Personal Data Protection Act 2010 | Getting the insurance industry to order

The Malaysian Personal Data Protection Act (PDPA) was gazetted on 10 June 2010 and has since been a subject of intense discussion amongst insurance practitioners and the wider community: something many of us want to talk about, but it is difficult to arrive at a viable framework before the PDPA is implemented. The exact enforcement date of the Act has yet to be decided, but the target is set for the 3rd quarter of 2011. One of the main reasons for the delay in enforcement is the setting up of the Commission and the tribunal, and getting the various infrastructure in place.

Data loss or leak can be your nightmare in 2011 and thereafter (special thanks to PA Consulting Group for the image).

Once implemented, the industry would be given a three-month grace period to comply. Three months is not long enough for any (re)insurer to put a framework efficiently in place.

The least that insurers can do now is familiarise themselves with the Act, and not forget to structure a viable framework: at least one that works when it matters.

Understanding the PDPA is not a mammoth task. What is important is for insurance practitioners to acquire a reasonable level of understanding of the core terms used in the Act.

It is good to start with the seven (7) data protection principles that form the basis of the PDPA:

(We have highlighted the key terms in CAPITAL LETTERS and defined them below this section; scroll down if you need to refer to them.)

  1. General Principle
    • In general, the PROCESSING of PERSONAL DATA requires CONSENT.
  2. Notice & Choice Principle
    • In principle, DATA USERS are required to notify DATA SUBJECTS of the purpose for which the data is collected and of their right to request access to and correction of the PERSONAL DATA.
  3. Disclosure Principle
    • Simply put, no PERSONAL DATA shall be disclosed without the consent of the DATA SUBJECT.
  4. Security Principle
    • The DATA USER must take practical steps to protect the PERSONAL DATA from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
  5. Retention Principle
    • PERSONAL DATA processed for any purpose shall not be kept longer than is necessary for the fulfilment of the purpose for which it was obtained.
    • There is an exemption: PERSONAL DATA may be kept longer when it is compiled into data processed for the purpose of preparing statistics or carrying out research, provided the results of the research do not reveal the identity of the DATA SUBJECT.
  6. Data Integrity Principle
    • The DATA USER shall take reasonable steps to ensure the accuracy of the data and to keep it current for the purpose for which it was collected.
  7. Access Principle
    • The DATA SUBJECT shall be given the necessary access to his or her PERSONAL DATA and shall be able to correct it where it is inaccurate or incomplete.




Readers who would like a copy of the Personal Data Protection Act 2010 (Bill format) and its simplified notes can register below. The documents will be sent once you have verified your email address via the confirmation email issued by our auto-responder. Do check your SPAM box if you did not receive the auto-responder reply. As for your information privacy, do not worry: your privacy is our main concern.



The other important core areas apart from the 7 principles are mainly definitions and the usage of terms. We have simplified the more critical ones as follows:

Understand the important terms in the insurance context

  1. PERSONAL DATA
    • In short, the PDPA only relates to personal information (relating to an individual) collected or processed (including in the course of being processed) in the context of COMMERCIAL TRANSACTIONS. The individual is referred to as the DATA SUBJECT in the PDPA.
    • The data must also be capable of being recorded and capable of automatic or manual processing.
    • Knowledge of SENSITIVE PERSONAL DATA is vital, since CONSENT is a prerequisite for processing it; this includes medical history, political opinions, the commission of any offence, etc.
    • May include the expression of an opinion about an individual.
  2. DATA SUBJECT
    • An individual who is identified or identifiable from the data (or information) possessed by the corporation.
  3. DATA USER (or Data Controller)
    • A legal person, meaning an agent, employee, broker, insurance company, etc., involved in the actual PROCESSING of the PERSONAL DATA;
    • who either processes the data or authorises the PROCESSING of the data.
  4. COMMERCIAL TRANSACTION
    • Any transaction of a commercial nature, whether contractual or otherwise.
  5. PROCESSING
    • Information processed or intended to be processed wholly or partly by
      • automatic means, i.e. in electronic form, or
      • non-automated means which form part of, or are intended to form part of, a manual information filing system.
    • Includes collecting, recording, holding or storing PERSONAL DATA, or carrying out any operation or set of operations on it, which may involve adaptation, alteration, retrieval, consultation and use, disclosure by transmission, transfer or dissemination, correction, erasure or destruction of the PERSONAL DATA or information.
    • It is important to know about the DATA PROCESSOR as well.
  6. DATA PROCESSOR
    • A legal person who processes the data on behalf of the DATA USER.
  7. CONSENT
    • More often than not, EXPLICIT CONSENT is required to process SENSITIVE PERSONAL DATA.
    • For non-sensitive data, CONSENT could be implied.
    • CONSENT to process non-sensitive PERSONAL DATA is not required if the data has been made public as a result of steps deliberately taken by the DATA SUBJECT.
    • A DATA SUBJECT may withdraw his or her CONSENT to the processing of his or her PERSONAL DATA by giving notice in writing.
  8. PERSONAL DATA to which the PDPA does not apply
    • Personal data processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2009;
    • personal data processed outside Malaysia, unless that personal data is intended to be further processed in Malaysia; and
    • personal data relating to the Malaysian federal and state governments.


