PDPA 2010
Associate Professor Siti Hajar Mohd Yasin, Faculty of Law, Universiti Teknologi MARA
International Instruments:
  OECD Guidelines 1980
  Council of Europe Convention 1981
  European Directive 1995
  APEC Privacy Framework 2004
  Madrid Resolution 2009
OECD Guidelines 1980 principles: Collection Limitation; Data Quality; Purpose Specification; Use Limitation; Security; Openness; Individual Participation; Accountability
APEC Privacy Framework 2004 principles: Preventing Harm; Notice; Collection Limitation; Uses of Personal Information; Choice; Integrity; Security Safeguards; Access and Correction; Accountability
Madrid Resolution 2009 principles: Lawfulness and Fairness; Purpose Specification; Proportionality; Data Quality; Openness; Accountability
PDPA Journey:
  2000-2002: 1st draft of the Personal Data Protection Bill (PDPB); Privacy & Personal Data Protection (Sweet & Maxwell)
  2007: CTOS scandal/issue expedites the process; a new Bill
  2009: Bill tabled, 1st Reading
  2010 (Apr): 2nd & 3rd Reading
  2010 (May): Dewan Negara
  2010 (June): Royal Assent; Gazetted
  Enforcement: ?
Non-Application:
  Federal Government: the Government of Malaysia, which includes all the ministries and the Prime Minister's Department
  State Government: the government of a state, which includes organisations such as the state secretary's office, state departments, land and district offices and local authorities
  Credit Reference Agencies
  Non-Commercial Transactions (commercial transaction means any transaction of a commercial nature, whether contractual or not, but does not include credit reporting business)
PDPA applies to data users in three circumstances:
  the data user is established in Malaysia;
  the processing is done by any person employed or engaged by a data user established in Malaysia;
  the data user is not established in Malaysia but uses equipment in Malaysia to process data.
Data user: a person who, either alone or jointly or in common with other persons, processes any personal data or has control over or authorises the processing of any personal data, but does not include a data processor.
Personal data: data that relates directly or indirectly to a data subject who is identified or identifiable from that information and other information in the possession of the data user.
Automatic and manual data: data processed wholly or partly by means of equipment operating automatically (automatic), or forming part of a relevant filing system (manual).
Processing: collecting, recording, holding, storing, organising, etc.
The seven Data Protection Principles: General; Notice and Choice; Disclosure; Retention; Data Integrity; Access; Security
1. General Principle
  Personal data shall not be processed unless the data subject has given consent.
  Sensitive personal data shall not be processed except in accordance with the provisions of section 40 PDPA.
  Processing must be for a lawful purpose directly related to an activity of the data user.
  The processing must be necessary for or directly related to that purpose.
  The personal data must be adequate and not excessive in relation to that purpose.
Exemptions to Consent:
  performance of a contract to which the data subject is a party;
  at the request of the data subject with a view to entering into a contract;
  compliance with a legal obligation;
  to protect the vital interests of the data subject;
  administration of justice;
  exercise of any functions conferred on any person by or under any law.
Case 1
In 2003, the European Court of Justice heard the case of Mrs Lindqvist, a parishioner from Sweden. She was a volunteer at a local church. She took a course in website design and set up her own website to support other parishioners preparing for confirmation. She posted information about herself on the website as well as information relating to 18 other colleagues, including their names, jobs, telephone numbers and medical data. She failed to inform them about this and did not ask for consent. Her colleagues complained and she was forced to shut down the website. She was also prosecuted for criminal offences under Swedish data protection law. She was convicted and appealed. The court rejected her appeal.
Case 2
In 2002 the UK Information Commissioner investigated the case of a trade union employee who pursued a grievance with his employer about bullying in the workplace. The employee took time off sick as a result of the bullying. The details of the employee's grievance and his illness were discussed at meetings, the minutes of which were published on the trade union's website. The employee was not informed of the publication. The Information Commissioner found that a breach of the Data Protection Act had occurred.
