Educational institutions -universities, colleges, schools, etc.- are among those who are regulated by the Personal Data Protection Act (PDPA) 2010. The data subjects include: students (obviously the main object here), staffs or employees, vendors, alumni, sponsors, as well as those applicants who have yet join the universities/schools.
The amount of personal data are potentially bulky: personal details, medical records, financial and scholarship records, academic records, student societies records, disciplinary records and even post-study information about the students. Given this situation, people who deal with students’ data in the educational institutions would need to ensure their handling of personal data is in line with the demands of the Act.
In introducing the subject matter to the community in the University, I will be speaking in this following workshop, together with my friend Noriswadi Ismail from Quotient Consulting Sdn Bhd and PDP Academy LLP, and Dr. Federico Feretti from Brunel Law School, London, UK.
The Minister of Information, Communications and Culture of Malaysia, Datuk Seri Rais Yatim was reported today (23 Oct 2012) as saying that the crucial Act will be enforced beginning of the year 2013 — that is less than two months from now. The report from The Sun Daily can be viewed here.
And when it is implemented, as prescribed by the Act itself, data users will have three months to prepare to comply with the rules and regulations on personal data that they collect, process or otherwise store. In total, companies as well as individual data users will only have five months to prepare themselves before the Data Protection Commissioner can knock their doors if he wishes to inspect their personal data system and the level of compliance.
Also, it would mean that the consumers, termed as data subjects, would be able to come and check the accuracy of their personal data collected and processed at their bankers, telecommunications providers, or any other services providers that they had contract with.
Among the first question people would ask about Personal Data Protection Act (PDPA) 2010 is “whether or not this Act applies to me?” or, if one could answer it in affirmative, “in what why the Act implicates me?”
The PDPA 2010 provides for definition of certain entities that would be in one way or another “implicated.” They are (1) Data User; (2) Data Processore and (3) Data Subject. Thus, the PDPA 2010 operates on these classes of person. It is in this frame you can have your answer whether the Act applies to you, or, in what why it implicates you.
The above is the title of my presentation at IT LAW FORUM organised by KL BAR jointly held with KDU University College on 12 November 2010. I spoke at the panel after Prof. Abu Bakar Munir who was the adviser for the Government of Malaysia on the drafting of PDP Act 2010 (See: the unamended PDP Bill).
While Prof. Abu Bakar talked mainly on the duties and obligation of Data Users as well as Data Protection Principles, I presented the topic from another perspective, i.e. the data subject which refers to the individuals whose personal data become the object of business by data users. That simply means you, me and everyone!.
For the recall of the event in general, you may want to check at the KL BAR blog site here.