Personal Data Protection Act and it Application in Commercial Transactions
Introduction
The use of Personal Data is an integral part of today’s commercial world. The collection, interpretation, storing and transferring of Personal Data has become necessary in the age of electronic commerce and digital technology. The Personal Data Protection Act 2010 (“PDPA”) was gazetted in June 2010 and came into force on 15 November 2013 to regulate the use of Personal Data commercial transactions.
The Personal Data Protection Commissioner regulates and enforces the PDPA. As at the date of writing, no guidelines have been issued by the Personal Data Protection Department.
The term commercial transactions is defined under the PDPA to mean any transaction of a commercial nature, regardless of whether it is contractual. The PDPA will therefore affect how we use Personal Data in commercial, e-commerce and online transactions.
The PDPA also introduced four subsidiary legislations listed below which took effect on 15 November 2013. These regulations aim to clarify and supplement the PDPA.
- Personal Data Protection Regulations 2013;
- Personal Data Protection (Class of Data Users) Order 2013;
- Personal Data Protection (Registration of Data User) Regulations 2013; and
- Personal Data Protection (Fees) Regulations 2013.
Personal Data
Personal Data relates directly or indirectly to a personal , who is identified or identifiable from that information or from that and other information in the possession of a Data User (for example, name, identity card number, date of birth, email address, mobile number and, credit card details) (“Personal Data”). This includes sensitive Personal Data such as a person’s physical and mental health, his political opinion and religious beliefs.
Data Subject and Data User
The terms ‘Data Subject’ and ‘Data User’ are regularly used in the PDPA. The PDPA defines the ‘Data Subject’ as the individual who is the subject of the Personal Data whereas, ‘Data User’ is a person who either alone or jointly with other persons ‘processes’ Personal Data, has control or authorizes the processing of any Personal Data.
Processing Personal Data
Processing Personal Data is the act of collecting, recording, holding, disposing or storing Personal Data. The storage of Personal Data online or offline, including in paper files, computer database, e-mail, instant messenger, USB sticks, external hard disks, cloud computing system or other storage systems on the Internet may be caught by the PDPA.
Framework of 7 Principles
The law introduced seven principles which form the main crux of the PDPA. The principles are set out below:
- General Principle;
- Notice and Choice Principle;
- Disclosure Principle;
- Security Principle;
- Retention Principle;
- Data Integrity Principle; and
- Access Principle.
General Principle
A Data User shall not process Personal Data without the consent of the Data Subject. In the case of sensitive Personal Data, Section 40 of the PDPA requires that the Data Subject’s explicit consent be obtained before it can be processed. Generally, to err on the side of caution, explicit or express consent should be obtained from the Data Subject, rather than be implied or assumed. The burden of proof for such consent lies on the Data User. The Personal Data Protection Regulations 2013 provides that a Data User shall obtain consent from a Data User in any form that can be recorded and maintained properly by the Data User.
Notice and Choice Principle
Data Users are required to notify the Data Subject by written notice of the purpose for which the Personal Data is collected, the right to request access and correction of the Personal Data, of the class of third parties to whom the Data User will disclose the Personal Data to, and the choices and means the Data User offers for limiting the processing of Personal Data.
Disclosure Principle
The Data User is not allowed to disclose the Personal Data to any third party and for any other purpose not specified in the notice without the consent of the Data Subject.
However, a Data User may disclose the Personal Data for another purpose if the Data User acted in the reasonable belief that he would have had the consent of the Data Subject if the Data Subject had known of the disclosing of the Personal Data and the circumstances of such disclosure.
A Data User shall maintain a list of disclosure to third parties. Though this may be tedious, Data Users must comply otherwise they will be in breach of the law.
Security Principle
A Data User shall take practical steps to protect the Personal Data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. In the case where Personal Data processing is outsourced to the data processor, it is the responsibility of the Data User to ensure that the data processor provides sufficient guarantees and takes reasonable measures to protect the Personal Data.
The standard of security protection will however be determined by the Personal Data Protection Commissioner.
Retention Principle
The PDPA does not stipulate a specific duration for which Personal Data shall be kept. The PDPA however states that Personal Data shall not be kept longer than is necessary for the fulfilment of its purpose of processing. The Data User shall take all reasonable steps to ensure that all Personal Data is destroyed or permanently deleted when it is no longer needed for the purpose.
