
THE PERSONAL DATA PROTECTION ACT 2010: ISSUES & IMPLICATIONS FIDE Forum – Breakfast Talk




  1. THE PERSONAL DATA PROTECTION ACT 2010: ISSUES & IMPLICATIONS FIDE Forum – Breakfast Talk 11 April 2013 Adlin Abdul Majid

  2. Content • Introduction • The 7 Principles • Compliance

  3. Joining the global privacy & data protection community

  4. Introduction Written / Oral

  5. Introduction Written / Oral

  6. Introduction
     data subject
     • Individual who is the subject of personal data
     data user
     • Person who (alone or jointly or in common with other persons) processes personal data OR has control over OR authorises the processing of personal data
     • Does not include a data processor
     data processor
     • Person (other than the data user’s employee) who processes personal data solely on behalf of the data user
     • Does not process for own purpose

  7. Introduction
     personal data
     • Any information in respect of commercial transactions:
       • that relates directly or indirectly to a data subject
       • who is identified or identifiable from that information or from that & other information in the possession of a data user
       • includes any sensitive personal data & expression of opinion about the data subject
     • May be in any form, so long as a data subject can be “identified” / “identifiable” (eg. name, NRIC no, phone no, photograph, e-mail address, fingerprint, DNA)

  8. Introduction
     sensitive personal data
     • Any personal data consisting of information as to:
       • the physical or mental health or condition of a data subject;
       • his political opinions;
       • his religious beliefs or other beliefs of a similar nature;
       • the commission or alleged commission by him of any offence; or
       • any other personal data determined by the Minister
     • Can only be processed under specific circumstances set out in PDPA (including explicit consent by the data subject)

  9. Introduction

  10. Introduction
     commercial transactions
     • Any transaction of a commercial nature, whether contractual or not
     • Includes matters relating to:
       • Supply or exchange of goods or services;
       • Agency;
       • Investments;
       • Financing;
       • Banking; &
       • Insurance
     • Does not include a credit reporting business

  11. Introduction commercial transactions The Personal Information Protection & Electronic Documents Act (PIPEDA)

  12. Introduction commercial transactions (PIPEDA cases: was the collection a commercial transaction?)
     Case | Collection | Commercial transaction?
     PIPEDA Case Summary #342 | Collection of personal data of tenants by landlords | Yes
     PIPEDA Case Summary #309 | Collection of information of a child in a daycare organisation | Yes
     PIPEDA Case Summary #345 | Collection of information by a private school | No, look at the core activity of the school’s services
     Rodgers v. Calvert, 2004 ON SC (CanLII) | Collection of personal information in a membership list, which charged membership fees | No, charging a fee for membership does not mean it is for a commercial transaction
     PIPEDA Case Summary #2009-008 | Collection of personal information by a social networking site | Yes, the personal data is used for the success of the website

  13. Content • Introduction • The 7 Principles • Compliance

  14. Principles of data protection
     • For data to be processed lawfully in Malaysia, the data user shall comply with the following principles:
       • General Principle
       • Notice & Choice Principle
       • Disclosure Principle
       • Security Principle
       • Retention Principle
       • Data Integrity Principle
       • Access Principle

  15. Principles of data protection

  16. Principles of data protection: 1. General Principle
     • Data user shall not process personal data about a data subject UNLESS the data subject has given his consent to the processing of the personal data
     • Personal data shall not be processed UNLESS:
       • For a lawful purpose directly related to an activity of the data user
       • Necessary for or directly related to the purpose
       • Adequate but not excessive in relation to the purpose

  17. What do you need consent for? Written / Oral

  18. Exemptions to consent

  19. Sensitive personal data may only be processed if… Written / Oral

  20. Principles of data protection: 2. Notice & Choice Principle
     • Data user shall provide a written notice to the data subject. To include:
       • That personal data of the data subject is being processed by or on behalf of the data user
       • Description of the personal data
       • Purpose for which it is collected & further processed
       • Class of 3rd parties to whom the data user discloses / may disclose the personal data
       • Whether it is obligatory for the data subject to provide the personal data
     • Must be given as soon as practicable
     • In the national language & English

