or under any law or by the order of a court;
  2. that he acted in the reasonable belief that he had in law the right to collect or disclose the personal data or to procure the disclosure of the personal data to the other person;
  3. that he acted in the reasonable belief that he would have had the consent of the data user if the data user had known of the collecting or disclosing of personal data or procuring the disclosure of personal data and the circumstances of it; or
  4. that the collecting or disclosing of personal data or procuring the disclosure of personal data was justified as being in the public interest in circumstances as determined by the Minister.

A person who collects or discloses personal data or procures the disclosure of personal data in contravention of the above and/or who sells personal data collected in contravention of the above commits an offence.  The PDP provides that an advertisement indicating that personal data is or may be for sale is an offer to sell the personal data.

A person who commits such offences shall, upon conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.

Abetment and attempt punishable as offences

A person who abets the commission of or who attempts to commit any offence under the PDP shall be guilty of that offence and shall, on conviction, be liable to the punishment provided for that offence. A person who does any act preparatory to or in furtherance of the commission of any offence under the PDP shall be guilty of that offence and shall, on conviction, be liable to the punishment provided for the offence, provided that any term of imprisonment imposed shall not exceed one-half of the maximum term provided for the offence.

Offences by body corporate

If a body corporate commits an offence under the PDP, any person who at the time of the commission of the offence was a director, chief executive officer, chief operating officer, manager, secretary or other similar officer of the body corporate or was purporting to act in any such capacity or was in any manner or to any extent responsible for the management of any of the affairs of the body corporate or was assisting in such management may be charged severally or jointly in the same proceedings with the body corporate and if the body corporate is found to have committed the offence, shall be deemed to have committed that offence unless, having regard to the nature of his functions in that capacity and to all circumstances, he proves that the offence was committed without his knowledge, consent or connivance and that he had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence.

If any person would be liable under this Act to any punishment or penalty for his act, omission, neglect or default, he shall be liable to the same punishment or penalty for every such act, omission, neglect or default of any employee or agent of his, or of the employee of the agent, if the act, omission, neglect or default was committed:-

  1. by that person’s employee in the course of his employment;
  2. by the agent when acting on behalf of that person; or
  3. by the employee of the agent in the course of his employment by the agent or otherwise on behalf of the agent acting on behalf of that person.

Did You Know

  • Identity theft is the top consumer complaint in the USA according to the Federal Trade Commission.
  • US consumers reported fraud loss totalling more than $1.1 billion in 2006.
  • Credit card fraud (25%) was the most common form of reported identity theft in the US in 2006.
  • More than 100 000 people are affected by identity theft each year in the UK.
  • According to Privacy Rights Clearinghouse, more than 350 data loss incidents involving more than 140 million records have occurred since February 2005.
  • Organisations are obliged by law to take adequate steps to ensure the proper disposal of data.
