The Personal Data Protection Act 2010 has come into force, but the public will have to do their part to make it effective.
EAGER to win the grand prize, Maria (not her real name) did not hesitate to “drop” her name card at the door for a lucky draw at a company dinner.
Weeks later, she found herself inundated with phone calls and text messages offering different services and products.
It is an accepted practice in Malaysia to leave our call cards or personal information at the registration counter of public events. But have you ever wondered what your personal data will be used for later? Or how it will be stored?
This has become so common here that no one thinks twice about the risks and implications, says personal data protection law expert Dr Sonny Zulhuda.
Under the newly enforced Personal Data Protection Act 2010 (PDPA), however, this practice will have to be reviewed, particularly for business entities that use these occasions as an opportunity to build their network of potential customers.
The main issue is how adequately the organiser has informed the guests about what they intend to use the information for, Dr Sonny points out.
The Act stipulates that consent for personal data processing must be given explicitly: it has to be expressed, rather than implied or assumed.
“For consent, the consumer has to ‘opt in’ (you agree to have your personal data processed) and not ‘opt out’, where consent is automatically assumed unless you say otherwise,” he argues.
The organiser will also need to justify why they need the information they are asking for. In the case of lucky draws, for instance, why do they need to collect more than the guest's name?
The same principle applies for “commercial transactions” that we have taken for granted, such as at promotional counters where personal details are asked in exchange for product samples or memberships to product brand clubs, adds Dr Sonny who is an assistant professor at the law faculty of the International Islamic University Malaysia.
Data has become an integral part of life in today's world, and thanks to the advent of digital technology, collecting, editing, sharing and transferring data have never been easier.
Personal data, which includes identity card numbers, addresses and bank account details, is now both a highly valuable commodity and a potentially dangerous weapon. The enforcement of the personal data protection law is thus not only timely, but also necessary, to protect the safety and privacy of consumers who have for too long been left at the mercy of companies and organisations when it comes to their personal data.
After all, can you remember the last time your day was not interrupted by unsolicited phone calls, text or e-mail messages offering a product or service that you must have, or an event that you cannot miss?
In many respects, the new law puts the interest of the consumers (data subjects) at its heart, allowing them more control over their respective personal data. However, its effectiveness will depend on how well they understand their rights and limitations.
Know your facts
The strongest message the PDPA seeks to convey is that data subjects are the real “owners” of their personal data, Dr Sonny highlights. “The companies or industries (that process the data) are only ‘data users’.”
He stresses that it is important for consumers to know their rights as stipulated in the Act: “right to access, right to correct data, right to prevent damage or distress, right to withdraw from data processing, right to prevent direct marketing, and very critically right to bring a complaint on data abuses to PDP Commissioners.”
Data users, meanwhile, are obligated to provide the mechanisms that allow data subjects to exercise these rights.
The rights of access and correction allow data subjects to request to check and verify the personal data held about them. Any personal data deemed inaccurate can be corrected or struck off the record.
To exercise both rights, the consumer will need to make a request in writing to the data user, which the company or organisation must comply with within 21 days.
Another important data-subject right provided by the Act is the right to withdraw consent. This provision drives home the message that when a consumer gives consent for their personal data to be processed, it is not forever. When consent is withdrawn, the data user will have to stop processing the personal data. Failure to do so is an offence that carries a fine of up to RM100,000 or a maximum one-year jail term, or both.
A multimedia marketing executive who only wants to be known as Yee is relieved that he can now request that his personal data be deleted from his bank's records after he closes his account.
“Previously, I took a loan from a bank that I did not have an account with. After I finished paying off that loan, their sales agents kept calling me to offer me other loans and insurance. It was a hassle to get them to delete me from their database,” he says.
In fact, a data subject can even request that the data user not begin processing, or stop processing already under way, particularly if the processing is likely to cause damage or distress to the person. (The PDPA also singles out sensitive personal data, which includes physical and mental health records, political opinions and religious beliefs.)
Crucially, taking heed of the public's distress over rampant unsolicited telemarketing messages, the PDPA gives data subjects the right to ask telemarketers to stop their communications (SMS, e-mail, calls, etc), even if prior consent has been obtained. Failure to comply will cost the direct marketing company a fine of up to RM200,000 or a jail term of up to two years, or both.
Consumers can also ask the direct marketing companies to stop processing their personal data for future profiling, screening or data mining activities.
Some are exempted
The recent festive season may have had your phone buzzing non-stop, your inbox clogging and your mail box overflowing with well-wishes. But how many are from people you have actually provided personal details to?
And now with the general elections drawing near, telemarketing messages may not be the only unsolicited communication many are receiving (see chart).
Yee says he was irritated to receive not only invitations from entertainment outlets and nightspots to party with them, but also invitations from certain groups to join in their celebrations.
“What I want to know is where they got my phone number,” he grumbles.
Unfortunately, not all of these grouses can be brought to the attention of the PDPA department.
This is one of the limitations of the Act that data subjects need to be enlightened about, says Dr Sonny.
