THE PERSONAL DATA PROTECTION ACT 2010: ISSUES & IMPLICATIONS
FIDE Forum – Breakfast Talk, 11 April 2013
Adlin Abdul Majid
Transcript of the slides.
Content
• Introduction
• The 7 Principles
• Compliance
Joining the global privacy & data protection community
Introduction
Written / Oral

Data subject
• Individual who is the subject of personal data

Data user
• Person who (alone or jointly or in common with other persons) processes personal data, OR has control over, OR authorises the processing of personal data
• Does not include a data processor

Data processor
• Person (other than the data user’s employee) who processes personal data solely on behalf of the data user
• Does not process for own purpose
Personal data
Any information in respect of commercial transactions:
• that relates directly or indirectly to a data subject
• who is identified or identifiable from that information, or from that & other information in the possession of a data user
• includes any sensitive personal data & expression of opinion about the data subject
May be in any form, so long as a data subject can be “identified” / “identifiable” (eg. name, NRIC no, phone no, photograph, e-mail address, fingerprint, DNA)
Sensitive personal data
• Any personal data consisting of information as to:
  • the physical or mental health or condition of a data subject;
  • his political opinions;
  • his religious beliefs or other beliefs of a similar nature;
  • the commission or alleged commission by him of any offence; or
  • any other personal data determined by the Minister
• Can only be processed under specific circumstances set out in the PDPA (including explicit consent by the data subject)
Commercial transactions
• Any transaction of a commercial nature, whether contractual or not
• Includes matters relating to:
  • Supply or exchange of goods or services;
  • Agency;
  • Investments;
  • Financing;
  • Banking; &
  • Insurance
• Does not include a credit reporting business
Commercial transactions under the Personal Information Protection & Electronic Documents Act (PIPEDA)

Case | Facts | Commercial transaction?
PIPEDA Case Summary #342 | Collection of personal data of tenants by landlords | Yes
PIPEDA Case Summary #309 | Collection of information of a child in a daycare organisation | Yes
PIPEDA Case Summary #345 | Collection of information by a private school | No, look at the core activity of the school’s services
Rodgers v. Calvert, 2004 ON SC (CanLII) | Collection of personal information in a membership list, which charged membership fees | No, charging a fee for membership does not mean it is for a commercial transaction
PIPEDA Case Summary #2009-008 | Collection of personal information by a social networking site | Yes, the personal data is used for the success of the website
Principles of data protection
For data to be processed lawfully in Malaysia, a data user shall comply with the following principles:
1. General Principle
2. Notice & Choice Principle
3. Disclosure Principle
4. Security Principle
5. Retention Principle
6. Data Integrity Principle
7. Access Principle
General Principle
• A data user shall not process personal data about a data subject UNLESS the data subject has given his consent to the processing of the personal data
• Personal data shall not be processed UNLESS:
  • For a lawful purpose directly related to an activity of the data user
  • Necessary for or directly related to that purpose
  • Adequate but not excessive in relation to that purpose
What do you need consent for?

Exemptions to consent
No. | Exemption | Example
(a) | For the performance of a contract to which the data subject is a party | Employment contracts
(b) | For the taking of steps at the request of the data subject with a view to entering into a contract | Before the sale & purchase of a car, the information requested by the salesman in order to execute the contract
(c) | For compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract | When an organisation is under a duty pursuant to eg. tax laws, to provide information of its employees to authorities
(d) | In order to protect the vital interests of the data subject | In a situation where a person is unconscious & needs medical treatment to save his life
(e) | For the administration of justice | For the enforcement of a court order
(f) | For the exercise of any functions conferred on any person by or under any law | If an organisation is tasked to perform a service by a law
Sensitive personal data may only be processed if…
Notice & Choice Principle
• A data user shall provide a written notice to the data subject. To include:
  • That personal data of the data subject is being processed by or on behalf of the data user
  • A description of the personal data
  • The purpose for which it is collected & further processed
  • The class of 3rd parties to whom the data user discloses / may disclose the personal data
  • Whether it is obligatory for the data subject to provide the personal data
• Must be given as soon as practicable
• In the national language & English
Channels of serving notice
• Application forms
• Terms & conditions
• RFQs / RFPs
• Agreements
• Letters of employment
• Salary slips
• E-mails
Disclosure Principle
Personal data shall not, without the consent of the data subject, be disclosed:
• For any purpose other than the purpose disclosed at the time of collection, or a related purpose; or
• To any party other than 3rd parties of the class stated in the notice
Disclosure to third parties (diagram)
Within Malaysia, personal data is shown going from the data user to related companies / affiliates / consultants, data processors and authorities. Points marked on the diagram:
(1) Notification of disclosure to 3rd parties
(2) Data processors’ compliance with PDPA
Overseas: notification of transfer out of Malaysia
Security Principle
• A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction
• If processing is carried out by a data processor on behalf of the data user, the data user shall ensure that the data processor:
  • provides sufficient guarantees in respect of the technical & organisational security measures governing the processing
  • takes reasonable steps to ensure compliance with those measures

