Malaysia Personal Data Protection Act (PDPA) 2010 Awareness Seminar
Privacy and Protection of Personal Data

© 2014 Deloitte Enterprise Risk Services Sdn Bhd

25th June 2014
Room 1202, Level 2, Penang Skills Development Centre, 1, Jalan Sultan Azlan Shah, 11909 Bayan Lepas, Penang.

Source: investpenang.gov.my/.../investpenang_pdpa_ceo_speaks_seminar_25…

AGENDA

• Introduction to Malaysia PDPA 2010
  - Malaysia PDPA 2010 at a glance
  - Key Definitions
  - The 7 Principles of Malaysia PDPA 2010
  - Impact of Malaysia PDPA 2010 to your organisation
  - Frequently Asked Questions
• Tea Break
• Malaysia PDPA 2010 – How Should You Prepare Yourself
  - Actions Required
  - PDPA Project Phases
• Question & Answer Session

INTRODUCTION TO MALAYSIA PDPA 2010

Malaysia PDPA 2010 at a glance…

• Came into force on 15 November 2013
• Department formed, Commission pending
• Regulations and Orders issued; 4 public consultation papers released
• Registration of Data Users within 3 months from 15 November 2013
• Three phases of implementation: 1. Awareness 2. Compliance 3. Enforcement

*Extracted from Christopher & Lee Ong PDPA Compliance Deck

The Objectives of Malaysia PDPA 2010

• Strengthen overall competitiveness of Malaysian businesses
• Enhance Malaysian competitiveness
• Avoid disadvantages for businesses in Malaysia
• Protect privacy, rights and freedom of citizens

What is “Personal Data”?

Examples:
• Name, IC No., Gender, Race, Address
• Images
• Fingerprint, face/iris recognition
• Expression of opinion

Covers both electronic and manually recorded data.
“Consent” is required.

*Extracted from Christopher & Lee Ong PDPA Compliance Deck

What is “Sensitive Personal Data”?

Sensitive Personal Data covers:
• Physical and mental health
• Political opinions
• Religious beliefs
• Commission of an offence
• Other personal data the Minister may prescribe

Explicit consent required.

*Extracted from Christopher & Lee Ong PDPA Compliance Deck

Key Parties involved in Malaysian PDPA 2010

• Regulator: the body that oversees and enforces the law (i.e. PDPD / Commission)
• Data User: a person who processes or has control over the processing of personal data (e.g. companies, individuals)
• Data Processor: a person who processes personal data solely on behalf of a data user, and not for his own purposes (e.g. cloud provider, back-end IT processors)
• Data Subject: a person whose personal data is processed by a data user (e.g. customers, employees, third party contractors)

*Extracted from Christopher & Lee Ong PDPA Compliance Deck

The PDPA does not apply to…

• the Federal and State Governments;
• Personal data outside Malaysia (unless the personal data is intended to be further processed in Malaysia);
• Non-commercial transactions;
• Agencies operating under the Credit Reporting Agencies Act 2010;
• Personal data intended for transit through Malaysia; or
• Individuals who collect personal data only for the purposes of personal, family, or household affairs, including recreational purposes.

*Extracted from Christopher & Lee Ong PDPA Compliance Deck

We are here because all this happened … just last year

• Massachusetts Mutual: The 401(k) retirement plan information of certain clients was inadvertently exposed when a MassMutual account manager sent an email on May 8.
• Insurance Co. of the West: Confidential medical records were found under a freeway by a concerned citizen.
• Prudential America: An administrative error resulted in documents with sensitive information from members being emailed to an incorrect party.
• Nationwide Mutual Insurance: 1 million individual records compromised by cyber criminals.
• State Farm Insurance: A dishonest employee was caught misusing customer information to make fraudulent transactions online.
• Massachusetts Mutual: Inadvertently sent a report via secure email that included client information to an incorrect retirement Plan Sponsor.
• Ameritas Life Insurance: A laptop was stolen or discovered stolen sometime around March 21, 2012. It contained the sensitive health information of 3,000 people.
• UnitedHealthcare: A dishonest employee used the names, Social Security numbers, addresses, phone numbers, dates of birth, and Medicare Health Insurance Claim Numbers to steal the identities of at least 24 customers.

