By: Sonny Zulhuda
In the past week alone, I spoke about the personal data protection law at two Malaysian public universities: Universiti Sultan Zainal Abidin (UniSZA) Kuala Terengganu and Universiti Malaysia Pahang (UMP) Pekan. While the former was an internal programme, the latter talk was attended by other public universities’ representatives who were members of Majlis Tatatertib dan Disiplin Universiti-universiti Awam Malaysia (MATDUM).
In this post, I would like to note some discussions we had on the implementation of the Personal Data Protection Act 2010 in the university environment.
The education industry is indeed among those where personal information is highly processed. The data subjects include students (prospective, actual and graduates), university employees, as well as any individuals involved in the data processing.
The examples of activities in the higher learning institutions that involve the collection, retention, processing, sharing, or usage of personal information are as follows:
- new student applications
- students’ academic records
- co-curricular activities
- career development, job-services, talent match-making
- alumni relations development
- students’ disciplinary enforcement, etc.
The above list may go on and on, and it is important for the university management to ensure that its data protection policy anticipates every such activity. During the workshop, we also identified various ways and avenues through which the university obtains (“collects”) personal information on and off campus.
For example, the registrar collects data of prospective students and staff; the finance office processes financial information; the legal office maintains records of students’ disciplinary issues; hostels store students’ room registrations, including hostel activities; etc.
During the talk, many questions arose pertaining to the data protection issues and challenges in the university context. Among the issues raised were:
- Is CCTV allowed at the University?
The university should take note that CCTV is a form of personal data collection and processing. While CCTV use within the university compound is a justifiable need, the data user (the university) needs to comply with the provisions of the PDPA 2010 while using the surveillance technology. The university must be clear about the purpose of its CCTV use. It is also expected to provide adequate notification of such use, so as to allow people to set a reasonable expectation of privacy while on the premises. On top of that, the university needs to set its privacy policy on the use of CCTV, including the retention and security of the images obtained from the CCTV itself.
Reference: Sections 6, 7, 8, 9, 10 PDPA 2010
- Should lecturers be able to access students’ records?
Lecturers, on behalf of the University, process the data of the students who attend their classes or whom they supervise (e.g. for postgraduate research activities). Such processing activities include accessing students’ academic records for the purposes of teaching/learning and research supervision. This processing would have been impliedly consented to by the students themselves. Nevertheless, a question may arise as to what types of students’ records should be accessible to their lecturers. The answer is factual and should be based on the need for that particular purpose. In this respect, we can say that lecturers may have access to students’ records relating to the subjects those students take with them; however, lecturers should not access students’ data beyond that. Having said that, if a lecturer is also tasked with other official duties, such as being an academic advisor or serving in the disciplinary unit, legal office, deanship, etc., then that lecturer should be allowed access to more personal information in accordance with those functions. Thus, there is no blanket rule here, it seems.
Reference: Sections 6, 7, 8 of PDPA 2010
- Can the University share students’ data with outsiders such as the Ministry, talent-hunters, job-providers, students’ prospective employers, media, etc.?
Disclosure of personal data can only be done by data users upon two conditions: (1) the data is disclosed to third parties of whom the students have already been informed and to whom they have consented; and (2) the data is disclosed only for a particular purpose already consented to by the students. Therefore, if the University is approached by a third party such as talent hunters or industries who wish to ‘solicit’ its graduating students to join them after school, this can only be done with the students’ consent. However, there are some exemptions to this rule, whereby the university may be allowed to share its students’ data without their consent, if the requesting parties are among those provided for under the exemption rules of the PDPA 2010. An example is a police officer investigating a criminal case that relates to the students.
Reference: Sections 6, 8, 41 PDPA 2010
- Can the University retain personal data of their graduate students?
The PDPA only provides that the data user shall not retain the personal information of a data subject longer than necessary. So data of graduates that relates to matters during their stay at the university may not need to be retained forever. Some parts of their data are surely needed for the alumni relations programme. Those data may therefore be retained forever, as the University wishes to keep in touch with its alumni. For other personal information (non-alumni matters), how long can it be kept? The word “necessary” triggers justifications here. The university management needs to sit down and formulate its privacy policy, including justifications for data retention.
Reference: Sections 7, 10 PDPA 2010
Those are among the issues or questions that arose during my talks at the universities. For the record, I have talked on Personal Data Protection laws at several universities in Malaysia, including International Islamic University Malaysia (IIUM/UIAM), Universiti Kebangsaan Malaysia (UKM), Universiti Sains Islam Malaysia (USIM), Universiti Teknologi Malaysia (UTM), Universiti Teknologi Petronas (UTP), Universiti Malaysia Pahang (UMP), Universiti Sultan Zainal Abidin (UniSZA) and the Brickfields Asia College (Law Department). The discussion has been very good and stimulating. This is a good sign that universities in Malaysia are now increasingly aware of the map ahead: data protection roll-out is now the next big thing.