What You Need to Know about the PDPA

==============================

My Intro: The following article, appeared in The Star newspaper, is about public awareness on the Personal Data Protection Act (PDPA) 2010 (Act 709). The journalist had compiled the report out of few resources, including the PDP Department and myself (through series of interaction). It is indicated at the bottom of the article itself. I reproduce the article in this page for the benefit of more readers.

Cheers! Sonny Zulhuda

==============================

“What You Need to Know about the PDPA”

(Reproduced from The Star Online, published on Sunday, 30/12/2012)

PDPA 2010A freelance journalist from Penang was already coping with the pain from a hemorrhoids surgery when she had to endure another hurtful experience – she discovered that her surgeon had taken photographs of her private parts without her consent when she was under.

When she confronted him, she was told that it was “normal procedure” and a common practice for “medical purposes”. Outraged that her privacy had been violated, she sued the doctor.

This is one of the many cases of personal data breaches and privacy violations in the country. Hence, the enforcement of the Personal Data Protection Act (PDPA) this New Year is much lauded. In fact, it is long awaited – for some, over a decade long.

However, while pictures of one’s private parts may constitute as personal data, the aggrieved patient would not be able to take action under the Act – our PDPA only regulates commercial transactions. (The freelance journalist, however, won RM25,000 in damages in her civil court case.)

Here are some of the facts you need to know about the PDPA: Continue reading “What You Need to Know about the PDPA”

Personal Data Protection Act 2010 will be Enforced from 01.01.2013 — Or so it was said…

By Sonny Zulhuda

That is it. No more waiting or being complacent.

The Minister of Information, Communications and Culture  of Malaysia, Datuk Seri Rais Yatim was reported today (23 Oct 2012) as saying that the crucial Act will be enforced beginning of the year 2013 — that is less than two months from now. The report from The Sun Daily can be viewed here.

Credit: The Sun Daily (c) 2012
Credit: The Sun Daily (c) 2012

And when it is implemented, as prescribed by the Act itself, data users will have three months to prepare to comply with the rules and regulations on personal data that they collect, process or otherwise store. In total, companies as well as individual data users will only have five months to prepare themselves before the Data Protection Commissioner can knock their doors if he wishes to inspect their personal data system and the level of compliance.

Also, it would mean that the consumers, termed as data subjects, would be able to come and check the accuracy of their personal data collected and processed at their bankers, telecommunications providers, or any other services providers that they had contract with.

Who will be implicated? Continue reading “Personal Data Protection Act 2010 will be Enforced from 01.01.2013 — Or so it was said…”

Incidents on personal data abuse affecting banks

by: Sonny Zulhuda

In my last post I made note about why banks should or must care to protect the personal data with them. In this post I just want to put that note in real perspective, learning from real cases and incidents involving major banks in the world.

First, it was reported that Citigroup breach exposed data on 210,000 customers (here for the full report)

Citigroup admitted Wednesday (June 8th, 2011) that an attack on its website allo

wed hackers to view customers’ names, account numbers and contact information such as email addresses for about 210,000 of its cardholders in North America. Although hackers may have not gained complete information on cardholders, the contact information is enough for scammers to try and elicit more information through targeted attacks. The email addresses, for example, could be used to send “phishing” messages asking for other sensitive information which could potentially give identity thieves enough to start committing fraud.

Second,  you’ll see how Data breaches lead to massive fines for three HSBC firms (here for the report)

Three HSBC firms have been fined more than £3 million by the Financial Services Authority (FSA) for failing to secure customer data. The FSA claimed the three firms sent large amounts of unencrypted data – often on discs sent via the post – and staff were untrained on the issue of identity theft. The FSA said that, in April 2007, HSBC Acutaries lost a floppy disk in the post that contained 1,917 pension numbers and addresses. And, in February 2008, HSBC Life lost an unencrypted disk holding data on 180,000 policy holders – also in the post.

Continue reading “Incidents on personal data abuse affecting banks”

PDP Act 2010–Where do we go from here?

By: Sonny Zulhuda

Panelists L-R: Prof. Abu Bakar (UM), Sonny (IIUM) and Edwin from KL BAR. Source: KL BAR

The above is the title of my presentation at IT LAW FORUM organised by KL BAR jointly held with KDU University College on 12 November 2010. I spoke at the panel after Prof. Abu Bakar Munir who was the adviser for the Government of Malaysia on the drafting of PDP Act 2010 (See: the unamended PDP Bill).

While Prof. Abu Bakar talked mainly on the duties and obligation of Data Users as well as Data Protection Principles, I presented the topic from another perspective, i.e. the data subject which refers to the individuals whose personal data become the object of business by data users. That simply means you, me and everyone!.

For the recall of the event in general, you may want to check at the KL BAR blog site here.

In this page I will recall especially the discussion (Q&A) that arose in the forum. Continue reading “PDP Act 2010–Where do we go from here?”

Rights of Individual under Data Protection Law

By: Sonny Zulhuda

In the week that passed I spoke in one national seminar on Personal Data Protection Act that took place in the The Ritz Carlton Kuala Lumpur, July 21, 2010. The audience came from various industries including banks, regulators, insurance, medical services, investment as well as legal firms.

My session that went between 12.00 -01.00 pm focused on the Rights of Individuals as Data Subjects under the newly-passed Personal Data Protection Act 2010 of Malaysia. Those rights of data subjects were provided in Part Two, division 4, sections 30-44. In short, those rights can be enlisted as follows:

  • Right to access
  • Right to correct data
  • Right to withdraw consent for data processing
  • Right on sensitive data
  • Right to prevent distress/damage
  • Right to prevent direct marketing

The session was ended with discussing some prominent issues that confronted individuals such as issues of workplace monitoring, junk mail/spam, data theft, and pictures taken at public places. One important message (of many) that I discussed with audience was that, in order to achieve better implementation of law, organizations should see and manage it using the perspective of individuals, not merely that of the organisation; because in organisations, their people (employers, employees, business partners) are all data subjects too.

ID Theft and Consumer Protection — From the GCC Review Workshop

By: Sonny Zulhuda

Initiated by the Communications and Multimedia Consumer forum of Malaysia (CfM), this national workshop took place on Thursday, 6th May 2010 at the MCMC Headquarter, Cyberjaya, Selangor, Malaysia. Participants came from various quarters such as universities, industries as well as government agencies. The main agenda was to review the provisions of General Consumer Code and to come up with recommendations to improve them.

Before the participantsgo to smaller group discussions, the floor heard presentation from some representatives of the Consumer Forum as well as the Government. Among others, En. Maz Malek (from the Ministry of Information, Communications and Culture) strongly emphasised that consumers interest is government interest, and is a national interest. In order to reflect this seriousness, the Government urges that consumer complaints would have to be entertained and settled in 72 hours (3 days). He also stressed about the newly-passed Personal Data Protection Act that would reform the legal landscape of consumer protection in Malaysia.

Mr. Abdul Rosyid from the Ministry of Domestic Trade, Cooperatives and Consumerism Affairs informed the workshop participants that Direct Selling Act and Consumer Protection Act have been emended to include electronically-effected transactions under their protection. Nevertheless, there are still lots of pressing issues going on in the public that are not entirely settled. He mentioned among others the issue of misuse of personal data and incidents of unknown parties sending sms-es asking people to provide their personal data under the pretext of awarding presents or bonuses, etc. This is simply phishing/smishing issues in which personal data and identities are stolen.

This unwanted disclosure, namely information theft or data theft, is on rise due to at least two motives; Continue reading “ID Theft and Consumer Protection — From the GCC Review Workshop”