Enforcement of the Personal Data Protection Act 2010
Further to our earlier notice on the Personal Data Protection Act 2010 (“the Act”), we would like to inform that the much anticipated Act has finally come into force on 15th November 2013.
Along with the enforcement of the Act are three regulations and an order on the class of data users, the highlights of each of are as set out below.
(i) Personal Data Protection Regulations 2013
The Regulations provide guidance on compliance with the Act, particularly in relation to the seven principles of data protection. The notable provisions are:
- The requirement of consent from a data subject for processing of personal data may be in any form that such consent can be recorded and maintained properly by the data user. The burden of proof that consent has been obtained lies on the data users.
- If the data user is below eighteen years old, such consent shall be obtained from the parent, guardian or a person having parental responsibility over the subject.
- The minimum information to be provided to the data subjects for purposes of data access comprises the designation of the contact person, phone number, fax number (if any), email addresses (if any) and all other related information.
- The data user shall maintain a list of disclosure of personal data to third parties.
- The implementation of a proper security policy which complies with the security standard set out by the Commissioner.
- Retention of personal data in accordance with the standard set by the Commissioner.
- The manner of complying with and refusing data access request from the data subject in accordance with the standard set by the Commissioner.
- All personal data system is open for inspection by the Commissioner and the data user may be notified of such intention by the Commissioner.
- Contravention of the standards prescribed by the Commissioner with respect to security, retention and data integrity principles is tantamount to an offence punishable with a fine not exceeding RM250,000, or imprisonment to a term not exceeding 2 years, or both.
The relevant guidelines and rules on the applicable minimum standards relating to security, retention and data integrity principles have yet to be issued by the Commissioner.
(ii) Personal Data Protection (Registration of Data User) Regulations 2013
The Regulations provide for the registration of data users. Separate applications are required from data users who fall within the different classes of data users as prescribed under the Order on class of data users (see below) . All applicable data users will have to register with the Commission, and each registration granted shall not be less than a year. Each registration is subject to renewal, and the certificate of registration must be displayed at a conspicuous place of the business premise.
The fees applicable for registration and renewal of data users range from RM100 for a sole proprietor, RM200 for a partnership, RM300 for a private limited company to RM400 for a public limited company for each class of registration.
(iii) Personal Data Protection (Class of Data Users) Order 2013
The Order prescribes the classes of data users which require registration with the Commissioner. The classes of data users include:
(a) A licensee under the Communications and Multimedia Act 1998 [Act 588].
(b) A licensee under the Postal Services Act 2012 [Act 741].
- Banking and financial institution
(a) A licensed bank and licensed investment bank under the Financial Services Act 2013 [Act 758].
(b) A licensed Islamic bank and licensed international Islamic bank under the Islamic Financial Services Act 2013
(c) A development financial institution under the Development Financial Institution Act 2002 [Act 618].
(a) A licensed insurer under the Financial Services Act 2013.
(b) A licensed takaful operator under the Islamic Financial Services Act 2013.
(c) A licensed international takaful operator under the Islamic Financial Services Act 2013.
(a) A licensee under the Private Healthcare Facilities and Services Act 1998 [Act 586].
(b) A holder of the certificate of registration of a private medical clinic or a private dental clinic under the Private
Healthcare Facilities and Services Act 1998.
(c) A body corporate registered under the Registration of Pharmacists Act 1951 [Act 371].
- Tourism and hospitalities
(a) A licensed person who carries on or operates a tourism training institution, licensed tour
operator, licensed travel agent or licensed tourist guide under the Tourism Industry Act 1992 [Act 482].
(b) A person who carries on or operates a registered tourist accommodation premises under the Tourism Industry Act
(a) Malaysian Airlines System (MAS)
(b) Air Asia
(c) MAS Wings
(d) Air Asia X
(f) Berjaya Air
(g) Malindo Air
(a) A private higher educational institution registered under the Private Higher Educational Institutions Act 1996
(b) A private school or private educational institution registered under the Education Act 1996 [Act 550].
- Direct selling
A licensee under the Direct Sales and Anti-Pyramid Scheme Act 1993 [Act 500].
(a) A company registered under the Companies Act 1965 [Act 125] or a person who entered into partnership under the
Partnership Act 1961 [Act 135] carrying on business as follows:
(b) A company registered under the Companies Act 1965 or a person who entered into partnership under the
Partnership Act 1961, who conducts retail dealing and wholesale dealing as defined under the Control Supplies
Act 1961 [Act 122].
(c) A company registered under the Companies Act 1965 or a person who entered into partnership under the
Partnership Act 1961, who carries on the business of a private employment agency under the Private Employment
AgenciesAct 1981 [Act 246].
- Real estate
(a) A licensed housing developer under the Housing Development (Control and Licensing) Act 1966 [Act 118].
(b) A licensed housing developer under the Housing Development (Control and Licensing) Enactment 1978, Sabah.
(c) A licensed housing developer under the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak.
(a) Tenaga Nasional Berhad
(b) Sabah Electricity Sdn Bhd
(c) Sarawak Electricity Supply Corporation
(d) SAJ Holding Sdn Bhd
(e) Air Kelantan Sdn Bhd
(f) LAKU Management Sdn Bhd
(g) Perbadanan Bekalan Air Pulau Pinang Sdn Bhd
(h) Syarikat Bekalan Air Selangor Sdn Bhd
(i) Syarikat Air Terengganu Sdn Bhd
(j) Syarikat Air Melaka Sdn Bhd
(k) Syarikat Air Negeri Sembilan Sdn Bhd
(l) Syarikat Air Darul Aman Sdn Bhd
(m) Pengurusan Air Pahang Berhad
(n) Lembaga Air Perak
(o) Lembaga Air Kuching
(p) Lembaga Air Sibu
(iv) Personal Data Protection (Fees Regulation) 2013
The Regulation sets the maximum fee payable to a data user in any data request access by the data subject. The prescribed amount ranges from a maximum fee of RM2 per request for data access without a copy to RM10 per data access request with a copy and RM5 per data access request for sensitive personal data without a copy to RM30 per request for sensitive personal data access with a copy.
The Regulation also provides for the fees payable to the Commissioner for a copy of statement of the grounds of decision and the fees to inspect, make copies and extract entries in the Register.
The grace period for compliance with the Act is three (3) months from 15th November 2013. Failure to comply with the provisions of the Act constitutes an offence which is punishable either by a fine, a term of imprisonment, or both.
It is thus vital that compliance audit and measures of implementation are being taken by all affected by the Act. All applicable data users which are required to register with the Commissioner should also do so within the grace period.
Su Siew Ling
Cheah Chiew Lan