My Intro: The following passages were published by the Star in their Sunday Edition (6th January 2013) at pp 23-24. The article is about what Malaysian consumers should know and do in relation to their personal data. It is based on another interview the journalist had with me. For the benefit of the readers, I reproduce some parts of the article in this page. Should you want to read it in full, check the newspaper’s page HERE.
“Consumers, take control of your personal data”
The Personal Data Protection Act 2010 has come into force, but the public will have to do their part to make it effective.
EAGER to win the grand prize, Maria (not her real name) did not hesitate to “drop” her name card at the door for a lucky draw at a company dinner. Weeks later, she found herself inundated with phone calls and text messages offering different services and products.
It is an accepted practice in Malaysia to leave our call cards or personal information at the registration counter of public events. But have you ever wondered what your personal data will be used for later? Or how it will be stored?
This has become so common here that no one thinks twice about the risks and implications, says personal data protection law expert Dr Sonny Zulhuda.
Under the newly enforced Personal Data Protection Act 2010 (PDPA), however, this practice will have to be reviewed, particularly for business entities that use these occasions as an opportunity to build their network of potential customers.
The main issue is how adequately the organiser has informed the guests on what they intend to use the information for, Dr Sonny points out. The Act stipulates that consent for personal data processing should be required explicitly: it has to be expressed, rather than implied or assumed.
“For consent, the consumer has to ‘opt in’ (you agree to have your personal data processed) and not ‘opt out’, where consent is automatically assumed unless you say otherwise,” he argues.
The organiser will also need to justify why they need information they are asking for. In the case of lucky draws, for instance, why do they need to collect more than the guest’s name?
The same principle applies for “commercial transactions” that we have taken for granted, such as at promotional counters where personal details are asked in exchange for product samples or memberships to product brand clubs, adds Dr Sonny who is an assistant professor at the law faculty of the International Islamic University Malaysia.
Know your facts
The strongest message PDPA seeks to convey is that the data subjects are the real “owner” of their personal data, Dr Sonny highlights. “The companies or industries (that process the data) are only ‘data users’.”
He stresses that it is important for consumers to know their rights as stipulated in the Act: “right to access, right to correct data, right to prevent damage or distress, right to withdraw from data processing, right to prevent direct marketing, and, very critically, right to bring complaint on data abuses to PDP Commissioners.”
Data users, meanwhile, are obligated to provide the necessary mechanisms that will facilitate data subjects to exercise these rights. The right of access to personal data and right to correct their personal data allows data subjects to make a request to check and verify their information. Any personal data deemed inaccurate can be corrected or struck off the record.
Some are exempted
Unfortunately, not all of these grouses can be taken to the attention of the PDPA department. This is one of the limitations of the Act that data subjects need to be enlightened about, says Dr Sonny.
He is talking about the non-applicability of the PDPA in instances such as the processing of personal data by the government and its agencies (government-linked companies may not be included); “non-commercial” transactions; for credit reporting business; data processed outside the country; and data collected solely for personal purposes.
Before they can take their complaint to the authority, data subjects will need to determine if the Act applies in their case, such as whether it is a commercial transaction or a public service announcement or if the data user is a government agency or based overseas.
For one, the Act does not have jurisdiction over two of the biggest depositories of personal data for Malaysians: the National Registration Department (government agency) and Facebook (data is not processed in Malaysia).
With many businesses moving towards social media networks for their transactions, this provision may provide a loophole for schemers and scammers. Data users like political parties, religious bodies and charitable organisations will have to be looked at on a case-by-case basis when issues arise; action can be taken if the data abuse in question involves commercial transactions.
Sign for one, get all
As Nigel Tan, director of systems engineering at Symantec Malaysia advises, since not divulging any personal information is rarely possible these days, consumers need to think carefully before sharing their personal data.
“To take advantage of many services, we will inevitably have to provide personal information such as for handling of billing and shipping of purchased goods. Each person is responsible to protect his/her personal data and has the right to expect organisations to handle their personal data carefully and correctly.
“We strongly recommend that consumers pay attention to privacy policies of the organisation collecting the personal information. It is important to understand how an organisation will use your personal information before you share it with them. When needed, find out why the organisation needs your particular personal information and only share information that is required.”
Tan adds that with an increasing number of online services which require the sharing of personal information, consumers also need to equip themselves on how to share personal information safely online.
Dr Sonny agrees that data subjects need to be extra cautious when it comes to online transactions, including on online social media networks, blogs and online video or photo sharing websites.
“Any disclosure of personal data by data subjects would be detrimental for themselves. So, data subjects need to be ever vigilant, critical and conscious whenever there is any person requesting your personal information for any business, transaction, communications or just “engagement”, and by any means: face to face, e-mails, phone, mail, brochures, etc,” he stresses.
They must first ask these questions before disclosing their personal data, Dr Sonny adds: “Why do you need my data?”; “Do you really need this particular data?”; “How would I know if you really secure my data?”; “Who will be in charge of handling my requests, inquiries and complaint about the data processing?” and others.
Now that the Act is enforced, Dr Sonny also advises consumers to quickly identify people or companies who have been using their personal data without their knowledge, without their consent or otherwise contrary to the original purpose that they consented to initially.
“If those unpleasant practices still occur, they need to immediately request that the practices be stopped,” he notes, adding that data subjects need to get familiar with how to bring their complaints regarding alleged misuses or abuses of personal data to the relevant authority as stipulated by the law: the PDP Commissioner.
“Given the recent rampant potential abuses, this aspect will be imminent in the near future.”