
PERSONAL DATA PROTECTION

Associate Professor Siti Hajar Mohd Yasin, Faculty of Law, Universiti Teknologi MARA

International Instruments
- OECD Guidelines 1980
- Council of Europe Convention 1981
- European Directive 1995
- APEC Privacy Framework 2004
- Madrid Resolution 2009

OECD Guidelines 1980 (8 Principles)

- Collection limitation
- Data quality
- Purpose specification
- Use limitation
- Security
- Openness
- Individual participation
- Accountability

Council of Europe Convention 1981


Personal data shall be:
- obtained fairly and lawfully
- stored for specified and legitimate purposes and not used in a way incompatible with those purposes
- adequate, relevant and not excessive
- accurate and, where necessary, kept up to date
- preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored

European Directive 1995


Personal data must be:
- processed fairly and lawfully
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes
- adequate, relevant and not excessive
- accurate and, where necessary, kept up to date

APEC Privacy Framework 2004 (9 Principles)

- Preventing harm
- Notice
- Collection limitation
- Uses of personal information
- Choice
- Integrity
- Security safeguards
- Access and correction
- Accountability

Madrid Resolution 2009 (6 Principles)

- Lawfulness and fairness
- Purpose specification
- Proportionality
- Data quality
- Openness
- Accountability

PDPA Journey
- 2000: 1st draft, PDPB
- 2002: Privacy & Personal Data Protection (Sweet & Maxwell)
- 2007: CTOS scandal/issue; expedite the process; a new Bill
- 2009: Tabled, 1st Reading
- 2010 (Apr): 2nd & 3rd Reading; (May): Dewan Negara; (June): Royal Assent; Gazetted
- Enforcement: ?

The Personal Data Protection Act 2010


In Brief:
- Scope and Application
- Data Protection Principles
- Exemptions
- Rights of Data Subject
- Criminal Offences
- Enforcement and Compliance Mechanisms

Scope and Application

Non-Application:
- Federal & State Governments
- Credit Reference Agencies
- Non-Commercial Transactions
- Data Processed Outside Malaysia
- Personal, Family, Household Affairs

Federal Government means the Government of Malaysia, which includes all the ministries and the Prime Minister's Department.
State Government means the government of a state, which includes organisations such as the state secretary's office, state departments, land and district offices and local authorities.
Commercial transaction means any transaction of a commercial nature, whether contractual or not, but does not include credit reporting business.

PDPA applies to data users in three circumstances:
- A data user is established in Malaysia
- The processing is done by any person employed or engaged by the data user established in Malaysia
- The data user is not established in Malaysia, but uses equipment in Malaysia to process data
Data user means a person who, either alone or jointly or in common with other persons, processes any personal data or has control over or authorises the processing of any personal data, but does not include a data processor.

Personal Data: data that relates directly or indirectly to a data subject who is identified or identifiable from that information and other information in the possession of the data user.

Cont.
Automatic and Manual Data
- Automatic: data processed wholly or partly by means of equipment operating automatically
- Manual data / relevant filing system

Cont.
Processing: collecting, recording, holding, storing, organising, etc.

DATA PROTECTION PRINCIPLES
- General Principle
- Notice and Choice Principle
- Disclosure Principle
- Retention Principle
- Data Integrity Principle
- Access Principle
- Security Principle

1. General Principle
- Personal data shall not be processed unless the data subject has given consent
- Sensitive data shall not be processed except in accordance with the provisions of section 40 PDPA
- Processing must be for a lawful purpose directly related to an activity of the data user
- The processing is necessary for or directly related to that purpose, and
- The personal data is adequate and not excessive in relation to that purpose

Exemptions to Consent
- Performance of a contract to which the data subject is a party
- At the request of the data subject with a view to entering into a contract
- Compliance with a legal obligation
- To protect the vital interests of the data subject
- Administration of justice
- Exercise of any functions conferred on any person by or under any law

Case 1
In 2003, the European Court of Justice heard the case of Mrs Lindqvist, a parishioner from Sweden who volunteered at her local church. She took a course in website design and set up her own website to support other parishioners preparing for confirmation. She posted information about herself on the website, as well as information relating to 18 other colleagues, including their names, jobs, telephone numbers and medical data. She failed to inform them about this and did not ask for their consent. Her colleagues complained and she was forced to shut down the website. She was also prosecuted for criminal offences under Swedish data protection law. She was convicted and appealed. The court rejected her appeal.