For the purpose of this blog posting we will not discuss FRAMEWORKS & MODELS for the efficient and effective implementation of PDPA compliance; we keep it simple here by focusing on understanding. We hope to work on FRAMEWORKS in a later posting.

With this new Act, (re)insurers & (re)takaful entities must make sense of the following matters, amongst the more important ones:

  1. What are the new contents of PRIVACY NOTICES, and how is the PERSONAL DATA PROTECTION policy written as an integral part of them?
  2. How should existing data collection practices be re-examined, especially where they involve the purchase of databases from third parties?
  3. How can consent to process be obtained efficiently?
  4. What are the best practices in the use and transfer of personal information?
  5. What mechanisms should be established for individuals to exercise their access and correction rights?
  6. How do we ensure that data security, retention policies and practices conform to the PDPA?
  7. What mechanism should be used when dealing with cross-border limitations on transferring and sharing data within one’s own global organisation?

In conclusion, do or die: give a thought to the PENALTIES & FINES. The penalties for breaching the PDPA include the imposition of fines and/or a term of imprisonment. It is also good to note that directors, CEOs, COOs, managers or other similar officers have joint liability for non-compliance by the (re)insurer or (re)takaful entity in the absence of a due diligence defence.


20 comments for “Personal Data Protection Act 2010 | Getting the insurance industry to order”

  1. Oven-boy
    December 19, 2012 at 06:16

    Since the PDPA is confirmed, are you writing any posting again?

  2. ELvin Low
    June 7, 2012 at 12:26

    I can’t register for the copy of the Act any more; can you please advise?


  3. Rozilawati
    March 29, 2012 at 15:05

    Hi there, I have already registered but still do not know how I can download & have access to the PDPA 2010 Bill. Can you email it directly to me? Thanks.

    • April 1, 2012 at 20:20

      You just need to register your email address on the opt-in box within this PDPA write-up. Our autoresponder will deliver an email in which you need to click on the link to confirm that you actually require the content. This is to verify the identity of the person who opted in; there are a lot of spammers on the internet, so we are trying to improve privacy. Once this is done the autoresponder will deliver the said document to your email.
      However, if you did not receive the email we sent you the first time, do check the SPAM box in your email. It is probably in your spam mail. All you need to do is move it back to the inbox and click on the link to verify.
      If this is too difficult do email to us at:

      • George Hee
        April 4, 2012 at 22:12

        Dear sirs, would you be able to write more on this subject? I think it is important that people in the industry are made more aware of this development. Thank you.

        • April 25, 2012 at 22:26

          Yes, I heard this PDPA would be implemented sometime in June this year, but most companies are still stuck trying to start something.

          • ELvin Low
            June 7, 2012 at 12:24

            Any news on the enforcement of the Act yet?

            • June 7, 2012 at 23:09

              Rais Yatim said enforcement is in June this year. Not sure whether, 3 months from now, this is going to be a reality.

  4. Internet Marketing Stategies
    October 20, 2011 at 08:36

    This is very interesting. You’re an excessively professional blogger. I’ve joined your RSS feed and look forward to searching for more of your fantastic posts. Also, I’ve shared your website in my social networks.

  5. jane
    August 8, 2011 at 15:07

    When will this Act be implemented?

    • August 21, 2011 at 22:32

      Looks like the first quarter of 2012, otherwise the second quarter.

  6. February 14, 2011 at 13:48

    The PDPA compels every insurance company to be compliant by the deadline set by the Malaysian Govt. The most suitable & cost-effective way to be compliant with such rules is to get the help of an IT company which has a ready framework and solution available, which can encompass insurers’ existing systems and make those systems PDPA compliant.

    Essentially the framework will comply with all the set guidelines and, by implementing the same around the insurer’s IT platform, will make the insurer’s IT systems PDPA compliant.

    There is such a company, known as Patni Computer Systems Ltd, which has uniquely positioned itself over the last 25 years in the US, Europe & UK markets and made many of its Fortune 500 insurance clients compliant with the privacy act of their region or country.

    Prasad Jakhadi

    • February 14, 2011 at 22:10

      We would appreciate it if you could provide us with a write-up of how your system and software can help the Malaysian insurance industry position itself as far as PDPA compliance is concerned. Great to have your viewpoints.

      • February 15, 2011 at 17:48

        Thanks for the reply and encouraging comment. May I know your private email ID?

  7. February 2, 2011 at 01:47

    It is a problem I need to find more information about; I appreciate the article.

    • February 7, 2011 at 19:49

      Register with our autoresponder, which you can find in the same posting, for that information.

  8. January 31, 2011 at 16:06

    [New Post] Personal Data Protection Act 2010 | Getting the insurance industry to order – via #twitoaster
