© 2013 Deloitte Consulting
Personal Data Protection Act 2010
CIOs - are you ready for PDPA?
15th January 2013
PIKOM PDPA Awareness Seminar
Presented by:
Joanna Liew
Director of Deloitte Consulting Malaysia
Agenda

4:00pm  Registration
4:30pm  Overview of PDPA
4:45pm  Key Components of PDPA
        • 7 Principles of PDPA – Understanding the Core Pillars of the Act
        • Rights of Data Subject – Know Your Rights as an Employee and Consumer
        • Compliance Requirements – What Employers Need To Do
        Getting Ready for PDPA
        • Potential Impact and Risks
        • A Practical Approach for Operationalising PDPA in Your Organisation
6:00pm  Question & Answer Session
Overview of PDPA
Personal Data Protection in Malaysia

The Malaysian government gazetted the Personal Data Protection Act 2010 (PDPA) with the aim of regulating the collection, storage, processing and use of any personal data. It is not intended to obstruct the legitimate use of information but strives to ensure that it is used fairly via its principles.

The Act applies to:
• Any person who processes or authorises the processing of any personal data in respect of commercial transactions
• Personal data processed in Malaysia
• Use of equipment in Malaysia for processing personal data
The Malaysian Personal Data Protection Act: Why PDPA?

• Protect personal data belonging to the public from being misused through commercial transactions
• Protect sensitive data from being misused
• Facilitate international trade
• Protect consumer rights

"Commercial transactions" means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting agency under the Credit Reporting Agencies Act 2009.
What is Personal Data?

Personal Data means:
• Any personal information in respect of commercial transactions
• Information that relates directly or indirectly to a data subject
• Sensitive personal data, e.g. physical or mental health, political opinions, religious beliefs, offences or any other data as the Minister may determine
• Any expression of opinion about the data subject
PDPA Enforcement Timeline

• Jun ’10: Personal Data Protection Act 2010 was gazetted
• Feb ’12: Personal Data Protection Department was set up
• Jan ’13: We are here today. Organisations should act now!
• From April ’13 onwards (estimation)*: ENFORCEMENT. Companies are to be given an estimated 3 MONTHS* for compliance with PDPA

Note:
* According to Deputy Minister Datuk Joseph Salang, Information Communication and Culture Ministry, at the 2nd Annual Personal Data Protection Summit 2012 (Bernama, published on 12th December 2012). At this point in time, no date has been set for the start of enforcement as it is dependent on the formation of the Personal Data Protection Commission and the appointment of the Commissioner.
Personal Data Protection Department Organisation Chart
List of Countries with Data Protection

• Europe: All countries
• Asia Pacific: Japan, Korea, New Zealand, Hong Kong, Macao, Taiwan, Thailand, Philippines, Singapore (Indonesia and China are in the midst of finalisation)
• South America: Chile, Argentina, Brazil, Mexico
• North America: United States
• Middle East: Israel

No action so far: Cambodia, Vietnam, Brunei, Laos, etc.
Various Roles Pertaining to PDPA

• Data Subject: Individuals whose data is collected for processing
• Data User: Person or organisation authorised for the processing of data
• Data Processor: Holds or processes data but does not exercise responsibility for or control over the data
• 3rd Party: Any other person or organisation other than the data subject, data processor or data user
Key Components of PDPA
7 Principles of PDPA
The 7 Principles of PDPA

1. General
2. Notice & Choice
3. Disclosure
4. Security
5. Retention
6. Data Integrity
7. Access
Principle No. 1 – General

PERSONAL DATA shall be processed if:
• The data subject has given consent
• The processing is necessary for or directly related to that purpose
• It is adequate and not excessive in relation to that purpose

SENSITIVE DATA shall be processed if:
• The data subject has given explicit consent
• The processing is necessary for employment, vital interest, medical, legal, administration of justice and other purposes where the Minister thinks fit
• The information has been made public by the data subject
Example of Personal Data

Business process fields: First Name, Last Name, Address, IC No, Bank Account No, Phone Number

Employee Information
• Personal Data: Name; IC numbers, passport numbers; Driver’s license, birth certificate; Bank account numbers; Home address, personal phone no.
• Sensitive Personal Data: Race, religion, health, political opinion, offence records

Individual Customer Information
• Personal Data: Name; IC numbers, passport numbers; Personal phone number; Home address, email address; Bank account numbers
• Sensitive Personal Data: Race, religion, health, political opinion, offence records

Third Party Information (if any): Contact name, number, address, etc.
Principle No. 2 – Notice & Choice

DATA SUBJECTS should be informed by written notice of:
• the fact that their personal data is being processed, with a description of the personal data
• the purpose of the collection
• the source of the personal data
• their rights to:
  o request access and correction
  o contact the data user for enquiries and complaints
  o be informed of the third parties to whom the data user discloses or may disclose the personal data
  o limit the choices and means of processing personal data
• whether it is obligatory or voluntary for the data subject to supply the personal data
Principle No. 2 – Notice & Choice (Cont’d)

