What is PDPA? Are you compliant?



The Personal Data Protection Act 2010 [Act 709] ("the Act") was gazetted in June 2010 and came into force on 15 November 2013. The objective of the Act is to protect the personal data of individuals in respect of commercial transactions.

The Act was introduced as one of the measures to address the serious and growing problem of personal data leakage in Malaysia.

Under the Act:

"personal data" means any information in respect of commercial transactions that relates directly or indirectly to a data subject who is identified or identifiable from that information, or from that information together with other information in the possession of the data user, and includes any sensitive personal data and any expression of opinion about the data subject.

"data user" means a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor.

"data subject" means an individual who is the subject of the personal data.

"commercial transactions" means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.

The Act requires data users in certain prescribed classes to register with the Commissioner established under the Act and to obtain a certificate of registration. These classes include data users in the communications, banking and financial, insurance, health, tourism and hospitality, transportation, education, direct selling, real estate, utilities and services sectors. A data user who fails to register commits an offence and is liable to a fine not exceeding RM300,000, imprisonment for a term not exceeding three years, or both. Note that the Act does not apply to the Federal and State Governments, nor to personal data processed outside Malaysia unless that personal data is intended to be further processed in Malaysia.

The Act sets out seven Personal Data Protection Principles which must be complied with when processing personal data, namely:

1. General Principle

  • The General Principle prohibits a data user from processing a data subject's personal data without the data subject's consent, subject to the limited exceptions in the Act (for example, where the processing is necessary for the performance of a contract with the data subject or to comply with a legal obligation of the data user). The personal data may be processed only for a lawful purpose directly related to an activity of the data user, and the processing must be necessary for, and not excessive in relation to, that purpose.

2. Notice and Choice Principle

The Act requires a data user to inform a data subject, by written notice in both the national language and English, of the following:

  • That personal data of the data subject is being processed by or on behalf of the data user, and a description of that data.

  • The purposes for which the personal data is being processed.

  • Any information available to the data user as to the source of that personal data.

  • The data subject’s right to request access to and correction of the personal data and contact particulars of the data user in the event of any inquiries or complaints.

  • The class of third parties to whom the data is or may be disclosed.

  • The choices and means offered to a data subject to limit the processing of the data.

3. Disclosure Principle

  • The Disclosure Principle prohibits disclosure of personal data without the data subject's consent for any purpose other than the purpose for which the data was disclosed at the time of collection, or a purpose directly related to it, and to any party other than a third party of the class notified to the data subject under the Notice and Choice Principle.

4. Security Principle

  • The Security Principle obliges the data user to take practical steps to protect the personal data during its processing from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. In deciding what is practical, the data user must have regard to the nature of the data and the harm that would result from a breach, where the data is stored, the security measures built into the equipment used, the reliability, integrity and competence of the personnel who have access to the data, and the measures taken for its secure transfer. Where processing is carried out by a data processor on the data user's behalf, the data user must ensure that the processor provides sufficient guarantees in respect of these security measures and takes reasonable steps to ensure they are complied with.

5. Retention Principle

  • The Retention Principle requires the data user to ensure that personal data is not kept longer than is necessary for the fulfilment of the purpose for which it was processed, and to take all reasonable steps to destroy or permanently delete the data once that purpose is served.

6. Data Integrity Principle

  • The Data Integrity Principle requires the data user to take reasonable steps to ensure that the personal data being processed is accurate, complete, not misleading and kept up to date, having regard to the purpose for which it was collected and is further processed.

7. Access Principle

  • The Access Principle, the last of the seven, requires the data user to give a data subject access to their personal data and the opportunity to correct it where it is inaccurate, incomplete, misleading or out of date.


A data user who contravenes any of these seven principles commits an offence and is liable to a fine not exceeding RM300,000, imprisonment for a term not exceeding two years, or both.

With this law in force, data users carry a significantly greater responsibility to secure personal data in the manner set out by the Act, and non-compliance attracts the penalties described above. Data subjects, in turn, now have a statutory basis to expect that their personal data will be handled in accordance with these principles and not misused by the data user.
