
Dr. Manique Cooray
MMU, Malacca
Lecture 5
Data Protection (For exams you only need to know the interpretations, rights and principles.)
S. 4, 5-12, rights from S. 30-43. Only need to know all these. Must understand the principles.
Will be given a situation, e.g. a National Registration situation, where only 15% gave consent
and the rest did not want to give consent. Need to mention the principles, must keep data secure
etc.
Mr. X gave his information and did not give consent; he wants to know how to proceed with
an action against the National Registration. He is the data subject, and as a data subject the PDPA
gives him rights. Apply the correct rights.
Sometimes, given a situation, you will be asked who is the data subject, who is the data user and who
is the data processor in the scenario. Data processor: National Registration. Data subject: the
citizens. All based on the S. 4 interpretation.
Can also be related to privacy in essay questions. Maybe a link between DP and privacy.
About information, information of people: names/addresses/birthdays etc. If this
information is misused, if the MyKad is lost, if information is entered wrongly. If misused,
can one bring an action? This is what Data Protection is all about. The key people involved in
the processing of this information are the data user/data subject/data processor. What do they
process? They process these things called personal data. There is also sensitive personal
data. The Act is split into 4 parts; the first is the personal data principles (the other 3 are not tested). The data
subject topic is to be split into 2: rights and principles. What are the rights a data subject has,
and what are the principles? There is a difference between rights and principles.
What is Data Protection?
Data: Information
It is often viewed as a technical term relating to specific information management
practices.
Such information includes individuals' names, addresses, telephone numbers and
birth details, i.e. private details.
Therefore data protection must also be considered in relation to the law of
privacy.
It is more likely to be considered a fundamental human right and accorded
specific protection under human rights conventions.
Purpose of Data Protection
Those who process information concerning individuals are subject to regulation
and constraint.
As individuals we have rights under data protection laws, i.e. our information is safe.
We can bring an action against people who misuse our personal details.

Examples of Data Protection
At home, receiving letters/bank statements. These are personal items.
In schools, records of parents, names of parents, places of work, name of child,
birthdates.
In an office, each individual will have their own personal records, even medical records.
In a university, financial backgrounds, where parents work.
In hospitals, personal medical records of people. These can sometimes be called sensitive
personal data.
In banks, all the financial details of people.
Online information, e.g. information stored on cloud servers or Dropbox.
Shopping, usage of credit cards.
Normal conversation with each other, the amount of information given to people.
Purpose of Data Protection
As this area of law is changing, the difficulty is keeping individuals informed as to who is
processing data relating to them, what the purpose of the processing is and what other
processing activities are involved.
They also have a right to more information than before in response to a request for access,
and greater rights to control processing activity.
Rationale for Data Protection
Political:
Proceeds from the influence of globalization.
International economies are based on integration.
Ex: EU Directive on Data Protection: minimum standards must be introduced into
domestic legislation and complied with; failure would result in a
boycott of data transfers from the European Union countries that have
complied with the EU Directive to Malaysia.
Technological
Emergence of the Internet.
Digitisation of information.
Increased importance of carrying out business on the Internet.
For instance, in Malaysia almost all data, whether banking or personal account
details, is transmitted and stored daily.
Ex: MyKad, e-services provided by the Government, health records are all
computerised.
Potential for misuse is also high.
Economic
World trade relies heavily on information transmission.
Here information is treated as a commodity.
Malaysia addressed some of these threats by having the MSC.
One of the reasons is to make Malaysia a knowledge-based economy.

The Personal Data Protection Act 2010: Date of Enforcement: 15 November 2013
Rationale for the Act
Regulate the processing of personal data in commercial transactions and to
provide for matters connected therewith and incidental thereto.
See: Section 4 : Processing
See: Section 4 : Personal data - (a) Anything which is computerised (anything
fed to a computer), (b) Any information used for a commercial transaction
(definition also found in S. 4), which is processed either by computer or by a
filing system.
See: Section 4 : Commercial transactions - Paying for something. Anything
which comes free of charge will not be applicable under this Act. E.g. social
networks: those are free, so when information is taken from there, this Act cannot be used.
S. 4 Data user - People who actually process the data. E.g. people at the National
Registrar or any government agency such as the transport department.
S. 4 Data subject - The individual whose information is processed by the data user.
S. 4 Sensitive personal data - The more private details, e.g. medical details, HIV positive
or mentally unstable etc.
S. 4 Use - Not meant for the authorities to take the details of an individual and give them to
some agency for any other matter.
S. 4 Relevant filing system - Putting information according to categories, such as year of
birth or gender etc.
Scope of Rights and Obligations
Section 2(1) : Application: processes, controls or authorises,
i.e. rights and obligations in relation to personal data involve three parties: the
data user, the data processor and the data subject.
Section 4 : Data subject is the individual to whom the personal data relates.
Section 4 : Data user is the person, including bodies corporate, who either
processes the personal data or gives authorisation for the processing of the data.
Section 4 : Data processor is a person who processes the data on behalf of the
data user.
The Act will be given effect through 4 mechanisms (will not be examined on the
Commissioner's duties / Tribunal process; will only be tested on the first part, which is the
Data Protection Principles):
The Data Protection Principles (Division 1)
Industry codes of practice (Division 3)
Commissioner (Part IV)
The Appeal Tribunal (Part VII)

Objectives
To regulate the processing of personal data in the context of commercial
transactions by data users, and to provide a safeguard for the interests of data
subjects.
New legal rights and obligations in connection with the employer-employee
relationship, mergers and acquisition transactions involving personnel issues and
the discharge of certain professional services, among others.
Individuals will have rights including being informed about their personal data as
well as the right to access, correct and also control the processing of their personal
data by other parties.
Specific rights relating to the processing of personal data for direct marketing
purposes.
A number of advisory, regulatory and enforcement bodies are created
(Commissioner).

