Page 1: THE PERSONAL DATA PROTECTION ACT 2010: ISSUES & IMPLICATIONS FIDE Forum – Breakfast Talk

THE PERSONAL DATA PROTECTION ACT 2010: ISSUES & IMPLICATIONS

FIDE Forum – Breakfast Talk 11 April 2013

Adlin Abdul Majid

Page 2

Content

• Introduction

• The 7 Principles

• Compliance

Page 3

Page 4

Joining the global privacy & data protection community

Page 5

Introduction

Written / Oral

Page 6

Introduction

Page 7

Introduction

data subject

• Individual who is the subject of personal data

data user

• Person who (alone or jointly or in common with other persons) processes personal data OR has control over OR authorises processing of personal data

• Does not include data processor

data processor

• Person (other than data user’s employee) who processes personal data solely on behalf of data user

• Does not process for own purpose

Page 8

Introduction

personal data

Any information in respect of commercial transactions:

• that relates directly or indirectly to a data subject

• who is identified or identifiable from that information or from that & other information in the possession of a data user

• includes any sensitive personal data & expression of opinion about the data subject

May be in any form, so long as a data subject can be “identified” / “identifiable” (eg. name, NRIC no, phone no, photograph, e-mail address, fingerprint, DNA)

Page 9

Introduction

sensitive personal data

• Any personal data consisting of information as to:

• the physical or mental health or condition of a data subject;

• his political opinions;

• his religious beliefs or other beliefs of a similar nature;

• the commission or alleged commission by him of any offence; or

• any other personal data determined by the Minister

• Can only be processed under specific circumstances set out in PDPA (including explicit consent by data subject)

Page 10

Introduction

Page 11

Introduction

commercial transactions

• Any transaction of a commercial nature, whether contractual or not

• Includes matters relating to:

• Supply or exchange of goods or services;

• Agency;

• Investments;

• Financing;

• Banking; &

• Insurance

• Does not include a credit reporting business

Page 13

Introduction

commercial transactions

Case | Facts | Commercial transaction?

PIPEDA Case Summary #342 | Collection of personal data of tenants by landlords | Yes

PIPEDA Case Summary #309 | Collection of information of a child in a daycare organisation | Yes

PIPEDA Case Summary #345 | Collection of information by a private school | No, look at the core activity of the school’s services

Rodgers v. Calvert, 2004 ON SC (CanLII) | Collection of personal information in a membership list, which charged membership fees | No, charging a fee for membership does not mean it is for a commercial transaction

PIPEDA Case Summary #2009-008 | Collection of personal information by a social networking site | Yes, the personal data is used for the success of the website.

Page 14

Content

• Introduction

• The 7 Principles

• Compliance

Page 15

Principles of data protection

For data to be processed lawfully in Malaysia, a data user shall comply with the following principles:

1. General Principle

2. Notice & Choice Principle

3. Disclosure Principle

4. Security Principle

5. Retention Principle

6. Data Integrity Principle

7. Access Principle

Page 16

Principles of data protection

* Notice & Choice Principle

* Disclosure Principle

* Access Principle

Page 17

Principles of data protection

General Principle

• Data user shall not process personal data about a data subject UNLESS the data subject has given his consent to the processing of the personal data

• Personal data shall not be processed UNLESS:

• For a lawful purpose directly related to an activity of the data user

• Necessary for or directly related to that purpose

• Adequate but not excessive in relation to that purpose

Page 18

What do you need consent for?

Page 19

Exemptions to consent

No | Exemption | Example

(a) | For the performance of a contract to which the data subject is a party | Employment contracts

(b) | For the taking of steps at the request of the data subject with a view to entering into a contract | Before the sale & purchase of a car, the information requested by the salesman in order to execute the contract

(c) | For compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract | When an organisation is under a duty pursuant to eg. tax laws, to provide information of its employees to authorities

(d) | In order to protect the vital interests of the data subject | In a situation where a person is unconscious & needs medical treatment to save his life

(e) | For the administration of justice | For the enforcement of a court order

(f) | For the exercise of any functions conferred on any person by or under any law | If an organisation is tasked to perform a service by a law

Page 20

Sensitive personal data may only be processed if…

Page 21

Principles of data protection

Notice & Choice Principle

• Data user shall provide a written notice to the data subject. To include:

• That personal data of the data subject is being processed by or on behalf of the data user

• Description of the personal data

• Purpose for which it is collected & further processed

• Class of 3rd parties to whom the data user discloses / may disclose the personal data