Data Integrity Principle
A Data User shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up to date at all times.
Access Principle
The right of access and right to correct Personal Data allows Data Subjects to make a request to check and verify their information. Any Personal Data deemed inaccurate can be corrected or struck off the record. A Data Subject can even request the Data User not to begin or stop in the middle of the processing of Personal Data, particularly if it is likely to cause damage or distress to the person. Data Subjects can also ask direct marketing companies to stop processing their Personal Data for future profiling, screening or data mining activities.
The Data Subject has the right to withdraw consent at any time. Data Users will therefore need to implement a system to facilitate the access and correction of Personal Data by the Data Subject.
Registration
A Data User who belongs to a class of Data Users specified in the Order shall be required to register as Data Users under the PDPA by 14 February 2014. The Class of Data Users are as follows:
1. Communications
(a) a licensee under the Communications and Multimedia Act 1998 [Act 588];
(b) a licensee under the Postal Services Act 2012 [ Act 741].
2. Banking and financial institution
(a) a licensed bank and licensed investment bank under the Financial Services Act 2013 [Act 758];
(b) a licensed Islamic bank and licensed international islamic bank under the Islamic Financial Services Act 2013 [Act 759];
(c) a development financial institution under the Development Financial Institution Act 2002 [Act 618].
3. Insurance
(a) a licensed insurer under the Financial Services Act 2013;
(b) a licensed takaful operator under the Islamic Financial Services Act 2013;
(c) a licensed international takaful operator under the Islamic Financial Services Act 2013.
4. Health
(a) a licensee under the Private Healthcare Facilities and Services Act 1998 [Act 586];
(b) a holder of the certificate of registration of a private medical clinic or a private dental clinic under the Private Healthcare facilities and Services Act 1998;
(c) a body corporate registered under the Registration of Pharmacists Act 1951 [Act 371].
5. Tourism and hospitalities
(a) a licensed person who carries on or operates a tourism training institution, licensed tour operator, licensed travel agent or licensed tourist guide under the Tourism Industry Act 1992 [Act 482];
(b) a person who carries on or operates a registered tourist accommodation premises under the Tourism Industry Act 1992.
6. Transportation
For example, Malaysian Airlines System (MAS), Air Asia and MAS Wings.
7. Education
(a) a private higher educational institution registered under the Private Higher Education Institutions Act 1996 [Act 555];
(b) a private school or private educational institution registered under the Education Act 1996 [Act 550].
8. Direct Selling
(a) a license under the Direct Sales and Anti-Pyramid Scheme Act 1993 [Act 500].
9. Services
(a) a company registered under the Companies Act 1965 [Act 125] or a person who entered into partnership under the Partnership Act 1961 [Act 135] carrying on business as follows:
(I) legal;
(II) audit;
(III) accountancy;
(IV) engineering; or
(V) architecture.
(b) a company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who conducts retail dealing and wholesale dealing as defined under the Control Supplies Act 1961 [Act 122];
(c) a company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who carries on the business of a private employment agency under the Private Employment Agencies Act 1981 [Act 246].
10. Real Estate
(a) a licensed housing developer under the Housing Development (Control and Licensing) Act 1966 [Act 118];
(b) a licensed housing developer under the Housing Development (Control and Licensing) Enactment 1978, Sabah;
(c) a licensed housing developer under the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak.
11. Utilities
For example, Tenaga Nasional Berhad, Syarikat Bekalan Air Selangor Sdn. Bhd. and LAKU Management Sdn. Bhd.
Penalties
With businesses given three months to comply with the PDPA, it is crucial to note that non-compliance will result in a fine, or imprisonment, or both. Contravention of the above principles is an offence and shall on conviction be liable to a fine not exceeding RM300 000, imprisonment for a term not exceeding 2 years or both.
Next Steps
Every Data User has to develop their own compliance step plan as each has its own unique activities and business processes.
Companies and organisations should appoint a Personal Data protection compliance officer to monitor the implementation of Personal Data protection processes. Data Users should provide adequate training to employees to ensure that they understand the PDPA and the effects of non-compliance. Data Users should also conduct regular internal audits. Data Users also need to establish a record of any application, notice, request or any other information relating to Personal Data that has been or is being processed.
If in doubt, consult a lawyer to ensure you are complying with the rules and regulations.