NOTICE shall be given as soon as possible:
• At the time the data subject is first asked by the data user to provide his personal data
• At the time the data user first collects the personal data
• Before the data user uses the personal data or discloses it to a 3rd party

NOTICE shall be given in the national language and in English.
Principle No. 3 – Disclosure

No PERSONAL DATA shall be disclosed without the consent of the data subject:
• for any purpose other than the purpose(s) for which it was collected, or a purpose directly related to it
• to any other party
Principle No. 4 – Security

A DATA USER needs to take practical steps to protect the personal data from any:
• Loss
• Misuse
• Modification
• Unauthorised or accidental disclosure
• Alteration or destruction

The data user needs to consider the following:
• The nature of the personal data
• The harm that would result from such misconduct
• The place or location where the personal data is stored
• The security measures to ensure reliability and integrity
• Measures taken to ensure the secure transfer of the personal data
Principle No. 5 – Retention

PERSONAL DATA processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.

It shall be the duty of a data user to take all reasonable steps to ensure that ALL personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was collected.
Principle No. 6 – Data Integrity

The data user shall take reasonable steps to ensure that the personal data is:
• Accurate
• Complete
• Not misleading
• Kept up-to-date, having regard to the purpose of the data
Principle No. 7 – Access

A DATA SUBJECT shall be given the right of access to:
• Their personal data, and
• The ability to correct that personal data if it is inaccurate, incomplete, misleading or not up-to-date
Rights of the Data Subjects
Rights of Data Subject & Obligations of Data User

Rights of Data Subject:
• Right to access
• Right to correct
• Right to withdraw consent
• Right to prevent processing likely to cause damage or distress
• Right to prevent processing for purposes of direct marketing

Obligations of Data Users: comply within 21 days
Compliance Requirements
Registration with the Commissioner

A Gazette published by the Minister will state the data users or classes of data users who are required to register with the Commissioner.

Application for Registration:
• Submit an application for registration to the Commissioner
• Provide the prescribed registration fee and required documents
• Success: a certificate of registration is issued
• Failure: a written notice with reasons is provided

Registration Renewal:
• Renew 90 days before date of expiry
• Submit an application for renewal
• Provide renewal fee and required documents
Registration with the Commissioner (Cont’d)

Revocation of Registration. Conditions leading to revocation:
• Fail to comply with the Act, conditions and restrictions
• Provide false representation of fact
• Cease processing of personal data
Fail to comply: Fine of RM500,000 and/or imprisonment of 3 years or less

Surrender of Certificate of Registration:
• Surrender within 7 days to the Commissioner
Fail to comply: Fine of RM200,000 and/or imprisonment of 2 years or less
Sectors of Data Users Affected by the PDPA

• Communications
• Banking and Financial Institutions
• Insurance and Takaful
• Health
• Tourism and Hospitality Services
• Transportation
• Education
• Direct Selling and Direct Marketing
• Real Estate
• Utilities
• All relevant Statutory Bodies
Exemptions
Exemptions of PDPA

Full Exemption:
• At the request of the data subject
• Performance of a contract where the data subject is a party
• Compliance with a legal obligation
• To protect the vital interest of the data subject
• Administration of justice
• Personal, family, household and recreational purposes
• Other cases as prescribed by the Minister by order published in the Gazette

Partial Exemption:
• Crime Prevention/Detection
• Offenders Apprehension/Prosecution
• Tax/Duty Assessment/Collection
• Physical/Mental Health
• Statistics/Research
• Court Order/Judgment
• Regulatory Functions
• Journalistic/Literary/Artistic
Breaches of the Act
Fines & Penalties

Not more than RM500,000 / not more than 3 years imprisonment, or both:
• Processes personal data without a certificate of registration
• Unlawful collecting, disclosing or selling of personal data
• Continues to process personal data after registration has been revoked

Not more than RM300,000 / not more than 2 years imprisonment, or both:
• Contravenes the PDP Principles
• Transfers personal data to a place outside Malaysia not specified by the Minister and not in the Gazette

Not more than RM250,000 / not more than 2 years imprisonment, or both:
• Contravenes regulations and subsidiary legislation

Not more than RM200,000 / not more than 2 years imprisonment, or both:
• Failure to surrender certificate of registration upon revocation
• Contravenes the conditions for processing sensitive personal data
• Fails to comply with the Commissioner’s requirement
• Fails to comply with an enforcement notice

Not more than RM100,000 / not more than 1 year imprisonment, or both:
• Refusal to comply with a data correction request
• Continues to process after withdrawal of consent to process personal data
• Non-compliance with any code of practice applicable to the data user
Getting Ready for PDPA
Potential Privacy Related Risk to the Organization
Potential Privacy Related Risks

