Data Protection Principles under PDP Law

By: Sonny Zulhuda

Understanding data protection principles is crucial to (re)formulate the business processes. For companies and organisations that in any way involve the use and exploitation of personal data of their employees, customers (actual and potential) and business partners, series of actions need to be taken to comply with the legal regime on data protection.

In Malaysia, this is particularly a cause of concern nowadays as the new law on personal data protection clearly requires data users to take certain actions.

Laid in the main body of the law is the prescription of data protection principles from which stemming all the rights, duties and liabilities of each of data user and data subject (Note: ‘data user’ is those who use, collect, process, etc. the personal data that belong to certain individuals. Those individual are called ‘data subject’).

In Personal Data Protection Bill that was recently passed by Malaysian Lower House of Representatives, the principles of personal data protection is laid down in Part II, sections 5-12.

Those principles are;

• General Principle
• Notice and Choice Principle
• Disclosure Principle
• Security Principle
• Retention Principle
• Data Integrity Principle
• Access Principle

section 6 – General Principle

It provides, among others, that data user shall not process personal without the consent of the data subject concerned. More stringent requirements are imposed on the category of ‘sensitive personal data.’ By virtue of this principle, too, the processing of personal can only be done for a lawful purpose directly related to data user’s activity. It also requires that the data processed must not be excessive (imagine if a bank requires from its customer to declare the history of his illnesses, a data which is not directly related and is likely excessive)

section 7 – Notice and Choice Principle

It prescribes, among others, that when collecting personal data, data user shall properly notify the data subjects as to the purpose of that collection/processing, as well as the related rights of data subject with regards to that processing.

section 8 – Disclosure Principle

This principle puts forward the restriction on disclosure of the personal data.

section 9 – Security Principle

This is another set of compliance issue with regards to the security measures that have to be adopted by the data users. The bottom line is that data users are responsible to the security, integrity and reliability of the personal data that they process or store.

section 10 – Retention Principle

How long organisations or companies can keep the personal data? This question is addressed by this principle. There is no number anyway, but the word ‘necessary’ is central here. One may wonder how is that being ascertained? And what will happen if the time is over for the retention?

section 11 – Data Integrity Principle

Wondering why your bank’s circulars never reach you despite their assurance that they had posted them to your address? Your address may be incomplete! This section provides that it is the duty of data user to ensure the accuracy and completeness of the personal data they collect.

section 12 – Access Principle

PDP law is pushing for more accountability. No joke, but this law requires data users to provide certain mechanism where individuals should be able to have access to and correction upon their personal data. A good thing for consumer protection in general.

In sum, this Personal Data Protection Principles will become a central concern of organisations and companies across the industries and businesses in the years to come. They simply need to reformulate their business processes!