What is “adequate”?
Retention Principle
• The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose
• No fixed time limit, but once it is no longer required for its initial purpose, it must be destroyed
Data Integrity Principle
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading & kept up-to-date, having regard to the purpose, including any directly related purpose, for which the personal data was collected & further processed
Access Principle
• A data subject shall be given access to his personal data held by a data user
• He shall be able to correct that personal data where it is inaccurate, incomplete, misleading or not up-to-date
• EXCEPT where compliance with a request for such access or correction is refused under the PDPA
Other key provisions

Rights of data subject
• Right to access personal data
• Right to correct personal data
• Right to withdraw consent
• Right to prevent processing likely to cause damage or distress
• Right to prevent processing for the purpose of direct marketing

Data user registration

Data user forum
Why is compliance important?

Offence | Liability
Contravention of the personal data protection principles | RM300,000 or imprisonment of 2 years or both
Failure to register as a data user for a specified class of data users | RM500,000 or imprisonment of 3 years or both
Data user continues to process personal data after the registration is revoked | RM500,000 or imprisonment of 3 years or both
Processing of sensitive personal data in contravention of s40 | RM200,000 or imprisonment of 2 years or both
Failure to comply with the Commissioner's requirement to cease processing of personal data likely to cause damage or distress | RM200,000 or imprisonment of 2 years or both
Unlawful collection or disclosure of personal data | RM500,000 or imprisonment of 3 years or both
Transfer of personal data overseas | RM300,000 or imprisonment of 2 years or both
Compliance
Top-down approach
• Analysis of the status quo & existing gaps
• Solutions should address the gaps by complying with the legal requirements in an effective manner
Compliance

Prevent
• Risk assessment & regular re-assessment
• Policies
• Guidelines
• Training

Detect
• Monitoring
• Compliance audit
• Concern / incident reporting

Respond
• Internal investigations
• Dealings with authorities
• Employment-related consequences
Compliance: Privacy Impact Assessment
Look out for:
• Description of personal data
• How personal data is collected
• Was consent sought? How?
• Purpose of processing
• How personal data is kept – security?
• Procedures to ensure accuracy? Access?
• Retention period? Is personal data destroyed?
• Disclosure / transfer
Compliance

Type of document | Description
Type A: Policies & Procedures | 1. Internal Data Protection Policy; 2. External Data Protection Policy
Type B: Agreements | 1. Guide to amend agreements; 2. Amended agreements; 3. Supplementary agreement
Type C: Notices | 1. Recruitment; 2. Employment; 3. Customers; 4. Vendors
Compliance: Policies

Compliance: Documents
• Application forms
• Terms & conditions
• Contracts of employment
• Employee handbooks
• Service agreements
• Notices
Remember:
Transitional provision
Where a data user has collected personal data from the data subject or any third party before the date of coming into operation of the PDPA, he shall comply with the provisions of the PDPA within 3 months from the date of coming into operation of the PDPA

Thank you
Adlin Abdul Majid ([email protected])
Lyssa Loh ([email protected])