Implications of the PDPA 2010 on a Malaysian Telecom Operator
an axiata company
Contents
• Introduction
• Celcom Preparation for PDPA 2010
• Implications and Future Challenges
- Consent and Strategic Options for Giving Consent
- Notice
- Choice
- Disclosure
- Security
- Retention
- Data Integrity
- Access
- Fines and Jail Term
• Conclusion
& Choice
retention consent
an axiata company
Introduction
• Telecommunications Service Providers are always innovating to develop product offerings to serve customers better.
• Managing privacy is important in the long run, as Service Providers can become trusted service providers by integrating the requirements of the PDPA with minimal impact to the business.
• Customers who trust that Service Providers do not misuse their personal data will be more willing to consent to the use of their data.
• The telecommunications sector is already highly regulated, so most Service Providers have systems in place for customers, especially prepaid customers, to access and correct data themselves. There are currently provisions to manage customer data in the Banking and Financial Institutions Act 1989, the Communications and Multimedia Act 1998, the Computer Crimes Act 1997, the Money Services Business Act 2011 and the General Consumer Code of Practice.
COMPANY CONFIDENTIAL
Introduction (continued)
• Many Telecommunications Service Providers also have systems to control the delivery of premium content, as required by regulation. These systems make it a requirement to “opt in” to receive premium content.
• The PDPA will take regulation one step earlier in the customer life cycle: the point of registration for a new user, or for a new service not initially bundled with the mobile service, i.e. the point of obtaining “consent” to “process” personal data. Processes will have to be added to address existing users, allowing them to opt out.
• Moving forward, this presentation will consider at least one concern per data protection principle to highlight the concerns and the clarity we will need in order to implement the PDPA.
Celcom Preparation for PDPA 2010
• The company undertook a PD Impact Assessment (PIA):
- to assess the level of compliance of the company’s own data protection system with the PDPA
- to identify potential gaps and weaknesses in the data protection system
- to design an implementation program for the data protection system review
• Celcom’s PIA process is shown below.
Module 1
• Awareness Training - entire organization
Module 2 (PIA)
• Map out data flow in the organization
• Assess internal PD policies & procedures
• Identify gaps
Module 3
• PIA workshop
• Implementation plan
Module 4
• Actual implementation & compliance training
Module 5
• Ongoing audit to ensure compliance with the new PD policies and procedures.
Implications and Future Challenges - Consent
What mode of seeking consent will be acceptable to the Data Protection Regulator, given that consent is not defined in the Act?
• The preferred mode, seen in recent examples, contains wording such as “continued use of our service means you have consented to your personal data being used for the purposes ….”
• The PDPA 2010 allows the data user to process data if processing is necessary for the performance of a contract to which the data subject is a party.
• The key question is what processing is necessary for the “performance of the contract”: is it basic telephony, or the full suite of innovative smart application services?
Strategic Options for Gaining Consent
1. Traditional Telco Approach
• Develop a model notice of consent to process data.
• Give customers the choice to opt out of use of their data for marketing / 3rd party services.
• Encourage / incentivize customers to opt in at the point of SIM / handset sale etc.
• Market / advertise to the sub-set of customers who do not opt out.
2. Aggressive Telco Approach
• Introduce advertising on relevant Telco services.
• Encourage customers to opt in to receive relevant services by consenting to allow their data to be used.
• The model notice explains how consent supports more relevant / targeted services.
• Develop a framework for advertising partners which retains permission within Axiata, so permissions do not have to be extended to third parties.
• More customers exposed to advertising => commercial benefit, but also intrusion risk.
3. ‘New’ Internet-based Approach
• Targeted services are an integral component of a new service.
• Consent to the use of customer data to support targeted marketing is effectively “bundled” as a condition of service use.
• This must be obvious to customers, allowing them to make an overall, informed decision as to whether or not to use a service.
• The model notice of consent reflects this position.
• Framework for partners which retains permissions within Celcom Axiata.
• As with Google / Facebook, or a new ad-supported MVNO model.
Telcos should prefer 2 to 1 for core services. 3 should be preferred for new services / applications, but cannot simply be imposed on existing mobile customers.
Implications and Future Challenges - Notice
• The PDPA provides for written notice to inform the data subject that personal data is being processed and of the purposes of use.
• Would notice in newspapers and on websites be deemed acceptable written notice?
• Would an SMS notice or an e-mail linking to a web-based Privacy Policy be acceptable?