He is talking about the non-applicability of the PDPA in instances such as the processing of personal data by the government and its agencies (government-linked companies may not be included); “non-commercial” transactions; credit reporting businesses; data processed outside the country; and data collected solely for personal purposes.
Before they can take their complaint to the authority, data subjects will need to determine whether the Act applies in their case: for example, whether the matter is a commercial transaction or a public service announcement, or whether the data user is a government agency or is based overseas.
For one, the Act does not have jurisdiction over two of the biggest repositories of personal data on Malaysians: the National Registration Department (a government agency) and Facebook (the data is not processed in Malaysia).
With many businesses moving towards social media networks for their transactions, this provision may provide a loophole for schemers and scammers.
Data users like political parties, religious bodies and charitable organisations will have to be looked at on a case-by-case basis when issues arise; action can be taken if the data abuse in question involves a commercial transaction.
Although there are other laws governing these data users, this is an area that the Government would need to look into later for the PDPA, says Dr Sonny, especially in light of the rising incidence of hacking and data breaches around the world. As he points out, many countries that have enforced a personal data protection law have streamlined it to cover both public and private entities.
Similarly, although data users are required to comply with seven principles to safeguard the integrity of the personal data in their keeping, there are instances when they are exempted from the principles.
Total exemption is granted for personal data processed by an individual for the purposes of his or her personal, family or household affairs, including recreational purposes.
Partial exemptions are given for the investigation of crime, the collection of tax, and court orders or judgments. In these cases, for instance, data users do not need to obtain the individual's consent for the processing of their personal information (the general principle), notify them (the notice and choice principle), or keep the personal data private (the disclosure principle).
Other partial exemptions include those for research and statistics, or for journalism, literature and art. However, a claim for exemption will also have to be assessed on a case-by-case basis.
Physical and mental health records, an area already regulated by the Malaysian Medical Association Code of Ethics and the Malaysian Medical Council Guideline: Medical Records and Medical Reports, are also treated specially under the PDPA: such personal data can be withheld from the individual if it is in the best interests of the patient.
However, all exemptions are void when it comes to the issue of national security.
Sign for one, get all
The PDPA prevents companies and organisations from using people's personal data to make unsolicited calls to sell various products and services.
Still, consumers will need to be vigilant about the fine print!
One common practice that has caught many consumers unawares is that when you sign up for one service, you usually end up receiving marketing “in bulk” from the company, its subsidiaries and even its partners.
Take one bank's privacy and security statement: “We may pass your personal information to our other group companies and agents, as permitted by law.”
A customer service officer from the bank revealed that customers can write in to stop receiving SMS or e-mail offering goods and services from their other departments and their partners. In effect, the onus remains on the customer to take control of their personal data.
While many are still putting their houses in order (data users have a three-month grace period from the PDPA enforcement date), another bank concedes that it will not be able to issue a blanket “stop” to all marketing communications after a request is submitted, due to technical issues.
“There is no mechanism or database yet for us to alert our sales agents that a customer has withdrawn his or her consent for further promotions and offers. There is also no way for us to monitor all of our agents when they call our customers,” says the officer when asked.
The same is true of memberships of many product brand clubs.
With many of these finer points yet to be ironed out, data subjects are cautioned to be more prudent with their personal data.
As Nigel Tan, director of systems engineering at Symantec Malaysia, advises, since not divulging any personal information at all is rarely possible these days, consumers need to think carefully before sharing their personal data.
“To take advantage of many services, we will inevitably have to provide personal information such as for handling of billing and shipping of purchased goods. Each person is responsible to protect his/her personal data and has the right to expect organisations to handle their personal data carefully and correctly.
“We strongly recommend that consumers pay attention to privacy policies of the organisation collecting the personal information. It is important to understand how an organisation will use your personal information before you share it with them. When needed, find out why the organisation needs your particular personal information and only share information that is required.”
Tan adds that with an increasing number of online services that require the sharing of personal information, consumers also need to learn how to share personal information safely online.
Dr Sonny agrees that data subjects need to be extra cautious when it comes to online transactions, including on social media networks, blogs and online video or photo sharing websites.
“Any disclosure of personal data by data subjects would be detrimental for themselves. So, data subjects need to be ever vigilant, critical and conscious whenever there is any person requesting your personal information for any business, transaction, communications or just ‘engagement’, and by any means: face to face, e-mails, phone, mail, brochures, etc,” he stresses.
They must first ask these questions before disclosing their personal data, Dr Sonny adds: “Why do you need my data?”; “Do you really need this particular data?”; “How would I know if you really secure my data?”; “Who will be in charge of handling my requests, inquiries and complaints about the data processing?” and others.
Now that the Act is enforced, Dr Sonny also advises consumers to quickly identify people or companies who have been using their personal data without their knowledge or consent, or otherwise contrary to the original purpose that they consented to.
“If those unpleasant practices still occur, they need to immediately request that the practices be stopped,” he notes, adding that data subjects need to familiarise themselves with how to bring their complaints regarding alleged misuse or abuse of personal data to the relevant authority stipulated by the law, the PDP Commissioner.
“Given the recent rampant potential abuses, this aspect will be imminent in the near future.”