• Legal Risk: Fine and/or Imprisonment
• Financial Risk: Lost Sales, Investigations & Operational Clean Up Costs
• Reputation Risk: Reputation & Brand Damage

* Reputational damage will be of most concern to organisations, particularly given the media attention such incidents command.
Violation Cases

Actual Cases: Pfizer
Actual Cases: Sony
Actual Cases: Apple Apps
Actual Cases: Google Street Australia
  “Google is ‘almost certain’ to face prosecution for collecting data from unsecured wi-fi networks, according to Privacy International (PI). The search giant has been under scrutiny for collecting wi-fi data as part of its StreetView project.” (June 9, 2010)
Actual Cases: Tesco
Actual Cases: Financial Institutions
Actual Cases: Malaysia
Deloitte’s IT-Business Balance Survey

What portion of the IT Budget of your organization is spent every year on data security and data privacy?

[Chart: Portion of IT Budget (%) by region (Americas (excl. USA), Asia-Pacific, EMEA); categories: Less than 1%, Between 1% and 3%, Between 3% and 5%, Between 5% and 10%, More than 10%; scale 0 to 50%]

Source: Deloitte IT-Business Balance Survey 2009
Surveys on Current Awareness of Organisations

What is the current awareness level of the organisations on their security and privacy incidents?

Source: Deloitte IT-Business Balance Survey 2010-2011
A Practical Approach to PDPA Compliance
Organisation & Governance

Key Considerations:
• Governance
• Physical Security
• Request for Access
• Outsourcing
• Training and Awareness

Governance – Reporting Lines
Human Resource

Key Considerations:
• Disclosure, Sharing & Selling of Information
• Retention & Disposal of Records
• Handling Sensitive Information
• Access Request
• Notification
• Employment References
Information Technology

Key Considerations:
• Data Usage & Monitoring
• Data Back-up & Archival
• Portable Devices
• Security & Access
• Systems Implementation
• Password
Information Technology: Privacy Impact Assessments (PIA) for New System Implementation

• Privacy protection should be designed into a system, rather than bolted-on later.
• A PIA is normally required for government projects but can be used as a guide for organisations to:
  o Start early to ensure that project risks are identified and appreciated before the problems become embedded in the design.
  o Commence a PIA as part of the project initiation phase (or its equivalent in whichever project method the organisation uses).
  o If the project is already under way, start today, so that any major issues are identified with the minimum possible delay.

Source: www.ico.gov.uk
Tips Towards Mobile Privacy

Source: Deloitte Knowledgebase

PDPA in Cloud Environment
• Service Models
• Identify the Data Controller
• Responsibilities of the Data Controller
• Selecting a Cloud Provider
Sales & Marketing

Key Considerations:
• Notification & Consent
• Marketing Activities: Calls, Faxes, Mail/Email, Campaigns
Sales & Marketing: Marketers, Prepare to Self-Regulate
• Audit your use of consumer data
• Rewrite privacy policies
• Emphasize user benefits

Notification (Examples)
Drafting a Good Privacy Notice

At a minimum, a privacy notice should include the following:
• The sender is clearly identified
• The purpose and use are defined very clearly
• Who the information is disclosed to is indicated
• How to access the data (if applicable)

Various mediums can be used to deliver privacy notices, e.g. electronically, verbally, etc.
Moving Forward with PDPA
How to Move Forward?

• Create awareness in the organisation
  o Awareness of internal policies for securing personal data
  o To create a culture of high awareness
• Know your current compliance level
  o Understand the impact of PDPA
  o Identify the gaps
• Designate a Chief Data Protection Officer or Committee
  o Define an information protection strategy
  o Develop short term compliance programmes
• Develop policies for PDPA
  o Policies spanning across legal, IT, marketing, human resource, customer services, etc.
  o Focus on end-to-end Data Privacy & Protection Governance processes, policies and procedures in line with PDPA
• Periodic compliance review
  o Conduct annual compliance or specific audit checks

What’s your PDPA compliance roadmap?
Deloitte’s 3A Approach: PDPA Implementation Lifecycle

1. “Know the Law”
2. “Understand the Gaps”
3. “Comply & Fine Tune”
Questions to Ponder on…
• What are the common risks faced by your relevant department, e.g. the IT Department?
• From your perspective, what are the short term initiatives that you can implement?
• How would you, as a key person in IT, help promote awareness amongst your colleagues in your respective departments?
Question & Answer
Contact Us

For inquiries in relation to PDPA 2010, please e-mail [email protected]. Alternatively, we can be contacted at: +60 3 7495 3800

Joanna Liew
Ho Sai Weng
Kwan Wen Ching
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/my/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.