Personal Data Protection Act 2010

Transcription

1 Personal Data Protection Act 2010 CIOs - are you ready for PDPA? 15 th January 2013 PIKOM PDPA Awareness Seminar Presented by: Joanna Liew Director of Deloitte Consulting Malaysia

2 Agenda Time 4:00pm 4:30pm 4:45pm Event Registration Overview of PDPA Key Components of PDPA 7 Principles of PDPA Understanding the Core Pillars of the Act Rights of Data Subject Know Your Rights as an Employee and Consumer Compliance Requirements What Employers Need To Do Getting Ready for PDPA Potential Impact and Risks A Practical Approach for Operationalising PDPA in Your Organisation 6:00pm Question & Answer Session 2

3 Overview of PDPA 3

4 Personal Data Protection in Malaysia The Malaysian government gazetted the Personal Data Protection Act 2010 (PDPA) with the aim of regulating the collection, storage, processing and use of any personal data. It is not intended to obstruct the legitimate use of information but strives to ensure that it is used fairly via its principles. Applies to Any person who processes or authorizes the processing of any personal data in respect of commercial transactions Personal data processed in Malaysia Uses of equipment in Malaysia for processing personal data 4

5 The Malaysian Personal Data Protection Act Protect personal data belonging to the public from being misused through commercial transactions Why PDPA? Protection of sensitive data from being misused Facilitate international trade Protect consumer rights Commercial transactions means any transaction of a commercial nature, whether contractual or not, which includes any matters relating the supply or exchange of goods or services, agency, investments, financing, banking and insurance. But does not include a credit reporting agency under the Credit Reporting Agencies Act

6 What is Personal Data? Any personal information in respect of commercial transactions Personal Data means.. Relates directly or indirectly to a data subject Includes sensitive personal data e.g. physical or mental health, political opinions, religious beliefs, offences or any other data as the Minister may determine Expression of opinion about the data subject 6

7 PDPA Enforcement Timeline We are here today Companies are to be given an estimated 3 MONTHS* for compliance to PDPA Jun 10 Personal Data Protection Act 2010 was gazette Feb 12 Personal Data Protection Department was set up Jan 13 From April 13 onwards (estimation)* ENFORCEMENT 7 Organisations should act now! Note: * According to Deputy Minister Datuk Joseph Salang, Information Communication and Culture Ministry, at the 2nd Annual Personal Data Protection Summit (Bernama published on 12 th December 2012). At this point in time, no date has been set on the enforcement start date as it is dependent on the formation of the Personal Data Protection Commission and appointment of the Commissioner.

8 Personal Data Protection Department Organisation Chart 8

9 List of Countries with Data Protection Europe All countries Asia Pacific Japan, Korea, New Zealand, Hong Kong, Macao, Taiwan, Thailand, Philippines, Singapore (Indonesia, China - Midst of finalisation) South America Chile, Argentina, Brazil, Mexico North America Middle East United States Israel No action so far.. Cambodia Vietnam Brunei Laos, etc.. 9

10 Various Roles Pertaining to PDPA Individuals whose data is collected for processing Person or organization, authorized for the processing of data. Data Subject Data User Hold or process data but do not exercise responsibility or control the data Data Processor 3 rd Party Any other person or organization other than the data subject, data processor or data user 10

11 Key Components of PDPA 11

12 7 Principles of PDPA 12

13 The 7 Principles of PDPA General Access Notice & Choice Data Integrity The 7 Principles Disclosure Retention Security 13

14 Principle No. 1 General PERSONAL DATA shall be processed if :- The data subject has given consent The processing is necessary for or directly related to that purpose It is adequate and not excessive in relation to that purpose SENSITIVE DATA shall be processed if : Data subject has given explicit consent Processing is necessary for employment, vital interest, medical, legal, administration of justice and others where Minister thinks fit Information has been made public by data subject 14

15 Business Process Example of Personal Data First Name Last Name Address IC No Bank Account No Phone Number Sensitive Data Employee Information Personal Data: Name IC numbers, passport numbers Driver s license, birth certificate Bank account numbers Home address, personal phone no. Sensitive Personal Data: Race, religion, health, political opinion, offence records Individual Customer Information Personal Data: Name IC numbers, passport numbers Personal phone number Home address, address Bank account numbers Sensitive Personal Data Race, religion, health, political opinion, offence records Third Party Information (if any) Contact name, number, address, etc 15

16 Principle No. 2 Notice & Choice DATA SUBJECTS should be informed by written notice on:- their personal data is being processed and a description of the personal data is provided the purpose of the collection the source of the personal data their rights to: request access and correct contact the data user for enquiries and complaint be informed of the third parties to whom the data user discloses or may disclose the personal data Limit the choices and means of processing personal data whether it is obligatory or voluntary for the data subject to supply the personal data 16