Data Protection Principles
Section 5(1): Fine: RM 300,000 or imprisonment for a term not exceeding 2 years or
both if these Data Protection Principles are contravened.
General Principle: Section 6 : The processing (section 4) of personal data
requires consent, but see section 6(2)(a).
Notice and Choice Principle: Section 7: Data users are required to notify the data
subjects regarding the purpose for which the data is collected and about the right
to request access and correction of the personal data.
Disclosure Principle: Section 8: (Disclosure, section 4)
No personal data shall be disclosed without the consent of the data subject.
Security Principle: Section 9: A data user shall take practical steps to protect the
personal data from any loss, misuse, modification, unauthorised or accidental
access or disclosure, alteration or destruction.

In recent years, the escalating number of security breaches involving significant
amounts of personal data has resulted in the promulgation of specific security
breach regulations in other jurisdictions.
These security breach regulations impose an obligation upon data users to notify
the data subjects and the data protection authority when personal data have been
compromised.
The PDPA is currently silent on security breach notification obligations.
The security principle merely obliges the data user to take practical steps to
protect the personal data. This indicates that there would be a relatively greater
degree of subjectivity in determining the appropriate level of security.
The data processor is subject to a more onerous obligation that requires the
provision of sufficient guarantees in respect of the technical and organisational
security measures.
It is expected that security breach regulations will be quickly introduced.
Retention Principle: Section 10: The personal data processed for any purpose shall
not be kept longer than is necessary for the fulfilment of the purpose for which it
was obtained.
Data Integrity Principle: Section 11: A data user shall take reasonable steps to
ensure the accuracy of the data and to keep it current for the purpose for which it was
collected.
Access Principle: A data subject shall be given access to his personal data and
shall be able to correct the personal data where the data is inaccurate or
incomplete.

Exceptions:
Section 45
Section 46
Rights of Data Subjects
Right of Access: Section 30
Compliance with data access request: Section 31
Circumstances where data user may refuse to comply with data access request
Notification of refusal to comply with data access request
Refusal to comply with data access requests
The circumstances in which the data user is entitled to refuse to comply with the
data subject's access request are relatively extensive. These include where access is
regulated by another law. Therefore, information which is subject to existing
confidentiality obligations and information which is governed by another law, such as
the Banking and Financial Act 1989 and also the upcoming Whistleblower Act
2010, is unlikely to be subject to data subject access.
Other circumstances where the data user may refuse access include where the
burden or expense of providing access is disproportionate to the risks to the data
subject's privacy, and where providing access would disclose confidential
commercial information.

Right to correct personal data: Section 34
Compliance with data correction request: Section 35
Circumstances where data user may refuse to comply with data correction
request: Section 36
Notification of refusal to comply with data correction request: Section 37
Right to prevent processing likely to cause damage or distress: Section 42
Right to prevent processing for purposes of direct marketing: Section 43
Direct marketing: Section 43(5)

Limitations
Section 3(2): The Act applies only to personal data processed in Malaysia.
Section 3(1): Federal and State governments are excluded from complying,
whereas credit reporting or referencing agencies will be separately regulated by
another law.
Section 4 : Commercial: Personal data processed only for the purpose of the
individual's personal affairs is not covered.
To qualify as personal data, the data must relate, either directly or indirectly, to
a data subject who can be identified from the data.
Personal information means any data that can identify an individual: name, age,
MyKad details, photo, passport number, video and images captured via closed-circuit television.
The data must also be capable of being recorded and be capable of automatic or
manual processing.
Sensitive personal data, which requires explicit data subject consent, includes
medical history, religious beliefs, political opinions and the commission or alleged
commission of any offence.

Miscellaneous provisions
Transfer of personal data outside Malaysia
The PDPA specifies that no personal data may be transferred outside Malaysia
unless the place has been specified by the Minister.
Notwithstanding this, such a transfer may take place if, among others, the data subject
has given consent, the transfer is necessary for the performance of a contract with
the data user, the data user has taken reasonable steps to ensure that the data will
not be processed in a manner which would contravene the PDPA, or the transfer is
necessary to protect the data subject's vital interests.

Penalties and Remedies
The penalties for breaching the PDPA include the imposition of fines and/or a
term of imprisonment not exceeding two years. Directors, CEOs, managers or
other similar officers have joint and several liability for non-compliance by the
body corporate, subject to the due diligence defence.
The Commissioner is not empowered to order compensation for damage, and
there is no express right to pursue a civil claim for non-compliance.
See also Section 120 : obstruction of search
Section 133 : offences by body corporate

Conclusion
Not easy in some circumstances to draw a line between commercial and
non-commercial transactions.
The general consensus is that any and every organisation that collects
your personal data should be subject to the rules in the Bill. (The Bill was
very different from the final Act.) (Should find the Bill and read it.)
Data subjects will have, for the first time, clearly defined rights to access,
to correct and to generally control how third parties use and manage their
personal data.