Showing posts with label Parliament. Show all posts

Wednesday, April 14, 2010

Malaysian Personal Data Protection Act - PDP Act

FINALLY. After years of waiting, the Malaysian Personal Data Protection (PDP) Bill has been passed by the Dewan Rakyat on 5 April 2010.

It marks the end of waiting, and starts a new chapter in personal data protection for Malaysia, which is the first nation among the ASEAN countries to have such a law.

Of course, I would not miss the opportunity to witness the debates in Parliament when the PDP Bill was tabled for reading. Sharp at 5.00pm on 5 April 2010, the Minister (Dato’ Seri Utama Dr. Rais Yatim) introduced the Bill for second reading. The debate took about 2 1/2 hours and ended at 7.32pm.

As the Minister said, this is not a controversial Bill. This is evidenced by the fact that MPs from both the government and opposition sides have supported the need for such a law. In fact, the tabling of such a law is long overdue, as pointed out by Datuk Bung Moktar bin Radin (MP for Kinabatangan).

Many MPs who took part in the debate related their personal experiences (pengalaman peribadi) on the issue of personal data protection. Puan Hajah Nancy binti Haji Shukri (MP for Batang Sadong) received unsolicited calls and SMS messages inviting her to invest in illegal schemes. Datuk Abd. Rahman Dahlan (MP for Kota Belud) said that when he went to a bank to collect his cheque book, he was asked why he had not invested in the investment instruments offered by the bank. The bank officer informed him that YB had money in the account and wanted him to invest in the instruments. Prof. Dr. P. Ramasamy (MP for Batu Kawan) was asked by a bank officer why he had not taken a loan. When questioned, the officer informed him that they had the data.

Undeniably, the data users (like banks, insurance companies, telcos etc) have personal data. The real question is how they deal with the personal data. This is the crux of the PDP law.

MPs from the opposition raised issues regarding the applicability of the PDP law. One of the issues raised was why the PDP law does not apply to the Federal Government and State Governments. In my opinion, that is a valid question and it should be discussed even though the law has been passed. If we agree that such a law is important, why shouldn't it apply to the Government as well?

The answer provided by the Minister was that the law is meant for data protection in "commercial transactions", and the Government does not process personal data of such nature. With due respect, this may not be entirely accurate. The Federal Government and State Governments do have links with the business community, such as banks. To give an example, if one uses MyKad as an ATM card as well, is the account information stored in MyKad not commercial in nature?

Moving forward, we hope that the Government will establish a relevant mechanism or procedure, consistent with the Data Protection Principles, in its departments/agencies.

Another issue, raised by Fong Po Kuan (MP for Batu Gajah), was in relation to the Retention Period. She viewed that the law should expressly state the Retention Period during which the data could be retained, after which the data user must destroy the data. It is opined that such a fixed retention period is not possible, as the reasonable Retention Period relates to the specific circumstances. For example, the retention period for CCTV recordings in a retail shop would be different from a Telco's records of telephone calls/SMS by individuals. If no crime has happened, the recording should be deleted within days by the business operator, whereas a Telco would retain the telephone/SMS records for at least a month for billing purposes. Take another example: students' results in universities. Understandably, the record would be kept for years before it is deleted. Would it be possible to fix a time frame for retention for all circumstances? The answer is clearly no.

Sitting in Parliament, it was interesting to see how MPs used CTOS as the bashing ground when debating the PDP Bill. Of course, one of the reasons that raised public awareness of the PDP law was the occurrence of the CTOS Saga in 2007. But it should be noted that the Government has drafted a specific law, the Credit Reference Agencies Bill 2009, to deal with CRAs like CTOS. If the CRA Bill is passed, CTOS would be governed under that law.

Now that the Bill is passed, it is implementation time! The task will be put on the shoulders of the Data Protection Commissioner. Effective implementation would ensure the success of the PDP Act.

Overall, it is great that the PDP Bill has been passed by Parliament, albeit with some shortcomings. This is not a perfect Bill, but it is definitely a giant leap forward in the legal framework for protecting personal data in Malaysia.

Finally, we have it now - the Malaysian Personal Data Protection Act.



Teh Tai Yong 
April 2010 


[Note: The Bill was passed unamended. Click the link to read the full text of the PDP Bill http://www.parlimen.gov.my/billindexbi/pdf/DR352009E.pdf ]

Wednesday, April 7, 2010

The Star: No personal data out without consent

THE House has passed the Personal Data Protection Bill 2009 which seeks to protect personal data from being misused through commercial transactions.

