By: Sonny Zulhuda
Among the first questions people ask about the Personal Data Protection Act (PDPA) 2010 is “does this Act apply to me?” or, if the answer is yes, “in what way does the Act implicate me?”
The PDPA 2010 provides definitions of certain entities that are, in one way or another, “implicated.” They are (1) Data User; (2) Data Processor; and (3) Data Subject. Thus, the PDPA 2010 operates on these classes of person. It is within this frame that you can answer whether the Act applies to you, or in what way it implicates you.
The first category under the Act is called the “Data User”. A Data User is a person who processes any personal data or has control over or authorises the processing of any personal data, either alone or jointly or in common with other persons. These are the people (including legal persons, i.e. companies) who use people’s data for their business processes, or even as their business commodities. They collect personal data from people, store the data, rearrange the data, disclose it to others or use it for their own purposes.
This is the class of people in society that is the target of the law. The PDPA 2010 has in its preamble the objective “to regulate the processing of personal data in commercial transactions and to provide for matters connected therewith and incidental thereto.” The data user, I would say, is the main cast in this legislation.
This, however, does not include those who process the data not for their own purposes but only on behalf of another. This category leads us to the second cast, i.e. the “Data Processor”.
The Act defines a Data Processor, in relation to personal data, as any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user and does not process the personal data for any of his own purposes. This includes those to whom data users outsource their data processing or data storage.
A good example of this would be those who provide e-payment services to facilitate online banking. The personal data used to verify, process and authorise an e-payment may not belong to the service provider, but rather to a particular bank. This is because those service providers never collected or controlled the data; they only processed it on their servers for the purposes authorised by the data user.
The third category is supposedly the widest of all, i.e. the “Data Subject”. It is defined in the PDPA 2010 as an individual who is the subject of the personal data. Does this include a ‘non-natural person’? No, it doesn’t, because the Act is concerned only with a living individual who is identified or identifiable from the personal data. We are not talking about companies or other non-natural persons. It does not even include the personal data of dead people.
In an organisation, the Data Subject covers those people inside the entity, such as employees, outsourced providers, vendors, as well as business partners and investors. From outside the organisation, it includes customers, both actual and prospective.
This means me, you and everyone whose data are collected, stored and processed elsewhere at various places: at your bank, on your employer’s desktop, at your insurance company, on your hospital’s computers, at your school, or in your lawyer’s or your developer’s customer records. It can be everywhere, and yes, it has been everywhere! We are all Data Subjects.