  21. Channels of serving notice
     • Application forms
     • Terms & conditions
     • RFQs / RFPs
     • Agreements
     • Letters of employment
     • Salary slips
     • E-mails

  22. Principles of data protection: 3. Disclosure Principle
     • Personal data shall not, without the consent of the data subject, be disclosed:
       • For any purpose other than the purpose disclosed at the time of collection or a related purpose; or
       • To any party other than 3rd parties of the class in the notice

  23. Disclosure to third parties (diagram: flows of personal data within Malaysia)
     • To related companies / affiliates / consultants and to authorities: notification of disclosure to 3rd parties
     • To data processors: notification of disclosure to 3rd parties; data processors’ compliance with PDPA

  24. Disclosure to third parties (diagram: flows of personal data within Malaysia and overseas)
     • To related companies / affiliates / consultants and to authorities: notification of disclosure to 3rd parties; notification of transfer out of Malaysia
     • To data processors: notification of disclosure to 3rd parties; data processors’ compliance with PDPA

  25. Principles of data protection: 4. Security Principle
     • A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction
     • If processing is carried out by a data processor on behalf of the data user, the data user shall ensure that the data processor:
       • provides sufficient guarantees in respect of the technical & organisational security measures governing the processing
       • takes reasonable steps to ensure compliance with those measures

  26. What is “adequate”? Written / Oral

  27. Principles of data protection: 5. Retention Principle
     • The personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of that purpose
     • No time limit, but if it is not required for its initial purpose, it must be destroyed

  28. Principles of data protection: 6. Data Integrity Principle
     • A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading & kept up-to-date, having regard to the purpose, including any directly related purpose, for which the personal data was collected & further processed

  29. Principles of data protection: 7. Access Principle
     • A data subject shall be given access to his personal data held by a data user
     • Able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date
     • EXCEPT where compliance with a request for such access or correction is refused under PDPA

  30. Other key provisions: Rights of data subject
     • Right to access personal data
     • Right to correct personal data
     • Right to withdraw consent
     • Right to prevent processing likely to cause damage or distress
     • Right to prevent processing for the purpose of direct marketing

  31. Other key provisions
     • Data user registration
     • Data user forum

  32. Content • Introduction • The 7 Principles • Compliance

  33. Why is compliance important? Written / Oral

  34. Why is compliance important? Written / Oral

  35. Compliance: top-down approach
     • Analysis of status quo & existing gaps
     • Solutions should address gaps by complying with legal requirements in an effective manner

  36. Compliance: TOP MANAGEMENT COMMITMENT (Prevent / Detect / Respond)
     • Risk assessment & regular re-assessment
     • Policies
     • Guidelines
     • Training
     • Internal investigations
     • Dealings with authorities
     • Employment related consequences
     • Monitoring
     • Compliance audit
     • Concern / incident reporting

  37. Compliance Privacy Impact Assessment Compliance Written / Oral

  38. Compliance: Privacy Impact Assessment
     • LOOK OUT FOR:
       • Description of personal data
       • How personal data is collected
       • Was consent sought? How?
       • Purpose of processing
       • How personal data is kept – security?
       • Procedures to ensure accuracy?
       • Access?
       • Retention period?
       • Is personal data destroyed?
       • Disclosure / transfer

  39. Compliance

  40. Compliance: Policies Written / Oral

  41. Compliance: Documents
     • Application forms
     • Terms & conditions
     • Contracts of employment
     • Employee handbooks
     • Service agreements
     • Notices

  42. Remember: Transitional provision
     • Where a data user has collected personal data from the data subject or any third party before the date of coming into operation of PDPA, he shall comply with the provisions of PDPA within 3 months from the date of coming into operation of PDPA

  43. Thank you Adlin Abdul Majid (aam@lh-ag.com) Lyssa Loh (lll@lh-ag.com)