Case 2
In 2002 the UK Information Commissioner investigated the case of a trade union employee who pursued a grievance with his employer about bullying at the workplace. The employee took time off sick as a result of the bullying. The details of the employee's grievance and his illness were discussed at meetings, the minutes of which were published on the trade union's website. The employee was not informed of the publication. The Information Commissioner found that a breach of the Data Protection Act had occurred.

Case 3
In 2004, the supermodel Naomi Campbell successfully sued The Mirror newspaper for invasion of her privacy. The Mirror had published a picture of Naomi leaving a Narcotics Anonymous meeting. As part of her case, Naomi argued that The Mirror was processing her sensitive information, in this case her mental and physical health, without her consent. The case went to the House of Lords and Miss Campbell was awarded damages against the newspaper.

2. Notice and Choice Principle

A data user shall inform the data subject:
- that the personal data of the data subject is being processed, and provide a description of the personal data
- the purposes of the collection
- the source of the personal data
- the right of the data subject to request access
- the right to correct
- the right to contact the data user for enquiries and complaints

Cont.
- the right to be informed of the third parties to whom the data user discloses or may disclose the personal data
- the right of choices and means to limit the processing of personal data
- whether it is obligatory or voluntary for the data subject to supply the personal data
- if it is obligatory, the consequence if the data subject fails to supply the personal data

3. Disclosure Principle
No personal data shall, without the consent of the data subject, be disclosed for other purposes.

4. Retention Principle
Personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.
Right to be forgotten: an employee lost his job when the police informed his employer of a criminal allegation made against him 3 years earlier, which remained on his file.

5. Data Integrity Principle
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date.

6. Access Principle
A data subject shall be given access to his personal data and shall be able to correct that personal data if it is inaccurate, incomplete, misleading or not up-to-date

Case Study 1
A patient wrote to his medical practitioner requesting a copy of all his personal information that the practitioner held in his medical record. A period of thirty days passed. He had not received a response from the medical practitioner. The Australian Privacy Commissioner held that access should be provided.

Case Study 2
A woman made a request for a copy of a report prepared by a private investigator for her insurance company. The insurance company refused to provide her with the full copy of the report. The New Zealand Privacy Commissioner advised the insurance company to release some of the information.

7. Security Principle
A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction
Practical steps depend on:
- the nature of the personal data
- the harm that would result from such loss, misuse, modification, etc.
- the place or location where the personal data is stored

Case Study
In 2008, the UK Information Commissioner found Virgin Media Ltd. in breach of the Data Protection Act following the loss of an unencrypted CD containing the personal details of over 3000 customers.

Case Study 2

Exemptions
Partial:
- Crime Prevention/Detection
- Offenders Apprehension/Prosecution
- Tax/Duty Assessment/Collection
- Physical/Mental Health
- Statistics/Research
- Court Order/Judgment
- Regulatory Functions
- Journalistic/Literary/Artistic
Total:
- Personal, Family, Household, Recreational

Partial Exemptions
Crime and Taxation
- Not a blanket exemption; applied on a case-by-case basis
- Will have to pass the test that allowing any of those data protection principles to apply is likely to prejudice the prevention of crime, the apprehension of offenders, etc.
- A blanket approach is unlawful: R v Secretary of State for the Home Department, ex parte Lord
- There must be a substantial chance rather than a mere risk
- The data user needs to make a judgment

Physical and Mental Health


- The Access Principle does not apply
- In certain circumstances, the data user can deny the data subject (patient) access to his personal data
- The exemption applies only if the condition is satisfied: subject access would be likely to cause serious harm to the physical or mental health of the data subject

Research and Statistics
- The exemption only applies where preparing statistics or carrying out research is the sole purpose
- The data are not processed for any other purpose
- The resulting statistics or research are not made available in a form which identifies the data subject

Journalism, Literature and Art
3 conditions:
- the processing is undertaken with a view to the publication of the journalistic, literary or artistic material
- the publication is in the public interest
- the data user believes that compliance with the Principles is incompatible with the journalistic, literary or artistic purposes

Table: exemption purposes (Crime Prevention/Detection; Offenders Apprehension/Prosecution; Tax/Duty Assessment/Collection; Physical/Mental Health; Statistics/Research; Court Order/Judgment; Regulatory Functions; Journalistic/Literary/Artistic) against the Data Protection Principles (General, Notice & Choice, Disclosure, Security, Retention, Data Integrity, Access), marking the principles affected by each exemption. Only the marks for the first column (Crime Prevention/Detection) are legible in the extracted text: General, Notice & Choice, Disclosure and Access Principles.

