After a decade of delay, the Personal Data Protection Bill 2009 (PDP) has finally been tabled and passed by Parliament. This is a very important piece of legislation as it would affect almost everyone in the country. Generally, the enactment of the PDP is laudable. Prior to this, Malaysia adopted a sectoral approach to protecting personal data, but this approach proved inadequate.
The PDP will apply to anyone who processes or who has control over or authorises the processing of any personal data in respect of commercial transactions. The person who processes any personal data is called “data user” and the person whose personal data is being processed is known as “data subject”. The PDP imposes many obligations on the data user. It requires that the data user comply with the seven PDP principles, failing which he can be fined not exceeding RM300,000 or be jailed for a term not exceeding two years, or both.
Buying and selling of personal data is a criminal offence. In addition, any individual who is annoyed by direct marketing will be able to prevent it. The PDP principles require that a data user not process personal data without the consent of the data subject, and that the data be processed for a lawful purpose directly related to an activity of the data user.
It also states that a data user has a duty to inform a data subject about the processing of his personal data by way of written notice, and such notice must be given by the data user as soon as practicable. In the absence of consent from the data subject, personal data shall not be disclosed to any party other than for the purpose for which the personal data was to be disclosed at the time of collection, or for a purpose directly related to that purpose.
The data user must also take practical steps to implement security measures to protect and safeguard the personal data. In addition, personal data shall not be kept longer than is necessary and the data must be destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.
There is, however, no time frame given and the PDP leaves it to the discretion of the data user, who must also take reasonable steps to ensure that the personal data is accurate, complete, not misleading and up-to-date. The PDP also provides the data subject with the right to have access to his personal data held by a data user.
If the personal data is inaccurate, incomplete, misleading or not up-to-date, the data subject can request that the data be corrected. Although the PDP confers many rights on individuals and imposes liabilities on those who breach the law, the Act is far from perfect due to its unique features and its narrow application.
The PDP does not apply to the Government, even though the Government processes a great deal of our personal data. For example, the National Registration Department processes most of our personal data; the Inland Revenue Board processes our income tax returns, which contain our financial records and sources of income; and the DNA Identification Act 2009 allows the Government to keep DNA profiles of individuals in the DNA databank.
As such, to exclude the Government from the application of the PDP would be contrary to the objective underlying the PDP in protecting the personal data of its citizens. It is not clear whether local authorities established under the Local Government Act 1976 and those agencies and statutory bodies established under their respective Acts of Parliament to perform specific public functions are also considered as part of the Government.
The PDP is further limited to the processing of personal data in respect of commercial transactions. The Oxford English Dictionary defines the term “commercial” to mean “engaged in, or connected with, commerce and having profit as a primary aim rather than artistic etc. value”.
The Government has repeatedly emphasised that the PDP is critical in this age of e-commerce and it will solve such problems as credit card fraud, identity theft and selling of personal data without customers’ consent.
However, personal data protection is not just about safeguarding personal data in the commercial world. It is equally important to protect personal data such as medical and health records, employee records, financial records, and even criminal records.
For example, someone may have submitted his personal data in a contest or enquiry form. The use of personal data in these situations may not necessarily involve a “profit-making” element, and it can hardly be considered “use in respect of commercial transactions”.
The effect of this restrictive limitation is that the PDP applies to, and within, the private sector, and then further narrows down to organisations which process personal data in commercial transactions.
In many other jurisdictions, such as Britain and Hong Kong, breaches of data protection law are punishable under both criminal and civil law. An earlier draft contained a similar provision, under which any individual who suffers damage (which includes injury to feelings) or distress by reason of a contravention of the PDP would be entitled to file a civil suit and claim compensation for such damage or distress, but it was omitted from the PDP as passed.
This is ironic because, while the PDP provides the right to prevent processing that is likely to cause damage or distress, there is no right to claim compensation for causing such damage or distress.
The exclusion of the Government from the PDP and its narrow scope are undesirable. Most data protection laws in other jurisdictions do not have such restrictions.
This is a good beginning and it is hoped that with increased awareness of the importance of personal data protection among the public and the demand for stronger protection, the law will be further improved.
This article was first published in CHIP Magazine Malaysia.