• Whether it is obligatory for the data subject to provide the personal data

• Must be given as soon as practicable

• In the national language & English

Page 22

Channels of serving notice

• Application forms

• Terms & conditions

• RFQs / RFPs

• Agreements

• Letters of employment

• Salary slips

• E-mails

Page 23

Principles of data protection

Disclosure Principle

Personal data shall not, without the consent of the data subject, be disclosed:

• For any purpose other than the purpose disclosed at the time of collection or a related purpose; or

• To any party other than 3rd parties of the class stated in the notice

Page 24

Disclosure to third parties

[Diagram: personal data flows from the data user in Malaysia to related companies / affiliates / consultants, data processors and authorities]

(1) Notification of disclosure to 3rd parties

(2) Data processors’ compliance with PDPA

Page 25

Disclosure to third parties

[Diagram: personal data flows from the data user in Malaysia to related companies / affiliates / consultants, data processors and authorities, and also to recipients overseas]

(1) Notification of disclosure to 3rd parties

(2) Data processors’ compliance with PDPA

Overseas: notification of transfer out of Malaysia

Page 26

Principles of data protection

Security Principle

• A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction

• If processing is carried out by a data processor on behalf of the data user, the data user shall ensure that the data processor:

• provides sufficient guarantees in respect of the technical & organisational security measures governing the processing

• takes reasonable steps to ensure compliance with those measures

Page 27

What is “adequate”?

Page 28

Principles of data protection

Retention Principle

• The personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of that purpose

• No fixed time limit, but once the data is no longer required for its initial purpose, it must be destroyed

Page 29

Principles of data protection

Data Integrity Principle

A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading & kept up-to-date, having regard to the purpose, including any directly related purpose, for which the personal data was collected & further processed

Page 30

Principles of data protection

Access Principle

• A data subject shall be given access to his personal data held by a data user

• He shall be able to correct that personal data where it is inaccurate, incomplete, misleading or not up-to-date

• EXCEPT where compliance with a request for such access or correction is refused under PDPA

Page 31

Other key provisions

Rights of data subject

• Right to access personal data

• Right to correct personal data

• Right to withdraw consent

• Right to prevent processing likely to cause damage or distress

• Right to prevent processing for the purpose of direct marketing

Page 32

Other key provisions

Data user registration

Data user forum

Page 33

Content

• Introduction

• The 7 Principles

• Compliance

Page 34

Page 35

Page 36

Why is compliance important?

Page 37

Why is compliance important?

Offence | Liability

Contravention of the personal data protection principles | RM300,000 or imprisonment of 2 years or both

Failure to register as data user for specified class of data users | RM500,000 or imprisonment of 3 years or both

Data users continue to process personal data after the registration is revoked | RM500,000 or imprisonment of 3 years or both

Processing of sensitive personal data in contravention with s40 | RM200,000 or imprisonment of 2 years or both

Failure to comply with the Commissioner's requirements to cease processing of personal data likely to cause damage or distress | RM200,000 or imprisonment of 2 years or both

Unlawful collection or disclosure of personal data | RM500,000 or imprisonment of 3 years or both

Transfer of personal data overseas | RM300,000 or imprisonment of 2 years or both

Page 38

Compliance

Top-down approach

Analysis of status quo & existing gaps

Solutions should address gaps by complying with legal requirements in an effective manner

Page 39

Compliance

Prevent

• Risk assessment & regular re-assessment

• Policies

• Guidelines

• Training

Detect

• Monitoring

• Compliance Audit

• Concern / incident reporting

Respond

• Internal Investigations

• Dealings with authorities

• Employment related consequences

Page 40

Compliance

Privacy Impact Assessment

Page 41

Compliance

Privacy Impact Assessment

LOOK OUT FOR:

Description of personal data

How personal data is collected

Was consent sought? How?

Purpose of processing

How personal data is kept – security?

Procedures to ensure accuracy? Access?

Retention period? Is personal data destroyed?

Disclosure / transfer

Page 42

Compliance

Types of Documents | Description

Type A: Policies & Procedures | 1. Internal Data Protection Policy; 2. External Data Protection Policy

Type B: Agreements | 1. Guide to amend agreements; 2. Amended agreements; 3. Supplementary agreement

Type C: Notices | 1. Recruitment; 2. Employment; 3. Customers; 4. Vendors

Page 43

Compliance: Policies

Page 44

Compliance: Documents

Notices

• Application forms

• Terms & conditions

• Contracts of employment

• Employee handbooks

• Service agreements

Page 45

Remember:

Transitional provision

Where a data user has collected personal data from the data subject or any third party before the date of coming into operation of PDPA, he shall comply with the provisions of PDPA within 3 months from the date of coming into operation of PDPA