AFTER much consultation and debate, the Malaysian Personal Data Protection (PDP) Act 2010 will be operational come Jan 1, 2013.
This Act, instituted to regulate the processing of personal data in commercial transactions, makes it illegal for commercial organisations to sell personal information or allow the use of such data by third parties. Infringement of this law is serious, as the potential fine could be as much as RM100,000 and/or imprisonment of up to a year.
This new legislation is aimed at protecting all personal data transactions that have commercial value. Market research companies are in the business of collecting, processing, tabulating, analysing and reporting consumer and market information for paying clients.
There are currently more than 40 research companies in Malaysia, offering a complete range of research services and methodologies. Clearly, this PDP Act does cover all commercial market research work conducted by these companies.
This Act is specific about the rights and obligations of the three parties for whom it is intended. The three parties are categorised as:
● Users: The person, including a corporate organisation, who either processes the personal data or gives authorisation for the processing of the data
● Data processors: Persons who, on behalf of the data user, process the data
● Data subject: The individual to whom the personal data relates.
Almost all research projects conducted are commissioned by clients (users) to assist them in their business decisions. Through this commercial transaction, the role of market research companies would fall under the classification as data processors.
However, there are exceptions. This legislation, in addition to exempting Federal and State Governments, is not applicable if the data is processed outside Malaysia, unless the personal data is intended to be further processed in Malaysia.
A specific example would be in the area of online surveys. The respondent (data subject) could be residing in Malaysia but the company conducting the study could be based in Singapore. This would mean that the law is not applicable to the Singaporean company that is conducting the survey, unless it can be shown that the data is intended for use in Malaysia.
Implications to industry
This legislation specifies seven principles with which the processing of personal data by a data user must comply. I will examine each one within the context of market research practice:
● General Principle
The Act does not allow a data user to process any personal data unless the data subject has given his consent. The law also provides that any personal data processed must be for a lawful purpose directly related to the activity of the data user.
All properly designed questionnaires in a survey contain an introduction on the nature of the survey and the name of the survey company. The questionnaire also includes a screener to ensure that the right respondents are selected. If the respondent “passes” the screening questions, there will be a question to ask for the respondent's permission to proceed with the survey.
This procedure practised by market research companies is very much in compliance with the General Principle as cited in the PDP Act.
● Notice & Choice Principle
This principle states that a data user is duty bound to inform the data subject (i.e. respondent) via a written notice, about the processing of his personal information and this must be accompanied by a notice that the respondent has the right to request for correction of the personal data and how to contact the data user with any inquiries or complaints.
The manner in which this is implemented by market research firms is that they would have to provide the respondents with an official letter, on behalf of their clients (data users). The letter will have to mention the purpose of the survey, assurance that the respondents' personal data will be kept confidential and contact details of the company.
● Disclosure Principle
The disclosure principle prohibits the user from revealing the data subjects' information without their permission. The biggest impact of this rule would be in the area of customer satisfaction surveys and research projects where the database is provided by the client (data users).
The data users would have to notify their customers or consumers that their personal information will be handed over to a research company, to gather their feedback about the company's services and opinion on their products and services.
This is going to involve some fundamental changes by both the clients and research companies.
However, for other types of research studies, the impact of disclosure will be minimal. The results from most surveys are reported as an aggregation from all the responses obtained from a targeted group of respondents.
The sample size obtained very much depends on the objectives of the survey and the depth of analysis required, but it is definitely not based on only one person! Quantitative surveys are not meant to be reported at an individual level but rather by a grouping of individuals. Therefore, the possibility of individual data being disclosed from survey data is remote.
● Security Principle
The law requires that the respondents' data are protected from any loss, misuse, and unauthorised access. For this reason, research companies are obliged to take steps that ensure that the data obtained from the respondents are kept confidential.
One of the fieldwork procedures currently used by market research companies is that respondents are assigned numeric IDs. This will prevent the actual names of the respondents from being released to unauthorised parties without the respondent's consent.
● Retention Principle
This rule stipulates that the personal data should not be kept longer than is necessary and that it should be permanently deleted once its use is no longer required. The period is left open to the discretion of data users.
The general practice amongst market research companies is that all research records are kept for three to as long as five years. This is primarily for accounting purposes as opposed to client requirements. This is where market research companies would have to introduce new procedures, one of which is to notify their clients of the disposal of the research files earlier than the time frame currently practised.
● Data Integrity Principle
This rule places the responsibility on data users to ensure that the data collected are accurate, complete and up-to-date. The rule is embedded into the research process with market research companies, certainly among those which are members of ESOMAR (European Society for Opinion and Market Research).
● Access Principle
This rule relates to the procedure where the respondents are given access to their personal data so that they can request for the data to be corrected, if it is inaccurate, incomplete or misleading.
The PDP Act will definitely affect the way market research is conducted and all market research companies will need to be aware of the rules and regulations under this Act.
As most market research companies operating in Malaysia have already been adopting the standards set by ESOMAR in their conduct of market research, their compliance with the PDP Act will be relatively easy.
Some minor changes will be required, primarily in the area of informing the respondents (data subjects) of their rights and disposal of data.
Nevertheless, the Disclosure Principle is an important rule. Market research companies working together with their clients would have to implement additional steps to ensure that permission is obtained from the respondents in research projects where the database is provided by the user.
● Barry Ooi is president of the Marketing Research Society of Malaysia.