Malaysia: The Personal Data Protection Bill 2009

Introduction

New technology and changes in market trends have contributed to the growing importance of knowledge in the global economy. This has made personal data in commercial transactions a valuable commodity for business.

According to Malaysia’s Information, Communications, Culture and Arts Minister, Datuk Seri Dr Rais Yatim, the Personal Data Protection Bill 2009 is a form of cyber-legislation modelled after the provisions that were outlined by some European countries in relation to the protection of national security, defence and basic human rights requirements.

Purpose

  • The bill seeks to protect personal data belonging to the public from being misused in commercial transactions.
  • Its aim is to protect public interests by regulating the processing of personal data in commercial transactions by data users.
  • The bill places high importance on protecting sensitive personal data, such as information on a person’s health, physical attributes, mental status and religious preferences, from being misused.
  • The overall objective of the bill is to enhance consumers’ confidence in the global economy.

Outline

  • The bill provides for the appointment of a Personal Data Protection Commissioner and the setting up of an advisory committee to advise the Commissioner on the enforcement of the Act.
  • New regulations on data protection would ensure that personal data is not given out except with the consent of its owner.
  • Section 5(1) states that personal data processing must adhere to the personal data protection principles, namely the general, notice, choice, due diligence, security, storage, integrity and access principles.
  • Once the law comes into effect, credit reference agencies like CTOS would have to apply to the Personal Data Protection Commissioner’s office before they can keep any personal data on individuals in their databases.

Involvement

  • Private database collection agencies would have to strictly comply with the Act.
  • Credit reference agencies, in particular Credit Tip Off Sdn Bhd (CTOS), will be monitored for their activities as commercial transactors of information.

If convicted under the Act

  • A personal data user faces imprisonment of up to two years, a fine of up to RM200,000, or both.

Source:

Extract

PERSONAL DATA PROTECTION BILL 2009

PART I

PRELIMINARY

Short title and commencement

1. (1)    This Act may be cited as the Personal Data Protection Act 2009.

(2)        This Act comes into operation on a date to be appointed by the Minister by notification in the Gazette, and the Minister may appoint different dates for different provisions of this Act.

Application

2. (1)    This Act applies to—

(a)        any person who processes; and

(b)        any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions.

(2)        Subject to subsection (1), this Act applies to a person in respect of personal data if—

(a)        the person is established in Malaysia and the personal data is processed, whether or not in the context of that establishment, by that person or any other person employed or engaged by that establishment; or

(b)        the person is not established in Malaysia, but uses equipment in Malaysia for processing the personal data otherwise than for the purposes of transit through Malaysia.

(3)        A person falling within paragraph (2)(b) shall nominate for the purposes of this Act a representative established in Malaysia.

(4)        For the purposes of subsections (2) and (3), each of the following is to be treated as established in Malaysia:

(a)        an individual whose physical presence in Malaysia shall not be less than one hundred and eighty days in one calendar year;

(b)        a body incorporated under the Companies Act 1965 [Act 125];

(c)        a partnership or other unincorporated association formed under any written laws in Malaysia; and

(d)        any person who does not fall within paragraph (a), (b) or (c) but maintains in Malaysia—

(i)         an office, branch or agency through which he carries on any activity; or

(ii)        a regular practice.

Non-application

3. (1)    This Act shall not apply to the Federal Government and State Governments.

(2)        This Act shall not apply to any personal data processed outside Malaysia unless that personal data is intended to be further processed in Malaysia.

Interpretation

4. In this Act, unless the context otherwise requires—

“credit reporting agency” has the meaning assigned to it in the Credit Reporting Agencies Act 2009 [Act ];

“this Act” includes regulations, orders, notifications and other subsidiary legislation made under this Act;

“register” means the Register of Data Users, Register of Data User Forums or Register of Codes of Practice;

“personal data” means any information in respect of commercial transactions, which—

(a)        is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;

(b)        is recorded with the intention that it should wholly or partly be processed by means of such equipment; or

(c)        is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2009;

“sensitive personal data” means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette;

“prescribed” means prescribed by the Minister under this Act and where no mode is mentioned, means prescribed by order published in the Gazette;

“Advisory Committee” means the Personal Data Protection Advisory Committee established under section 70;

“vital interests” means matters relating to life, death or security of a data subject;

“Fund” means the Personal Data Protection Fund established under section 61;

“use”, in relation to personal data, does not include the act of collecting or disclosing such personal data;

“collect”, in relation to personal data, means an act by which such personal data enters into or comes under the control of a data user;

“Minister” means the Minister charged with the responsibility for the protection of personal data;

“disclose”, in relation to personal data, means an act by which such personal data is made available by a data user;

“relevant person”, in relation to a data subject, howsoever described, means—

(a)        in the case of a data subject who is below the age of eighteen years, the parent, or person who has parental responsibility for the data subject;

(b)        in the case of a data subject who is incapable of managing his own affairs, a person who is appointed by a court to manage those affairs, or a person authorized in writing by the data subject to act on behalf of the data subject; or

(c)        in any other case, a person authorized in writing by the data subject to make a data access request, data correction request, or both such requests, on behalf of the data subject;

“authorized officer” means any officer authorized in writing by the Commissioner under section 110;

“correction”, in relation to personal data, includes amendment, variation, modification or deletion;

“requestor”, in relation to a data access request or data correction request, means the data subject or the relevant person on behalf of the data subject, who has made the request;

“data processor”, in relation to personal data, means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes;

“processing”, in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including—

(a)        the organization, adaptation or alteration of personal data;

