PERSONAL DATA PROTECTION ACT 2010 – Is it relevant to me?
The Personal Data Protection Act 2010 (“PDPA”) came into force on 15 November 2013. The purpose of the PDPA is to regulate the processing of personal data with regard to commercial transactions.
This means that the PDPA applies to any person who collects and processes personal data in connection with any commercial transaction.
The common misconception that businesses have is that “the PDPA does not apply to me because I do not buy or sell personal data”. This is a dangerous position to take because the PDPA governs all forms of data processing, not merely buying and selling. Moreover, the penalty for non-compliance is a fine of between RM100,000 and RM500,000 and/or imprisonment of between 1 and 3 years, so being ill-prepared for the implementation of the PDPA is extremely risky for all businesses.
If you are a business owner or are involved at the management level of any organisation, here are some of the questions you should ask:
(a) Does my business collect or use personal data of its customers, suppliers or vendors?
(b) Does my business have any employees?
(c) Does my business engage any contractors or sub-contractors, agents or representatives?
If you answered “yes” to any of the above questions, you should pay attention to the paragraphs below, because your business will almost certainly fall within the ambit of the PDPA.
“Personal Data” is defined as information that relates directly or indirectly to a person, who is identified or identifiable from that information, including any sensitive personal data and any expression of opinion about that person. Such information can include a person’s name, NRIC number, date of birth or mobile number. It is clear from the PDPA’s definition that the ambit of “personal data” is very wide.
“Sensitive Personal Data” is, however, defined more narrowly, and is confined to a person’s physical or mental health, his political opinions, his religious beliefs and the commission or alleged commission by him of any offence.
The act of “processing” under the PDPA means collecting, recording, holding or storing personal data, or carrying out any operation on the personal data, including organising, adapting, altering, retrieving, consulting, using, disclosing, making available, aligning, combining, correcting, erasing or destroying personal data. By virtue of this definition, the PDPA essentially encompasses any handling of personal data.
Nevertheless, the PDPA limits its application to the processing of personal data in respect of “commercial transactions”, which means any transaction of a commercial nature, whether contractual or not, including any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.
The PDPA lays down 7 principles for businesses to abide by in their processing of personal data. These principles are:
(a) The general principle (obtaining consent from the data subject);
(b) The notice and choice principle;
(c) The disclosure principle;
(d) The retention principle;
(e) The security principle;
(f) The access principle; and
(g) The data integrity principle.
Breaching any one of these 7 principles carries a maximum penalty of RM300,000 and/or 2 years imprisonment.
The Department of Personal Data Protection has further listed 11 industries that are required to be registered with the Department. It is important to note that registration with the Department does NOT exempt a company or business from complying with the 7 principles of data protection.
Here are a few basic rules you can implement in your business to take steps towards PDPA compliance:
(a) Only collect personal data with consent;
(b) Do not ask for irrelevant / unnecessary information;
(c) Put in place measures to protect personal data;
(d) Do not keep personal data any longer than necessary; and
(e) All notices issued concerning personal data must be in English and Malay.
Whilst the Department of Personal Data Protection presently appears to be lenient in its enforcement of the PDPA requirements, this does not mean that businesses can continue to be ignorant of what the law requires. Businesses need to genuinely assess how they handle personal data, and begin to integrate appropriate data protection systems and policies into their practices before enforcement officers come knocking at their doors.