FINALLY. After years of waiting, the Malaysian Personal Data Protection (PDP) Bill has been passed by the Dewan Rakyat on 5 April 2010.
It marks the end of waiting, and starts a new chapter in personal data protection for Malaysia, which is the first nation to have such law in ASEAN countries.
Of course, I would not miss the opportunity to witness the debates in Parliament when the PDP Bill was tabled for reading. Sharp at 5.00pm on 5 April 2010, the Minister (Dato’ Seri Utama Dr. Rais Yatim) introduced the Bill for second reading. The debate took about 2 1/2 hours and ended at 7.32pm.
As the Minsiter said, the is not a contoversial Bill. This is evidenced that MP's from the government and opposition side have supported the fact that we need such law. In fact, this tabling of such law is long overdue, as pointed out by Datuk Bung Moktar bin Radin (MP for Kinabatangan).
Many MP's took part in the debate relate to their personal experiences (pengalaman peribadi) on the issue on personal data protection. Puan Hajah Nancy binti Haji Shukri (MP for Batang Sadong) received unsolicited calls and sms inviting her to invest on illegal schemes. Datuk Abd. Rahman Dahlan (MP for Kota Belud) said that when he went to a bank to collect his cheque book, he was asked why he has not invested in the investment instruments offered by the bank. The bank officer informed him that YB has money in the account and wanted him to invest in the instruments. Prof. Dr. P. Ramasamy (MP for Batu Kawan) was asked why he has not taken a loan by a bank officer. When questioned, the officer informed him that they have the data.
Undeniably, the data users (like banks, insurance companies, telcos etc) have personal data. The real question is how they deal with the personal data. This is the crux of the PDP law.
MP's from the opposition raised issues regarding the applicability of the PDP law. One of the issue raised was why the PDP law does not apply to Federal Government and State Governments. In my opinion, that is a valid question and it should be discussed even though such law has been passed. If we agree that such law in important, why shouldn't it apply to Government as well?
The answer provided by the Minister was that the law is meant for data protection in "commercial transactions", and the Government does not process personal data of such nature. With due respect, this may not be entire accurate. Federal Government and State Governments do have links with business community, such as banks. Give an example, if one uses MyKad as ATM as well, the accounts information stored in MyKad is not commercial in nature?
Moving forward, we hope that the Government would establish relavant mechanism or procedure which is consistent with the Data Protection Principles in their departments/ agencies.
Another issue raised by Fong Po Kuan (MP for Batu Gajah) was in relation to Retention Period. She viewed that the law should expressly state the Retention Period, which the data could be retained and thereafter the data user must destroy the data. It is opined that such fixed retention period is not possible as the reasonable Retention Period relates to the specific circumstances. For example, the retention period for CCTV recording in retail shop would be different from the Telco's record on telephone calls/ sms by individuals. If there is no crime happened, the recording should be deleted within days by business operator, whereas Telco would retain the telephone/ sms records for at least a month for billing purpose. Take another example, students' results in universities. Understandbly, the record would be kept for years before it is deleted. Would it be possible to fix a time frame for retention for all circumstances? The answer is clearly, no.
Sitting in the Parliament, it is interesting to see how MP's took on CTOS as the bashing ground when debating the PDP Bill. Of course, one of the reason that raised public awareness on PDP law is the occurance of CTOS Saga in 2007. But it should be noted that the Government has drafted a specific law - Credit Reference Agencies Bill 2009 to deal with CRA's like CTOS. If the CRA Bill is passed, CTOS would be governed under such law.
After the Bill is passed, it is now implementation time! The task will be put on the shoulder of the Data Protection Commissioner. Effective implementation would ensure the success of the PDP Act.
Overall, it is great that PDP Bill is passed by the Parliament, albeit with some shortcomings. This is not a perfect Bill, but it is definately a Giant leap forward in the legal framework for protecting personal data in Malaysia.
Finally, we have it now - the Malaysian Personal Data Protection Act.
Teh Tai YongApril 2010
[Note: The Bill was passed unamended. Click the link to read the full text of the PDP Bill http://www.parlimen.gov.my/billindexbi/pdf/DR352009E.pdf ]