17 Principle No. 2 Notice & Choice (Cont d) NOTICE shall be given soonest possible:- At the time the data subject is first asked by the data user to provide his personal data At the time the data user first collect the personal data Before data user uses the personal data or discloses to a 3 rd party NOTICE shall be given in national and English language 17

18 Principle No. 3 Disclosure No PERSONAL DATA shall be disclosed without the consent of data subject:- for any other purpose(s) other than the purpose(s) it was collected, or a purpose directly related to the purpose the data was collected to any other party 18

19 Principle No. 4 Security A DATA USER needs to take practical steps to protect the personal data from any:- 19 Loss Misuse Modification Unauthorised or accidental disclosure Alteration or destruction Need to consider the following:- The nature of personal data The harm that would result from such misconduct The place or location where the personal data is stored The security measures to ensure reliability and integrity Measures taken to ensure the security transfer of the personal data

20 Principle No. 5 Retention PERSONAL DATA processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose. It shall be the duty of a data user to take all reasonable steps to ensure that ALL personal data is destroyed or permanently deleted if it is no longer required for the purpose it was collected. OR 20

21 Principle No. 6 Data Integrity Data user shall take reasonable steps to ensure that the personal data is:- Accurate Complete Not misleading Kept up-to-date by having regard to the purpose of the data 21

22 Principle No. 7 Access A DATA SUBJECT shall be given their rights and access to:- Their personal data, and The ability to correct that personal data if it is: Inaccurate Incomplete Misleading Not up-to-date 22

23 Rights of the Data Subjects 23

24 Rights of Data Subject & Obligations of Data User Rights to correct Rights to withdraw consent Rights to prevent processing likely to cause damage / distress Rights to access Rights of Data Subject Rights to prevent processing for purposes of direct marketing Obligations of Data Users Comply within 21 days 24

25 Compliance Requirements 2013 Deloitte Consulting

26 Registration with the Commissioner Gazette, published by the Minister will state the required data users or certain classes of data users who are required to register with the Commissioner Application for Registration Submit an application for registration to the Commissioner Provide a prescribed registration fee and required documents Success Failure Provide a written notice with reasons Issue certificate of registration 26 Registration Renewal Renew 90 days before date of expiry Submit an application for renewal Provide renewal fee and required documents

27 Registration with the Commissioner (Cont d) Revocation of Registration Conditions leading to revocation: Fail to comply with the Act, conditions and restrictions Provide false representation of fact Cease processing of personal data Fail to comply Fine RM500,000 or / & Imprisonment of 3 years or less Surrender of Certification of Registration Surrender within 7 days to the Commissioner Fail to comply Fine RM200,000 or / & Imprisonment of 2 years or less 27

28 Sectors of Data Users Affected by the PDPA Communications Tourism and Hospitality Services Banking and Financial Institutions Transportation Real Estate Insurance and Takaful Education Utilities Health Direct Selling and Direct Marketing All relevant Statutory Bodies 28

29 Exemptions 2013 Deloitte Consulting

30 Full Exemption Partial Exemption Exemptions of PDPA At the request of the data subject Performance of a contract where data subject is a party Compliance with legal obligation To protect vital interest of data subject Administration of justice Personal, family, household and recreational Crime Prevention/Detection Offenders Apprehension/Prosecution Tax/Duty Assessment/Collection Physical/Mental Health Statistics/Research Court Order/Judgment Regulatory Functions Journalistic/Literary/Artistic Other cases as prescribed by the Minister by order published in the Gazette 30

31 Breaches of the Act 2013 Deloitte Consulting

32 Fines & Penalties Not more than RM500,000 / Not more than 3 years or both Processes personal data without a certificate of registration Continues to process personal data after registration has been revoked Unlawful collecting, disclosing, selling of personal data, 32

33 Fines & Penalties Not more than RM300,000 / Not more than 2 years or both Contravenes with PDP Principles Transfer of personal data to a place outside Malaysia not specified by the Minister and not in the Gazette 33

34 Fines & Penalties Not more than RM250,000 / Not more than 2 years or both Contravenes with regulations and subsidiary legislation 34

35 Fines & Penalties Failure to surrender certificate of registration upon revocation Not more than RM200,000 / Not more than 2 years or both Contravenes with conditions in processing sensitive personal data Fails to comply with Commissioner s requirement Fails to comply with enforcement notice 35

36 Fines & Penalties Not more than RM100,000 / Not more than 1 year or both Refusal to comply with data correction request Non compliance with any code of practice applicable to data user Continues to process after withdrawal of consent to process personal data 36

