Manique Cooray
MMU, Malacca
Lecture 5
Data Protection (for the exam you only need to know the interpretation section, the rights and the principles.)
S. 4 (interpretation), ss. 5-12 (principles), and the rights in ss. 30-43. Only these are needed, but the principles must be understood, not just memorised.
You will be given a scenario, e.g. a National Registration situation where only 15% of the citizens gave consent and the rest refused. You must address the principles: the data must be kept secure, etc.
Mr. X gave his information but did not give consent, and wants to know how to proceed with an action against National Registration. He is a data subject, and as a data subject the PDPA gives him rights. Apply the correct rights.
Sometimes a scenario is given and you are asked who is the data subject, who is the data user and who is the data processor. Answer from the S. 4 interpretation: the citizens are the data subjects; National Registration, which collects the data and decides the purpose of the processing, is the data user; anyone who processes the data solely on its behalf is a data processor.
Data protection can also be linked to privacy in essay questions, e.g. the relationship between data protection and privacy.
Data protection is about information about people: names, addresses, birthdays, etc. If this information is misused, if a MyKad is lost, or if information is entered wrongly, can an action be brought? That is what data protection is all about. The key people involved in processing this information are the data user, the data subject and the data processor. What do they process? Personal data; there is also sensitive personal data. The Act is split into four parts, of which only the first, the Personal Data Protection Principles, is tested (the other three are not). The data subject's position is split into two: rights and principles. Know what rights a data subject has and what the principles are; there is a difference between rights and principles.
What is Data Protection?
Data: Information
It is often viewed as a technical term relating to specific information management
practices.
Such information includes individuals' names, addresses, telephone numbers and
birth details, i.e. private details.
Therefore data protection must also be considered in relation to the law of
privacy.
The Personal Data Protection Act 2010: Date of Enforcement: 15 November 2013
Rationale for the Act
Regulate the processing of personal data in commercial transactions and to
provide for matters connected therewith and incidental thereto.
Objectives
To regulate the processing of personal data in the context of commercial
transactions by data users, and to provide a safeguard for the interests of data
subjects.
New legal rights and obligations in connection with the employer-employee
relationship, mergers and acquisition transactions involving personnel issues and
the discharge of certain professional services, among others.
Individuals will have rights including being informed about their personal data as
well as the right to access, correct and also control the processing of their personal
data by other parties.
Specific rights relating to the processing of personal data for direct marketing
purposes.
Notice and Choice Principle section 7: Data users are required to notify the data
subjects regarding the purpose for which the data is collected and about the right
to request access and correction of the personal data;
Security Principle section 9: A data user shall take practical steps to protect the
personal data from any loss, misuse, modification, unauthorised or accidental
access or disclosure, alteration or destruction
Security breach notification regulations, where they exist, impose an obligation on data users to notify the data subjects and the data protection authority when personal data has been compromised.
The PDPA is currently silent on security breach notification obligations.
The security principle merely obliges the data user to take "practical steps" to protect the personal data. This leaves a relatively high degree of subjectivity in determining the appropriate level of security.
Where processing is carried out by a data processor on the data user's behalf, s. 9(2) places a more onerous obligation on the data user: it must ensure that the data processor provides sufficient guarantees in respect of the technical and organisational security measures governing the processing, and takes reasonable steps to ensure compliance with those measures.
It is expected that security breach regulations will be introduced quickly.
Retention Principle: Section 10. The personal data processed for any purpose shall
not be kept longer than is necessary for the fulfilment of the purpose to which it
was obtained for.
Data Integrity Principle Section 11: A data user shall take reasonable steps to
ensure the accuracy and to maintain the data current for the purpose it was
collected for.
Access Principle Section 12: A data subject shall be given access to his personal data and
shall be able to correct the personal data where the data is inaccurate or
incomplete.
Exceptions:
Section 45
Section 46
Rights of Data Subjects
Right of Access: Section 30
Compliance with data access request: Section 31
Circumstances where data user may refuse to comply with data access request: Section 32
Notification of refusal to comply with data access request: Section 33
Refusal to comply with data access requests
The circumstances in which the data user is entitled to refuse to comply with the
data subject's access request are relatively extensive. These include where access is
regulated by another law. Therefore, information which is subject to existing
confidentiality obligations, and information governed by another law such as
the Banking and Financial Institutions Act 1989 or the (then forthcoming) Whistleblower Protection Act
2010, is unlikely to be subject to data subject access.
Other circumstances where the data user may refuse access include where the
burden or expense of providing access is disproportionate to the risks to the data
subject's privacy, and where providing access would disclose confidential
commercial information.
Limitations
Section 3(1): the Federal and State Governments are excluded from complying with the Act.
Section 3(2): credit reporting or referencing agencies are excluded, as they are separately regulated by
another law.
Section 4 defines "commercial transactions": the Act applies only to personal data processed in respect of them. Personal data processed by an individual only for the purposes of his personal, family or household affairs is exempt from the principles (s. 45(1)).
To qualify as personal data, the data must relate, either directly or indirectly, to
a data subject who can be identified from the data.
Personal information means any data that can identify an individual: name, age,
MyKad details, photo, passport number, and video and images captured via closed-circuit television.
The data must also be capable of being recorded and be capable of automatic or
manual processing.
Sensitive personal data, which requires the explicit consent of the data subject (s. 40), includes
physical or mental health or condition (medical history), religious beliefs, political opinions, and the commission or alleged
commission of any offence.
Miscellaneous provisions
Transfer of PD outside Malaysia
The PDPA (s. 129) specifies that no personal data may be transferred to a place outside Malaysia
unless that place has been specified by the Minister.
Notwithstanding, such transfer may take place if, among others, the data subject
has given consent, the transfer is necessary for the performance of a contract with
the data user, the data user has taken reasonable steps to ensure that the data will
not be processed in a manner which would contravene the PDPA, or the transfer is
necessary to protect the data subject's vital interests.
Conclusion