Information, Communications, Culture and Arts Minister Datuk Seri Dr Rais Yatim, in his winding-up speech, said the Bill placed high importance on the protection of sensitive personal data, such as information on a person’s health, physical attributes, mental status and religious preferences.

“A personal data protection commissioner will be appointed and an advisory committee created to advise the commissioner on the enforcement of the Bill.

“It will be their job to monitor the activities of commercial transactors of information, such as the Credit Tip Off Service Sdn Bhd (CTOS), in putting such information in their database.”

Rais said anyone found to have abused the data would face a RM200,000 fine or imprisonment of two years or both.

The minister told reporters later that private database collection agencies would have to strictly comply once the Bill becomes law.

“The Bill is a form of cyber-legislation and Malaysia is the first among Asean countries to introduce such a law.

“It’s modelled after the provisions that were outlined by some European countries in relation to the protection of national security, defence and basic human rights requirements,” he added.

Rais said the new law would ensure that personal data would not be given out except with the consent of their owners.

Saturday, January 9, 2010

MALAYSIAN DATA PROTECTION LAW IS INADEQUATE

By Prof Abu Bakar Munir

Soon, Malaysia will have a comprehensive data protection law governing the processing of personal data. As mentioned elsewhere, the Personal Data Protection Bill (PDP) has been tabled for the first reading in November 2009. The second reading will take place in March 2010. This discussion is based on the assumption that the PDP Bill is passed in its current form.


The European Union (EU) has adopted its 1995 Data Protection Directive (DPD). Article 25 of the DPD provides that the Member States shall provide that the transfer to a third country of personal data may take place only if the third country in question ensures an adequate level of protection. In other words, transfer of personal data from any European country to Malaysia may only take place if there is adequate protection afforded by the PDP Act.

The European Commission has the power to make a decision of adequacy upon consultation with the Article 29 Data Protection Working Party. This Working Party has developed the Working Document: Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive (WP 12). The WP 12 assessment framework consists of two parts: content principles and procedural/enforcement requirements.

Content principles set out minimum requirements for the content of the law governing collection and processing of personal data. There are six content principles that the Malaysian PDP law should have: the purpose limitation principle, the data quality and proportionality principle, the transparency principle, the security principle, the right of access, rectification and opposition, and restrictions on onward transfers. The Malaysian PDP law does contain all these principles.

In assessing adequacy, the Working Party will also consider the scope or reach of the regime. This is divided into: (1) scope with regard to the data controller, (2) scope with regard to the data subject, (3) scope with regard to the means of processing, (4) scope with regard to the purpose of the processing operations, and (5) territorial scope. The Malaysian PDP law may not be able to satisfy scopes (1) and (4). Under the former, the data protection law of a country must apply to all entities and organizations, all data controllers within the jurisdiction: public or private, corporate and individual, actual and potential. Here lies the problem: the Malaysian PDP Act, in section 3, exempts the Federal and State Government from its application. Under the latter, the law is to be applied to all processing of personal data regardless of purpose. Again, the Malaysian PDP Act, in section 2, provides that the Act only applies to the processing of personal data in respect of commercial transactions.

Under the procedural and enforcement requirements, WP 12 states that a system of external supervision in the form of an independent authority is a necessary feature of a data protection compliance system. In other words, there must be an independent supervisory authority to enforce the law. Under the Malaysian PDP Act, the supervisory authority is the Data Protection Commissioner (DPC). He or she will be appointed by and responsible to the Minister. Clearly, the DPC is not an independent authority.

The EU is one of Malaysia’s largest trading partners. The total trade in 2008 alone amounted to USD41.0 billion. Free flow of personal data can further facilitate and stimulate trade and investment. The enactment of the PDP law is the best opportunity for Malaysia to achieve that. This very brief assessment, however, indicates that the PDP Act does not pass the EU’s adequacy requirement test. What is the implication? Transfers of personal data may still take place provided that the originating party takes additional measures to ensure that the data is adequately protected in Malaysia. It is a missed opportunity.

As the adviser to the Government of Malaysia on data protection, it is my duty to ensure that the PDP Law is in line with the international norms and standards, including the standards set by the EU DPD. However, I have been advised that the issues mentioned above are policy matters that could not be changed.
 

Tuesday, December 22, 2009

Data Protection Act offences: new powers for the ICO

By PAULA BARRETT

A new power to issue fines against offenders, first approved by Parliament in 2008, will soon come into force. The latest from the Information Commissioner’s Office is that this will be from April 2010.


The Ministry of Justice is the Government department responsible for the changes and, as many of you will know, it shall have final determination over the exact timescale.

