Sunday, February 13, 2011

It's been a long time since I last posted on my blog. My blog is now the second result in Google's search for "PDPA2010", which is Malaysia's Personal Data Protection Act. I take it as an inspiration to continue blogging. I'm not sure it will be dedicated only to studies and research, but I will share my experiences of any kind here.
Follow me... :)

Saturday, November 13, 2010

The End!

In the previous posts I tried to focus on privacy issues on the internet, with a focus on the most controversial ones.
Stories of cyber crime are becoming more and more regular, and sometimes shocking, every day.
We ourselves are sometimes the victims; hopefully the issues are not so devastating, but we still experience how disgusting it is to have our privacy invaded.
I'm sure we have learned a lot through this blog assignment. We have come across stories and realities that we had never even thought about, but these are realities we should be aware of, both as individual internet users or data subjects, and as members of organizations (data users) who deal with other people's personal data.
We as managers should always be aware of ethical issues, and we should never forget that even our own organization may be a victim of unauthorized and illegal data disclosure.
It's on us to start the change, with knowledge, professionalism and ethics.
Good luck, and always hope for better days to come!
SHIVA

PDPA 2010, oppositions and limitations…

From the opposition's point of view, despite agreement in principle on the need for such a law, a few concerns were raised, mainly:
  • On the applicability of the law: it is argued that its application should extend to the biggest data pool in the country, i.e. the Government (section 3 of the Act excludes the Federal and State Governments from its application).
  • That the Commissioner should be answerable to Parliament instead of the Minister.
  • That the law provides exemptions that are too wide. One MP noted that this is not in line with the international standard found in the EU Directive.
  • That a time frame should be prescribed for certain obligations, such as the retention period.
The ruling side maintains that the Government should be excluded from the Act's application due to certain necessities. This policy has clearly been chosen by the Government, or perhaps there are other laws or rules in place that control the misuse of personal data by Government agencies.
The argument that the PDP Commissioner should be answerable to Parliament is refuted on the basis that such an arrangement would be a departure from the established doctrine of separation of powers adopted by the Malaysian constitution.
The debates have left some questions about how effectively the Act will be implemented in future.
Still, with all these controversies, the law is considered a real gift for people who have suffered enough from the abuse of their own personal data.

We hope that some day a similar Act will be passed in Iran, protecting users from damage other than the financial kind!

the overall review of PDPA

The Personal Data Protection Act 2010 ("PDPA"), tabled as the Personal Data Protection Bill 2009, was passed by the Dewan Negara on 4 May 2010. The authorities are now aiming to create public awareness of the concepts of data protection compliance and data security.
The PDPA gives individuals in Malaysia the right to know what personal data is held about them and sets out rules to make sure that this personal data is handled properly by the organizations holding it.
Personal data is information about a living individual who is identified, for example, by a name in combination with a home address, office address or telephone number. A description of a person without a name is also personal data if it can be used to identify that person, such as a job designation, email address, age or address.
Organizations, companies or individuals are required to register under the PDPA as data users if they collect and hold personal information about individuals in respect of commercial transactions, whether contractual or not, in any matter relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.
For all the MBA students (mainly those who want to work in a country like Malaysia, where the privacy of data subjects is protected by legislation of this kind) it is necessary to understand the concepts of data protection compliance and how they can help them guide their organizations toward compliance readiness.
The PDPA applies to local and foreign companies operating in Malaysia that process any personal data in their commercial transactions relating to the supply or exchange of goods or services, such as insurance companies, cooperatives, private colleges and universities, banks and financial institutions, accountants, engineers, surveyors, lawyers, private hospitals and clinics, and any businesses and companies that store personal data.
The rights of data subjects under the PDPA are provided in Part II, Division 4, sections 30-44. In short, those rights can be listed as follows:
  • Right to access
  • Right to correct data
  • Right to withdraw consent for data processing
  • Right on sensitive data
  • Right to prevent distress/damage
  • Right to prevent direct marketing
There are still some prominent issues that can confront individuals, such as workplace monitoring, junk mail/spam, data theft, and pictures taken in public places, which should be taken into consideration.
In order to achieve better implementation of PDPA 2010, organizations should view and manage it from the perspective of individuals, not merely that of the organization, because within organizations their people (employers, employees, business partners) are all data subjects too.

