With the advancement and sophistication of today's technologies, personal privacy is no longer safe. Worse, for a long time there were few laws able to govern or defend personal data in cyberspace. As a result, hackers and other perpetrators breach the privacy of victims, stealing valuable personal information without the victim's knowledge for various purposes, usually to commit fraud. With the rise of cybercrime and data fraud, the protection of personal information and data has become more crucial. Therefore, a statute was proposed in Malaysia, the Personal Data Protection Act 2010 (PDPA), which regulates the processing of the personal data of individuals involved in commercial transactions and, more importantly, provides protection for any individual's personal data. The Act was gazetted in June 2010 but was not brought into force until November 2013. Other countries have had statutes governing personal data for much longer. The United Kingdom, for example, enacted the Data Protection Act 1998 (DPA) to safeguard personal information in the interests of individuals; it replaced the earlier Data Protection Act 1984. Since the law of Malaysia is largely based on the common law legal system, the two Acts share similarities, which are elaborated in the later sections.
The Malaysian PDPA 2010 has important details that should be noted and elaborated in this assignment. First, the PDPA applies only in certain scenarios, which must be fulfilled for personal data to be protected. Furthermore, the processing of personal data must comply with the seven principles of the PDPA 2010: the General Principle, Notice and Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle and Access Principle. Besides that, knowing the rights of the data subject is important as a means to protect the interests and confidentiality of the data subject. Lastly, failure to adhere to or comply with the Act leads to consequences and penalties, which are also described here.
The Act applies only to:
However, there are certain exceptions where the Act does not apply, such as:
This principle disallows the data user from processing personal data unless the data subject has given consent. The consent requirement is exempted in certain situations, such as the performance of a contract to which the data subject is a party, protecting the vital interests of the data subject, the administration of justice, and others. Moreover, the principle also states that personal data may be processed only for a lawful purpose directly related to an activity of the data user, only where the processing is necessary for that purpose, and only where the personal data is adequate but not excessive in relation to that purpose.
This principle requires the data user to inform the data subject by written notice. The contents of the written notice are:
The written notice sent to the data subject must be in both English and Bahasa Malaysia. Furthermore, a clear and readily accessible means of exercising a choice must be provided to the data subject in both languages.
With the consent of the data subject, personal data may be disclosed only to the parties and for the purposes that the data subject has agreed to. The exceptions where disclosure may be made without consent are:
When processing personal data, the data user must take practical steps to protect the data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. The data user has to take into consideration:
Under this principle, personal data processed for any purpose must not be kept longer than is necessary for the fulfilment of that purpose. The data user is responsible for taking reasonable steps to ensure that the data is destroyed or permanently deleted once it is no longer required.
The data user is required to take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up to date, having regard to the purpose for which it was collected. This way, the data disclosed to third parties is consistent with what the data user holds, avoiding further confusion. The data user should therefore also have a means of obtaining updates from the data subject where the data is likely to change.
Under this principle, the data subject has the right to access his or her own personal data held by the data user. In the event that the personal data is wrong or inaccurate, the data subject is able to have the data corrected. However, the Act provides certain exceptions under which the data user may refuse access, for example where confidential information is involved.
As personal data belongs to the data subject, the data subject is entitled to several rights over that data.
The data user needs to inform the data subject whether his or her personal data is being processed. A requestor (who may be the data subject) may write to the data user to make a data access request upon payment of a fee, after which a copy of the personal data is supplied to the requestor.
In the event that the requestor considers the copy of the data supplied to be inaccurate, out of date or incomplete, the requestor may make a data correction request requiring the data user to make the necessary corrections to the personal data.
A data subject has the right to withdraw consent to the processing of his or her personal data. This is done by giving written notice to the data user, who must cease the processing upon receiving the notice.
Where the processing of personal data is likely to cause damage or distress to the data subject or to another person, and that damage or distress would be unwarranted, the data subject may give written notice to the data user to cease the processing. However, this right does not apply in the situations listed as exemptions to the General Principle, such as the performance of a contract to which the data subject is a party.
If personal data is processed for the purposes of direct marketing, the data subject has the right to require the data user, by written notice, to cease the processing. Where the data subject is dissatisfied with the data user's failure to comply with the notice, an application can be made to the Commissioner to require the data user to comply.
There are several punishments or liabilities enforced for certain offences. Each offence carries a different severity of fine and/or imprisonment.
The data user is liable to a fine not exceeding RM300,000 and/or imprisonment for a term not exceeding 2 years.
A fine not exceeding RM500,000 and/or imprisonment for a term not exceeding 3 years.
