PDP Law Compliance for Educational Institution

By: Sonny Zulhuda

Educational institutions -universities, colleges, schools, etc.- are among those who are regulated by the Personal Data Protection Act (PDPA) 2010. The data subjects include: students (obviously the main object here), staffs or employees, vendors, alumni, sponsors, as well as those applicants who have yet join the universities/schools.

The amount of personal data are potentially bulky: personal details, medical records, financial and scholarship records, academic records, student societies records, disciplinary records and even post-study information about the students. Given this situation, people who deal with students’ data in the educational institutions would need to ensure their handling of personal data is in line with the demands of the Act.

In introducing the subject matter to the community in the University, I will be speaking in this following workshop, together with my friend Noriswadi Ismail from Quotient Consulting Sdn Bhd and PDP Academy LLP, and Dr. Federico Feretti from Brunel Law School, London, UK.

Banner PDP Workshop AIKOL 28052014 (4)

Personal Data Protection a Key Concern for Human Resources (HR) Professional

By: Sonny Zulhuda

More personally identifiable information (PII) is being captured in the commercial activities across sectors and industries. The workplace today has become a battleground for protecting employees’ valuable personal data that includes their personal records, financial status, medical information as well as the professional data relating to their jobs.

Image

As a result, it is not too much to say that managing human resource HR) data has now become a critical success factor for organisations both internally and externally. Internally, because an effective and sustainable personal data management supports the works of everyone in the organization who relies on those data. Externally, because personal data has now become a crucial issue closely linked with managing trust and competitiveness while trying to grab the best human capital in the industry.

Given this, a Human Resource (HR) manager plays a central role to ensure that personal data of the employees and anyone around them would remain as assets and not turn out as liabilities for the commercial organizations. And for Malaysian employers, dealing with personal data of their employees, customers as well as their service providers has transformed from largely a business and operational issue to a legal and compliance concern.

With the enforcement of the Personal Data Protection (PDP) Act 2010 (Act 709), the operational landscape for human resource management has tremendously changed. The Act tasks the employers with a series of obligations relating to the collection, use, disclosure and retention of the personal data in their control, including data of employees, job applicants, former workers, outsourced service providers, vendors and customers.

Even though measures from industrial laws and guidelines are abundant and in place, employers are still in the dark about the multi-dimensional effect of the PDP Act 2010 on the employment relationship. Many practical issues arose in the workplace and throughout the employment lifecycle. These questions would likely arise:

  • Who are implicated by the PDP Act 2010?
  • What are the seven data protection principles in the Act and how do I (as an HR manager) implement them in my scope of work? Continue reading

Do-Not-Call Registry (DNCR) to Protect Personal Data?

By: Sonny Zulhuda

In March, I featured in The Sunday Star (9/3/2014) reporting on the need to establish a “Do not call registry” to protect people’s personal information. The main issue discussed was to scrutinize an initiative to have a DNCR and its operational and legal challenges. The full report can be traced here.

Image

 

The question that was posed to me was: (1) How good is the idea of DNCR for Malaysian consumers? AND (2) Do you foresee any issues that might arise when they  implement this?

Here are my comments:

  • The PDPA 2010, unlike Singapore’s law, does neither provide nor mandate specifically about Do Not Call (DNC) registry.
  • Nevertheless, DNC registry is an advanced step towards protecting individuals personal data, therefore it is highly commendable. It does require a carefully-structured procedure and rules. Continue reading

Whither Digital Privacy: Be afraid, be very afraid!

By: Sonny Zulhuda

imageA quick takeaway from a closed session on Students’ Digital Privacy yesterday at Le Meridien KL (June 7th, 2013), I’d like to share what California-based Jeff Gould presented.

The SafeGov.org CEO told the audience of their research findings, among others:

  • The high significance of Facebook “Like” in profiling the identity of FB users;
  • Real possibility of identifying a person via DNA reconstruction taken from a gum;
  • Telco’s effort to provide some form of customer’s surveillance as their enhanced service;
  • ISP’s role in protecting children privacy through contractual agreements with the users/subscribers

Many things shared which are not new issues but came with novel modus operandi. We just need to be vigilant.

