PDPA: Businesses have responsibilities and burdens

  • PDPA comes into force Jan 1, 2013, and companies have three months to comply
  • Many have waited, and now might not have enough time to put processes in place

Bread & Kaya by Foong Cheng Leong
 
WELCOME to the inaugural Bread & Kaya column! The term is a Malaysianized version of bread-and-butter. This column aims to be your bread-and-kaya serving of legal information relating to intellectual property, cyberlaws, franchise, data privacy and the like.
 
You may also have read some of my articles in The Star’s Putik Lada column or in LoyarBurok. If this is the first time you’re reading my articles, “Hello.”
 
Without a doubt, 2013 will be an exciting year for businesses. Many new laws and regulations will be introduced, and the Personal Data Protection Act 2010 (PDPA) is one of them.
 
It was stated that the PDPA would come into force on Jan 1, 2013. Businesses have three months from the date of enforcement to comply with the Act. Similarly, Singapore will have its own Personal Data Protection Act 2012 coming into force on Jan 2, 2013.
 
Notwithstanding the stated enforcement date of Jan 1, 2013, there is no official government gazette confirming this as I write this column. Thus, the PDPA would still not be in force until such a government gazette is published.
 
What is the PDPA?
 
The PDPA provides that any information that directly or indirectly relates to a data subject (i.e. a person) who is identified or identifiable from that information is personal data. This information may take various forms, such as your name, passport number, telephone number and email address.
 
A person who processes personal data is called a data user. Companies processing individual customers' or employees' personal data must comply with the PDPA.
 
Under the PDPA, a data user, in processing personal data, must comply with the following principles:
 
(1) General Principle;
(2) Notice and Choice Principle;
(3) Disclosure Principle;
(4) Security Principle;
(5) Retention Principle;
(6) Data Integrity Principle; and
(7) Access Principle.
 
Failure to abide by any of the above principles amounts to an offence. Upon conviction, the data user is liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding two (2) years or to both (S. 5(2) PDPA).
 
[RM1 = US$0.33]
 
Under these principles, the collection and use of personal data must be consented to by the data subject and steps must be taken to ensure that the data is stored securely. The processing of personal data cannot be excessive in relation to the purpose or related purpose for which the personal data is collected.
 
Adequate notice must be given to data subjects that their personal data will be processed, used, and the purpose of the same. Such notice must be in writing and in the Malay and English languages. Personal data no longer in use must be destroyed.
 
Further, personal data cannot be transferred outside Malaysia unless such a place is specified by the Government, consented to by the data subject, or is necessary for the performance of a contract between the data user and the data subject.
 
The PDPA only applies to personal data processed in respect of “commercial transactions.”
 
What do you need to do?
 
If you are processing employees' or individual customers' personal data, you are advised to, among others:

  1. Assess how the PDPA affects your organization;
  2. Prepare a privacy notice, in Malay and English, to be issued to potential and current employees or customers;
  3. Prepare a Personal Data Policy to govern the processing and handling of personal data by employees;
  4. Prepare a Retention Policy for employees' or customers' personal data and audit the personal data of former employees or customers in order to dispose of personal data that is no longer in use;
  5. Establish a data access procedure for employees or customers to access their personal data;
  6. Ensure that the storage of employees' and customers' personal data is secure;
  7. Ensure that personal data is only disclosed for the purpose for which the personal data is collected and not disclosed to unrelated parties;
  8. Ensure that the relevant personnel, such as Human Resource or customer relationship personnel, are adequately trained in data protection laws and practice;
  9. Review data collection forms so that personal data is not collected excessively; and
  10. Ensure that personal data is transferred overseas lawfully.

Consent
 
The word consent is not defined in the PDPA. However, in early December 2012, Deputy Minister of Information, Communications and Culture Datuk Joseph Salang announced that "whenever consent is required for data processing, it will have to be given expressly rather than impliedly or be assumed."
 
This would mean that there must be some form of active communication between the parties. For example, if an organization wishes to obtain more data about an individual, the former would need to get the individual's express consent by contacting the individual.
 
In this regard, all organizations will need to ensure that all possible purposes for processing the personal data are set out before the collection of the data. Additional procedures may also need to be established to ensure consent is captured.
 
Express consent may be obtained in various ways -- for example by filling in a form, ticking a box on a website, over the phone and face-to-face.
 
Although express consent appears to give individuals added protection, this is not necessarily true. Malaysia's restricted view on the definition of consent could have an impact on businesses and individuals. Additional cost may be incurred in establishing new procedures and practices such as new forms, storage, impact analysis and compliance exercises. Individuals may also be swamped with requests for consent from time to time, even though the individual would ultimately consent.
 
Companies will need to wait for individuals' express consent before they can roll out new initiatives.
 
To give an example of how the PDPA will affect businesses:
 

Company X wishes to roll out a new security system to enter the office. The system uses the employees' personal data as unique identifiers. In view of the express consent requirement, Company X will need to get the employees' express consent to use the employees' personal data. If certain employees refuse to do so, such a system cannot be fully utilized.

 
In the event that a data subject disputes that express consent was given, the data user will need to show that express consent was given. Assuming that we adopt the implied consent regime, it is arguable that a data subject had impliedly consented to the processing of personal data if the data subject uses the data user's services.
 
However, with express consent, evidence must be provided and this will be difficult, especially in electronic transactions.
 
In such a case, Section 114A of the Evidence Act 1950 may be useful to data users as it places a presumption of publication on a person if his or her name appears on a particular content. The affected person will need to show that he did provide express consent. This can be costly, highly bureaucratic and time consuming.
 
Closing
 
The PDPA is intended to bring an end to unsolicited communication, but it will bring drastic changes to Malaysian businesses.
 
Much valuable commercial data will be lost because of the PDPA. It is noted that many Malaysian industries had taken the wait-and-see approach. This is alarming given that three months to comply with the PDPA will likely not be enough.
 
The Personal Data Protection Department recently issued the Malaysian Personal Data Protection Department's Public Consultation No. 2/2012 entitled "Class Of Data User Under The Personal Data Protection Act 2010 And Proposed Fees", which sets out the class of data users that is required to register with the Commission.
 
The release of such a consultation paper is commendable. I hope that the Commission or the Personal Data Protection Department will issue more of these consultation papers and guidelines on the interpretation of the PDPA.
 
Foong Cheng Leong is a blogger pretending to be a lawyer, and a lawyer pretending to be a blogger. He blogs at xes.cx and foongchengleong.com, and tweets at @xescx and @FCLCo.
