Introduction To Personal Data Protection In Malaysia

Transcription

Personal Data Protection Law in MalaysiaMazmalek bin MohamedDirector GeneralPersonal Data Protection DepartmentMinistry of Communications & Multimedia

ACT 709(PERSONAL DATA PROTECTION ACT 2010 )

PRIVACY LAWSPHYSICALPRIVACYCOMMUNICATIONS& SURVEILLANCEPRIVACYTERRITORIALPRIVACYDATAPRIVACY

SENARIO DI MALAYSIASiapakah yang memiliki dataperibadi rakyat Malaysia?Kerajaan?(Akses secara sistematik)?Google? Facebook? Twitter?LinkedIn? Enjin Carian lain?/Groupon/Lazada?Pemilikan secara konteks?(Lain-Lain) – Bank/Telco/Insurans/Hotel/Pemaju Perumahan/Peguam/Doktor/Utiliti

DATA BREACHES IN THE NEWS - visualizations/worlds-biggest-data-breaches-hacks/

DATA BREACHES IN THE NEWS – AT HOME & ach-hiv.html

WHY PROTECT PERSONAL DATA?What Customers and International Organizations Say .Data protection is not just about protectingour personal informationBiometric data stored in one social-protectionprogram database can easily be linked toother systems using a common identifier, eventhose unrelated to social protection, such asfor law enforcement or commercial marketing.(World Economic Forum 2019)A global survey of 16,000 online customersacross 20 countries found that 74% wereconcerned about how companies useinformation about them collected online(United Nations Conference on Trade andDevelopment (UNCTAD) 2016)Personal data is precious and priceless –protect it!(Internet Society 2016)Globally 40% of respondents said thatwould never again do business with acompany that suffered from databreach(Global Commission on InternetGovernance 2016)Users worldwide are not confident thattheir personal data are protected. Twoin three users thought people who goon the Internet put their privacy at risk(World Economic Forum 2013)

PwC 20th ANNUAL GLOBAL CEO SURVEY (2017)Believes managing people’s data is acorporate differentiating factorSay breaches of data privacy andethics causes them to lose trust incompaniesThinks that breaches of data privacyand ethics have negative impact onstakeholder trust levels in theirindustry in the next 5 yearsFrom 1379 CEOs interviewed in 79 countries

PERSONAL DATA PROTECTION ACT 2010(ACT 709)01One of the recognized cyber legislation in theimplementation of the Multimedia Super Corridor02The 10th policy goal set out in CMA 1998 which is to ensureinformation security, and network reliability & integrity03Regulates the processing of personal data in commercialtransactions04Applies to organizations that process personal data incommercial transactions e.g. Bank, Telco, Insurance,Hospital & etc.

IMPORTANCE OF THE ACT 709To enhancepublicconfidenceand trustwith ongoingenforcement.To avoid andminimize theincidents ofdata breachTo increase theefficiency andgovernance ofpersonal dataTo ensureprudence andintegrity inpersonal datahandling

KEY PARTIESData UserData ProcessorData SubjectA person who either alone orjointly processes any personaldata or has control over orauthorizes the processing ofany personal data.Any person, who processesthe personal data solely onbehalf of the data user, anddoes not process thepersonal data for any of hisown purposes.An individual who isthe subject of thepersonal data.E.g. students, patients,employees, citizens,non-citizens, customers.E.g. Third parties/ vendors/dealers.11

PROCESSING OF PERSONAL tCombination

WHAT IS PERSONAL DATA?First NameLast NameAddressIC No.Bank Account No.Phone No.Sensitive PersonalDataEmployee Information Personal Data: Name IC numbers, passport numbers Driver’s license, birth certificate Bank account numbers Home address, personal phoneno. Sensitive Personal Data: Race, religion, health, politicalopinion, offence recordsIndividual Customer Information Personal Data: Name IC numbers, passport numbers Personal phone number Home address, email address Bank account numbers Sensitive Personal Data Race, religion, health, politicalopinion, offence records

WHAT IS COMMERCIAL ESSACTIVITIESINSURANCE

NON-APPLICABILITY PDPA 2010Federal& taProcessedOutside Agencies

Class of Data Users0102BANKING AND FINANCIAL INSTITUTION Investment bank under the Financial Services Act 2013 Islamic bank under the Islamic Financial Services Act 2013 Development Financial Institution under the Development Financial InstitutionAct 200203

