Privacy Impact Assessment (PIA) – In the Light of the Data Protection Law in Malaysia

By: Sonny Zulhuda

Last time, in May ’12, I was invited by the Federation of Public Listed Companies (FPLC) and the Malaysian Institute of Corporate Governance (MICG) to speak at their National Conference on IT Governance, Data Protection and Cyber Security.

I chose to speak about the importance of the Privacy Impact Assessment (PIA) as an implementing tool for complying with the data management rules and obligations under the law. The exact title of my presentation was “Privacy Impact Assessment for a Better Corporate Governance: The New Legal Landscape in Managing Corporate Data Assets.”

In fact, this was the first time I spoke about it. I just felt that people, especially corporate citizens, need to be told in a more practical way why and how they should comply with the laws on personal data management, i.e. the Personal Data Protection Act 2010 as far as Malaysia is concerned.

The PDPA itself is, of course, silent about PIA. But that does not mean that having or executing a PIA would be useless. PIA is a very helpful organisational tool for ensuring compliance with the law on data protection, and Malaysian law is no exception.


Stopping Data Theft through the Back Door: Shifting the Duty to the Boardroom?

By: Sonny Zulhuda

The following is the abstract of the paper I presented (in a poster) at the recent 7th Asian Law Institute (ASLI) Conference at the International Islamic University Malaysia, 25-26 May 2010.

“In the information economy that relies heavily on the sustainability of information technology and the availability of data for business, data theft is equal to a catastrophe that causes massive losses to organisations. Authorities and technologists have put in place a myriad of criminal laws and security tools to address this issue, only to see the incidents of data theft become more rampant. The complication is that data theft involves a range of security issues, ranging from flawed physical control to weak personal data management, from a single mistake by people in data processing to the collective negligence of decision makers in the boardroom.

“In the context of corporations, the idea of holding the management board responsible is now increasingly attractive due to the fact that the victims of data theft would see a better chance of getting compensation. This is a rising trend in the law on data theft, where certain duties are imposed on the management boards of companies.

“The law, as it appears in some jurisdictions such as the US and the UK, obliges the board to exercise a certain level of due diligence in managing data assets in the company. Besides, new laws impose a duty on companies to disclose or quickly notify a threat or actual attack of data theft that occurs and potentially affects their clients, partners, customers or anyone who happens to be their data subject. This paper reckons that by shifting some duties to the companies, incidents of data theft can be better prevented. It argues that it is a good move for other countries like Malaysia to emulate such legal development.”

Data Protection Principles under PDP Law

By: Sonny Zulhuda

Understanding data protection principles is crucial to (re)formulating business processes. For companies and organisations that in any way involve the use and exploitation of the personal data of their employees, customers (actual and potential) and business partners, a series of actions needs to be taken to comply with the legal regime on data protection.

In Malaysia, this is particularly a cause of concern nowadays as the new law on personal data protection clearly requires data users to take certain actions.

Laid down in the main body of the law are the data protection principles from which stem all the rights, duties and liabilities of the data user and the data subject. (Note: a ‘data user’ is one who uses, collects, processes, etc. the personal data belonging to certain individuals; those individuals are called ‘data subjects’.)

In the Personal Data Protection Bill that was recently passed by the Malaysian Lower House of Representatives, the principles of personal data protection are laid down in Part II, sections 5-12.

Legal and Industrial Frameworks on Data Management

By: Sonny Zulhuda

In the closing week of 2009, I’ll present my paper entitled ‘Corroborative Intersection between Information Security Standards and the Legal Framework on Data Management’ at the Second International Conference on Computer and Electrical Engineering (ICCEE 2009), 28-30 December 2009, Dubai, United Arab Emirates. The conference is organized by IEEE and IACSIT, both renowned international associations for electronic, computer and IT industry professionals. Having gone through review and recommendations, over 200 papers will be presented in the two-day parallel sessions, discussing various aspects of the computer and electronic industries. My paper talks about legal and industrial frameworks. I am looking forward to meeting the participants in person and having some networking sessions.

Here is the abstract:

This paper examines the intersection between industrial standards and the legal framework in defining the scope of information security obligations in relation to the management of data and information assets. It undertakes two primary tasks, namely assessing the scope of legal compliance as stated in internationally accepted information security standards, in particular the Information Security Management Standards (ISMS), and identifying the legal trends adopted by laws in major jurisdictions, especially the UK and the US. It finds that the intersection between the standards and the law is crucial and corroborative; one is found to complement the other.

Some more snapshots and briefs will come soon.

CSR in Cyberspace: A Quest for the Missing Link (An Abstract)

By: Sonny Zulhuda *

The tremendous participation of companies in the technological race and in exploiting cyberspace is often marked by over-excitement and a sense of lawlessness. That sense is misplaced if one regards cyberspace as a space without rules. The fact remains that there are rules in cyberspace, just as people have rules in the real, physical world.

When it comes to the notion of corporate social responsibility (‘CSR’), the matter may become more confusing: what kind of responsibility could companies have, and to whom do they owe it? Assume that an online business entity does not have a physical presence – not physically registered, and therefore not legally incorporated: does it assume a corporate status that subjects it to CSR? As for incorporated ones, questions may arise as to what responsibilities they bear when embarking on the online environment and to whom these are owed.


“Yourself 2.0: A Cool or a Fool?”

By: Sonny Zulhuda

The Internet has now taken us to a new dimension of life, complete with its new set of lifestyles. Web 2.0, which famously led its users (Who? Me, you and everyone here!) to be named Time Magazine’s 2006 Man of the Year, has made us a reader and a writer at the same time; a consumer and a producer at once.

This is the new you. Yourself 2.0 does not only read news or download articles from the Net, but also writes blogs or uploads creative works online. That is the new you.


On the Misuse of Workplace Technologies

By: Sonny Zulhuda

This week I was speaking about the misuse and abuse of workplace technologies during a session of a two-day seminar/workshop on employment law in Kuala Lumpur. The workshop was attended mostly by legal executives from a range of local companies. The technologies meant here are Internet-associated tools such as electronic mail, blogs, Internet messaging and online networking sites (e.g. Facebook, MySpace, hi5 and the like).

The main concern on which this presentation is grounded is that organizations need to ensure a good return on investment (ROI) from the technologies they use at their workplace. The ROI may be undermined by a range of risks arising from the use (and misuse/abuse) of these technologies, such as wasted productivity, financial loss due to business discontinuity or system defects, and also legal liabilities.