RIGHTS OF DATA SUBJECTS
- Right to be Informed
- Right to Access
- Right to Correct
- Right to Prevent Processing for Direct Marketing Purposes
- Right to Prevent Processing Likely to Cause Distress
- Right to Withdraw Consent

Rights of Data Subject

1. Right of Access to Personal Data
An individual is entitled to be informed by the data user whether the personal data of which that individual is the data subject is being processed.
Access:
- request in writing
- upon payment of a fee
- a data user should comply within a specified time period
- get a copy

Right of Access
What the data subject must do:
- Request in writing (oral is insufficient)
- Pay the fee (if any)
What the data user must do:
- Comply within 21 days
- If unable, inform the requestor, giving reasons; 14 days extension
- A standard access request form can be developed and used (not mandatory; any written request is sufficient)
- Supply a copy in an intelligible form

Data User May Refuse Access Request
- No information supplied to prove the identity of the requestor
- No information supplied to locate the personal data
- The burden or expense of providing access is disproportionate to the risks to the data subject's privacy
- Complying with the request would disclose other individuals' data
- Providing access would constitute a violation of the law
- Providing access would disclose confidential information of others
- Such access is regulated by another law

2. Right to Correct Personal Data

Where a data user is satisfied that the personal data is inaccurate, incomplete, misleading or not up-to-date, he shall, not later than twenty-one days:
- make the necessary correction
- supply the requestor with a copy of the personal data as corrected

Data User May Refuse to Make Correction
- No information supplied to prove the identity of the requestor
- No information supplied to prove the inaccuracy of the personal data
- The data user is not satisfied that the personal data is inaccurate

3. Right to Prevent Processing Likely to Cause Damage or Distress

At any time, a data subject can require the data user to cease the processing of, or not to begin the processing of, the personal data if it causes or is likely to cause substantial damage or distress.

What the data subject must do:
- Forward notice in writing
- Specify why the processing is causing or will cause damage or distress
- The notice may specify that the purpose or manner of processing is objectionable

What the data user must do:
- The data user must respond within 21 days
- The response must specify either a statement that the data user has complied or intends to comply, or a statement that the data user regards the data subject's notice as unjustified

Exemptions: the right does not apply where
- the data subject has given his consent; or
- the processing is necessary for the performance of a contract concerning the data subject

Right to Prevent Processing for Purposes of Direct Marketing

A data subject may at any time, by notice in writing, require the data user to cease or not to begin the processing of personal data for direct marketing purposes.

What is Direct Marketing?
- Communications by whatever means
- Any advertising or marketing material
- Directed to particular individuals

What the data user must do:
- No option: will have to comply
- To cease, or not to begin

Criminal Offences


No. | Section | Offence | Penalty
1 | S. 16(4) | Processing without a certificate of registration | Fine < RM500,000.00 / Imprisonment < 3 years / Both
2 | S. 18(5) | Processing after registration is revoked | Fine < RM500,000.00 / Imprisonment < 3 years / Both
3 | S. 5 | Contravening the Data Protection Principles | Fine < RM500,000.00 / Imprisonment < 2 years / Both
4 | S. 29 | Non-compliance with a Code of Practice | Fine < RM100,000.00 / Imprisonment < 1 year / Both
5 | S. 37(4) | Failure to inform of the refusal to comply with a data correction request | Fine < RM100,000.00 / Imprisonment < 1 year / Both
6 | S. 38(4) | Processing after consent has been withdrawn | Fine < RM100,000.00 / Imprisonment < 1 year / Both
7 | S. 40(3) | Processing of sensitive data | Fine < RM200,000.00 / Imprisonment < 2 years / Both
8 | S. 42(6) | Failure to comply with the Commissioner's requirement (processing likely to cause damage or distress) | Fine < RM200,000.00 / Imprisonment < 2 years / Both
9 | S. 43(4) | Failure to comply with the Commissioner's requirement (direct marketing) | Fine < RM200,000.00 / Imprisonment < 2 years / Both
10 | S. 129(5) | Transfer of data to places outside Malaysia without any law or adequate protection | Fine < RM300,000.00 / Imprisonment < 2 years / Both
11 | S. 130(3) | Collecting, disclosing or procuring the disclosure of data without the consent of the data user | Fine < RM500,000.00 / Imprisonment < 3 years / Both
12 | S. 130(4) and (5) | Selling or offering to sell | Fine < RM500,000.00 / Imprisonment < 3 years / Both
13 | S. 131(1) and (2) | Abetment and attempt to commit any of the offences | Half of the maximum term provided for that offence