From the commencement date, the ICO will be able to issue what are expected to be “substantial” fines against data controllers (ie businesses and organisations using personal information from their employees, customers or other individuals on their own behalf) without prior warning, for deliberate or reckless breaches of the Data Protection Act (DPA).

The Ministry of Justice published a consultation paper on 9 November proposing that the maximum civil monetary penalty which can be imposed for serious breaches of the data protection principles should be £500,000.

Other details, such as whether the ICO will be allowed to fine individuals (for example directors) as well as the organisations themselves are still to be confirmed.

- Increase in potential monetary penalties: welcomed by many

- Overlap between the ICO and the FSA

- Enhanced sanctions approved by Parliament

- Serving a notice of intent

Read more on the above issue(s) at info4SECURITY.com

Saturday, December 19, 2009

Two Bills withdrawn for next sitting - Malaysia Star


DECEMBER 18, 2009: TWO Bills – the Personal Data Protection Bill and the Credit Reporting Agencies Bill – which were scheduled to be tabled at the Dewan Rakyat have been withdrawn due to time constraints.

They will be tabled at the next sitting scheduled for mid-March next year.

Minister in the Prime Minister’s Department Datuk Seri Nazri Abdul Aziz said the withdrawal would also give MPs more time to study the Bills and prepare for debates.

The Personal Data Protection Bill is aimed at regulating personal data processing in commercial transactions.

The Credit Reporting Agencies Bill, meanwhile, is aimed at providing the mechanism to register and supervise all credit tip-off agencies involved in processing credit information of clients.

Apart from Budget 2010, the other Bills passed by the Dewan Rakyat included the Judges Ethics Committee Bill, Malaysia Deposit Insurance Corporation (Amendment) Bill, Rubber Industry Smallholders Development Authority (Amendment) Bill and the Capital Markets and Services (Amendment) Bill.

The Dewan Rakyat adjourned sine die yesterday after sitting for 36 days.
 
Source: The Star

Bill to address concerns over personal information - Malaysia Star


THE people’s concerns over how their personal data are processed and stored during commercial transactions will be addressed in a new Bill, which was tabled in Parliament.

Once passed, it will prevent such data from falling into the wrong hands and safeguard the rights of individuals.

Users of such data will be required to register themselves under the Personal Data Protection Bill, which will regulate the processing of the personal data of individuals involved in commercial transactions and also to protect such information.

The Bill was tabled by Deputy Information, Communications and Culture Minister Datuk Joseph Salang Gandum.

Under the Act, a Personal Data Protection Commissioner will be appointed and the person will be advised by a Personal Data Advisory Committee.

An appeals tribunal will also be established to allow the people to submit their complaints if they were unhappy with the management of their data.

A register of data user forums and a register of codes of practice will also be established under the Act, where users who failed to comply with a code of practice can be fined up to RM100,000 or jailed for a year, or both.

A heavier penalty awaits data users if they were found to have contravened provisions in the Bill, where they can be fined a maximum of RM200,000 or jailed for two years, or both.

The Bill seeks to prevent the occurrences of people losing their money through credit card fraud, customer-privacy infringements and data theft.
 
Source: The Star

Personal Data Protection Bill Tabled In Parliament - Bernama

KUALA LUMPUR, Nov 19 (Bernama) -- The Personal Data Protection Bill 2009 aimed at protecting public interests with regard to processing of personal data was tabled in the Dewan Rakyat on Wednesday.


In tabling the bill for the first reading, Deputy Information Communication and Culture Minister Datuk Joseph Salang Gandum said the bill consisted of 146 clauses and 11 sections.


The bill, among others, is aimed at regulating personal data processing in commercial transactions by users to protect the owners, and as such, protecting their interest.


According to the bill, as new technology and changes in market trends contributed to the growing importance of knowledge in the global economy, personal data in commercial transactions were becoming a valuable commodity.


This adds pressure in regulating data processing in efforts to enhance consumers' confidence in the global economy, it noted.


The bill provides for the appointment of the personal data protection commissioner and the setting up of an advisory committee to advise the commissioner on the enforcement of the act.


A tribunal will also be set up under the bill to enable offenders to appeal against decisions made by the commissioner.


The second section of the bill spells out provisions on personal data protection.


Among them, Section 5(1) states that personal data processing must adhere to the personal data protection principles, namely the general, notice, choice, due diligence, security, storage, integrity and access principles.


A personal data user faces imprisonment of up to two years or a fine of up to RM300,000 or both, if convicted under the act.


Read more at Bernama.com