Principles under the Personal Data Protection Act (PDPA) 2010

ARC News   •   July 05, 2018

The Personal Data Protection Act 2010 (“PDPA 2010”) was passed by the Malaysian Parliament and came into force on 15 November 2013. It regulates the processing of personal data in respect of commercial transactions and applies to any transaction of a commercial nature, which includes, amongst others, the supply or exchange of goods or services, agency, investments, financing, banking and insurance. However, the PDPA 2010 does not apply to credit reporting business carried on by a credit reporting agency.

The PDPA 2010 sets out 7 principles in processing personal data, namely:

  1. General Principle

A data user shall not process the personal data of a data subject unless the data subject has consented to the processing. This consent requirement does not apply where the processing is necessary:

  • for taking steps (at the request of the data subject) in entering into a contract;
  • for the performance of a contract of which the data subject is a party;
  • for compliance with a legal obligation to which the data user is subject, other than an obligation imposed by contract;
  • to protect vital interests of the data subject;
  • for administration of justice; or
  • for exercising any functions conferred by law.

In addition, the personal data of a data subject can only be processed, if:

  • the processing is for a lawful purpose directly related to an activity of a data user;
  • the processing is necessary for or directly related to that purpose; and
  • the personal data is adequate and not excessive in relation to that purpose.

Sensitive personal data (e.g. physical or mental health condition, political opinions, religious beliefs) may only be processed where:

  • the data subject has given explicit consent to the processing;
  • the processing is necessary:
      • for employment purposes;
      • to protect the vital interests of the data subject, where consent cannot be given by the data subject or the data user cannot reasonably be expected to obtain it;
      • to protect the vital interests of another person, where the consent of the data subject has been unreasonably withheld;
      • for medical purposes and is undertaken by a healthcare professional;
      • for legal proceedings;
      • for obtaining legal advice;
      • for establishing, exercising or defending legal rights;
      • for the administration of justice; or
      • for the exercise of any functions conferred on any person by law; or
  • the personal data has been made public by the data subject.

  2. Notice and Choice Principle

A written notice, in both the national language (Malay) and English, containing the following information shall be given to the data subject:

  • description of the personal data that is being processed by the data user;
  • purpose of processing the personal data;
  • source of the personal data;
  • the data subject’s right to request access to and correction of the personal data;
  • data user’s contact details for inquiries or complaints;
  • class of third parties to whom the personal data may be disclosed;
  • choices and means available to the data subject for limiting the processing of his/her personal data; and
  • whether it is mandatory or voluntary for the data subject to supply his/her personal data.

The notice shall be given to the data subject as soon as practicable, when:

  (a) the data subject is first asked by the data user to provide his/her personal data;
  (b) the data user first collects the personal data; or
  (c) the data user first uses the personal data for a purpose other than that for which it was collected, or first discloses it to a third party.


  3. Disclosure Principle

Without the consent of the data subject, personal data may only be disclosed for the purpose for which it was to be disclosed at the time of collection (or a purpose directly related to it), and only to third parties within the class stated in the notice.

However, a data user may disclose personal data outside those limits if:

  • the data subject has consented to the disclosure;
  • the disclosure is necessary for the purpose of preventing or detecting a crime or for an investigation, or is required or authorised by law or by order of a court;
  • the data user reasonably believes that he has the right in law to disclose the personal data;
  • the data user reasonably believes that the data subject would have consented to the disclosure had he known of it and the circumstances; or
  • the disclosure is justified as being in the public interest in circumstances determined by the Minister.

  4. Security Principle

A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. Where the personal data is processed by a third-party service provider (a data processor) on behalf of the data user, the data user must ensure that the data processor provides sufficient guarantees in respect of the technical and organisational security measures governing the processing, and must take reasonable steps to ensure compliance with those measures.

  5. Retention Principle

Personal data shall not be kept for longer than is necessary for the fulfilment of the purpose for which it was processed. It is the duty of the data user to take all reasonable steps to ensure that personal data is destroyed or permanently deleted once it is no longer required for that purpose.

  6. Data Integrity Principle

The data user shall take reasonable steps to ensure that personal data in its possession is accurate, complete, not misleading and kept up to date.

  7. Access Principle

A data subject has the right to access and correct his/her personal data held by the data user, unless the PDPA 2010 allows the data user to refuse the request. The scenarios set out in the PDPA 2010 in which a data access request may be refused include the following:

  • the data user is not supplied with sufficient information to determine the identity of the requestor;
  • the data user is not supplied with sufficient information to locate the personal data;
  • disclosure of the personal data of the requestor would result in the disclosure of personal data relating to another individual who can be identified from that information, unless that individual has consented;
  • providing access would constitute a violation of a court order;
  • providing access would disclose confidential commercial information; or
  • access to the personal data is regulated by another law.

Similarly, a data user may refuse a data correction request where, amongst others:

  • the data user is not supplied with sufficient information to determine the identity of the requestor;
  • the data user is not supplied with sufficient information to ascertain in what aspect the data is inaccurate, incomplete, misleading or not up to date; or
  • the data user is not satisfied that the correction is accurate, complete, not misleading or up to date.

The data user must comply with a data access or data correction request within 21 days. Where it is unable to do so, it must inform the data subject within that period and may then comply within a further 14 days.

Non-compliance with the PDPA 2010 is an offence punishable by a fine of up to RM500,000.00, imprisonment of up to 3 years, or both. Where the offence is committed by a body corporate, any person who at the time of the offence was a director, CEO, COO, manager, secretary or other similar officer of the body corporate may be charged severally or jointly in the same proceedings with the body corporate. Such an officer may avoid liability only if he proves that the offence was committed without his knowledge, consent or connivance and that he took all reasonable precautions and exercised due diligence to prevent its commission.

As the Department of Personal Data Protection is actively investigating compliance with the PDPA 2010, business owners are strongly encouraged to revisit their current policies and procedures to ensure compliance.

Yeo Shu Pin is a Partner at Messrs. Afif Rahman & Chong

Disclaimer: Every attempt has been made to ensure the accuracy and reliability of the information provided in this publication. This publication does not constitute legal advice and is not intended to be used as a substitute for specific legal advice or opinions. Please contact the authors for specific legal advice on the information provided and related topics.