personal data protection act 2010 - pikom › cms › pcc › pdpa_pcc.pdf · 2019-04-03 · ©...


Page 1: Personal Data Protection Act 2010

© 2013 Deloitte Consulting

Personal Data Protection Act 2010

CIOs - are you ready for PDPA?

15th January 2013

PIKOM PDPA Awareness Seminar

Presented by: Joanna Liew, Director of Deloitte Consulting Malaysia

Page 2: Agenda

Time    Event

4:00pm  Registration

4:30pm  Overview of PDPA

4:45pm  Key Components of PDPA
        • 7 Principles of PDPA – Understanding the Core Pillars of the Act
        • Rights of Data Subject – Know Your Rights as an Employee and Consumer
        • Compliance Requirements – What Employers Need To Do
        Getting Ready for PDPA
        • Potential Impact and Risks
        • A Practical Approach for Operationalising PDPA in Your Organisation

6:00pm  Question & Answer Session

Page 3: Overview of PDPA

Page 4: Personal Data Protection in Malaysia

The Malaysian government gazetted the Personal Data Protection Act 2010 (PDPA) with the aim of regulating the collection, storage, processing and use of any personal data.

It is not intended to obstruct the legitimate use of information but strives to ensure that it is used fairly via its principles.

Applies to:

• Any person who processes or authorizes the processing of any personal data in respect of commercial transactions

• Personal data processed in Malaysia

• Use of equipment in Malaysia for processing personal data

Page 5: The Malaysian Personal Data Protection Act

Why PDPA?

• Protect personal data belonging to the public from being misused through commercial transactions

• Protection of sensitive data from being misused

• Facilitate international trade

• Protect consumer rights

Commercial transactions means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting agency under the Credit Reporting Agencies Act 2009.

Page 6: What is Personal Data?

Personal Data means:

• Any personal information in respect of commercial transactions

• Relates directly or indirectly to a data subject

• Includes sensitive personal data, e.g. physical or mental health, political opinions, religious beliefs, offences or any other data as the Minister may determine

• Expression of opinion about the data subject

Page 7: PDPA Enforcement Timeline

Jun ’10: Personal Data Protection Act 2010 was gazetted

Feb ’12: Personal Data Protection Department was set up

Jan ’13: We are here today. Organisations should act now!

From April ’13 onwards (estimation)*: ENFORCEMENT. Companies are to be given an estimated 3 MONTHS* for compliance to PDPA

Note:

* According to Deputy Minister Datuk Joseph Salang, Information Communication and Culture Ministry, at the 2nd Annual Personal Data Protection Summit 2012 (Bernama, published on 12th December 2012). At this point in time, no date has been set for the start of enforcement as it is dependent on the formation of the Personal Data Protection Commission and appointment of the Commissioner.

Page 8: Personal Data Protection Department Organisation Chart

Page 9: List of Countries with Data Protection

• Europe: All countries

• Asia Pacific: Japan, Korea, New Zealand, Hong Kong, Macao, Taiwan, Thailand, Philippines, Singapore (Indonesia, China: in the midst of finalisation)

• South America: Chile, Argentina, Brazil, Mexico

• North America: United States

• Middle East: Israel

No action so far:

• Cambodia

• Vietnam

• Brunei

• Laos, etc.

Page 10: Various Roles Pertaining to PDPA

• Data Subject: Individuals whose data is collected for processing

• Data User: Person or organization authorized for the processing of data

• Data Processor: Holds or processes data but does not exercise responsibility for, or control over, the data

• 3rd Party: Any other person or organization other than the data subject, data processor or data user

Page 11: Key Components of PDPA

Page 12: 7 Principles of PDPA

Page 13: The 7 Principles of PDPA

The 7 Principles:

1. General

2. Notice & Choice

3. Disclosure

4. Security

5. Retention

6. Data Integrity

7. Access

Page 14: Principle No. 1 – General

PERSONAL DATA shall be processed if:

• The data subject has given consent

• The processing is necessary for or directly related to that purpose

• It is adequate and not excessive in relation to that purpose

SENSITIVE DATA shall be processed if:

• The data subject has given explicit consent

• Processing is necessary for employment, vital interest, medical, legal, administration of justice and others where the Minister thinks fit

• The information has been made public by the data subject

Page 15: Example of Personal Data

(Sample form fields shown on the slide: First Name, Last Name, Address, IC No, Bank Account No, Phone Number)

Business Process: Employee Information

• Personal Data: Name; IC numbers, passport numbers; Driver’s license, birth certificate; Bank account numbers; Home address, personal phone no.