• For telecommunications service providers the best way to ensure customers have notice is by SMS and not by mail, as prepaid subscribers may not have updated address data.
Implications and Future Challenges - Choice
Option to Limit Processing of Data
• The PDPA 2010 gives data subjects the right to limit the processing of personal data.
• This could be seen as an opt out and would require the creation of a list of data subjects who do not want to be contacted.
• There are significant commercial implications for business, as the customer may elect to limit the processing of advertising or information about new products, which reduces the value added by the service benefits to the customer.
• Yet data subjects give information freely to OTT application providers like WhatsApp and Viber, including access to their address books, which contain the personal data of the contacts in those address books. Have you given informed consent?
Implications and Future Challenges - Choice
Withdrawal of Consent to Process Personal Data
• This means that the Service Provider can no longer use the information and will no longer be able to supply the service.
• Examples of situations where this can occur:
- Termination of Service
- Porting the number to another operator
• Effectively, the Service Provider will not be able to engage in customer retention strategies after the customer has withdrawn his consent. What if there is a competitive “come back offer”?
Implications and Future Challenges - Disclosure
• The purpose of use of personal data will be disclosed in a Privacy Policy, which will then be updated from time to time.
• There could be concerns that this policy may be framed too widely.
• If regulations are issued, for example limiting the extent of “purpose” clauses, disclosure of the “purpose” may be required each time something not covered under the original consent needs to be launched. Customers may be uncomfortable continuously giving consent, or may give it automatically to get the content they want.
Implications and Future Challenges - Security
• In general, Service Providers are already taking “reasonably practical steps” to protect personal data from loss, misuse, unauthorized access, accidental access etc.
• Service Providers already have systems in place to protect access to customer data. How much more will the various regulators prescribe? Will the regulations apply in the same way across other industries?
• There will always be issues where data is released due to the misconduct of an employee. We at Celcom Axiata recognise a need for internal awareness of data protection rules and security policies across the company.
Implications and Future Challenges - Retention
• There is a need to clarify the position, as there are various laws covering the length of time Service Providers are required to store data. In practice many Service Providers keep relevant data for 7 years because of these laws.
• Service Providers as an industry need to seek clarification on the length of time data can be retained, as well as the implications of written instructions to cease processing data.
• If we purge records at the request of customers or within a shorter time frame, we may not be able to process information requests by the police, sector regulators or other authorities.
Implications and Future Challenges - Data Integrity
• Almost 80% of telecommunications data subjects on our network are prepaid customers.
• Data Integrity has always been an issue. Service Providers have stringent prepaid registration regulations imposed by the telecommunications regulator.
• Service Providers have online access and correction systems developed to allow prepaid users to access and correct their own information.
• Collection of accurate data will always be an uphill task, as most service providers are dependent on dealers throughout the nation who are unregulated and in a position of strength as they control the distribution networks. Some unscrupulous dealers do manipulate the systems for personal gain.
Implications and Future Challenges - Access
• The PDPA prescribes that access and the ability to correct be given to the Data Subject.
• As mentioned, Service Providers have online access systems in place for prepaid users to access and correct their data. This will have to be extended to postpaid users.
• Some care has to be taken to ensure that a data subject’s own access and correction of data cannot change data such as identity card information without verification, to limit misuse.
• Inaccurate information uploaded onto our database by data subjects using an online method of personal correction may be an issue with the authorities in the event of an investigation.
Implications and Future Challenges - Fines and Jail Term
• A final and overriding concern is that it is extremely easy for an allegation of breach to be made.
• Many people give personal data freely in contest forms in supermarkets, online etc., but will assume it is the Service Provider that released their information because the call comes in on their handheld device.
• With fines ranging from RM 100k to RM 500k and jail terms of 1 to 3 years, a lot of man hours and cost may have to be spent addressing complaints and proving that the information did not come from a Service Provider.
• Another key implication is the joint and several liability of the CEO, COO, Managers etc. with the Body Corporate, which is wide enough to catch all managerial staff.
Conclusion
• The above is not an exhaustive list of implications.
• It shows the need to seek interpretations to support business continuity and to balance this equally with personal data protection requirements.
• Service Providers will in parallel have to build the trust of the customer/data subject that the personal data will be protected and used for the benefit and utility of the customer/data user.
• Building this trust will reduce potential complaints about non-compliance with the data protection principles and allow the industry to continue to develop a robust applications environment.
THANK YOU