A fine not exceeding RM500,000 and/or imprisonment for a term not exceeding 3 years.
A fine not exceeding RM100,000 and/or imprisonment for a term not exceeding 1 year.
A fine not exceeding RM200,000 and/or imprisonment for a term not exceeding 2 years.
The Data Protection Act 1998 defines 'data' broadly (covering structured manual records as well as computer records), although its principles, like those of the PDPA 2010, apply to personal data. Since the DPA 1998 predates the PDPA 2010 by more than a decade, it already provided substantial protection for the personal data of the people of the United Kingdom (UK) before the PDPA was even drafted. The terminology differs: the PDPA 2010 speaks of the data subject, the data user and the data processor, whereas the DPA 1998 uses the terms data controller, data processor and data subject. A data controller is a person who determines the purposes for which, and the manner in which, personal data is processed, whereas a data processor is any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
The Act applies to a data controller in two scenarios:
Besides that, an individual is considered to be established in the UK in the following cases:
The first principle specifies that personal data must be processed fairly and lawfully.
All data that is collected and processed must have a purpose, which should be stated in a notice from the data controller to the data subject. The data may then be processed only for that stated purpose, or for purposes compatible with it, and no other. The data controller must also notify the Commissioner of the purposes for which data is processed.
The information collected should be adequate, relevant and not more than is necessary. As an example, an application form for a membership card may require only full name, address, phone number and identification number. Sensitive personal information that is not needed for that purpose, such as race, religion or health details, should not be collected.
This principle requires that data be accurate and, where necessary, kept up to date. Data obtained and recorded by the data controller from the data subject is treated as accurate provided that the data controller has taken reasonable steps to ensure its accuracy. The data subject may notify the data controller that the data is inaccurate, with evidence showing the inaccuracy.
Once the data has served its purpose, it must be disposed of, since it is no longer required or necessary. In conjunction with the third principle, data that no longer has any purpose would be deemed excessive.
Any processing of data conducted by the data controller has to respect the rights of the data subject, such as the right to access personal data, the right to prevent decisions being based solely on automated processing, the right to prevent processing for the purposes of direct marketing, and others. There is also a timescale: responses to subject access requests must be made within 40 days of receipt of the request.
The data controller must take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss, destruction of, or damage to, personal data, having regard to the harm that might result. Therefore, it is important to uphold security so that data is not disclosed or altered in any way. Since the data may be accessed by employees of the data controller, the controller has to take reasonable steps to ensure the reliability of those employees. Besides that, the data controller has to choose a data processor that provides sufficient guarantees of security. The data processor must then carry out the processing under a written contract with the data controller and act only on the data controller's instructions.
As the Act is UK legislation aligned with EU data protection law, data remains protected when transferred within the European Economic Area (EEA). Once data is transferred outside the EEA, its protection is not guaranteed, and it may be abused for various purposes while no longer protected under this Act. Such a transfer is permitted only where the destination ensures an adequate level of protection, or where a condition such as the data subject having consented to the transfer is met.
The data subject has the right to access the personal data held about him or her by the data controller. Therefore, the data controller must supply the personal data of the data subject, the purposes for which it is processed and the parties to whom the data controller has disclosed it. A small fee may be charged for supplying the information (the statutory maximum was £10 for most requests). The data subject must make the request in writing to the data controller in order to be supplied with the required information.
Should there be any inaccuracy in the personal data held by the data controller, the data subject is entitled to require the data controller to correct the mistakes in the data.
The data subject is entitled to give written notice to the data controller to cease processing the personal data for a specified purpose or in a specified manner, on the grounds that the processing is likely to cause unwarranted damage or distress to the data subject or to another person.
The use of personal data for direct marketing can be stopped by the data subject. Likewise, a written notice needs to be sent to the data controller to cease processing the personal data for that purpose. If the data controller fails to comply, the court may, if it is satisfied, order the controller to take such steps as the court thinks fit to comply with the notice.
The data subject may give written notice requiring the data controller to ensure that no decision which significantly affects the data subject is based solely on automated processing of his or her personal data. The data controller must then give the data subject written notice specifying the steps it intends to take to comply with the requirement.
If a dispute between the data subject and the data controller cannot be resolved, the data subject can ask the Information Commissioner to assess whether the processing of the data subject's personal data complies with the Act. The Information Commissioner has the power to enforce the DPA and to penalise the data controller for any offence the data controller has committed.
In the event that the data subject has suffered damage or distress, the data subject has the right to seek compensation through the courts for damage caused by inaccuracy, unauthorised disclosure or loss of the data.
Personal Data Protection. (2017, Jun 26). Retrieved August 19, 2022.