Case 3
In 2004 the supermodel Naomi Campbell successfully sued The Mirror newspaper for invasion of her privacy. The Mirror had published a picture of Naomi leaving a Narcotics Anonymous meeting. As part of her case, Naomi argued that The Mirror was processing her sensitive information, in this case concerning her mental and physical health, without her consent. The case went to the House of Lords and Miss Campbell was awarded damages against the newspaper.
2. Notice and Choice Principle
A data user shall inform the data subject:
  that the personal data of the data subject is being processed, and provide a description of the personal data;
  the purposes of the collection;
  the source of the personal data;
  the right of the data subject to request access;
  the right to correct;
  the right to contact the data user for enquiries and complaints;
  the right to be informed of the third parties to whom the data user discloses or may disclose the personal data;
  the right of choices and means to limit the processing of personal data;
  whether it is obligatory or voluntary for the data subject to supply the personal data;
  if it is obligatory, the consequences if the data subject fails to supply the personal data.
3. Disclosure Principle
No personal data shall, without the consent of the data subject, be disclosed for other purposes.
4. Retention Principle
Personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose (the "right to be forgotten").
Example: an employee lost his job when the police informed his employer of a criminal allegation made against him three years earlier, which remained on his file.
5. Data Integrity Principle
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date.
6. Access Principle
A data subject shall be given access to his personal data and shall be able to correct that personal data if it is inaccurate, incomplete, misleading or not up-to-date.
Case Study 1
A patient wrote to his medical practitioner requesting a copy of all his personal information that the practitioner held in his medical record. A period of thirty days passed. He had not received a response from the medical practitioner. The Australian Privacy Commissioner held that access should be provided.
Case Study 2
A woman made a request for a copy of a report prepared by a private investigator for her insurance company. The insurance company refused to provide her with the full copy of the report. The New Zealand Privacy Commissioner advised the insurance company to release some of the information.
7. Security Principle
A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
Practical steps depend on:
  the nature of the personal data;
  the harm that would result from such loss, misuse, modification, etc.;
  the place or location where the personal data is stored.
Case Study: In 2008, the UK Information Commissioner found Virgin Media Ltd. in breach of the Data Protection Act following the loss of an unencrypted CD containing the personal details of over 3000 customers.
Exemptions (partial or total):
  Crime Prevention/Detection; Offenders Apprehension/Prosecution; Tax/Duty Assessment/Collection; Physical/Mental Health; Statistics/Research; Court Order/Judgment; Regulatory Functions; Journalistic/Literary/Artistic
Partial Exemptions
Crime and Taxation:
  not a blanket exemption; decided on a case-by-case basis;
  the data user will have to pass the test that allowing any of those data protection principles to apply is likely to prejudice the prevention or detection of crime, the apprehension of offenders, etc.;
  a blanket approach is unlawful: R v Secretary of State for the Home Department, ex parte Lord;
  there must be a substantial chance of prejudice rather than a mere risk;
  the data user needs to make a judgment.
Research and Statistics: the exemption applies only where preparing statistics or carrying out research is the sole purpose, the data are not processed for any other purpose, and the resulting statistics or research are not made available in a form which identifies the data subject.
Journalism, Literature and Art: three conditions:
  the processing is undertaken with a view to the publication of the journalistic, literary or artistic material;
  the publication is in the public interest;
  the data user believes that compliance with the Principles is incompatible with the journalistic, literary or artistic purposes.
[Table: which of the General, Disclosure, Security, Retention and Access Principles is exempted for each purpose (Crime Prevention/Detection; Offenders Apprehension/Prosecution; Tax/Duty Assessment/Collection; Physical/Mental Health; Statistics/Research; Court Order/Judgment; Regulatory Functions; Journalistic/Literary/Artistic). The cell marks of the table are not recoverable.]
Data Subject Rights: Right to be Informed; Right to Access; Right to Correct
Right of Access
What the data subject must do: request in writing (an oral request is insufficient); pay the fee (if any).
What the data user must do: comply within 21 days; if unable, inform the requestor with reasons (14-day extension); supply a copy in an intelligible form. A standard access request form can be developed and used (not mandatory; any written request is sufficient).