A case of privacy leakage, could it be met by the PDPA?!

We discussed the issue of "cyber stalking" in class. There are many things cyber criminals do to obtain your personal data, stalk you, and then go on to commit many other crimes. Mostly they will pressure you into paying them, and in return they promise not to release your personal data.
This stalking is also possible through the monitoring of cell phone communications.
What would you do when you realized that an unknown person had in their possession records of your SMS exchanges and actual recordings of your telephone conversations, and had sent them to your own desktop? Shock, fear, terror, humiliation (of a sort), and so on, you name it. Yes, it's a nightmare!


This case happened in Malaysia!
A lady who experienced this brought a lawsuit against one of the major telecommunication providers for allegedly revealing the content of her private communications to a third party.
This lawsuit is the first that could trigger the provisions of the Personal Data Protection Act 2010. Since the law has not yet been seriously enforced and the case proceedings have not started, hopefully we will hear more in the near future about how the case was resolved and how the PDPA was applied.
Meanwhile, the telecommunications company involved issued a statement that it would carry out an investigation into the allegation.

For the time being, it is worth taking a look at the privacy policies of these providers to check whether they have made changes based on PDPA 2010. If not, will the plaintiff be able to prove her claim and accuse this company of a PDPA infringement?!

Friday, November 12, 2010

Which data are not protected by PDPA?

Although PDPA 2010 is one of the most important pieces of internet and ICT legislation passed in Malaysia, the provisions of this statute show that there are limitations in the scope of data the Act covers. The following graph illustrates the limitations, and further comments follow:


Personal data contained in the following fields is not protected under PDPA 2010:
  • electoral rolls,
  • the taxpayer database under the Inland Revenue system,
  • criminal records held by the justice system,
  • traffic offence records under road and traffic regulation,
  • and much more personal data held within the Federal and State Governments.

Also, personal data stored and kept by these and many other foreign online providers that do not have local data-processing centres is not protected under the Act:
  • Google,
  • Yahoo!,
  • Facebook,
  • Twitter,
  • BlackBerry Messenger


Other sources of personal data that are not protected are:
  • personal data retained by charitable, social, political and other non-commercial institutions;
  • your (often outdated) personal data retained by a variety of credit reporting agencies in Malaysia (such as you-know-who);
  • your personal data kept by thousands or millions of your friends or family members in their mobiles, computers and archives, in both paper and paperless media.
As you can see, although we consider the PDPA a breakthrough move toward data protection, there are still many threats to our personal data: it may be exposed, changed or sold.
There is still a long way to go… and there will never be 100 percent protection. It's all on us!

What does PDPA 2010 offer?!


Under the PDPA:
  • Businesses that process their individual customers' personal data will need to re-evaluate the data they currently hold.
  • Privacy policies, processes and consent should be reconfirmed.
Consumers will also have a new set of rights:
  • to be informed about their personal data;
  • to access, correct and control their data;
  • to control the processing of their personal data by other parties.

The implementation and enforcement of this Act are intended to protect the safety, security, integrity and reliability of the network and its services. The Malaysian Communications and Multimedia Commission (MCMC) is the agency at the forefront of the fight against crimes committed on the communications network.

In order to better understand the PDPA 2010 we should take the following steps:

• Overview of PDPA 2010
• Key terms to be aware of, e.g. Personal Data, Sensitive Personal Data, Data User, Data Subject, Processing
• The 7 Principles of Data Protection
• Registration of Data Users
• Rights of Data Subjects, e.g. the right to access and the right to correct personal data
• Offences and consequences
• Transitional provisions
• Steps to be taken now to be compliant with the Act