0405TOURISM AND HOSPITALITIES Travel agent or Hotel under the Tourism Industry Act19920607EDUCATION Priv. higher edu. inst. under the Private Higher Educational InstitutionsAct 1996 Priv. school or educational institution registered under the Education Act1996

0809SERVICES Legal, audit, accountancy, engineering or architecture firm Retail dealing and wholesale dealing as defined under the Control Supplies Act1961 Private employment agency under the Private Employment Agencies Act 198110

1112PAWNBROKER Licensee under the Pawnbrokers Act 197213

ExemptionsPartialPrevention /Detection CrimeStatistics / ResearchCourt Order / JudgmentOffenders Apprehension /ProsecutionTax / Duty Assessment /CollectionPhysical / Mental HealthRegulatory FunctionsJournalistic / Literary /Artistic

The Principles of Data Protection01020304GENERALPersonal data shall be adequate,relevant and not excessive. Processedwith consent and for a lawful purpose0506DISCLOSUREDisclosure without consent is notpermissibleSECURITYProtect data from loss, misuse,unauthorized access, etc.Personal data shall not be kept longer thannecessary How much to retain data? How long does it take? How to store data?NOTICE & CHOICEInform the purposes for which thepersonal data is being processed,collected or disclosedRETENTION07DATA INTEGRITYPersonal data shall be accurate,up-to-date, verifiableACCESSThe right to access personal data.

The Personal Data ProtectionStandard is a minimum requirementissued by the Commissioner, thatprovides for common and repeateduse, rules, guidelines orcharacteristics for activities or theirresults.This standard applies to:Any person who processes; andAny person who has control overor authorizes the processing of,any personal data in respect ofcommercial transactions.It’s a minimum standard whichcomprises of three personal dataprotection principles, namelysecurity, retention and data integrity.SecurityStandardRetentionStandardData Integrity Standard

PERSONAL DATA PROTECTION STANDARD(Electronically and non-Electronically)SecurityStandardUpdate the Back up /Recovery System & antivirus to prevent personaldata intrusionControl and limitemployees’ access topersonal data systemRecord personal datatransferredconventionally such asthrough mail, delivery,RetentionStandardKeep personal data nolonger than necessaryunless there arerequirements by otherlegal provisionsDetermine the retentionperiod in all legislationbefore destroyingpersonal data e.g.:s.82 Income Tax Act1967(7 years)Data IntegrityStandardNotify on personal dataupdates by appropriatemethodsProvide personal dataupdate form for datasubjectsUpdate personal dataimmediately

HOW THE PDPA 2010 IMPROVES THE DATAGOVERNANCE1. Spells out the duties throughout datalifecycle2. Sets up data management standard3. Identifies data risks4. Improves security measures5. Promotes data integrity

MOVING FORWARD WITH PDPA 20101. Create awareness in the organisation1. Awareness of internal policies for securing personal data2. To inculcate the culture of personal data protection Knowing your current compliance level Understand the impact of PDPA 2010 Identify the gaps Designate a Data Protection Officer or Committee Define a data protection strategy Develop a short term compliance programme Develop polices for PDPA 2010 Policies spanning across legal, IT, marketing, human resource,customer services, etc. Focus on end-to-end data governance processes, policies andprocedures in line with the PDPA 2010.

1234RightMake5CoressAcctotohtRignctioreRifo ghtrtDir o PecretM venartkRet ProiginceLihtgkesstolyinPgtorevCau ense t PRiD r ocC ghison ttr estes sise ongWsntithdrawRights of Data Subjects

ElementsNotification

Data and Digital Economy

So .

COMPLAINT HANDLINGAny individual or relevant person may make a complaint inwriting to the Personal Data Protection Commissioner:via online system daftar.pdp.gov.my; orAddress to:.Personal Data Protection CommissionerLevel 6, Kompleks KKMM,Lot 4G9, Persiaran Perdana,Presint 4, 62100Putrajaya.

Thank You

jointly processes any personal data or has control over or authorizes the processing of any personal data. Data Processor Any person, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes. Data Subject An individual