… and it costs companies

• £70,000 after a report containing sensitive information about a patient was sent to the wrong person.
• £140,000 for repeated breaches involving the disclosure of sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions.
• £375,000 after hard drives containing sensitive patient information were stolen and subsequently sold online.
• £50,000 for a “mix-up” in the administration of two accounts which culminated in tens of thousands of pounds ending up in the wrong account and confusing the account holders.
• £2,275,000 following the loss of 46,000 insurance policy holders' personal details.
• Over £3m for information security failings (financial institution).

The 7 data protection principles of Malaysian PDPA 2010

General Principle
• Personal data cannot be processed without the consent of the data subject
• Exemptions:
  i. For the performance of a contract to which the data subject is a party
  ii. At the request of the data subject with a view to entering into a contract
  iii. To protect the vital interest of the data subject

Notice and Choice
• A data user shall inform the data subject:
  i. that the personal data of the data subject is being processed, and provide a description of the personal data and the purpose of collection
  ii. of the right of the data subject to request access

Disclosure
• No personal data shall, without the consent of the data subject, be disclosed for other purposes

Security
• A data user shall take practical steps to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction

Retention
• Personal data processed for any purpose shall not be kept longer than necessary for the fulfillment of that purpose

Integrity
• The data user shall take reasonable steps to ensure that the personal data collected is accurate, complete, not misleading and kept up-to-date

Access Principle
• All data subjects shall be given access to their personal data and will be able to correct that personal data if it is inaccurate, incomplete, misleading or not up-to-date

Data users who are required to register

• Communication
• Banking and Financial Institution
• Insurance
• Private Healthcare
• Private Education
• Tourism and Hospitalities
• Transportation (Airlines)
• Direct Selling
• Services
• Housing Developers
• Utilities

*Extracted from Christopher & Lee Ong PDPA Compliance Deck

How will PDPA impact your organisation?

• New obligations for organizations that process personal data
• The data lifecycle (personal data), namely from its collection, processing, dissemination and destruction, will need to be reviewed.
• Organizations which process individual customers’ or employees’ personal data will need to re-evaluate their current data privacy policies and processes
• Non-conformance with the principles may result in penalties ranging from financial to legal liabilities. It is best to act now to mitigate commercial or reputational risks.

Personal data of the following persons:
• Customers / Business partners / Suppliers
• 3rd Party Contractors / Vendors
• Employees / Directors / Shareholders

*Extracted from Christopher & Lee Ong PDPA Compliance Deck

How will PDPA impact your organisation?

Examples of records containing personal data:

Customers/Partners/Suppliers/Vendors:
• Purchase Order/Application Forms
• Enquiry Forms
• Agreements

Employees:
• Job Application Forms
• CV
• Payroll Records, EPF, SOCSO Records
• Warning Letters, Resignation Letters

Directors/Shareholders:
• Register of Members
• Register of Directors
• Forms of Annual Return
• Share Certificates

Other Individuals:
• Contractors, Sub-Contractors
• Walk-in Customers
• Suppliers, Advertisers
• Sales Representatives, agents

*Extracted from Christopher & Lee Ong PDPA Compliance Deck

Offences

Offence | Penalty
Non-registration | RM 500,000 fine and/or 3 years imprisonment
Unlawful collection, disclosure and sale of personal data | RM 500,000 fine and/or 3 years imprisonment
Breach of any of the seven principles | RM 300,000 fine and/or 2 years imprisonment
Failure to comply with enforcement notice | RM 200,000 fine and/or 2 years imprisonment
Transfer of personal data to a place which has not been gazetted | RM 200,000 fine and/or 2 years imprisonment
Continuing to process personal data after withdrawal of consent by data subject | RM 100,000 fine and/or 1 year imprisonment

*Extracted from Christopher & Lee Ong PDPA Compliance Deck

Personal Liability

An officer of the company is deemed jointly and severally liable, unless the offence was committed without his knowledge, consent and connivance and he has taken all due diligence to prevent the offence.

