January 25, 2012

PERSONAL DATA PROTECTION ACT 2010: BUSINESS AS USUAL?

Professor Abu Bakar Munir

Malaysia is the first country in ASEAN to have a law governing the processing of personal information. The Personal Data Protection Act (PDPA), passed in June 2010, is expected to come into force this year. The PDPA sets out principles of good information-handling practice that must be followed whenever personal data is processed for commercial purposes. The law applies only if the data or information processed is 'personal data', that is, data or information that relates directly or indirectly to an individual.

At the heart of the Act are the seven data protection principles, which must be observed by companies whenever they process the personal data of their customers, staff members and others. Non-compliance with any of these principles is a criminal offence. One of the most important prohibitions is on processing personal data without the consent of the individual. In addition, the information must be used only for the purposes for which it was collected, and it must be adequate for that purpose and not excessive.

Companies are also required to have privacy policy statements, and they are not allowed to disclose information for any other purpose, or to a third party, without the consent of the individual. Companies must take practical steps to protect personal data from loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. Personal data collected may be processed only for the specified purpose, and once that purpose has been achieved, the data user shall not keep the personal data any longer. It is the responsibility of the company to destroy or permanently delete the personal data. An obligation is also imposed on companies to take reasonable steps to ensure that personal data is accurate, complete, not misleading and kept up to date. More importantly, individuals are given the right of access to their data kept by companies. The other rights are: to correct the personal data, to withdraw consent, to prevent processing likely to cause damage or distress, and to prevent processing for the purposes of direct marketing.

The PDPA creates several new criminal offences. These include offences for contravening the data protection principles, processing data without a certificate of registration, selling personal data, and others. It must be noted that the Act allows an officer of a company to be charged severally or jointly with the body corporate. If the body corporate is found to have committed an offence, the officer of the company is deemed to have committed the offence as well, unless he can prove that the offence was committed without his knowledge, consent or connivance and that he took all reasonable precautions and exercised due diligence to prevent its commission.

When the enforcement date of the Act is fixed, all organisations in Malaysia will be required to comply with the Act within a grace period of three months. This is indisputably too short a time in which to work towards compliance. Failing to comply with the Act would render these organisations liable to criminal penalties. The Act, however, was passed more than eighteen months ago. How many are aware of its existence? How many have made efforts to comply with it? To 'wait and see' is not a wise approach. Time is running out. The enforcement date will be announced very soon. Will it be business as usual?

2 comments:

  1. Greetings, Prof. Could you elaborate a little on section 45 of the Act, regarding the exemptions? What form of investigation is meant there? Does it refer only to the police, or only to certain parties who are permitted to conduct investigations?