The closed session was attended by representatives from Cybersecurity Malaysia, Parents Action Group for Education (PAGE), FOMCA, Microsoft Corp, India-based CUTS and some local universities. Mr. Rosly Yahil from Cybersecurity Malaysia spoke about various initiatives taken in Malaysian context in dealing with the issues.

During the Q&A session, I managed to share with the floor on several issues and development on data privacy in Malaysia: Continue reading

Consumers to take control of their Personal Data

My Intro: The following passages were published by the Star in their Sunday Edition (6th January 2013) at pp 23-24. The article is about what Malaysian consumers should know and do in relation to their personal data. It is based on another interview the journalist had with me. For the benefit of the readers, I reproduce some parts of the article in this page. Should you want to read it in full, check the newspaper’s page HERE.

======================================

“Consumers, take control of your personal data”

The Personal Data Protection Act 2010 has come into force, but the public will have to do their part to make it effective.

Credit: The Star Online

Credit: The Star Online

EAGER to win the grand prize, Maria (not her real name) did not hesitate to “drop” her name card at the door for a lucky draw at a company dinner. Weeks later, she found herself inundated with phone calls and text messages offering different services and products.

It is an accepted practice in Malaysia to leave our call cards or personal information at the registration counter of public events. But have you ever wondered what your personal data will be used for later? Or how it will be stored?

This has become so common here that no one thinks twice about the risks and implications, says personal data protection law expert Dr Sonny Zulhuda.

Under the newly enforced Personal Data Protection Act 2010 (PDPA), however, this practice will have to be reviewed, particularly for business entities that use these occasions as an opportunity to build their network of potential customers.

Continue reading

PDP Act Compliance Program – Where to Start?

By: Sonny Zulhuda

success manThis New Year was marked by concerns about complying with the Personal Data Protection (PDP) Act 2010 for Malaysian data users: Bankers, Telco’s, Insurers, Hospitals, Marketers, Airliners, Property Sellers, and many more.

For data users, this is what you may consider:

1. Get to know about the law and its implication to you;

2. Make self-assessment on your current business processes to what extent it complies (or not) with the law;

3. Plan a massive personal-data compliance programme.

For the first one, the shortcut is to attend forum, workshops or training on Personal Data Protection law. There are now few such training in the market. Identify them and get involved. There are few types of training you can consider, according to your needs:

Continue reading

What You Need to Know about the PDPA

==============================

My Intro: The following article, appeared in The Star newspaper, is about public awareness on the Personal Data Protection Act (PDPA) 2010 (Act 709). The journalist had compiled the report out of few resources, including the PDP Department and myself (through series of interaction). It is indicated at the bottom of the article itself. I reproduce the article in this page for the benefit of more readers.

Cheers! Sonny Zulhuda

==============================

“What You Need to Know about the PDPA”

(Reproduced from The Star Online, published on Sunday, 30/12/2012)

PDPA 2010A freelance journalist from Penang was already coping with the pain from a hemorrhoids surgery when she had to endure another hurtful experience – she discovered that her surgeon had taken photographs of her private parts without her consent when she was under.

When she confronted him, she was told that it was “normal procedure” and a common practice for “medical purposes”. Outraged that her privacy had been violated, she sued the doctor.

This is one of the many cases of personal data breaches and privacy violations in the country. Hence, the enforcement of the Personal Data Protection Act (PDPA) this New Year is much lauded. In fact, it is long awaited – for some, over a decade long.

However, while pictures of one’s private parts may constitute as personal data, the aggrieved patient would not be able to take action under the Act – our PDPA only regulates commercial transactions. (The freelance journalist, however, won RM25,000 in damages in her civil court case.)

Here are some of the facts you need to know about the PDPA: Continue reading

  • June 2017
    M T W T F S S
    « May    
     1234
    567891011
    12131415161718
    19202122232425
    2627282930  
  • Visitor

    free counters

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,575 other followers