*Extracted from Christopher & Lee Ong PDPA Compliance Deck

Practical points to remember

• Always collect data with consent
• Do not ask for irrelevant / unnecessary data
• Take steps to protect security and integrity of data
• Do not keep data for longer than necessary
• Allow Data Subject access to his data
• Notice in Dual Language

*Extracted from Christopher & Lee Ong PDPA Compliance Deck

FREQUENTLY ASKED QUESTIONS

Collection, Use & Disclosure

Question: How much personal data can an organisation collect, use or disclose?

… an organisation may collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances and that the organisation has notified to the individual, unless an exception under the PDPA applies

… the organisation must obtain the consent of the individual to such collection, use or disclosure, unless any exception under the PDPA applies

… organisations shall not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal data beyond what is reasonable to provide the product or service

Example: a request to provide household income by an organisation selling consumer products; remember, though, that the organisation can ask for it in optional fields. For collection of additional data, the organisation shall provide the option of whether to consent.

Collection, Use & Disclosure

Question: How to handle personal data collected before the effective date of PDPA – Feb 2014?

• Generally that data can be used for the reasonable purposes for which it was collected, but notice will need to be given
• Obtaining consent is required if existing data is used for a new purpose or disclosed to other organisations / individuals, unless any exception applies

Example: a company uses personal data for after-sales customer support prior to PDPA – it can continue without first obtaining consent if notice is given. But it cannot use the data for direct marketing if that was not covered in the original purpose for collection.

Note: Informal confirmation from PDPD as a pragmatic solution to seeking fresh consent for existing customers.

Access & Correction

Question: Must an organisation provide access to an individual's personal data when a request is made?

• Organisations shall allow individuals access to their personal data that is possessed or controlled by the organisations, and may charge a reasonable fee on a cost recovery basis.
• Exceptions and prohibitions (where providing access would):
  - cause immediate or grave harm to the individual’s safety or physical or mental health;
  - threaten the safety or physical or mental health of another individual;
  - reveal personal data about another individual;
  - reveal the identity of another individual who has provided the personal data, and the individual has not consented to the disclosure of his or her identity; or
  - be contrary to national interest
• Other cases when organisations may deny subject access requests, and other exclusions:
  - Requested personal data would reveal confidential commercial information that could harm the competitive position of the organisation
  - any examination conducted by an education institution, examination scripts and examination results prior to their release.
  - opinion data kept solely for an evaluative purpose as defined in the PDPA.

Access & Correction

Question: Must an organisation provide correction to an individual's personal data when a request is made?

• An organisation is generally required to correct an error or omission and send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the correction, unless the other organisation does not need the corrected personal data for any legal or business purpose.
  - Example: an organisation discloses a customer's name and address to a delivery company it engaged on a once-off basis to deliver a product that the customer has purchased. Since the delivery has been completed, the organisation will not be required to send the corrected personal data to the delivery company.
• The corrected data may be sent only to specific organisations to which the data was disclosed by the organisation, if the individual consents to it.
• No correction is needed where the organisation is satisfied on reasonable grounds that a correction should not be made. In this case, the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but not made.
• An organisation is also not required to alter an opinion, including a professional or expert opinion.

Care of Personal Data

Question: How long can an organisation retain its customers' personal data for?

• No prescribed retention period
• But, an organisation shall cease to retain personal data as soon as the purpose of collection is no longer served by the retention, and retention is no longer necessary for business or legal purposes

Question: What must an organisation do to ensure the personal data collected is protected?

• Make practical security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks

Care of Personal Data

Question: What are the rules on cross-border transfer of personal data?

• The PDPA will apply to all personal data collected, used or disclosed in Malaysia
• As such, organisations that collect personal data overseas and host and/or process it in Malaysia will still be subject to relevant obligations under the PDPA from the point that such personal data is brought into Malaysia
• For organisations that collect personal data here and transfer such data overseas:
  - Measures must be put in place by the organisation here transferring the personal data, to provide a comparable standard of protection overseas
  - Measures will be prescribed and are envisioned to include the use of contractual agreements among the organisations involved in the transfer.

TIME FOR A BREAK!