• Sensitive Personal Data: Race, religion, health, political opinion, offence records

Business Process: Individual Customer Information

• Personal Data: Name; IC numbers, passport numbers; Personal phone number; Home address, email address; Bank account numbers

• Sensitive Personal Data: Race, religion, health, political opinion, offence records

Business Process: Third Party Information (if any)

• Personal Data: Contact name, number, address, etc.

Page 16: Principle No. 2 – Notice & Choice

DATA SUBJECTS should be informed by written notice of:

• the fact that their personal data is being processed, with a description of the personal data

• the purpose of the collection

• the source of the personal data

• their rights to:

  - request access and correction

  - contact the data user for enquiries and complaints

• the third parties to whom the data user discloses or may disclose the personal data

• the choices and means offered for limiting the processing of personal data

• whether it is obligatory or voluntary for the data subject to supply the personal data

Page 17: Principle No. 2 – Notice & Choice (Cont’d)

NOTICE shall be given as soon as possible:

• At the time the data subject is first asked by the data user to provide his personal data

• At the time the data user first collects the personal data

• Before the data user uses the personal data or discloses it to a 3rd party

NOTICE shall be given in the national language and in English

Page 18: Principle No. 3 – Disclosure

No PERSONAL DATA shall be disclosed without the consent of the data subject:

• for any purpose(s) other than the purpose(s) for which it was collected, or a purpose directly related to it

• to any other party

Page 19: Principle No. 4 – Security

A DATA USER needs to take practical steps to protect the personal data from any:

• Loss

• Misuse

• Modification

• Unauthorised or accidental disclosure

• Alteration or destruction

Need to consider the following:

• The nature of the personal data

• The harm that would result from such misconduct

• The place or location where the personal data is stored

• The security measures to ensure reliability and integrity

• Measures taken to ensure the secure transfer of the personal data

Page 20: Principle No. 5 – Retention

PERSONAL DATA processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.

It shall be the duty of a data user to take all reasonable steps to ensure that ALL personal data is destroyed OR permanently deleted if it is no longer required for the purpose for which it was collected.

Page 21: Principle No. 6 – Data Integrity

A data user shall take reasonable steps to ensure that the personal data is:

• Accurate

• Complete

• Not misleading

• Kept up-to-date, having regard to the purpose of the data

Page 22: Principle No. 7 – Access

A DATA SUBJECT shall be given the right of access to:

• Their personal data, and

• The ability to correct that personal data if it is:

  - Inaccurate

  - Incomplete

  - Misleading

  - Not up-to-date

Page 23: Rights of the Data Subjects

Page 24: Rights of Data Subject & Obligations of Data User

Rights of Data Subject:

• Right to prevent processing likely to cause damage or distress

• Right to correct

• Right to withdraw consent

• Right to access

• Right to prevent processing for purposes of direct marketing

Obligations of Data Users: Comply within 21 days

Page 25: Compliance Requirements

Page 26: Registration with the Commissioner

A Gazette published by the Minister will state the data users, or classes of data users, who are required to register with the Commissioner.

