Personal Data Protection Act 2010 Quick Summary

Refer to Malaysia Technology News.

The Personal Data Protection Act 2010 (PDPA) was passed by Parliament in May 2010.

The Act does not, however, apply in the following 5 scenarios:
  1.     Federal & states governments
  2.     Credit reference agencies
  3.     Data processed outside Malaysia (unless it is intended to be further processed in Malaysia)
  4.     Personal and family
  5.     Non-commercial transactions

It applies to the following 7 activities ("processing") that relate to personal data:
  1.     Collecting
  2.     Recording
  3.     Holding
  4.     Storing
  5.     Organising
  6.     Publishing on the Internet
  7.     Making available

The Act sets out 7 Personal Data Protection Principles that a data user must comply with. The exemptions discussed below relieve a data user from some, but not all, of these principles:
  1.     General principle
  2.     Notice and choice principle
  3.     Disclosure principle
  4.     Security principle
  5.     Retention principle
  6.     Data integrity principle
  7.     Access principle

For example, personal data processed for the prevention or detection of crime is exempt from the following principles, but only where applying them would be likely to prejudice that purpose; the Security, Retention and Data Integrity Principles continue to apply:
  1.     General principle
  2.     Notice & choice principle
  3.     Disclosure principle
  4.     Access principle

The exemptions themselves (distinct from the 5 non-application scenarios listed earlier) are as follows; "partial" means only some of the 7 principles are lifted:
  1.     Crime prevention/detection - partial exemption
  2.     Offenders apprehension/prosecution - partial exemption
  3.     Tax/duty assessment/collection - partial exemption
  4.     Physical/mental health - partial exemption
  5.     Statistic/research - partial exemption
  6.     Court order/judgment - partial exemption
  7.     Regulatory functions - partial exemption
  8.     Journalistic/literary/artistic - partial exemption
  9.     Personal, family or household affairs - full exemption

Also take note that, regardless of whether a breach has occurred, a data subject has the following 6 rights under the Act:
  1.     Right to be informed
  2.     Right to access
  3.     Right to correct
  4.     Right to withdraw consent
  5.     Right to prevent processing likely to cause distress
  6.     Right to prevent processing for direct marketing purposes

In the corporate sense, a director, CEO, COO, manager, secretary or other similar officer of the body corporate, or a person who was purporting to act in any such capacity, or who was in any manner or to any extent responsible for the management of any of the affairs of the body corporate or was assisting in such management, may be charged severally or jointly in the same proceedings with the body corporate; and

If the body corporate is found to have committed the offence, that person shall be deemed to have committed the offence unless, having regard to the nature of his functions in that capacity and to all the circumstances, he proves:

- that the offence was committed without his knowledge, consent or connivance; and
- that he had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence. (s.133)

The enforcement mechanism can consist of one or a combination of the following:
  1.     Data protection commissioner
  2.     Advisory committee
  3.     Appeal tribunal
  4.     Codes of practice
  5.     Enforcement notice
  6.     Prosecution
  7.     Revocation of registration