Some Criminal Offences
- Contravening any of the Data Protection Principles
- Failure to comply with the requirements of the Data Protection Commissioner in relation to the right to prevent processing that causes damage or distress
- Failure to comply with the requirements of the Data Protection Commissioner in relation to the right to prevent processing for direct marketing purposes
- Transfer of data to places outside Malaysia whenever there is no law in force to protect the personal data or there is no adequate level of protection
- Collecting, disclosing or procuring the disclosure of personal data without the consent of the data user
- Failure to comply with an enforcement notice

If a body corporate commits an offence, any person who at the time of the commission of the offence was a director, chief executive officer, manager, secretary, etc, may be charged severally or jointly in the same proceeding. If the body corporate is found to have committed the offence, the officers are deemed to have committed the offence personally.


Transfer of Data to Outside Malaysia (Outbound)

What amounts to a transfer?
- PDPA does not define "transfer"
- OECD: movements of personal data across national borders
- Council of Europe Convention: transfer of data across national borders by whatever medium
- Transfer is not the same as transit through a country

Examples of transfer
- Tabung Haji transfers online the particulars of pilgrims to Saudi Arabia
- Malaysian staff of a Malaysian bank working in Singapore, Jakarta, Bangkok, etc.
- The IT department of Tesco Malaysia located in India
- A Malaysian company publishes the names, home addresses and contact info of its staff in the company's publication, which is made available to its branches in Dubai, Hong Kong, etc.
- A manager of Great Eastern Takaful takes his laptop, which has personal data on its hard disk, to meetings overseas

Placing Personal Data on a Website: is it a transfer?
- Lindqvist case (European Court of Justice): transfer occurs when someone accesses the website
- Merely placing data on a website is not regarded as a transfer

What PDPA says

Section 129: No transfer unless to such places as specified by the Minister.

The Minister may specify a place if:
a) there is a law substantially similar to PDPA, or
b) there is a law that serves the same purpose as PDPA, or
c) that place ensures an adequate level of protection equivalent to the protection afforded by PDPA

Q: What countries fall under (a) and (b)?
All European Union countries (Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK), the European Economic Area (Norway, Iceland and Liechtenstein), Australia, Canada, Hong Kong, New Zealand, Macao, Japan, Korea, Taiwan, Argentina, etc.

What about countries which do not have data protection laws?
All ASEAN members, India, China, etc. Section 129(2)(c): adequate protection may be afforded by other means such as safe harbor principles, industry codes, etc.

Exemptions

- The data subject has given his consent
- The transfer is necessary for the performance of a contract
- The transfer is for the purpose of legal proceedings
- To protect the vital interests of the data subject
- Public interest
- The data user has taken all reasonable precautions and exercised all due diligence

Enforcement and Compliance Mechanisms


- Data Protection Commissioner
- Advisory Committee
- Appeal Tribunal
- Codes of Practice
- Enforcement Notice
- Prosecution
- Revocation of Registration

ENOUGH IS ENOUGH
The Star, Malaysia, 18 Sept 2011

Data Protection Does Matter


We need sensible safeguards that protect privacy in this dynamic world. As President, I will strengthen privacy protections and hold government and business accountable for violations of personal privacy.
Barack Obama

Personal data has value and there are people out there exploiting it. I think custodial sentences clearly have to be part of that.
Michael Wills, UK Justice Minister

International Chamber of Commerce


Privacy and business competitiveness are not either/or options. Appropriate privacy protection is a business enabler, not a barrier.


UK Information Commissioner
My message to those at the top of organisations is to respect the privacy of the individual.

Conclusions
- Data protection is not rocket science
- It is all about respect and common sense
- It is about striking a balance between the need of an organisation to process data and the privacy of the individual
- Good data protection is good business, good for all

Some of our IT Law Books (in print):
- Cyber Law: Policies and Challenges, Butterworths Asia (1999)
- Privacy and Data Protection, Sweet & Maxwell (2002)
- Internet Banking: Law and Practice, LexisNexis UK (2004)
- Information & Communication Technology Law: Legal & Regulatory Challenges, Thomson Reuters (2009)

May I recommend that you read this!