Application for Registration:

• Submit an application for registration to the Commissioner

• Provide the prescribed registration fee and required documents

Success: Issue certificate of registration

Failure: Provide a written notice with reasons

Registration Renewal:

• Renew 90 days before date of expiry

• Submit an application for renewal

• Provide renewal fee and required documents

Page 27: Registration with the Commissioner (Cont’d)

Revocation of Registration. Conditions leading to revocation:

• Fail to comply with the Act, conditions and restrictions

• Provide false representation of fact

• Cease processing of personal data

Fail to comply: Fine of RM500,000 and/or imprisonment of 3 years or less

Surrender of Certificate of Registration:

• Surrender within 7 days to the Commissioner

Fail to comply: Fine of RM200,000 and/or imprisonment of 2 years or less

Page 28: Sectors of Data Users Affected by the PDPA

• Communications

• Banking and Financial Institutions

• Insurance and Takaful

• Health

• Tourism and Hospitality

• Transportation

• Education

• Direct Selling and Direct Marketing

• Services

• Real Estate

• Utilities

• All relevant Statutory Bodies

Page 29: Exemptions

Page 30: Exemptions of PDPA

Full Exemption:

• At the request of the data subject

• Performance of a contract where the data subject is a party

• Compliance with legal obligation

• To protect vital interest of data subject

• Administration of justice

• Personal, family, household and recreational

• Other cases as prescribed by the Minister by order published in the Gazette

Partial Exemption:

• Crime Prevention/Detection

• Offenders

• Apprehension/Prosecution

• Tax/Duty Assessment/Collection

• Physical/Mental Health

• Statistics/Research

• Court Order/Judgment

• Regulatory Functions

• Journalistic/Literary/Artistic

Page 31: Breaches of the Act

Page 32: Fines & Penalties

Not more than RM500,000 / Not more than 3 years imprisonment, or both:

• Processes personal data without a certificate of registration

• Unlawful collecting, disclosing, selling of personal data

• Continues to process personal data after registration has been revoked

Page 33: Fines & Penalties

Not more than RM300,000 / Not more than 2 years imprisonment, or both:

• Contravenes the PDP Principles

• Transfer of personal data to a place outside Malaysia not specified by the Minister and not in the Gazette

Page 34: Fines & Penalties

Not more than RM250,000 / Not more than 2 years imprisonment, or both:

• Contravenes regulations and subsidiary legislation

Page 35: Fines & Penalties

Not more than RM200,000 / Not more than 2 years imprisonment, or both:

• Failure to surrender certificate of registration upon revocation

• Contravenes the conditions for processing sensitive personal data

• Fails to comply with the Commissioner’s requirement

• Fails to comply with an enforcement notice

Page 36: Fines & Penalties

Not more than RM100,000 / Not more than 1 year imprisonment, or both:

• Refusal to comply with a data correction request

• Continues to process after withdrawal of consent to process personal data

• Non-compliance with any code of practice applicable to the data user

Page 37: Getting Ready for PDPA

Page 38: Potential Privacy Related Risk to the Organization

Page 39: Potential Privacy Related Risks

• Legal Risk: Fine and/or imprisonment

• Financial Risk: Lost sales, investigations & operational clean-up costs

• Reputation Risk: Reputation & brand damage

* Reputational damage will be of most concern to organisations, particularly given the media attention such incidents command

Page 40: Violation Cases

Page 41: Actual Cases: Pfizer

Page 42: Actual Cases: Sony

Page 43

Page 44: Actual Cases: Apple Apps

Page 45: Actual Cases: Google Street Australia

Google is “almost certain” to face prosecution for collecting data from unsecured wi-fi networks, according to Privacy International (PI). The search giant has been under scrutiny for collecting wi-fi data as part of its StreetView project. (June 9, 2010)

Page 46: Actual Cases: Tesco

Page 47: Actual Cases: Financial Institutions

Page 48: Actual Cases: Malaysia

Page 49: Actual Cases: Malaysia

Page 50: Actual Cases: Malaysia

Page 51: Deloitte’s IT-Business Balance Survey

What portion of the IT budget of your organization is spent every year on data security and data privacy?

[Bar chart. Vertical axis "Portion of IT Budget": Less than 1%; Between 1% and 3%; Between 3% and 5%; Between 5% and 10%; More than 10%. Horizontal axis (%): 0 to 50. Series: Americas (excl. USA), Asia-Pacific, EMEA.]

