Professor Abu Bakar Munir
Malaysia is the first country in ASEAN to have a law governing the processing of personal information. The Personal Data Protection Act (PDPA), passed in June 2010, is expected to come into force soon, this year. The PDPA sets out principles of good information handling practice that must be followed whenever personal data is processed for commercial purposes. The law applies only if the data or information processed is ‘personal data’, that is, data or information that relates directly or indirectly to an individual.
At the heart of the Act are the seven data protection principles, which must be observed by companies when processing personal data of their customers, staff members, etc. Non-compliance with any of these principles is a criminal offence. One of the most important prohibitions is the processing of personal data without the consent of the individual. In addition, the information must be used only for the purposes for which it was collected, and it should be adequate for the purpose and not excessive.
The PDPA has created several new criminal offences. These include offences for contravening the data protection principles, processing data without a certificate of registration, selling personal data, etc. It must be noted that the Act allows an officer of a company to be charged severally or jointly with the body corporate. If the body corporate is found to have committed the offence, the officer of the company shall be deemed to have committed the offence unless he can prove that the offence was committed without his knowledge, consent or connivance and that he had taken all reasonable precautions and exercised due diligence to prevent the commission of the crime.
When the enforcement date of the Act is fixed, all organizations in Malaysia are required to comply with the Act within a grace period of three months. This is indisputably too short a time to work towards compliance. Failing to comply with the Act would render these organizations liable to criminal penalties. The Act, however, was passed more than eighteen months ago. How many are aware of the existence of the Act? How many have made efforts to comply with it? To ‘wait and see’ is not a wise approach. Time is running out. The enforcement date will be announced very soon. Would business be as usual?