The Malaysian Personal Data Protection Act (PDPA) was gazetted on 10 June 2010 and has since been a subject of intense discussion amongst insurance practitioners and the wider community: something many of us want to talk about, but which is difficult to pin down into a viable framework before the PDPA is implemented. The exact enforcement date of the Act has yet to be decided, but the target is set somewhere in the 3rd quarter of 2011. One of the main reasons for the delay in enforcement is the setting up of the Commission and the tribunal, and also getting the various infrastructure in place.
Once implemented, the industry would be given a three-month grace period to comply. Three months is not exactly long enough for any (re)insurer to have a framework efficiently in place.
The least that insurers can do now is to familiarise themselves with the Act, not forgetting to structure a viable framework along the way, at least one that works when it matters.
Understanding the PDPA is not exactly a mammoth task. What is important is for insurance practitioners to acquire a reasonable level of understanding of the core terms featured within the Act.
It is good to start off with the understanding of the seven (7) data protection principles that would form the basis of the PDPA:
(We have highlighted the key terms in CAPITAL LETTERS; they are defined below this section, so scroll down if you need to make the reference.)
- General Principle
  - In general, the PROCESSING of PERSONAL DATA requires CONSENT.
- Notice & Choice Principle
  - In principle, DATA USERS are required to notify the DATA SUBJECTS of the purpose for which the data is collected and of their right to request access to and correction of the PERSONAL DATA.
- Disclosure Principle
  - Simple understanding here: no PERSONAL DATA shall be disclosed without the consent of the DATA SUBJECT.
- Security Principle
  - The DATA USER must take practical steps to protect the PERSONAL DATA from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
- Retention Principle
  - PERSONAL DATA processed for any purpose shall not be kept longer than is necessary for the fulfilment of the purpose for which it was obtained.
  - There is an option for an exemption, i.e. by compiling the PERSONAL DATA into data processed for the purpose of preparing statistics or carrying out research, provided the results of the research do not reveal the identity of the DATA SUBJECT.
- Data Integrity Principle
  - The DATA USER shall take reasonable steps to ensure the accuracy of the data and to keep it current for the purpose for which it was collected.
- Access Principle
  - The DATA SUBJECT shall be given the necessary access to his or her PERSONAL DATA and shall be able to correct the PERSONAL DATA where it is inaccurate or incomplete.
The other important core areas, apart from the 7 principles, are mainly to do with definitions and expressions regarding the usage of terms. We have simplified the more critical ones as follows:
For the purpose of this blog posting we will not discuss FRAMEWORKS & MODELS for the efficient and effective implementation of PDPA compliance; suffice it to say we keep it simple here by focusing on the understanding part. We hope to work on FRAMEWORKS in a later posting.
With this new Act, (re)insurers & (re)takaful entities must make sense of the following matters, amongst the more important ones:
- What new contents are required for PRIVACY NOTICES, and how is the PERSONAL DATA PROTECTION policy written as an integral part of them?
- How should existing data collection practices be re-examined, especially where they involve purchasing databases from third parties?
- How is consent to process obtained efficiently?
- What are the best practices in the use and transfer of personal information?
- What mechanisms should be established for individuals to exercise their access and correction rights?
- How do we ensure that data security, retention policies and practices conform to the PDPA?
- What would be the mechanism for dealing with specific cross-border limitations when transferring and sharing data within one's own global organisation?
In conclusion, do or die… do give a thought to the PENALTIES & FINES. The penalties for breaching the PDPA include the imposition of fines and/or a term of imprisonment. It is also good to note that directors, CEOs, COOs, managers or other similar officers have joint liability for non-compliance by the (re)insurer or (re)takaful entity in the absence of a due diligence defence.