The regulatory body overseeing proper use of personal data has hauled up three companies for breaking the law this year.
But it is merely getting “warmed up” with more inspections to come.
The Department of Personal Data Protection (PDP) has begun enforcing the Personal Data Protection Act (PDPA) and will be doubling up checks and visits to companies to ensure they comply with the law.
In May, a private college operator was the first to be brought to court for processing the personal data of a former staff member without a certificate of registration from the Personal Data Protection Commissioner.
The department also took action against a recruitment agency and hotel operator for similar offences.
The hotel was slapped with another charge for processing personal data without the consent of its customers.
So far, these two offences – failing to obtain consent from data subjects and processing personal data without being registered – are the most common offences by companies under the Act.
“Most of such companies are from the tourism and hospitality industry and the health sector,” Personal Data Protection Commissioner Khalidah Mohd Darus tells Sunday Star.
The department, she says, wants to rev up its enforcement as this would boost trust and confidence in customers when doing business with such data users.
As for mobile apps, these must comply with PDPA as well, stresses Khalidah.
“Mobile apps are not required to register under the PDPA.
“But they must still comply with the Act since they process personal data in commercial transactions,” she says.
She explains that mobile apps, as data users, are allowed to process personal data, including collecting, recording and storing such information.
“But such details must be adequate, and not excessive, in relation to the purpose of the business,” adds Khalidah, pointing out that collecting excessive data will be violating the general principle of the Act.
Stressing that it’s better to be safe than sorry, Khalidah advises the public to practise self-control and not overtly share sensitive personal data, be it offline or online.
“I would also like to remind data users who haven’t registered to do so immediately,” she says, adding that companies can log on to PDP’s online system at daftar.pdp.gov.my.
On Nov 16, the PDP also flexed its muscles when it asked the Malaysian Communications and Multimedia Commission to block a website under Section 130 of the PDPA for unlawful collection of personal data.
Bar Council cyber law and information technology committee co-chairman Foong Cheng Leong says an individual has a right under the PDPA to request a copy of the personal data processed by the data user.
“You also have a right to withdraw your consent in allowing your personal data to be processed by a data user.
“However, the data user has the right to refuse the request to delete the data if they are required to process such information by law,” he says.
“Online users should also be vigilant in what data they provide. If it isn’t necessary, online users need not give such data,” he says.
Cyber law expert Prof Abu Bakar Munir, who was involved in drafting the PDPA, points out that the law clearly prohibits the collection of excessive data.
“Data users must also clearly state the purpose of collecting such information. If the data is no longer needed for that purpose, the data user has to destroy it,” says the former dean of Universiti Malaysia’s law faculty.
While the PDPA currently does not apply to the federal or state governments, Prof Abu Bakar thinks perhaps it is time that this area be given a relook.