Cyber Pdpa


  • 7/27/2019 Cyber Pdpa


    TOPIC : PERSONAL DATA PROTECTION

    ISSUES :

    I. WHY IS THE PDPA STILL NOT BEING ENFORCED IN MALAYSIA?

    II. IF THE PDPA IS ENFORCED, IS IT SUFFICIENT TO GIVE PROTECTION TO PERSONAL DATA?


    EXAMPLES OF PERSONAL DATA?

    Examples:

    I/c number

    Phone number

    Password

    Type of blood

    Etc.


    DEFINITION OF PERSONAL DATA

    Section 4 of the Personal Data Protection Act 2010 :

    any information in respect of commercial transactions

    Data subject: an individual who is the subject of the personal data.

    Data user: a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor.


    - Automatic and Manual Data :

    Processed wholly or partly by means of equipment operating automatically

    Relevant filing system

    - Processing (Section 4)

    collecting

    recording

    holding

    storing

    organising, etc.


    WHY DO WE HAVE TO PROTECT PERSONAL DATA?

    Neglect in data protection will lead to several issues, for example:

    Impact on trade

    CTOS Land Scam

    Allegation on UPU Staff Selling Students List

    Allegation on Developers Selling Customers Database

    Less people go online

    Low privacy ranking

    Problem of Spam


    INTERNATIONAL INSTRUMENTS GOVERNING DATA PROTECTION

    OECD Guidelines 1980

    Council of Europe Convention 1981

    European Directive 1995

    APEC Privacy Framework 2004

    Madrid Resolution 2009


    MALAYSIAN INSTRUMENT GOVERNING DATA PROTECTION

    Personal Data Protection Act 2010:

    - Date of Royal Assent: 2nd June 2010

    - Date of publication in the Gazette: 10th June 2010

    - In force from: Not yet in force


    ISSUE 1 :

    WHY IS THE PERSONAL DATA PROTECTION ACT 2010 (PDPA 2010) NOT BEING ENFORCED YET?


    NEED FOR A COMMISSIONER

    Provided under :

    Section 47(1) of PDPA

    Will be appointed by the minister.

    Main purpose of appointment : carrying out the functions & powers assigned to the Commissioner

    The functions and powers of the commissioner are laid down in section 48 and section 49 of PDPA 2010.

    However, no appointment has yet been made by the minister.


    WHY HAS NO COMMISSIONER BEEN APPOINTED YET?

    I. Qualification of the Commissioner

    Established judge who has wide knowledge of the legal system

    Expert in the cyber world

    II. The position being politicised

    As the commissioner is appointed by and placed under the minister, the commissioner is not an independent body.


    CONCLUSION 1ST ISSUE

    Cannot be enforced because there is no expertise in the area of cyber law.

    The position is being politicised by the minister.


    ISSUE 2 :

    IF THE PDPA IS ENFORCED, IS IT SUFFICIENT TO GIVE PROTECTION TO PERSONAL DATA?


    Section 6 : General Principle

    Personal data cannot be processed without the consent of the data subject.

    Exemptions :

    for the performance of a contract to which the data subject is a party

    at the request of the data subject with a view to entering into a contract

    to protect the vital interest of the data subject


    Section 7 : Notice & Choice Principle

    A data user shall inform the data subject that :

    the personal data of the data subject is being processed and provide a description of the personal data

    the purposes of the collection

    the right of the data subject to request access


    Section 8 : Disclosure Principle

    No personal data shall, without the consent of the data subject, be disclosed for other purposes


    Section 9 : Security Principles

    A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.


    Section 10 : Retention Principles

    Personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of that purpose.


    Section 11 : Data Integrity Principles

    Data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date


    Section 12 : Access Principle

    A data subject shall be given access to his personal data and shall be able to correct that personal data if it is inaccurate, incomplete, misleading or not up-to-date


    INSUFFICIENT


    1. LIMITED TO COMMERCIAL TRANSACTION

    Section 2 (1) (b) of PDPA

    Any person who has control over or authorizes the processing of any personal data in respect of commercial transaction.


    What is commercial transaction?

    Commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance

    Commercial transaction includes transactions in both the real and virtual world.


    Conclusion

    Insufficient because it is limited to commercial matters only, whereas it is not applicable to non-commercial matters.


    2. EXCLUDES FEDERAL & STATE GOVERNMENT

    Section 3(1) of PDPA

    Does not apply to the federal and state government.

    This means the PDPA is not applicable to the federal & state government.


    The Federal and State Government cannot be excluded from the PDPA

    There are many government departments that collect data. (JPN)

    A data subject and his personal data cannot be protected if the PDPA does not apply to the government. Governments can sell or use it for other purposes (sell the data to other users or persons).

    The government cannot be held vicariously liable for its employees, i.e. when the employees sell the data to another person, the employer, which is the government, cannot be liable for it due to the exclusion from the PDPA.


    Conclusion

    It is insufficient when the PDPA does not apply to the government.


    3. CRIMINAL OFFENCES

    It leads to criminal offences when:

    Without consent, obtains access to or alters, deletes and discloses personal data

    Gives false or misleading information to request for access or correct data

    Uses or discloses personal data for other purpose

    Failure to comply with data protection principles and an enforcement body.


    Punished by criminal punishments

    i.e. imprisonment

    When any offence is committed, it cannot be initiated under civil action

    Conclusion

    So, the data subjects cannot claim damages


    CONCLUSION 2ND ISSUE

    If the PDPA is enforced in Malaysia, it is insufficient to give protection to personal data because it only covers commercial matters, excludes the Federal Government and State Government from its application, and provides for criminal offences only.