MALAYSIA PDPA 2010 – HOW SHOULD YOU PREPARE YOURSELF

Actions required

• Appoint Data Protection Officer
• Map out your Personal Data Inventory
• Implement Data Protection Processes

PDPA Project Phases

1. Establish Governance Framework
   • Design governance structure
   • Define roles and responsibilities

2. Assessment (PDPA Readiness)
   • Conduct PDPA Readiness Check
   • Design scope of personal data
   • Inventory of personal data, flows and storage
   • Assess controls and identify areas of improvement

3. Define Policies and Procedures
   • Update existing policies and procedures to align to PDPA
   • Design operating models and processes

4. Rollout and Training
   • Develop training awareness programmes
   • Implement process and implement data protection control

Establish PDPA Governance
(Phase: Establish Governance Framework)

Understand PDP Programme Requirements
• Conduct project kick-off meeting
• Define project scope and objective
• Plan project activities
• Build management and technology objectives, required resources, costs and time estimates

Build PDP organisation
• Define PDP governance structure
• Define PDP organisation and roles and responsibilities

Establish PDPA Governance: Build PDPA organisation
(Phase: Establish Governance Framework)

Appoint Data Protection Office

This activity shall enable the design of the Personal Data Protection programme and roles and responsibilities. Through the establishment of the PDP organisation, roles and responsibilities related to PDP can be clearly defined to steer the subsequent PDP activities.

Organisation chart (figure); roles shown: PDP Committee Chairman; PDP Committee; Data Protection Officer; PDP Contact Window; Education & Training Owner; Individual’s Right Exercise Planner; Personal Data Leakage Owner; Personal Data Manager; PDP Representatives in depts./units (Unit 1, Unit 2, Unit 3 … Unit N); Audit.

Conduct PDPA Impact Assessment
(Phase: Assessment; design scope of personal data; inventory of personal data, flows and storage; conduct PDPA impact assessment)

• Define personal data
• Collect and identify information assets and personal data
• Conduct personal data business process data flow sessions
• Develop personal data flow diagrams
• Assess current status of personal data protection within the organisation against PDPA obligations
• Identify areas for improvement and mitigating actions

Conduct PDPA Impact Assessment – Personal Data Flow
(Phase: Assessment; design scope of personal data; inventory of personal data, flows and storage; conduct PDPA impact assessment)

Personal data flow diagram (figure); entities shown: Customer; Business Divisions; Accounting/Finance; Customer & Product Servicing, Support, and Maintenance; Sales; Product Development; System/Operational Activity; Third Parties; Other Carriers; Clearing Organization.

Conduct PDPA Impact Assessment – 7 Principles
(Phase: Assessment; design scope of personal data; inventory of personal data, flows and storage; conduct PDPA impact analysis and risk assessment)

1. General – consent required
2. Notice and Choice – notify purpose, access & correct
3. Disclosure – no consent, no disclosure
4. Security – practical steps to protect
5. Retention – as long as required only
6. Data Integrity – accurate, complete and up-to-date
7. Access – access and right to correct

Key Focus Areas - Human Resources

• Collection, Use and Disclosure of Employee Information
• Retention & Disposal of Records
• Employment Contracts
• Use of Recruitment Agencies
• Recruitment Information
• Outsourcing / Temp staff

Key Focus Areas - Information Technology

• Data Governance
• Data Security
• Data Access
• Data Storage
• Cross Border Data Transfer
• Data Retention & Archival
• Data Destruction

Key Focus Areas - Sales and Customer Service

• Consent, Notice & Disclosure
• Marketing Database
• Collection of Customer Data
• Marketing Activities
• Do Not Call Registry
• Tele-marketing
• Customer Interaction

Key Focus Areas - Legal & Contracts

• Customer Forms
• Customer Agreements
• Vendor Contracts
• Outsourcing Contracts
• Cross border data transfer
• Employment contracts

Define Policies & Procedures
(Phase: Define Policies and Procedures; update existing policies and procedures to align to PDPA; design operating models and processes; design Incident Response Programme)

