
3.1 Personal Data Protection Terminology

The Personal Data Protection Act 2010 (‘PDPA’) is influenced by and modeled upon the EU Data Protection Directive rather than the OECD Guidelines or the APEC Privacy Framework.Footnote 1 Some of the provisions in the PDPA also mirror those in the UK Data Protection Act 1998 [‘DPA 1998 (UK)’]. Since the PDPA is a new piece of law in Malaysia, reference has to be made to the laws, cases, guidelines, and guidance notes relating to data protection in the European Union (‘EU’) (including the UK) and some other jurisdictions having the similar data protection laws. It is a common practice that data protection regulators/commissioners regularly publish guidelines or guidance notes to further explain the application of the data protection legislation, and therefore it is likely that the Personal Data Protection Commissioner in Malaysia (‘PDP Commissioner’) will also follow this trend and publish guidelines or guidance notes in the near future. In the absence of any guidelines or guidance notes having been published by the PDP Commissioner thus far, the author has made references to two main instruments published by the Information Commissioner’s Office of the UK (‘ICO’), namely the Legal Guidance to Data Protection Act 1998 (‘Legal Guidance’) and the Guide to Data Protection (‘the Guide’). Reference is also made to the EU’s Article 29 Working Party’s Opinion 4/2007 on the Concept of Personal Data.

The PDPA applies to (a) any person who processes and (b) any person who has control over or authorises the processing of any personal data in respect of commercial transactions.Footnote 2 The PDPA regulates the processing of ‘personal data’, which does not cover ‘company data’.

3.1.1 Definition of ‘Data’ and ‘Personal Data’

According to Section 4, ‘personal data’ is defined as ‘any information in respect of commercial transactions, which:

  1) Is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose,

  2) Is recorded with the intention that it should wholly or partly be processed by means of such equipment, or

  3) Is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data or expression of opinion about the data subject, but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010’.Footnote 3

This section has two limbs: the first limb covers paragraphs (1) to (3), which seek to explain the meaning of ‘data’, and the second limb covers the passage that follows them, which seeks to explain the meaning of ‘personal data’.

3.1.1.1 What is Data?

It can be deduced from the definition in Section 4 that the PDPA applies to electronic and manual data:

3.1.1.1.1 Electronic Data

Personal data within paragraphs (1) and (2) include those data being processed or recorded with the intention that they should wholly or partly be processed by means of equipment operating automatically in response to instructions given for that purpose.

A computer program is a set of instructions or commands that gives directions to the computer as to the sequence in which its operations should be conducted in order to carry out specific functions. The extent of automatic processing means that paragraphs (1) and (2) will apply to all forms of electronic data. For example, all data stored on a computer is considered electronic data. It is also said that the above definition is not technology-specific, and therefore, the use of any form of equipment that is operating automatically in response to instructions will be covered.Footnote 4

The phrase ‘recorded with the intention’ refers to data that is intended to be stored on a computer. Therefore, data recorded on paper with the intention that it will subsequently be stored on a computer is also considered to be electronic data.Footnote 5 Such an intention to process must exist at the time of recording.Footnote 6

3.1.1.1.2 Manual Data

Personal data within paragraph (3) includes those data recorded or intended to be recorded as part of a relevant filing system.

3.1.1.1.3 ‘Relevant Filing System’

The definition of data as presented within paragraph (3) is designed to cover the relevant filing systems, such as manual filing and record keeping systems. ‘Relevant filing system’ is defined in Section 4 to mean ‘any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set of information is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.’ As such, in determining what manual data will be covered, the question of when data should be considered ‘readily accessible’ is of critical importance.

The meaning of ‘relevant filing system’ was considered by the UK Court of Appeal in Durant v Financial Services Authority.Footnote 7 Mr. Durant had lost certain litigation against Barclay’s Bank. The Financial Services Authority (‘FSA’) held certain information about the case that concerned Mr. Durant and others in paper files. Mr. Durant then sought the disclosure of certain information, both electronically and in manual files, which he claimed was personal data relating to him held by the FSA. Mr. Durant thought that obtaining those files might help him in filing another suit against Barclay’s Bank. The FSA had provided Mr. Durant with some information in response to his requests, but he sought further disclosure.

The court was of the view that although manual files ‘are not processed by means of equipment operating automatically in response to instructions given for that purpose’, Parliament intended the DPA 1998 (UK) to apply to manual files ‘only if they are of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system.’

In other words, to qualify as a relevant filing system, the system should be structured or indexed in such a way as to enable the data user or his employee to easily access and extract the relevant data, without having to perform a manual search for them. It is not sufficient if the manual filing system requires the data user or his employee to leaf through files in a time-consuming and costly manner to discover whether they contain data relating to the person who has made the request for access to his personal data.Footnote 8

Accordingly, the court held that a ‘relevant filing system’ is limited to a system:

  1) In which the files forming part of it are structured or referenced in such a way as to clearly indicate at the outset of the search whether specific data capable of amounting to the personal data of an individual requesting it is held within the system and, if so, in which file or files it is held; and

  2) Which has, as part of its own structure or referencing mechanism, a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file or files specific criteria or data about the applicant can be readily located.

On the facts of that case, the FSA’s filing systems did not satisfy those requirements at the time. The manual files were not indexed with particular reference to Mr. Durant, but were arranged according to subject matter. Substantial time and effort was needed in order to locate and extract the data sought by Mr. Durant. The files were not structured or indexed so as to provide ready access to the data. This case was subsequently followed by Laddie J in Smith v Lloyds TSB Bank plc,Footnote 9 in which the judge held that data kept in a non-computerised manual system was to be treated as data if the filing system was sufficiently structured so as to allow easy access to data specific to the data subject. The data controller (data user) should not be put to a great deal of effort in extracting the relevant data.

In response to the Durant case, the ICO issued a guidance note to address the impact of the decision. For example, when the files are structured in pure chronological order, it will not be a relevant filing system, because a data user has to leaf through the files in order to retrieve the data. However, if the files use individuals’ names as the file names and are indexed in such a way as to enable the easy retrieval of data without a manual search, as is the case with records of sickness, absences, contact details, etc., it will likely be construed as a relevant filing system.Footnote 10 The ICO acknowledged that the impact of the Durant case is that only very few manual files are likely to be covered by the DPA 1998 (UK), because most of the personal data held in manual form does not fall within the restrictive interpretation adopted in Durant.Footnote 11 Nevertheless, as more and more data are being stored electronically, most personal data will be covered by the definition of ‘personal data’ under paragraphs (1) and (2) of Section 4.

The definition of ‘relevant filing system’ is in pari materia with Section 1 of the DPA 1998 (UK) and hence the above decision would be helpful, though it remains to be seen if the PDP Commissioner or the Malaysian courts would adopt such a restrictive interpretation.

3.1.1.2 What Is ‘Personal Data’?

The definition of personal data is one of the most fundamental aspects of the data protection law. However, it is nearly impossible to set out the definition conclusively since the definition and scope of personal data are very wide and remain open to many interpretations. The courts and the data protection regulators in both the EU and the UK have taken different views in approaching the definition of personal data. As the definition of personal data constitutes the threshold requirement of the application of data protection law, it is very important to understand what exactly the PDPA is attempting to regulate.

Name, home address, race, national ID number, occupation, gender and even an expression of opinion about an individual are considered personal data. With the advancement of technology, almost any form of recorded information, such as a photographFootnote 12 or video images recorded on CCTV, could be deemed personal data within the ambit of the PDPA if a specific individual is identified or identifiable from that information. Ian Lloyd is of the view that biometric data, such as fingerprint, face, and iris recognition data, which forms the cornerstone of modern passports and national identity cards, is also a form of personal data.Footnote 13

The European Commission has set up the Article 29 Working Party to act as an independent European advisory body on data protection and privacy. The Article 29 Working Party plays an important role in shaping the fundamental definitions and concepts of data protection. In this regard, the Article 29 Working Party has issued Opinion 4/2007 on the Concept of Personal Data (‘Opinion 4/2007’), which seeks to provide a common understanding of the definition of personal data.

3.1.1.2.1 ‘Any Information’

According to Opinion 4/2007, this phrase can be examined from three aspects, namely:

3.1.1.2.1.1 Nature

The definition of personal data includes any type of statement about a person. It includes ‘objective’ information, such as the presence of a certain substance in one’s blood, and ‘subjective’ information, such as the opinions or assessments of an individual. The information does not need to be true or proven for it to be considered personal data.Footnote 14

3.1.1.2.1.2 Content

The definition of personal data includes any type of information. It includes general information, sensitive information, information touching on the individual’s private and family life, and information regarding the types of activities undertaken by the individual.Footnote 15

3.1.1.2.1.3 Format

The definition of personal data includes any information available in any format, be it alphabetical, numerical, graphical, photographical, or acoustic. For example, it includes information stored on paper, in a computer memory by means of binary code, or on a videotape recorded on CCTV.Footnote 16

3.1.1.2.2 ‘Relates Directly or Indirectly to a Data Subject’

The scope of ‘relates to’ in terms of an individual is very wide. Information can be considered to ‘relate’ to an individual when it is about that individual. The Article 29 Working Party noted that ‘data relates to an individual if it refers to the identity, characteristics, or behavior of an individual or if such information is used to determine or influence the way in which that person is treated or evaluated.’Footnote 17

The Article 29 Working Party took a wide interpretation of the terms ‘relates to’. It will be sufficient if one of the following elements is present in the personal data:

  1) Content element: Data ‘relates to’ an individual when it is ‘about’ that individual;

  2) Purpose element: Data ‘relates to’ an individual when the data is used with the ‘purpose’ of evaluating, treating in a certain way, or influencing the status or behaviour of an individual; or

  3) Result element: Data ‘relates to’ an individual when the use of such data is likely to have an ‘impact’ on an individual’s rights and interests. It is not necessary that the potential result be a major impact. It is sufficient if the individual may be treated differently from others as a result of the processing of such data.

These three elements do not need to apply cumulatively. The same piece of data may relate to different individuals at the same time, depending on what element is present with regard to the others. It is not necessary that the data ‘focuses’ on an individual in order for it to be considered that it relates to him.

In Durant v Financial Services Authority, the Financial Services Authority (‘FSA’) refused to disclose some other records as they were related to third parties and did not constitute personal data related to Mr. Durant. Counsel for Mr. Durant argued that the term ‘relates to’ ought to be interpreted broadly in order to cover any data that may be obtained from a search of a database made by reference to an individual’s name. On the other hand, counsel for the FSA argued that the term should be interpreted restrictively, i.e., that ‘there should be reference to or concern with a subject, implying a more-or-less direct connection with an individual.’

The Court of Appeal preferred the restrictive interpretation and held that the intention of the DPA 1998 (UK) was not to give an automatic right of access to information just because Mr. Durant’s name was mentioned in a record or because he had some interest in the matter. The mere fact of searching a database by reference to a data subject’s name did not mean that the documents retrieved constituted personal data relating to him. In the context of this case, the issue was whether any information relating to the FSA’s investigation of Mr. Durant’s complaint about Barclay’s Bank fell within the definition of ‘personal data’ belonging to Mr. Durant. The court held that data will relate to an individual if it is information that affects [a person’s] privacy, whether in his personal or family life or in his business or professional capacity. It may amount to personal data if it affects the individual’s privacy or if the name appears together with other information relating to the individual, such as his or her address, telephone number, or hobbies.

On the facts, just because the FSA’s investigation of the matter was related to the complaint from Mr. Durant, it did not render the information generated by that investigation personal data that belongs to Mr. Durant. A mere mention of the individual in a document does not necessarily mean that the document contains personal data of that individual. The court held that the information being sought by Mr. Durant did not ‘relate to’ him. The court noted that Mr. Durant’s claim was a misguided attempt to use the machinery of the DPA 1998 (UK) as a back-door approach to discover evidence that he could not obtain through the usual means of discovery.

According to the ICO, the impact of this decision is that mere reference to an individual’s name alone is not sufficient to amount to personal data. It will amount to personal data when the name appears together with other information that can be linked to the data subject or affect the data subject’s privacy, such as the data subject’s medical history, salary details, tax liabilities, bank statements, and spending habits.Footnote 18 Therefore, the current position in the UK is that in order to amount to personal data, the information must affect a person’s privacy, whether in a personal or family capacity or in a business or professional capacity.

Hence, it remains to be seen which approach the Malaysian courts will take. One must take note that, as the notion of a general right to privacy is not yet explicitly recognised in Malaysia, it is doubtful that our courts will have much regard for whether the data affects the data subject’s privacy. The wide interpretation taken by the Article 29 Working Party will be better guidance to follow.

3.1.1.2.3 ‘Identified or Identifiable from that Information’

Under the PDPA, information about both identified and identifiable persons is considered personal data. An identified person appears to be an individual who is known in person and, based on the information, can be contacted or recognised by others. The most common way to identify an individual is by name. An identifiable person is an individual whose identity is ascertainable, but who is not necessarily known in person. His identity can be ascertained based on the information held and by making some further enquiries. However, name alone may not be enough to identify an individual if he or she is on a name list, because there could be a few individuals with the same name. Nevertheless, if there is further information, such as addresses, identification numbers, places of work, phone numbers, etc. that are sufficient to distinguish one such person from another, an individual can be identified when his name is checked against the other information.Footnote 19

In the Hong Kong case of Eastweek Publisher Ltd v Privacy Commissioner for Personal Data,Footnote 20 a young lady was photographed without her knowledge and consent whilst walking in a public place. The photograph was then published in a magazine that commented on the dress sense of women in Hong Kong. The majority in the Court of Appeal held that the complaint could not be upheld. Although the court agreed that a photograph constituted personal data, the mere taking of a photograph and using it as an anonymous photographic subject did not amount to the collection of personal data. Her identity was neither known nor needed for the article, and hence, she was not identified from the photograph. Wong JA dissented and opined that the complainant was identifiable and had indeed been identified by her work colleagues.Footnote 21

3.1.1.2.4 ‘From that and Other Information in the Possession of the Data User’

This phrase is intended to cover personal data that, by itself, does not identify an individual or make an individual identifiable, but that, when combined or cross-checked with other information in the possession of the data user, allows the individual to be identified from the information.Footnote 22

For example, according to David Bainbridge, a computer database may not include names, but might, instead, operate on individuals’ national insurance numbers. If the person processing the data also has a card index that contains national insurance numbers and the names of the individuals to whom they belong, that is sufficient for the data being processed by computer to be classified as personal data, because the individual can be identified by linking the two sources. Another example is when a data user has a set of numbered photographs of individuals and a card index that relates the photographs to named persons.Footnote 23

3.1.1.2.5 ‘Expression of Opinion About the Data Subject’

Personal data includes expressions of opinion about a data subject. This more often occurs in employment or medical records. For example, an employer may provide some comments in a job appraisal regarding an employee or a doctor may give his professional opinion about the health conditions of a patient.

3.1.1.2.6 ‘Sensitive Personal Data’

The requirements for processing sensitive personal data are much stricter than the general personal data mentioned above.

Under Section 4, ‘sensitive personal data’ means any personal data consisting of information as to the:

  1) Physical or mental health or condition of a data subject;

  2) His political opinions;

  3) His religious beliefs or other beliefs of a similar nature;

  4) The commission or alleged commission by him of any offence; or

  5) Any other personal data as the Minister may determine by order published in the Gazette.

While the DPA 1998 (UK) includes the racial or ethnic origin of the data subject and his or her sexual life as one of the types of sensitive personal data, the PDPA seems to have omitted these two types of personal data. Given that race and gender are always considered sensitive issues in Malaysia, it was a missed opportunity for the PDPA to have omitted these personal data from the definition of sensitive personal data. According to the Guide, the reason for this special category of personal data is that these types of data could be used in a discriminatory way and are likely to be of a private nature. Therefore, they need to be treated with greater care than other general personal data.Footnote 24

3.1.1.2.7 ‘Processing’

According to Section 4, processing in relation to personal data means the ‘collecting, recording, holding, or storing the personal data, including:

  1) The organisation, adaptation, or alteration of personal data;

  2) The retrieval, consultation, or use of personal data;

  3) The disclosure of personal data via transmission, transfer, dissemination or otherwise making it available; or

  4) The alignment, combination, correction, erasure, or destruction of personal data’.

The definition uses the term ‘holding or storing’ (the EU Data Protection Directive uses the term ‘storage’ only).Footnote 25 The definition under the PDPA is wider in the sense that merely being in possession of personal data will be considered as processing it for the purposes of the PDPA. Additionally, by using the term ‘including’, it is submitted that the definition of processing is not intended to be exhaustive and that it shall be construed widely in order to cover every conceivable use of data.

This can be seen in Bodil Lindqvist,Footnote 26 where the European Court of Justice (‘ECJ’) ruled that placing personal data about individuals on a webpage amounted to the processing of personal data by making them available on the Internet.

Mrs. Lindqvist worked as a catechist in the parish of Alseda. She set up a website in order to allow parishioners to obtain information from the website. The website contained information about herself and 18 colleagues in the parish, including their full names, occupations, hobbies, and telephone numbers. Mrs. Lindqvist had not informed her colleagues about the existence of these webpages nor obtained prior consent from them. She was convicted by the Swedish court for a breach of the data protection law. She appealed and the Swedish court referred the case to the ECJ for a preliminary ruling (See Chap. 11 for detailed case analysis).

One of the questions at hand was whether the mere mention of a person by name, occupation, and telephone number on a webpage constituted ‘the processing of personal data’ within the meaning of the EU Data Protection Directive. The Swedish Government argued that as soon as personal data are processed by computer, whether by using a word-processing programme or in order to put them on an Internet page, they have been the subject of processing. The ECJ agreed with this argument and said that, as the term ‘processing’ is defined as meaning ‘any operation or set of operations that are performed upon personal data, whether by automatic means or not, such as disclosure by transmission, dissemination, or otherwise making data available’,Footnote 27 it followed that the operation of loading personal data on a webpage constituted such processing. It also ruled that placing information on a webpage entailed the operation of loading that page onto a server and the operations necessary to make the data accessible to people connected to the Internet. Therefore, the processing was, at least in part, performed by automatic means. The court rejected Mrs. Lindqvist’s defence of use for domestic purposes, i.e., her claim that what she did was in the course of leisure activities. The court thought that such an activity was not for domestic purposes because the data were communicated to ‘an indefinite number of people’ on the Internet.

3.1.2 The Main Actors Under the PDPA

The person who processes any personal data or has control over or authorises the processing of any personal data is referred to as ‘data user’, and the person whose personal data is processed by the data user is known as ‘data subject’.

3.1.2.1 ‘Data User’

A data user is defined as ‘a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorises the processing of any personal data, but does not include a data processor’.Footnote 28 A data user under the PDPA is equivalent to a ‘data controller’ under the DPA 1998 (UK).

It is important to establish whether or not someone is a data user because Section 5(1) provides that it is the data user who must comply with the PDP principles and other related provisions under the PDPA. Section 14 provides that if the data user falls within a class of data users specified in the order made by the Minister, such a data user is required to register with the PDP Commissioner in accordance with the registration provisions laid down in Division 2 of the PDPA. However, one should take note that all other data users, who are not required to register with the Commissioner, will still have to comply with all the provisions of the PDPA, including the PDP Principles, except the registration provisions stated in Division 2.Footnote 29 In other words, as long as the person is involved in processing personal data, he or she is subject to the PDPA.

According to the Legal Guidance, the term ‘person’ means that the data controller (data user) must be a legal person and that this shall include human beings, such as individuals, and artificial legal persons, such as companies and other corporate and unincorporated entities.Footnote 30

The phrase ‘who either alone or jointly or in common with other persons’ seems to indicate that there can be more than one data user who share a central database of personal data. For example, a number of subsidiary companies within a group of companies may share a central database of all their employee records and customer lists.Footnote 31 According to the Legal Guidance, the term ‘jointly’ refers to a situation in which the data controllers (data users) agree between themselves as to the purpose and manner of any data processing of the personal data, whereas ‘common’ refers to a situation in which, although the data controllers (data users) share a central database of personal data, each of them has their own individual purposes and manner of processing and they process the data independently from one another.Footnote 32

Under the DPA 1998 (UK), the data controller must decide the purposes for which personal data is to be processed and the way in which personal data is to be processed. This element is not expressly provided for under our definition of ‘data user’. It can be said that our definition is wider in the sense that even the mere holding of personal data without any intention of processing it further will make the person a data user because the concept of ‘processing’ under the PDPA is so wide that it can be used to encompass all types of activities/operations that a particular data user may want to use on the personal data in question.Footnote 33

What about a holding/group company that has several subsidiaries within the group? Abu Bakar Munir is of the view that it is likely that each company within a holding/group company will be considered separately as a data user due to the concept of separate legal entity and the fact that each company within the group may be involved in different kinds of businesses and processing various kinds of personal data of data subjects.Footnote 34

3.1.2.2 ‘Data Subject’

‘Data subject’ is defined as ‘an individual who is the subject of the personal data’.Footnote 35 David Bainbridge argues that the use of the term ‘individual’ suggests that the data subject must be a human being/living individual and that an artificial legal person, such as a company or corporate or unincorporated entity, is not a data subject.Footnote 36 However, unlike the DPA 1998 (UK), in which the definition of personal data expressly refers to data related to a living individual, the PDPA is silent as to whether the term ‘data subject’ relates only to living individuals or also covers deceased individuals.

3.1.2.3 ‘Data Processor’

Apart from the data user, there is another category of person who also processes personal data. Such a person is known as a ‘data processor’, which is defined as ‘any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes’.Footnote 37 As Section 5(1) provides that only a data user has to comply with the PDP Principles and Section 4 expressly excludes the data processor from the definition of the data user,Footnote 38 this means that a data processor does not have to comply with the PDP Principles. However, if the data processor processes personal data for his or her own purposes, then he or she will become a data user and must then comply with all of the PDP Principles. As a data user is still liable for the actions performed by the data processor,Footnote 39 it is therefore important for the data user to ensure that the data processor complies with the PDPA. If the data processor sub-contracts its processing operations, the data user should ensure that every sub-contractor still complies with the PDPA and abides by the instructions given by the data user.Footnote 40

Having said this, the data processor may still have to comply with one particular principle, i.e., the security principle. Section 9(2) states that when the processing of personal data is carried out by a data processor on behalf of the data user, the onus is on the data user to take steps to ensure that the data processor complies with the security principle, by requiring the data processor to provide sufficient guarantees with respect to technical and organisational security measures and by taking reasonable steps to ensure compliance with those measures. This can be done by entering into a written contract with the data processor, requiring the data processor to act only on instructions from the data user and to comply with the security principle.Footnote 41 The data user should also choose the data processor carefully and have in place effective means of allowing the data user to monitor, review, and audit the data processor’s processing system.Footnote 42 Examples of data processors are Internet Service Providers, web-hosting companies, call centres, companies that provide servers and database back-up facilities, companies engaged to carry out database quality control or to conduct market surveys, companies engaged to use clients’ databases to prepare reports for clients, etc.Footnote 43

3.2 Application of the Personal Data Protection Act 2010

3.2.1 Application of the PDPA

Section 2(1) states that the PDPA applies to:

  • Any person who processes; and

  • Any person who has control over or authorises the processing of, any personal data in respect of commercial transactions.

‘Person’ in the context of Section 2(1) refers to the ‘data user’, as the ‘data user’ is defined as ‘a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorises the processing of any personal data, but does not include a data processor’.Footnote 44

3.3 Applicability Criteria under the PDPA

According to Section 2(2), the PDPA shall apply to data users in the following two circumstances:

  • Where the data user is established in Malaysia and the personal data is processed, whether or not in the context of that establishment, by that person or any person employed or engaged by that establishment; or

  • Where the data user is not established in Malaysia but uses equipment in Malaysia for processing the personal data otherwise than for the purposes of transit through Malaysia. For the second circumstance, the data user must nominate a representative established in Malaysia,Footnote 45 but such nomination does not absolve the data user from any legal action.Footnote 46

3.3.1 Establishment in Malaysia

A Malaysian company processing personal data is subject to the PDPA by virtue of Section 2(2)(a). However, the effect of the second limb of Section 2(2)(a), which covers any person employed or engaged by that establishment, is not clear. There is no similar provision found in the DPA 1998 (UK).Footnote 47 The provision is susceptible to two interpretations: (1) if a Malaysian company engages a third party company to process personal data on its behalf, the third party company is also subject to the PDPA because the company is ‘engaged’ by the Malaysian company to perform the act of processing of personal data, and hence, they should be considered as joint data users, or (2) the third party company may be considered as a data processor on the basis that it is engaged by the Malaysian company to process data solely on behalf of the Malaysian company. If the second view is taken, then the third party company is not subject to the PDPA.

The term ‘establishment’ is further defined in Section 2(4) to include:

  • An individual whose physical presence in Malaysia shall not be less than 180 days in one calendar year,

  • A body incorporated under the Companies Act 1965,

  • A partnership or other unincorporated association formed under any written laws in Malaysia, and

  • Any person who maintains an office, branch, or agency or a regular practice in Malaysia but does not fall within sub-sections (a)–(c).

A data user who is an individual does not have to be a Malaysian citizen, as evidenced from sub-section (a). A data user who resides in Malaysia for more than 180 days will be regarded as an individual for the purposes of the PDPA. Regarding those multinational companies that have offices or operate businesses in Malaysia, they will be regarded as having an establishment in Malaysia under sub-section (d). It is, however, not clear whether the term ‘agency’ here refers to one who has the power to enter into a legally binding contract on behalf of his principal or has the broader sense of one who acts on behalf of another.

3.3.2 Establishment Outside Malaysia

Section 2(2)(b) applies to situations in which a non-Malaysian company uses equipment, e.g., computers, computer networks, servers, application systems, situated in Malaysia to process personal data. The non-Malaysian company will be subject to the PDPA, and it must nominate a representative in Malaysia.

However, if the non-Malaysian company merely transfers personal data to another company located in another country via equipment situated in Malaysia, the PDPA will not apply, because the law allows the processing of personal data for the purposes of transit through Malaysia to other countries.Footnote 48 A typical example of this would be the use of telecommunications equipment to transmit and receive data packets solely as a conduit from one server to another, without involving any storing or processing activities.Footnote 49

3.4 Non-application of the Act

Interestingly, the PDPA sets out the organisations and broad categories of processing activities that fall outside the application of the PDPA.

The PDPA shall not apply at all in the following circumstances:

  • Personal data processed by the Federal Government and State Governments,Footnote 50

  • Personal data processed outside Malaysia (unless that personal data is intended to be further processed in Malaysia),Footnote 51

  • Personal data processed in non-commercial transactions,Footnote 52

  • Personal data processed under the Credit Reporting Agencies Act 2010,Footnote 53

  • Personal data processed for the purposes of transit through Malaysia,Footnote 54 and

  • Personal data processed by an individual only for the purposes of that individual’s personal, family, or household affairs, including recreational purposes.Footnote 55

3.5 The Seven Personal Data Protection Principles

The personal data protection principles (‘PDP Principles’) form the fundamental backbone of the PDPA. Section 5(1) states that a data user must comply with all the seven PDP Principles as set out in Sections 6–12. Section 5(2) states that a data user who contravenes any one of the PDP Principles shall be liable for a maximum fine of three hundred thousand ringgit (RM300,000) or subject to imprisonment for a maximum term of 2 years or both, unless his processing activity is exempted under Sections 45 or 46. The objective of these principles is to protect the interests of the individuals whose personal data is being processed. Hence, the key to complying with the PDPA is to follow the seven PDP Principles religiously, unless a relevant exemption applies.

An overview of the PDP Principles is set out as follows (Table 3.1):

Table 3.1 Summary of the PDP principles

3.5.1 General Principle

General rule: According to Section 6(1), a data user shall not process personal data about a data subject, unless the data subject has given his consent to the processing of the personal data, and shall not process sensitive personal data about a data subject, except in accordance with the conditions laid down in Section 40.

Exceptions: Notwithstanding the above, Section 6(2) provides that the data subject’s consent is not required to be obtained if the processing is necessary:

  • For the performance of a contract to which the data subject is a party,

  • For the taking of steps at the request of the data subject with a view to entering into a contract,

  • For compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract,

  • In order to protect the vital interests of the data subject,

  • For the administration of justice, or

  • For the exercise of any functions conferred on any person by or under any law.

3.5.1.1 The Meaning of ‘Consent’

‘Consent’ is the key element under the PDPA. Generally, personal data should not be processed unless consent has been given by the data subject, although certain exceptions may apply. However, ‘consent’ is not defined in the PDPA. The existence and validity of consent are questions of fact in each case. It is not certain whether the consent must be expressed or explicit or whether it is acceptable if such consent is implied from the data subject’s conduct.Footnote 56 The EU Data Protection Directive defines ‘consent’ as ‘any freely given, specific, and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.Footnote 57 This definition suggests that consent comprises the following elements:

  • It involves a positive and definite act;

  • The data subject must be given a genuine choice to decide whether to give consent;

  • Consent must be given specifically for the particular processing activity; and

  • The data subject must be given all the necessary details of the processing activity in order for him to make an informed decision.

The phrase ‘the data subject must signify his agreement’ is interpreted to mean that there must be some active communication between the parties.Footnote 58 No consent shall be inferred from a non-response to a communication, for instance, from a customer’s failure to return or respond to a leaflet.Footnote 59 Also, consent obtained under duress or on the basis of misleading information is not valid consent.Footnote 60

This issue is very important because marketing companies usually incorporate their processing intentions in a mail-order form or a similar document. For instance, a notice such as ‘tick here if you do not wish us to share your personal data with other companies who may wish to provide you with information about goods or services that may be of interest to you’ is commonly found on mail-order forms. Such an approach is called an ‘opt-out,’ i.e., unless the data subject indicates his wishes not to have his personal data processed, he is deemed to have given his consent to such a processing act. In reality, many data subjects do not read or even become aware of such a notice being placed on the form, especially when such a notice is placed at the bottom of the form in small print that hardly can be read by anyone. Some may not even understand the implications of their data being processed by these companies.

An alternative approach is called an ‘opt-in,’ i.e., the notice is given to the data subject, and he is given a choice to indicate his intentions regarding whether he wishes to have his personal data processed by the data user. Under this approach, in the absence of expressed consent being given in the form of a positive indication, companies cannot assume that the data subject has given his consent to the processing of any personal data for any purposes.

The Oxford English Dictionary defines ‘consent’ as meaning voluntary agreement, permission, or compliance.Footnote 61 Black’s Law Dictionary also defines ‘consent’ as ‘an act of reason, accompanied with deliberation, the mind weighing as in a balance the good or evil on each side’.Footnote 62 This seems to suggest that there must at least be some knowledge before consent is given. Abu Bakar Munir argues that consent here refers to a positive act. The learned author cited Bell v Alfred Franks & Bartlett Co,Footnote 63 in which Shaw LJ stated that ‘if acquiescence can arise out of the passive failure to do anything, consent must involve a positive demonstration act, something of an affirmative kind. It is not to be implied.’Footnote 64

As Section 6(1) provides that ‘a data user shall not process personal data about a data subject, unless the data subject has given his consent to the processing of the personal data …’ one may argue that the PDPA adopts the ‘opt-in’ approach, i.e., a data subject has to positively indicate his intention to have his personal data be processed by the data user. This is because more often than not, a data subject has no knowledge regarding the ‘opt-out’ mechanism.

However, Ian Lloyd argues that at least pending any court decision either in the UK or before the ECJ, it appears that an ‘opt-out’ or ‘opt-in’ approach might still be acceptable in the UK, provided the data subject is readily able to give an indication of his wishes.Footnote 65 The learned author did suggest that the key to determining the acceptability of the approach depends on the clarity of the notice given to the data subjects. One example can be seen in Innovations (Mail Order) Ltd v Data Protection Registrar.Footnote 66 In that case, Innovations was in the mail-order business and also in the business of selling its customer lists to other retailers and service providers. Customers who ordered goods from Innovations were not aware of the fact that Innovations was selling their personal data. Innovations only informed the customers by way of notice when acknowledgment forms were sent to the customers. The notice informed the customers that they could have their names removed from the lists if they applied formally to Innovations. The Data Protection Tribunal (now the Information Tribunal) opined that the data were not collected fairly, because customers ought to have been informed at the time the data were collected, not later. The Tribunal held that if the purpose for which the data were intended to be used was not obvious at the time of collection of data, the data subject must be informed of that non-obvious purpose at that time. If the data subject was not so informed, the data subject’s expressed consent must be sought before any processing can be commenced.

The above decision was followed in British Gas Trading Ltd v Data Protection Registrar,Footnote 67 in which British Gas Trading only inserted a note informing customers that they could opt out of receiving any marketing materials by writing in. The Tribunal ruled against British Gas Trading, saying that customers should be given an opportunity to object, for example, by ticking an ‘opt-out’ box at the time data were collected from them, without having to perform a positive act like writing in.

Hence, it appears that as long as the data subject is given a reasonable opportunity to express his intentions (whether to ‘opt-in’ or ‘opt-out’) at the time of collection of data, this may be sufficient to amount to consent. The law is still unclear at this point. In this regard, guidelines or guidance notes should be issued by the PDP Commissioner in order to spell out how consent ought to be given, whether it should be performed by way of a positive indication of wishes or a mere opportunity to object to such processing.

However, it is noted that consent once given is not a permanent condition. Under Section 38, even if the data subject has previously consented to such processing, he can at any time by notice in writing request the data user to cease processing his personal data. The data user shall cease the processing of personal data upon receiving such a notice, failing which he shall be liable to a fine not exceeding one hundred thousand ringgit (RM100,000) or subject to imprisonment not exceeding 1 year or both. Although such a withdrawal of consent cannot have a retrospective effect, it would render any future processing of personal data unlawful.

In respect to sensitive personal data, Section 40(1)(a) provides that a data user shall not process any sensitive personal data, except when the data subject has given his explicit consent to such processing, unless the processing falls under one of the exceptions laid down in Section 40(1)(b) or when the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject under Section 40(1)(c).

Unlike the general personal data mentioned above, the requirement for sensitive personal data is more stringent, i.e., it requires ‘explicit consent’. Again, this term is not defined in the PDPA. However, the Legal Guidance suggests that:

The use of the word ‘explicit’ suggests that the consent of the data subject should be absolutely clear. In appropriate cases, it should cover the specific detail of the processing, the particular type of data to be processed (or even the specific information), the purpose of the processing and any special aspects of the processing that may affect the individual, for example, any disclosure that may be made of the data.Footnote 68

The PDPA also does not expressly state that a data user must keep written evidence in order to prove that he has obtained consent from data subjects. However, since the onus is on the data user to prove that proper consent has been obtained, it may be prudent for the data user to keep a record of the consents given by data subjects. The Electronic Commerce Act 2006 recognises electronic consent as amounting to a form of written consent. If consent is obtained electronically, the law requires that the record be retained in the format in which it was generated, sent, or received and that it be accessible, intelligible, and identify the origin and destination of the record and the date and time it was sent or received.Footnote 69
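As an added illustration of the consent rules discussed in this section (this code is not part of the book and is not the PDPA’s own text), the distinctions a data user has to keep track of can be expressed as a small consent ledger: consent is a positive act, silence in response to an opt-out notice is not consent, sensitive personal data needs explicit consent, a Section 6(2) exception dispenses with consent for ordinary personal data, and a Section 38 withdrawal ends consent for future processing without undoing earlier processing. The record also carries the origin, destination, date and time, and original format that the text says an electronic consent record must preserve. The section numbers are those cited above; the class names, record fields, and sample data subjects are constructed for the example, and the Section 40(1)(b) and (c) routes for sensitive data are not modelled.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class ConsentKind(Enum):
    OPT_IN = "opt-in"            # a positive, definite act by the data subject
    OPT_OUT_SILENCE = "silence"  # no response to an opt-out notice: not consent
    EXPLICIT = "explicit"        # absolutely clear, naming the data and the purpose


@dataclass(frozen=True)
class ConsentRecord:
    """One consent, kept with the details an electronic record must carry (constructed fields)."""
    data_subject: str
    purpose: str
    kind: ConsentKind
    given_at: datetime           # date and time the consent was sent or received
    origin: str                  # where the record came from (e.g. a web form)
    destination: str             # the system that received it
    raw_record: bytes            # kept in the format in which it was generated
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        self._records.append(rec)

    def withdraw(self, data_subject: str, purpose: str, at: datetime) -> int:
        """Section 38 notice in writing: consent ends at `at`; earlier processing is unaffected."""
        count = 0
        for i, rec in enumerate(self._records):
            if (rec.data_subject, rec.purpose) == (data_subject, purpose) and rec.withdrawn_at is None:
                self._records[i] = replace(rec, withdrawn_at=at)
                count += 1
        return count

    def may_process(self, data_subject: str, purpose: str, at: datetime, *,
                    sensitive: bool = False, s6_2_exception: Optional[str] = None) -> bool:
        """Is processing this subject's data for this purpose lawful at time `at`?"""
        # Section 6(2): a listed exception dispenses with consent for ordinary personal data only;
        # sensitive data is governed by Section 40, of which only explicit consent is modelled here.
        if s6_2_exception is not None and not sensitive:
            return True
        for rec in self._records:
            if (rec.data_subject, rec.purpose) != (data_subject, purpose):
                continue
            if rec.kind is ConsentKind.OPT_OUT_SILENCE:
                continue  # consent is never inferred from a non-response
            if sensitive and rec.kind is not ConsentKind.EXPLICIT:
                continue  # Section 40(1)(a): sensitive data needs explicit consent
            # Consent covers [given_at, withdrawn_at); withdrawal is not retrospective.
            if rec.given_at <= at and (rec.withdrawn_at is None or at < rec.withdrawn_at):
                return True
        return False


def demo() -> dict[str, bool]:
    """Constructed sample consents; returns the lawfulness decisions for a few situations."""
    def t(hour: int) -> datetime:
        return datetime(2024, 3, 1, hour, tzinfo=timezone.utc)

    ledger = ConsentLedger()
    ledger.record(ConsentRecord("subj-001", "marketing", ConsentKind.OPT_IN, t(9),
                                "web-form", "crm", b'{"marketing": true}'))
    ledger.record(ConsentRecord("subj-002", "marketing", ConsentKind.OPT_OUT_SILENCE, t(9),
                                "mail-order form", "crm", b""))
    ledger.record(ConsentRecord("subj-001", "health-screening", ConsentKind.OPT_IN, t(9),
                                "web-form", "hr", b'{"health": true}'))
    ledger.withdraw("subj-001", "marketing", t(12))  # written notice received at 12:00
    return {
        "opt_in_before_withdrawal": ledger.may_process("subj-001", "marketing", t(10)),
        "opt_in_after_withdrawal": ledger.may_process("subj-001", "marketing", t(13)),
        "silence_is_not_consent": ledger.may_process("subj-002", "marketing", t(10)),
        "sensitive_needs_explicit": ledger.may_process("subj-001", "health-screening", t(10),
                                                       sensitive=True),
        "contract_exception": ledger.may_process("subj-002", "order-fulfilment", t(10),
                                                 s6_2_exception="performance of a contract"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'may process' if decision else 'must not process'}")
```

The ledger stores consents as immutable records and marks withdrawal by replacing the record rather than deleting it, so the evidence that consent existed for the earlier period survives the withdrawal.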

3.5.1.2 How Should Personal Data Be Processed?

Section 6(3) provides that personal data shall not be processed, unless:

  • The personal data is processed for a lawful purpose directly related to an activity of the data user,

  • The processing of the personal data is necessary for or directly related to that purpose, and

  • The personal data is adequate but not excessive in relation to that purpose.

It is noted that the above three conditions are to be read conjunctively and that all the conditions must be satisfied before any personal data can be processed. This principle imposes limits on how a data user may process the personal data.

There is no definition of what constitutes ‘lawful purpose’, though the meaning of ‘unlawful’ has been described as ‘something that is contrary to some law or enactment or is one without lawful justification or excuse’.Footnote 70 The Guide states that a processing activity may be unlawful if it involves committing a criminal offence or it results in:Footnote 71

  • A breach of duty of confidence,

  • A data user exceeding its legal powers or exercising those powers improperly,

  • An infringement of copyright,

  • A breach of an enforceable contractual agreement,

  • A breach of industry-specific legislation or regulations, and

  • A breach of statute or common law, whether criminal or civil.

If the personal data was obtained for one purpose that the data subject has given his consent for, and subsequently, the data user wishes to use the personal data for some other purposes that are not directly related to the activity the data user consented to or are not necessary for or directly related to the original purpose, the data user must obtain fresh consent from the data subject for the subsequent use of the personal data. The Guide states that in practice, the data user must often obtain consent to use or disclose personal data for a purpose that is additional to or different from the purpose he originally obtained it for or originally envisaged.Footnote 72 For example, the purpose of conventional telephone directories is the disclosure of subscribers’ telephone numbers. If one were to use the directories to find out the personal data of an unknown subscriber from a certain telephone number or to find out the names and telephone numbers of the persons living in a particular area, this would be another use that is completely different from what a subscriber would expect when agreeing to be included in the directories.Footnote 73 Another example is when employees’ personal data collected for payroll purposes cannot be further used for direct marketing purposes without obtaining fresh consent from the employees.Footnote 74

In respect to the adequacy and non-excessiveness of the personal data, this depends on the purpose of the processing activity. According to the Guide, in complying with this principle, data controller (data user) should identify the minimum amount of personal data that is required in order to fulfill this purpose, which is a question of fact in each case.Footnote 75 The general rule is that a data controller (data user) should not collect excessive data that is not needed or irrelevant for the purposes of processing the personal data. Where sensitive personal data is involved, it is even more important to ensure that only a minimum amount of data should be collected.Footnote 76 If a data controller (data user) needs to collect particular data about only certain data subjects, he should collect it from those particular data subjects only and not all data subjects, because it is likely to be excessive in relation to the rest of the data subjects.Footnote 77 A data controller (data user) should not collect personal data on the basis that it might be useful in the future, without a view of how it will be used. However, it is permissible to collect data for a foreseeable event that may never occur, such as when an employer collects details regarding the blood types of employees engaged in hazardous occupations.Footnote 78

For example, employers may need to know (for certain posts) if the potential job applicants have a car and a driver’s license, so it would be acceptable for the employers to ask for such information. However, it would not be acceptable for the employers to ask for the model or the color of the job applicants’ cars.Footnote 79

3.5.2 Notice and Choice Principle

Section 7(1) states that a data user has a duty to inform a data subject by way of written notice:

  • That the personal data of the data subject is being processed by or on behalf of the data user, and a description of the personal data shall be provided to the data subject,

  • Of the purposes for which the personal data is being or will be collected and further processed,

  • Of any information available to the data user as to the source of that personal data,

  • That the data subject has the right to request access to and the right to request for the correction of the personal data, including how to contact the data user with any inquiries or complaints in respect to the personal data,

  • Of the class of third parties to whom the data user discloses or may disclose the personal data,

  • Of the choices and means the data user offers the data subject for limiting the processing of personal data, including personal data relating to other persons who may be identified from that personal data,

  • Whether it is obligatory or voluntary for the data subject to supply the personal data, and

  • When it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he or she should fail to supply the personal data.

The requirements under Section 7(1) are to be read conjunctively, i.e., a data user must comply with all of the above requirements (if applicable).Footnote 80 The simplest way to comply with this principle is by way of a ‘privacy notice’ incorporating all of the above requirements.Footnote 81 The intention of this principle is to require data users to be open and transparent about their processing activities so as to empower data subjects by making them aware of what personal data is being collected and processed.Footnote 82

Pursuant to Section 7(2), the written notice under Section 7(1) shall be given as soon as practicable by the data user:

  • When the data subject is first asked by the data user to provide his personal data,

  • When the data user first collects the personal data of the data subject, or

  • Before the data user uses the personal data of the data subject for a purpose other than the purpose for which the personal data was collected or discloses the personal data to a third party.

Section 7(3) further provides that such notice shall be in the National and English languages and that the data subject shall be provided with a clear and readily accessible means of exercising his choice.

It is submitted that Section 7(2) is giving effect to the decisions in Innovations and British Gas Trading mentioned above, in which the Tribunal ruled that the data controller (data user) ought to give notice to the data subject about the purpose of such collection of data at the time of collection.

3.5.3 Disclosure Principle

Section 8 states that subject to the exceptions laid down in Section 39,Footnote 83 in the absence of the consent of the data subject, personal data shall not be disclosed:

  1) For any purpose other than

     • The purpose for which the personal data was to be disclosed at the time of collection of the personal data or

     • A purpose directly related to the purpose referred to in the above paragraph or

  2) To any party other than a third party of the class of third parties specified in Section 7(1)(e).

In short, this principle says that a data user shall not disclose personal data:

  • For purposes other than those that were already disclosed at the time of collection,

  • For purposes that are not directly related to the purpose for which the personal data were to be disclosed at the time of collection, or

  • To any third party other than those that were already disclosed in the written notice to the data subject.

3.5.4 Security Principle

Section 9(1) requires that a data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction by having regard to:

  • The nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration, or destruction,

  • The place or location where the personal data is stored,

  • Any security measures incorporated into any equipment in which the personal data is stored,

  • The measures taken for ensuring the reliability, integrity, and competence of personnel having access to the personal data, and

  • The measures taken for ensuring the secure transfer of the personal data.

According to the Guide, in order to comply with this principle, a data controller (data user) should:Footnote 84

  • Design and organise the security measures to fit the nature of the personal data he holds and the harm that may result from a data security breach;

  • Be clear about who in the organisation is responsible for ensuring data security;

  • Make sure he has the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and

  • Be ready to respond to any data security breach swiftly and effectively.

In taking security measures, one could take into account the physical security of the premises; the security measures incorporated into the computer systems, such as firewalls, passwords, and encryption controls; the level of training and supervision of employees; and the manner in which data and equipment are disposed of.Footnote 85 For example, in disposing of the computers, the data users should make sure that all data in the computer’s memory are permanently destroyed and cannot be retrieved in any manner. Data users should also install secure and highly reliable systems in order to prevent any unauthorised access, such as hacking or cracking.Footnote 86 Any unauthorised access to computer data is an offence under the Computer Crimes Act 1997. Some companies and organisations adopt technical standards such as the Information Security Management System (ISMS) and other technical audit approaches based on specific industry sector requirements. Adopting these standards and approaches may help companies and organisations in complying with the security principle.Footnote 87

Section 9(2) states that when the processing of personal data is carried out by a data processor on behalf of the data user, the data user shall ensure that the data processor also complies with the security principle, such as requiring the data processor to provide sufficient guarantees in respect to the technical and organizational security measures governing the processing to be carried out and to take reasonable stepsFootnote 88 to ensure compliance with those measures.

3.5.5 Retention Principle

According to Section 10, the personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of that purpose. The data user has a duty to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed. A data user’s obligations under the PDPA begin from the moment he collects the personal data until the time when the personal data has been returned, deleted, or destroyed.Footnote 89

According to the Guide, in order to comply with this principle, a controller (data user) should:Footnote 90

  • Review the length of time he keeps personal data;

  • Consider the purpose or purposes he holds the personal data for in deciding whether (and for how long) to retain it;

  • Securely delete personal data that is no longer needed for this purpose or these purposes; and

  • Update, archive, or securely delete personal data if it goes out of date.

This principle requires the data user to regularly review the personal data he holds and to delete personal data that is no longer of value or relevance to the data user’s activities.Footnote 91 Personal data that the data user no longer needs to access regularly, but which still needs to be retained should be securely archived. It is a good practice to maintain a data retention policy that clearly sets out the retention periods for different categories of personal data, how data should be retained, archived, or deleted after a certain period of time, and audit and review mechanisms.Footnote 92

The retention period depends on the purposes for which the personal data is retained. If it is necessary to retain the personal data for one of the reasons set out in Section 6(2) of the PDPA, such as for the performance of a contract or for compliance with any legal obligation, then the personal data should continue to be retained for as long as the reason applies. Where personal data is retained for more than one purpose, the personal data should continue to be retained until it is no longer needed for all purposes. When personal data is shared between organisations, the shared personal data should be returned to the organisation that supplied it, and the recipient should not keep a copy for itself.Footnote 93 However, personal data should not be retained indefinitely just because there is a small possibility that it may be needed in the future.
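The retention rules set out in this section and the preceding paragraphs (review regularly, keep only while a purpose remains, archive what must be kept but is no longer accessed, delete securely once no purpose remains, and never keep data on a speculative future need) can be turned into a review routine. The following Python is an added example, not code from the book or any regulator; the class and function names, the three-way retain/archive/delete outcome, and the sample purposes are constructed, and the statutory period in the sample is a placeholder rather than a figure from Table 3.2.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionPurpose:
    """One reason for holding a record, with the two dates the retention principle turns on."""
    name: str
    active_until: date                   # last day the data is needed for regular use
    retain_until: Optional[date] = None  # last day it must be kept at all (e.g. a statutory period)
    speculative: bool = False            # "might be useful in the future": not a valid reason


def validate_purposes(purposes: list[RetentionPurpose]) -> list[str]:
    """Return the reasons a set of purposes cannot justify retention (empty list = acceptable)."""
    problems: list[str] = []
    for p in purposes:
        if p.speculative:
            problems.append(f"{p.name}: indefinite retention on a speculative future need is not permitted")
        if p.retain_until is not None and p.retain_until < p.active_until:
            problems.append(f"{p.name}: retain_until precedes active_until")
    return problems


def retention_action(purposes: list[RetentionPurpose], today: date) -> str:
    """Decide, for a review on `today`, whether a record is retained, archived or securely deleted."""
    problems = validate_purposes(purposes)
    if problems:
        raise ValueError("; ".join(problems))
    if not purposes:
        return "securely-delete"  # nothing justifies keeping it
    # Keep while any purpose still needs regular access ...
    if any(today <= p.active_until for p in purposes):
        return "retain"
    # ... archive while any purpose (e.g. a statutory period) still requires it to be kept ...
    keep_until = max(p.retain_until or p.active_until for p in purposes)
    if today <= keep_until:
        return "archive"
    # ... and delete only once it is no longer needed for all purposes.
    return "securely-delete"


def demo() -> dict[str, object]:
    """Constructed sample: a customer record held for a contract and for tax record-keeping."""
    contract = RetentionPurpose("performance of contract", active_until=date(2024, 6, 30))
    # Placeholder statutory period for the example; not a figure taken from the book.
    tax = RetentionPurpose("tax record-keeping (placeholder period)",
                           active_until=date(2024, 6, 30), retain_until=date(2031, 6, 30))
    just_in_case = RetentionPurpose("may be useful one day",
                                    active_until=date(2024, 6, 30), speculative=True)
    held = [contract, tax]
    return {
        "during_contract": retention_action(held, date(2024, 1, 15)),
        "after_contract": retention_action(held, date(2025, 1, 15)),
        "after_statutory_period": retention_action(held, date(2031, 7, 1)),
        "no_purpose": retention_action([], date(2024, 1, 15)),
        "speculative_rejected": bool(validate_purposes([just_in_case])),
    }


if __name__ == "__main__":
    for situation, outcome in demo().items():
        print(f"{situation}: {outcome}")
```

Separating the date on which regular use ends from the date on which retention ends is what lets the routine send a record to a secure archive while a legal obligation still runs, and only then to secure deletion.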

Personal data may be retained so that the data user may defend any future legal claims. Certain laws and regulations (such as those related to tax or employment laws) may also require that personal data be retained for a certain prescribed period of time. Some of these laws and regulations are as shown in the table below (Table 3.2):

Table 3.2 Laws and regulations that stipulate retention period

3.5.6 Data Integrity Principle

Section 11 requires a data user to take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by considering the purpose, including any directly related purposes, for which the personal data were collected and further processed. The word ‘accurate’ is not defined. The DPA 1998 (UK) states that data is inaccurate if it is incorrect or misleading as to any matter of fact. According to the Guide, in order to comply with this principle, a data controller (data user) should:Footnote 94

  • Take reasonable steps to ensure the accuracy of any personal data he obtains;

  • Ensure that the source of any personal data is clear;

  • Carefully consider any challenges to the accuracy of information; and

  • Consider whether it is necessary to update the information.

The PDPA does not prescribe the methods to ensure that the personal data is accurate. It merely requires the data user to take reasonable steps to ensure that the personal data is accurate. The Guide states that what amounts to ‘reasonable steps’ will depend on the circumstances and the nature of the personal data and what it will be used for. It says that if a data controller (data user) will be using the personal data in making decisions that may significantly affect a data subject or others, the data controller (data user) will have to put more effort into ensuring accuracy. If the personal data is given by the data subject himself or by a reliable source, it will be reasonable to assume that the personal data is accurate.Footnote 95

As to the question of whether updating is required, this would depend on the nature of the data and the purpose for which the data is processed. If the data is merely to be used as an historical record of a transaction between the data user and the data subject, no updating is required. However, when the personal data has a material impact on making certain decisions or taking certain actions, such as when the personal data is used to decide whether to grant credit or confer or withhold some other benefit, regular updating may be required.Footnote 96 This data integrity principle is linked to the data subject’s right to correct his personal data in order to ensure that it is accurate, complete, not misleading, and up-to-date under Section 34 of the PDPA.

3.5.7 Access Principle

Section 12 provides that a data subject shall be given access to his personal data held by a data user and be able to correct that personal data when the personal data is inaccurate, incomplete, misleading, or not up-to-date, except when compliance with a request for such access or correction is refused under the PDPA.

3.6 Exemptions

The PDPA provides for two types of exemptions—total and partial. Total exemption means the PDPA shall not apply at all. Partial exemption means certain PDP Principles and other related provisions of the PDPA shall not apply to some processing activities.Footnote 97 The Minister also has the power to exempt the application of any of the PDP Principles to any data user or impose any terms or conditions as he thinks fit (Table 3.3).Footnote 98

Table 3.3 Exemptions

3.7 Rights of Data Subject

The PDPA confers a number of rights to the data subject (Table 3.4):

Table 3.4 Rights of data subject

3.8 Criminal Offences

The PDPA creates a number of new criminal offences for the failure to comply with the provisions under the PDPA (Table 3.5):

Table 3.5 Criminal offences