Right to Correct: a data user may refuse a data correction request where:
  no information is supplied to prove the identity of the requestor;
  no information is supplied to prove the inaccuracy of the personal data;
  the data user is not satisfied that the personal data is inaccurate.
Right to prevent processing likely to cause damage or distress (data subject notice):
  forward a notice in writing;
  specify why the processing is causing or will cause damage or distress;
  the notice may specify that the purpose or manner of processing is objectionable.
The data user must respond within 21 days. The response must contain either:
  a statement that the data user has complied or intends to comply; or
  a statement that the data user regards the data subject notice as unjustified.
The data subject notice does not apply where:
  the data subject has given his consent; or
  the processing is necessary for the performance of a contract concerning the data subject.
Criminal Offences
Offences:
  processing without a certificate of registration;
  processing after registration is revoked;
  contravening the Data Protection Principles;
  non-compliance with a Code of Practice;
  failure to inform of the refusal to comply with a data correction request;
  processing after consent has been withdrawn;
  processing of sensitive personal data;
  failure to comply with the Commissioner's requirement (processing likely to cause damage or distress);
  failure to comply with the Commissioner's requirement (direct marketing);
  transfer of personal data to places outside Malaysia without any law or adequate protection;
  collecting, disclosing or procuring the disclosure of personal data without the consent of the data user;
  selling or offering to sell personal data;
  abetment of and attempt to commit any of the offences.
Penalties: fine up to RM500,000.00 and/or imprisonment up to 3 years, or fine up to RM500,000.00 and/or imprisonment up to 2 years, depending on the offence.
Offences (cont.):
  transfer of personal data to places outside Malaysia where there is no law in force to protect the personal data or there is no adequate level of protection;
  collecting, disclosing or procuring the disclosure of personal data without the consent of the data user;
  failure to comply with an enforcement notice.
If a body corporate commits an offence, any person who at the time of the commission of the offence was a director, chief executive officer, manager, secretary, etc., may be charged severally or jointly in the same proceedings. If the body corporate is found to have committed the offence, those officers are deemed to have committed the offence personally.
Examples of transfer:
  Tabung Haji transfers online the particulars of pilgrims to Saudi Arabia;
  Malaysian staff of a Malaysian bank working in Singapore, Jakarta, Bangkok, etc.;
  the IT department of Tesco Malaysia located in India;
  a Malaysian company publishes the names, home addresses and contact information of its staff in the company's publication, which is made available to its branches in Dubai, Hong Kong, etc.;
  a manager of Great Eastern Takaful takes his laptop, which has personal data on its hard disk, to meetings overseas.
Is it a transfer?
Lindqvist case (European Court of Justice): a transfer occurs when someone accesses the website; merely placing data on a website is not regarded as a transfer.
Places with a data protection law in force: all European Union countries (Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK), the European Economic Area (Norway, Iceland and Liechtenstein), Australia, Canada, Hong Kong, New Zealand, Macao, Japan, Korea, Taiwan, Argentina, etc.
Places without a data protection law in force: all ASEAN members, India, China, etc. Section 129(2)(c): adequate protection may be afforded by other means, such as safe harbour principles, industry codes, etc.
Exemptions (transfer outside Malaysia):
  the data subject has given his consent;
  the transfer is necessary for the performance of a contract;
  the transfer is for the purpose of legal proceedings;
  to protect the vital interests of the data subject;
  public interest;
  the data user has taken all reasonable precautions and exercised all due diligence.
ENOUGH IS ENOUGH
"Personal data has value and there are people out there exploiting it. I think custodial sentences clearly have to be part of that."
Michael Wills, UK Justice Minister
UK Information Commissioner
My message to those at the top of
Conclusions:
  Data protection is not rocket science.
  It is all about respect and common sense.
  It is about striking a balance between the need of an organisation to process data and the privacy of the individual.
  Good data protection is good business, good for all.
In Print
Information & Communication Technology Law: Legal & Regulatory Challenges, Thomson Reuters (2009)