Legal Protection of Your Identification Data: What Does It Mean to Business Operators?
Historically and logically, data protection is intertwined with privacy. Technological advancement and the need for open data mean that many are increasingly concerned about how they can protect their data and, in turn, their privacy. In particular, the unprecedented growth of e-wallets and the government’s incentives to accelerate their adoption [1] mean that business operators should strengthen their data protection practices.
In Malaysia, we have the Personal Data Protection Act (“PDPA”) which came into force on 15 November 2013. The purpose of the PDPA is to regulate the processing of personal data of individuals involved in commercial transactions by data users to protect personal data. The Malaysian government recognises that personal information is a valuable commodity and has also formed an agency i.e. the Personal Data Protection Department (“PDPD”) under the Ministry of Communications and Multimedia Commission (“MCMC”) to oversee the implementation of the PDPA. In essence, the PDPD is responsible for ensuring that personal data is not misused and misapplied.
What is Personal Data?
Under the PDPA, “personal data” is defined as any information in respect of commercial transactions, which is being processed or recorded for processing or filing, that relates directly or indirectly to a data subject, and includes “sensitive personal data”. This covers, for example, name, IC number, passport number, driver’s licence, email address, birth certificate, bank account numbers, home address and personal phone numbers.
The PDPA also further defines “sensitive personal data” as any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the alleged or actual offence records or any other personal data as the Minister may determine by order published in the Gazette.
Why Should Business Operators Protect Personal Data?
The PDPA applies to both data users and data processors. Data user means the person who either processes the personal data or gives authorisation for the processing of the data whether alone or jointly. Data processor means any person, other than the employee of the data user, who processes the personal data solely on behalf of the data user and not for his own purposes.
Processing is defined broadly under the PDPA to include collecting, recording, holding, storing, using or disclosing personal data and carrying out any operation or set of operations on personal data.
Based on the definitions above, it is inevitable that many business operators would become data users or data processors and hence they are bound to comply with the PDPA to protect the personal data they process.
How Should Business Operators Protect Personal Data?
As a starting point, business operators should consider taking the following steps to protect personal data as well as to comply with the PDPA:
1. Identify whether they fall under the Personal Data Protection (Class of Data Users) Order 2013, which lists the data users who are obliged to register by filing an online application on the PDPD’s official website.
Classes of data users which are required to be registered with the PDPD under the MCMC are as follows:
(b) Banking and Finance;
(e) Tourism and hospitalities;
(h) Direct selling;
(i) Real estate;
(k) Pawnbroker; and
2. Conduct an audit and review of current data collection processes to ensure that they comply with the seven (7) principles of data protection set out under the PDPA, which are summarised as follows:
(a) General Principle
Consent is required, and the processing must be for a lawful purpose, necessary for or directly related to that purpose, and not excessive. This means business operators should ask for permission before processing another person’s personal data. Consent must be in a form which is recorded and can be maintained by the data user. The PDPD has advised that, so long as the privacy notice is made known to data subjects, consent exists. Having said that, explicit consent should be obtained for sensitive personal data.
(b) Notice and Choice Principle
Data users shall, by written notice, notify data subjects of the use of their data. The notice shall be in both the national language and English. Data users should give notice as soon as practicable.
(c) Disclosure Principle
Data users shall not, without the data subject’s consent, disclose his/her personal data for any purpose other than that for which it was collected (or a purpose directly related to it), or to any unauthorised third party.
(d) Security Principle
Data users shall take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
In doing so, data users must have regard to the nature of the personal data, the harm that would result if it were misused, the place where it is stored and the security measures incorporated when using it.
(e) Retention Principle
Personal data shall not be kept longer than is necessary for the fulfilment of the purpose for which it was obtained. It is the data user’s duty to take all reasonable steps to ensure that all personal data is deleted or removed once it is no longer required.
(f) Data Integrity Principle
Data users shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up to date, having regard to the purpose for which it was collected and processed.
(g) Access Principle
A data subject shall be given access to his personal data to be able to correct that data where it is inaccurate, incomplete, misleading or not up to date.
3. Implement a security policy which complies with the security standards (for both electronic and non-electronic processing), retention standards and integrity standards provided under the Personal Data Protection Standard 2015 (“Standard”). It is noteworthy that the Standard suggests a number of practical steps for personal data stored electronically, among others:
(a) Registering all employees involved in the processing of personal data;
(b) Controlling and limiting employees’ access to the personal data system used to collect, process and store personal data;
(c) Providing user ID and password for authorised employees to access personal data;
(d) Storing personal data in an appropriate location which is unexposed and safe from physical or natural threats;
(e) Installing a closed-circuit camera at the data storage site or 24-hour security monitoring (if necessary);
(f) Keeping the backup/recovery system and anti-virus software up to date to prevent intrusion into personal data;
(g) Not permitting any transfer of personal data through removable media devices or cloud computing services unless with the written consent of an officer authorised by the top management of the data user’s organisation; and
(h) Binding third parties with contracts for operating and carrying out personal data processing activities (if applicable).
4. Carry out relevant training and awareness programmes to ensure that all personnel are aware of the requirements of the PDPA to avoid any inadvertent contravention of the same; and
5. Assign an officer/department to handle personal data collection issues and act as a liaison for any inquiries or complaints from data subjects.
Failure to Comply with PDPA – Penalties and Offences
Failure by business operators to comply with the principles stipulated in the PDPA may result in a hefty fine of RM 500,000 or 3 years’ imprisonment.
It is important to note that where the offence is committed by a body corporate, any person who at the time of the commission of the offence was a director, CEO, COO, manager, secretary or other similar officer of the body corporate may be liable jointly or severally with the body corporate in the same proceedings.
Business operators, as data users or data processors, should ensure that their processing of personal data closely follows the PDPA. In short, data users should adopt appropriate security measures, such as a secure online storage system, and regularly assess or audit the risks of their personal data processing.
[1] The Star, ‘E-Wallet Market Race’ (2020) <https://thestar.com.my/business/businessnews/2020/06/29/e-wallet-marketrace#:~:text=In%20the%20budget%202020%20announcement,and%20Touch%20’n%20Go%20eWallet.> accessed 10 January 2021.
Azarith Sofia Aziz (Senior Associate)
Hezelyn Ng Sze Hui