Here we are finally. After months of speculations, the Malaysian Personal Data Protection Act (PDPA) came in force last week on November 15, 2013. To be honest, we weren’t really expecting this, since deadlines after deadlines have gone by. We have been doing our workshops since December last year, and only had a vague prediction that 2014 could be the year it is enforced after it missed the August deadline this year.
Well, surprise, we are now in a new era of data privacy and protection, and companies and individuals will be going head to head over the new currency: Information.
For the benefit of those who haven’t attended any of our workshops, here’s a summary of the 7 principles of the Act:
1) General Principle – Consent is key for this principle. Any information collected must only be used for the purpose it was given. For instance, I am giving you my information for you to process my housing loan. The next thing I know, your company is trying to sell me frozen yoghurt. Not nice. Additionally, don’t collect more than what is needed for that purpose. If you are collecting for a lucky draw, you don’t technically need to know his Credit Card number, do you?
2) Notice and Choice – My favourite. This constitutes a privacy statement at data collection points. You need to tell data subjects the nature of the data processed, purpose, rights and obligations of subject and of course, in both Malay and English. Yes you need both languages. The data subject should have a record or copy of the agreed notification. Time to be creative.
3) Disclosure – Only disclose what the data subject has consented during collection and also maintain a disclosure list to third parties
4) Security – This is where we generally come in directly. While the others constitutes a lot of process changes, this principle simply states, “practical steps” must be taken to protect information from misuse, loss, modifications, destruction etc. Basically the entire scope of Confidentiality, Integrity and Availability. Unfortunately, breach notification and safe harbour principles are not included in the our PDPA.
5) Retention – Once the data has fulfilled its purpose, it should not be further retained.
6) Data Integrity – Steps must be taken to ensure personal data is accurate, complete, not misleading and updated to serve its purpose(s).
7) Access – Data subject must be able to access data held by the data user. The channel to correct inaccurate, misleading data must be provided to the data subject.
Additionally, PDPA has certain restrictions as follows:
a) Sensitive Personal Data – certain types of data (political opinions, religion, physical and mental health etc) cannot be processed without explicit consent. I suppose I won’t be seeing any more forms with “Religion” anymore. I always fill in “The Force” for fun, anyway.
b) Cross Border – This is a major one. Personal data cannot be transferred to a place outside Malaysia unless the minister specifies or individual has consented. In light with cloud computing, questions will arise if we store our customer CRM in the cloud like AWS or even Google Docs. How will this affect us?
c) Explicit rules for Direct Marketing – Direct marketing, to sell and solicit products and services, is affected the most. Now data subject can ask marketer to remove and not process the data anymore for direct marketing. There is a jail term of 2 years and RM300K fine.
d) Registration – Certain industries are required to register. For those not listed, well, we don’t need to register, but the Act still covers us!
e) Codes of Practices – In the near future, data user forums will be formed, where codes of practices/guidelines for compliance will be created. The commissioner still has the final say on the effectiveness of these codes of practices. This should be interesting, as in PKF we already have a special audit for Personal Information Management, as well as a product to specially scan for certain types of personal information in our client’s network.
In conclusion, we always knew this day would come so we are not overly surprised. We have given hundreds of hours of free workshops over last year and I hope, if you are one of them who received, that it has spurred you on to compliance even before this announcement.
Because 3 months is an awfully short time for compliance. No better time than now to get started! Contact us at avantedge@pkfmalaysia.com or +603 6203 1888 if you require more information on our Personal data services, scans and workshops.
Are CROs required to register?
CRO = contract research organisations? You will need to comply, but registration is only limited to certain classes. Under health, it would be Licensees, and holders of a certificate of registration of a private medical clinic or a private dental clinic, under the Private Healthcare Facilities and Services Act 1998. Also, any body corporate registered under the Registration of Pharmacists Act 1951.