Source: Deloitte IT-Business Balance Survey 2009

Page 52: Surveys on Current Awareness of Organisations

What is the current awareness level of the organisations on their security and privacy incidents?

Source: Deloitte IT-Business Balance Survey 2010-2011

Page 53: A Practical Approach to PDPA Compliance

Page 54: Organisation & Governance

Key Considerations:

• Governance

• Physical Security

• Request for Access

• Outsourcing

• Training and Awareness

Page 55: Governance – Reporting Lines

Page 56: Human Resource

Key Considerations:

• Employment References

• Disclosure, Sharing & Selling of Information

• Retention & Disposal of Records

• Handling Sensitive Information

• Access Request

• Notification

Page 57: Information Technology

Key Considerations:

• Data Usage & Monitoring

• Data Back-up & Archival

• Portable Devices

• Security & Access

• Systems Implementation

• Password

Page 58: Information Technology

Privacy Impact Assessments (PIA) for New System Implementation

• Privacy protection should be designed into a system, rather than bolted on later.

• A PIA is normally required for government projects but can be used as a guide for organisations to:

  o Start early to ensure that project risks are identified and appreciated before the problems become embedded in the design.

  o Commence a PIA as part of the project initiation phase (or its equivalent in whichever project method the organisation uses).

  o If the project is already under way, start today, so that any major issues are identified with the minimum possible delay.

Source: www.ico.gov.uk

Page 59: Tips Towards Mobile Privacy

Source: Deloitte Knowledgebase

Page 60: PDPA in Cloud Environment

• Service Models

• Identify the Data Controller

• Responsibilities of the Data Controller

• Selecting a Cloud Provider

Page 61: Sales & Marketing

Key Considerations:

• Notification & Consent

• Marketing Activities: Calls, Faxes, Mail/Email, Campaigns

Page 62: Sales & Marketing

Marketers: Prepare to Self-Regulate

• Audit your use of consumer data

• Rewrite privacy policies

• Emphasize user benefits

Page 63: Notification (Examples)

Page 64: Notification (Examples)

Page 65: Notification (Examples)

Page 66: Drafting a Good Privacy Notice

At a minimum, a privacy notice should include the following:

• The sender is clearly identified

• The purpose and use are defined very clearly

• Who you are disclosing the information to is indicated

• How to access the data (if applicable)

Various mediums can be used to deliver privacy notices, e.g. electronically, verbally, etc.

Page 67: Moving Forward with PDPA

Page 68: How to Move Forward?

• Create awareness in the organisation

  - Awareness of internal policies for securing personal data

  - Create a culture of high awareness

• Know your current compliance level

  - Understand the impact of PDPA

  - Identify the gaps

• Designate a Chief Data Protection Officer or Committee

  - Define an information protection strategy

  - Develop short-term compliance programmes

• Develop policies for PDPA

  - Policies spanning legal, IT, marketing, human resource, customer services, etc.

  - Focus on end-to-end Data Privacy & Protection Governance processes, policies and procedures in line with PDPA

• Periodic compliance review

  - Conduct annual compliance or specific audit checks

What’s your PDPA compliance roadmap?

Page 69: Deloitte’s 3A Approach

PDPA Implementation Lifecycle: “Know the Law”, “Understand the Gaps”, “Comply & Fine Tune”

Page 70: Questions to Ponder on…

What are the common risks faced by your relevant department, e.g. the IT Department?

From your perspective, what are the short-term initiatives that you can implement?

How would you, as a key person in IT, help promote awareness amongst your colleagues in your respective departments?

Page 71: Question & Answer

Page 72: Contact Us

For inquiries in relation to PDPA 2010, please e-mail [email protected]. Alternatively, we can be contacted at: +60 3 7495 3800

Joanna Liew
[email protected]

Ho Sai Weng
[email protected]

Kwan Wen Ching
[email protected]

Page 73

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/my/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.