37 Getting Ready for PDPA 37

38 Potential Privacy Related Risk to the Organization 38

39 Potential Privacy Related Risks Legal Risk Reputation Risk Financial Risk Fine & / or Imprisonment Reputation & Brand Damage Lost Sales, Investigations & Operational Clean Up Costs 39 * Reputational damage will be of most concern to organisations particularly given the media attention such incidents command

40 Violation Cases 40

41 Actual Cases: Pfizer 41

42 Actual Cases: Sony 42

43 43

44 Actual Cases: Apple Apps 44

45 Actual Cases: Google Street Australia Google is almost certain to face prosecution for collecting data from unsecured wi-fi networks, according to Privacy International (PI). The search giant has been under scrutiny for collecting wi-fi data as part of its StreetView project. June 9,

46 Actual Cases: Tesco 46

47 Actual Cases: Financial Institutions 47

48 Actual Cases: Malaysia 48

49 Actual Cases: Malaysia 49

50 Actual Cases: Malaysia 50

51 Portion of IT Budget Deloitte s IT-Business Balance Survey What portion of the IT Budget of your organization is spent every year on data security and data privacy? More than 10% Between 5% and 10% Between 3% and 5% Between 1% and 3% Americas (excld. USA) Asia-Pacific EMEA Less than 1% 51 Source: Deloitte IT-Business Balance Survey (%)

52 Surveys on Current Awareness of Organisations What is the current awareness level of the organisations on their security and privacy incidents? 52 Source: Deloitte IT-Business Balance Survey

53 A Practical Approach to PDPA Compliance 53

54 Organisation & Governance Governance Training and Awareness Key Considerations Physical Security Outsourcing Request for Access 54

55 Governance Reporting Lines 55

56 Human Resource Disclosure, Sharing & Selling of Information Notification Key Considerations Retention & Disposal of Records Access Request Handling Sensitive Information 56 EMPLOYMENT REFERENCES

57 Information Technology Data Usage & Monitoring Password Data Back-up & Archival Key Considerations Systems Implementation Portable Devices Security & Access 57

58 Information Technology Privacy Impact Assessments (PIA) for New System Implementation Privacy protection should be designed into a system, rather than bolted-on later. PIA is normally required for government projects but can be used as a guide for organisations to: o Start early to ensure that project risks are identified and appreciated before the problems become embedded in the design. o Commence a PIA as part of the project initiation phase (or its equivalent in whichever project method the organisation uses). o If the project is already under way, start today, so that any major issues are identified with the minimum possible delay. 58 Source:

59 Tips Towards Mobile Privacy 59 Source: Deloitte Knowledgebase

60 PDPA in Cloud Environment Service Models Identify the Data Controller Responsibilities of the Data Controller Selecting a Cloud Provider 60

61 Sales & Marketing Notification & Consent Campaigns Marketing Activities Key Considerations Mail/ Calls Faxes 61

62 Sales & Marketing Marketers: Prepare to Self-Regulate Audit your use of consumer data Rewrite privacy policies Emphasize user benefits 62

63 Notification (Examples) 63

64 Notification (Examples) 64

65 Notification (Examples) 65

66 Drafting a Good Privacy Notice At a minimum, a privacy notice should include the following: Sender is clearly identified Purpose and Use is defined very clearly Who are you disclosing the information to is indicated How to access (if applicable) Various mediums can be used to deliver privacy notices. i.e electronically, verbal, etc 66

67 Moving Forward with PDPA 67

68 How to Move Forward? Create awareness in the organisation Awareness of internal policies for securing personal data To create a culture of high awareness Knowing your current compliance level Understand the impact of PDPA Identify the gaps Designate a Chief Data Protection Officer or Committee Define an information protection strategy Develop short term compliance programmes Developing polices for PDPA Policies spanning across legal, IT, marketing, human resource, customer services, etc. Focus on end-to-end Data Privacy & Protection Governance processes, policies and procedures in line with PDPA Periodic compliance review Conduct annual compliance or specific audit checks What s your PDPA compliance roadmap? 68

69 Deloitte s 3A Approach Know the Law PDPA Implementation Lifecycle Comply & Fine Tune Understand the Gaps 69

70 Questions to Ponder on What are the common risks faced by your relevant department? i.e IT Department? From your perspective, what are the short term initiatives that you can implement? How would you as a key person in IT help promote awareness amongst your colleagues in your respective departments? 70

71 Question & Answer 71

72 Contact Us Joanna Liew Ho Sai Weng Kwan Wen Ching For inquiries in relation to PDPA 2010, please Alternatively, we can be contacted at:

73 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.