(b)        the retrieval, consultation or use of personal data;

(c)        the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or

(d)        the alignment, combination, correction, erasure or destruction of personal data;

“registration” means the registration of a data user under section 16;

“data user” means a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor;

“relevant data user”, in relation to—

(a)        an inspection, means the data user who uses the personal data system which is the subject of the inspection;

(b)        a complaint, means the data user specified in the complaint;

(c)        an investigation—

(i)         in the case of an investigation initiated by a complaint, means the data user specified in the complaint;

(ii)        in any other case, means the data user who is the subject of the investigation;

(d) an enforcement notice, means the data user on whom the enforcement notice is served;

“credit reporting business” has the meaning assigned to it in the Credit Reporting Agencies Act 2009;

“Commissioner” means the Personal Data Protection Commissioner appointed under section 47;

“third party”, in relation to personal data, means any person other than—

(a) a data subject;

(b) a relevant person in relation to a data subject;

(c) a data user;

(d) a data processor; or

(e) a person authorized in writing by the data user to process the personal data under the direct control of the data user;

“relevant filing system” means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set of information is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;

“data subject” means an individual who is the subject of the personal data;

“appointed date” means the relevant date or dates, as the case may be, on which this Act comes into operation;

“code of practice” means the personal data protection code of practice in respect of a specific class of data users registered by the Commissioner pursuant to section 23 or issued by the Commissioner under section 24;

“commercial transactions” means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2009.

PART II

PERSONAL DATA PROTECTION

Personal Data Protection Principles

5. (1) The processing of personal data by a data user shall be in compliance with the following Personal Data Protection Principles, namely—

(a) the General Principle;

(b) the Notice and Choice Principle;

(c) the Disclosure Principle;

(d) the Security Principle;

(e) the Retention Principle;

(f) the Data Integrity Principle; and

(g) the Access Principle,

as set out in sections 6, 7, 8, 9, 10, 11 and 12.

(2) Subject to sections 45 and 46, a data user who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

General Principle

6. (1)    A data user shall not—

(a)        in the case of personal data other than sensitive personal data, process personal data about a data subject unless the data subject has given his consent to the processing of the personal data; or

(b)        in the case of sensitive personal data, process sensitive personal data about a data subject except in accordance with the provisions of section 40.

(2)        Notwithstanding paragraph (1)(a), a data user may process personal data about a data subject if the processing is necessary—

(a)        for the performance of a contract to which the data subject is a party;

(b)        for the taking of steps at the request of the data subject with a view to entering into a contract;

(c)        for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;

(d)        in order to protect the vital interests of the data subject;

(e)        for the administration of justice; or

(f)        for the exercise of any functions conferred on any person by or under any law.

(3)        Personal data shall not be processed unless—

(a)        the personal data is processed for a lawful purpose directly related to an activity of the data user;

(b)        the processing of the personal data is necessary for or directly related to that purpose; and

(c)        the personal data is adequate but not excessive in relation to that purpose.

Notice and Choice Principle

7. (1)    A data user shall by written notice inform a data subject—

(a)        that personal data of the data subject is being processed by or on behalf of the data user, and shall provide a description of the personal data to that data subject;

(b)        the purposes for which the personal data is being or is to be collected and further processed;

(c)        of any information available to the data user as to the source of that personal data;

(d)        of the data subject’s right to request access to and to request correction of the personal data and how to contact the data user with any inquiries or complaints in respect of the personal data;

(e)        of the class of third parties to whom the data user discloses or may disclose the personal data;

(f)        of the choices and means the data user offers the data subject for limiting the processing of personal data, including personal data relating to other persons who may be identified from that personal data;

(g)        whether it is obligatory or voluntary for the data subject to supply the personal data; and

(h)        where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he fails to supply the personal data.

(2)        The notice under subsection (1) shall be given as soon as practicable by the data user—

(a)        when the data subject is first asked by the data user to provide his personal data;

(b)        when the data user first collects the personal data of the data subject; or

(c)        in any other case, before the data user—

(i)         uses the personal data of the data subject for a purpose other than the purpose for which the personal data was collected; or

(ii)        discloses the personal data to a third party.

(3)        A notice under subsection (1) shall be in the national and English languages, and the individual shall be provided with a clear and readily accessible means to exercise his choice, where necessary, in the national and English languages.

Disclosure Principle

8. Subject to section 39, no personal data shall, without the consent of the data subject, be disclosed—

(a)        for any purpose other than—

(i)         the purpose for which the personal data was to be disclosed at the time of collection of the personal data; or

(ii)        a purpose directly related to the purpose referred to in subparagraph (i); or

(b)        to any party other than a third party of the class of third parties as specified in paragraph 7(1)(e).

Security Principle

9. (1)    A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction by having regard—

(a)        to the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;

(b)        to the place or location where the personal data is stored;

(c)        to any security measures incorporated into any equipment in which the personal data is stored;

(d)        to the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and

(e)        to the measures taken for ensuring the secure transfer of the personal data.

(2)        Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that the data processor—

(a)        provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and

(b)        takes reasonable steps to ensure compliance with those measures.

Retention Principle

10. (1) The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.

(2)        It shall be the duty of a data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.

Data Integrity Principle

11.       A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.

Access Principle

12.       A data subject shall be given access to his personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request to such access or correction is refused under this Act.


Comments
3 Responses to “Malaysia: The Personal Data Protection Bill 2009”
  1. Good day! I simply wish to give a huge thumbs up for the great info you could have right here on this post. I will likely be coming again to your weblog for more soon.
