Date of Coming into Force - 1st January 2013
The Deputy Information, Communications and Culture Minister, Datuk Joseph Salang has officially announced that the Personal Data Protection Act 2010 will come into force on 1st January 2013.
The Act primarily aims to regulate, amongst other things, the collection, holding, processing and use of personal data in commercial transactions, and to prevent any unlawful or malicious use of personal data so collected. 'Commercial transactions' as defined under the Act include any transaction of a commercial nature, whether contractual or not, relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.
This piece of legislation therefore plays a crucial role in safeguarding the interests of individuals. It makes it illegal for anyone, whether a corporate entity or an individual, to use or sell personal information, or to allow third parties to use such data, without the proper consent of the individuals concerned (the data subjects).
What must be complied with under the Act?
Under the Act, data users must comply with the following seven data protection principles when collecting and processing the personal data of data subjects:
1. General Principle – Data users are prohibited from processing any personal data unless the data subject has given consent to the processing. Personal data may only be processed for a lawful purpose directly related to an activity of the data user, and the data collected must not be excessive in relation to that purpose.
2. Notice and Choice Principle – Data users are duty bound to inform the data subject, by way of a written notice, that his personal data is being processed, and of the purposes of that processing.
3. Disclosure Principle – In the absence of consent by the data subject, data users are prohibited from disclosing the personal data of data subjects for any purpose other than the purpose disclosed at the time of collection, or to any party other than a third party of a class notified to the data subject.
4. Security Principle – Data users are required to protect and safeguard the personal data of the data subject from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction, by taking practical steps to implement security measures.
5. Retention Principle – Personal data collected and processed shall not be kept for longer than is necessary. Once the data is no longer required for the purpose for which it was processed, it must be destroyed or permanently deleted.
6. Data Integrity Principle – Data users shall take reasonable steps to ensure that the personal data collected is accurate, complete, not misleading and kept up to date.
7. Access Principle – Data subjects must be given access to their personal data held by the data user and may request that the data be corrected if it is inaccurate, incomplete, misleading or not up to date.
Failure to comply with the provisions of the Act is punishable by a fine not exceeding RM300,000, imprisonment for a term not exceeding two years, or both. Subject to the due diligence defence, directors, managers and other similar officers are jointly and severally liable for non-compliance by the body corporate.
Where personal data of data subjects was collected by a data user before the date of coming into operation of the Act, i.e. before 1st January 2013, the data user will have three months from 1st January 2013 to bring the processing of that data into compliance with the Act.
Given that data users have only three months to prepare, corporations and other parties in the private sector should take immediate steps to audit their current policies, processes and practices and ensure that they comply with the Act.
19 December 2012