• Update data security policies and procedures
• Update data handling policies and procedures with third parties
• Update data accuracy and integrity policies and procedures
• Update data access control and review policies and procedures
• Update data change control policies and procedures
• Define Complaint Management procedures
• Define Enquiry and Exercise of Rights procedures
• Define Personal Data Retention & Disposal procedures
• Define public communications plan (website updates, etc.)
• Define an Incident Response Programme

Rollout & Training

PDPA programme phases: Establish Governance Framework > Assessment > Define Policies and Procedures > Rollout and Training

Rollout and Training phase:
• Develop training awareness programmes
• Implement process and implement data protection control

Activities in this phase:
• Define internal training & awareness programmes
• Implement Incident Response Programme
• Conduct training for Incident Response programme
• Rollout Incident Response Programme
• Rollout implementation roadmap (items classified as “Immediate” only)
• Conduct training and awareness sessions

PDPA Readiness

PDPA programme phases: Establish Governance Framework > Assessment (PDPA Readiness) > Define Policies and Procedures > Rollout and Training

Establish Governance Framework
• Design governance structure
• Define roles and responsibilities

Assessment (PDPA Readiness)
• Conduct PDPA Readiness Check
• Design scope of personal data
• Inventory of personal data, flows and storage
• Assess controls and identify areas of improvements

Define Policies and Procedures
• Update existing policies and procedures to align to PDPA
• Design operating models and processes

Rollout and Training
• Develop training awareness programmes
• Implement process and implement data protection control

PDPA Readiness - Test Scenario: Consent, Notifications and Purpose

Scenario

An individual complains to PDPD that <CLIENT> did not obtain consent or inform him of the purpose when collecting his personal data at a marketing road show.

PDPD decides to investigate and writes to <CLIENT> requesting evidence for the following:

• <CLIENT> has informed the individual of the purpose for collection of the personal data in question and has obtained his consent
• <CLIENT> has a standard process to clearly inform an individual of the purpose(s) for which it collects, uses or discloses personal data and to obtain his/her consent.

Additional Injects

None

Readiness Checklist

Each checklist item records Observations/Findings and a Test Result of <Pass / Partially Pass / Fail / NA>.

Expected Response to Scenario

1. Able to readily retrieve documented/recorded evidence of the consent obtained
   • Observations/Findings: To be added
   • Test Result: <Pass / Partially Pass / Fail / NA>

2. Able to retrieve documented/recorded evidence of the purpose notification provided to the individual
   • Observations/Findings: To be added
   • Test Result: <Pass / Partially Pass / Fail / NA>

Policy / Procedures in place

3. Able to demonstrate a standard procedure in place to inform purpose(s) and obtain consent
   • Observations/Findings: To be added
   • Test Result: <Pass / Partially Pass / Fail / NA>

4. Able to demonstrate that employees are trained in applying the standard procedure to inform purpose(s) and obtain consent when collecting personal data
   • Observations/Findings: To be added
   • Test Result: <Pass / Partially Pass / Fail / NA>

Impact / Compliance Risk

• Non-compliance with Part IV, Division 1, Clause 13

After this seminar …

Phase 1: Perform PDPA Impact Assessment (Immediate; 1 – 2 months)
Phase 2: Develop PDPA policies, processes and procedures (1 – 2 months)
Phase 3: Implement PDPA programme (3 – 6 months)

QUESTION & ANSWER SESSION

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/my/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000 professionals, all committed to becoming the standard of excellence.

About Deloitte Southeast Asia

Deloitte Southeast Asia Ltd—a member firm of Deloitte Touche Tohmatsu Limited comprising Deloitte practices operating in Brunei, Guam, Indonesia, Malaysia, Philippines, Singapore, Thailand and Vietnam—was established to deliver measurable value to the particular demands of increasingly intra-regional and fast growing companies and enterprises.

Comprising over 250 partners and 6,000 professionals in 23 office locations, the subsidiaries and affiliates of Deloitte Southeast Asia Ltd combine their technical expertise and deep industry knowledge to deliver consistent high quality services to companies in the region.

All services are provided through the individual country practices, their subsidiaries and affiliates which are separate and independent legal entities.

About Deloitte Malaysia

In Malaysia, services are provided by Deloitte Enterprise Risk Services Sdn Bhd and its affiliates.