SINCE the implementation of the Personal Data Protection Act 2010 (PDPA Act 2010) on Nov 15, 2013, there has been continued confusion, not only in the corporate sector but also among public entities, in appreciating the objectives and purposes of the Act.
On the public sector level, the sale of data issue raised by deputy minister Ching Sin Woon in “Ministry probes sale of database” (The Star, Dec 31) is another case in point when he said that data/database containing private details of students cannot be sold to the private sector.
I would like to add to his position/view on the law.
The sale is not only unforgivable but liable to prosecution under the PDPA Act 2010.
Such data is highly sensitive and is not only protected under the PDPA Act 2010, but also attracts serious criminal liability questions on the basis that the use and sale of such private personal data breaches several penal provisions of the PDPA Act 2010, such as the breach of data confidentiality, sale of data, illegal transmission of data, improper retention of data, etc.
Hence, investigation and proper prosecution by the Personal Data Protection Commission (PDPC) must be commenced swiftly to address this criminal/illegal activity to protect public policy and public interest.
On the private front, banks, companies and entities engaged in cross-border business and trade activities appear to have adopted contrasting standards of compliance which are not within the purview, scope and nature of the Act.
This is aptly raised by “VRK” in “There is still confusion over Data Protection Act” (The Star, Dec 31).
The implementation to date has not been consistent, if not unsatisfactory at best, since the first guidelines were issued by the Personal Data Protection Commissioner (Jabatan Perlindungan Data Peribadi) some time ago.
In its haste to comply with the PDPA Act 2010, the private sector (where such private companies have a business presence) failed to take note that the Malaysian Act itself, i.e. PDPA Act 2010, is rather unique and not exactly the same as the personal data law of other countries such as the UK Data Protection Act 1998 and the Singapore Personal Data Protection Act 2012.
To compound the matter, there appear to be two different compliance standards for the private sector on one hand and the public sector on the other.
As an update for compliance purposes for 2015, the most recent action by the Personal Data Protection Commissioner in issuing the “Personal Data Protection Standard 2015” (which came into force on Dec 23) is rather timely to correct the different implementation of data standards for both sectors within industry.
Perhaps, to further educate the public and private industry in understanding the law, there is an urgent need for the Personal Data Protection Commissioner to correct the prevalent misunderstanding and misapplication of the data law by the private sector so that the objectives and purposes of the Act are achieved.
This can be further enhanced with better PDPA awareness programmes and integrated PDPA guidelines for implementation and enforcement at both the private and public sectors.