7/27/2019 Cyber Pdpa
TOPIC : PERSONAL DATA PROTECTION
ISSUES :
I. WHY IS PDPA STILL NOT BEING ENFORCED IN MALAYSIA?
II. IF PDPA IS ENFORCED, IS IT SUFFICIENT TO GIVE PROTECTION TO PERSONAL DATA?
EXAMPLES OF PERSONAL DATA?
Examples:
I/c number
Phone number
Password
Type of blood
Etc.
DEFINITION OF PERSONAL DATA
Section 4 of Personal Data Protection Act 2010 :
any information in respect of commercial transactions
Data subject: an individual who is the subject of the
personal data.
Data user: a person who either alone or jointly or in
common with other persons
processes any personal data or has control over or
authorizes the processing of any personal data but
does not include a data processor.
- Automatic and Manual Data :
Processed wholly or partly by means of equipment
operating automatically
Relevant filing system
- Processing (Section 4)
collecting
recording
holding
storing
organising, etc.
WHY DO WE HAVE TO PROTECT PERSONAL
DATA?
Neglect in data protection will lead to several issues, for example:
Impact on trade
CTOS Land Scam
Allegation on UPU Staff Selling Students List
Allegation on Developers Selling Customers Database
Less people go online
Low privacy ranking
Problem of Spam
INTERNATIONAL INSTRUMENTS
GOVERNING DATA PROTECTION
OECD Guidelines 1980
Council of Europe Convention 1981
European Directive 1995
APEC Privacy Framework 2004
Madrid Resolution 2009
MALAYSIA INSTRUMENT GOVERNING
DATA PROTECTION
Personal Data Protection Act 2010:
- Date of Royal Assent: 2nd June 2010
- Date of publication in the Gazette: 10th June 2010
- In force from: Not Yet In Force
ISSUE 1 :
WHY IS THE PERSONAL DATA PROTECTION
ACT 2010 (PDPA 2010) NOT BEING
ENFORCED YET?
NEED FOR A COMMISSIONER
Provided under :
Section 47(1) of PDPA
Will be appointed by the minister.
Main purpose of appointment : carrying out the functions & powers assigned to the Commissioner
The functions and powers of the Commissioner are laid down in section 48 and section 49 of PDPA 2010.
However, no appointment has yet been made by the minister.
WHY HAS NO COMMISSIONER
BEEN APPOINTED YET?
I. Qualification of the Commissioner
An established judge who has wide knowledge of the
legal system
Expert in the cyber world
II. The position being politicised
As the Commissioner is appointed by and placed under the
minister, the Commissioner is not an independent body.
CONCLUSION 1ST ISSUE
Cannot be enforced because there is no expertise in
the area of cyber law.
The position is being politicised by the minister.
ISSUE 2 :
IF PDPA IS ENFORCED, IS IT SUFFICIENT
TO GIVE PROTECTION TO PERSONAL
DATA?
Section 6 : General Principle
Personal Data cannot be processed without
the consent of data subject.
Exemptions :
for the performance of a contract to which the
data subject is a party
at the request of the data subject with a view to
entering into a contract
to protect the vital interest of the data subject
Section 7 : Notice & Choice Principle
A data user shall inform the data subject that :
the personal data of the data subject is being
processed and provide a description of the
personal data
the purposes of the collection
the right of the data subject to request access
Section 8 : Disclosure Principle
No personal data shall, without the consent of
the data subject, be disclosed for other
purposes
Section 9 : Security Principles
A data user shall take practical steps to protect
the personal data from any loss, misuse,
modification, unauthorised or accidental
access or disclosure, alteration or destruction.
Section 10 : Retention Principles
Personal data processed for any purpose shall
not be kept longer than is necessary for the
fulfillment of that purpose.
Section 11 : Data Integrity Principles
Data user shall take reasonable steps to
ensure that the personal data is accurate,
complete, not misleading and kept up-to-date
Section 12 : Access Principle
A data subject shall be given access to his
personal data and shall be able to correct that
personal data if it is inaccurate, incomplete,
misleading or not up-to-date
INSUFFICIENT
1. LIMITED TO COMMERCIAL
TRANSACTION
Section 2 (1) (b) of PDPA
Any person who has
control over or authorizes the processing
of any personal data in
respect of commercial transaction.
What is a commercial transaction?
Any transaction of a commercial nature, whether contractual or not,
which includes any matters relating to the supply
or exchange of goods or services, agency, investments, financing, banking and insurance
Commercial transaction includes transactions in
both the real and virtual world.
Conclusion
Insufficient because it is limited to
commercial matters only; it is not applicable to
non-commercial matters.
2. EXCLUDES FEDERAL & STATE
GOVERNMENT
Section 3(1) of PDPA
Does not apply to the federal and state government.
Means PDPA is not applicable to the federal &
state government.
The Federal and State Government cannot be excluded from the PDPA
There are many government departments that collect data. (JPN)
Data subject and his personal data cannot be
protected if the PDPA does not apply to the government.
Governments can sell or use it for other purposes (sell
the data to other users or persons).
The government cannot be held vicariously liable for their employees. I.e. : When the employees sell the data to another person, the employer, which is the government, cannot be liable for it due to the exclusion from the PDPA.
Conclusion
It is insufficient when the PDPA does not apply to the
government.
3. CRIMINAL OFFENCES
It leads to criminal offences when:-
Without consent, obtains access to or alters,
deletes and discloses personal data
Gives false or misleading information to request
for access or correct data
Uses or discloses personal data for other purpose
Failure to comply with data protection principles and an enforcement body.
Punished by criminal punishments
i.e. imprisonment
When any offence is committed, it cannot be
initiated under civil action
Conclusion
So, the data subjects cannot claim damages
CONCLUSION 2ND ISSUE
If PDPA is enforced in Malaysia, it is
insufficient to give protection to personal data
because it only covers commercial
matters, excludes Federal Government and State Government from its application and it is
liable for criminal offences only.