Friday, March 18, 2011

Personal Data Protection Act 2010 | Getting the insurance industry to order.

The Malaysian Personal Data Protection Act (PDPA) was gazetted sometimes on the 10th June 2010 and has since been a subject of intense discussion amongst the insurance practitioners and community - something that many of us would want to talk about but difficult when getting at some viable framework before the PDPA gets implemented. Anyway the exact enforcement date of this Act has yet to be decided but the target is set somewhere in the 3rd quarter of 2011. One of the main reason for the delay in the enforcement is due to the setting up of the Commission and the tribunal, and also getting the various infrastruture in place.




Once implemented, the industry would be given a three-months grace period to complyPreview Changes. A three-months period is not exactly long enough for any (re)insurer to have any framework efficiently in place.
The least that the insurers can do now is to familiarise with the Act and not forgetting structuring out a viable framework - at least a framework that works when it matters.
Understand the PDPA is not exactly any mammoth task.... What's important is for insurance practitioners to acquire a reasonable level of understanding of the core terms featured within the Act...
It is good to start off with the understanding of the seven (7) data protection principles that would form the basis of the PDPA:
(We have highlighted those key terms in CAPITAL LETTERS, which we had defined them below this section.... scroll down if you need to make the reference

  1. General Principle
    • In general, the PROCESSING of PERSONAL DATA requires CONSENT....
  2. Notice & Choice Principle
    • In principle, DATA USERS are required to notify the DATA SUBJECTS regarding the purpose for which the data is collected and about the right to request access and correction of the PERSONAL DATA.
  3. Disclosure Principle
    • Simple understanding here.... no PERSONAL DATA shall be disclosed without the consent of the DATA SUBJECT.
  4. Security Principle
    • The DATA USER must take practical steps to protect the PERSONAL DATA from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
  5. Retention Principle
    • PERSONAL DATA processed for any purpose shall not be kept longer than is necessary for the fulfillment of the purpose to which it was obtained for
    • There are options for an exemption, i.e. by morphing & compiling those PERSONAL DATA into data processed for purposes of preparing statistics or carrying out research provided results of research do not reveal identity of DATA SUBJECT.
  6. Data Integrity Principle
    • DATA USER shall take reasonable steps to ensure the accuracy and to maintain the data current for the purpose it was collected for.
  7. Access Principle
    • DATA SUBJECT shall be given the necessary access to his or her personal data and shall be able to correct the PERSONAL DATA where the data is inaccurate or incomplete.
The other important core areas apart from the 7 principles .... are mainly to do with definitions and expressions in regards the usage of terms. We have simplified the more critical ones as follow:

Understand the important terms in the insurance context:

1. PERSONAL DATA3. DATA USER (or Data Controller)
  • is a legal person, meaning an agent, employee, broker, insurance company, etc. and involves in the actual PROCESSING of the PERSONAL DATA

  • who either processes the data or gives authorisation for the PROCESSING of the data


  • 4.COMMERCIAL TRANSACTIONS
    any transaction of a commercial nature, whether contractual or otherwise

    5.PROCESSING
    information processed or intended to be processed wholly or partly by
  • non-automated means which forms part of, or intended to form part of, a manual information filing system


  • includes collecting, recording, holding or storing PERSONAL DATA or carrying out any operation or set of operations on the PERSONAL DATA, which may involves adaptation, alteration, retrieval, consultation and use of...., disclosure by transmission, transfer, dissemination, correction, erasure or destruction of the PERSONAL DATA or information

  • important to know about DATA PROCESSOR


  • 6.DATA PROCESSOR
    is a legal person who processes the data on behalf of the DATA USER
    7. CONSENT

  • More than often EXPLICIT CONSENT is required to process SENSITIVE INFORMATION

  • For non-sensitive types, CONSENT could be implied

  • CONSENT to process non-sensitive PERSONAL DATA is not required if the data has been made public as a result of steps deliberately taken by the DATA SUBJECT

  • A DATA SUBJECT may withdraw his CONSENT to the processing of his or her personal data by giving a notice in writing


  • 8.NON-APPLICATION OF PDPA - PDPA does NOT apply to any PERSONAL DATA:
    • processed for the purpose of a credit reporting business carried out by a credit reporting agency under Credit Reporting Agencies Act 2009

    • processed outside Malaysia unless that personal data is intended to be further processed in Malaysia, and
    • relating to Malaysia federal and state governments
    • IMPLICATIONS
      For the purpose of this blog posting we will not discuss FRAMEWORKS & MODELS for the purposes of efficient and effective implementation of PDPA compliance - suffice we keep it simple here by focusing on the understanding part. We hope to work on FRAMEWORKS in the later posting.....
      With this new Act this would mean (re)insurers & (re)takaful entities must make sense of the following matters, amongst the more important ones:
      1. What are new contents for PRIVACY NOTICES and how is the PERSONAL DATA PROTECTION policy written as an integral part of it?
      2. Re-examining existing data collection practices, especially if this involves the purchasing of database from third party,
      3. How to obtain consent to process efficiently?
      4. What are the best practices in the use and transfer of personal information?
      5. What are the mechanisms to establish for individuals to exercise their access and correction rights,
      6. How are we to ensure data security, retention policies and practices conform to PDPA?
      7. What would be the mechanism when dealing with specific cross-border limitations in efforts to transfer and share data within one's own global organisation?

      In conclusion, do or die... do give a thought to the PENALTIES & FINES. The penalties & fines for breaching PDPA include the imposition of fines, and / or a term of imprisonment. Also, it is good to note, directors, CEOs, COOs, managers or other similar officers do have joint liability for non-compliance by the said (re)insurer or (re)takaful entities in the absence of any due diligence defence.

  • automatic means, i.e. electronic form


  • in short PDPA only relates to personal (relates to an individual) information collected or processed (including in the course of being processed) in the context of commercial transactions. The individual is referred to as DATA SUBJECT in the PDPA

  • the data must also be capable of being recorded and be capable of automatic or manual processing....

  • knowledge of SENSITIVE PERSONAL DATA is vital, where CONSENT is a prerequisite - this includes medical history, political opinions, commission of any offence, etc.

  • may include the expression of an opinion about an individual2.DATA SUBJECT

      • An individual who is identified or identifiable from the data (or information)
        possessed by the corporation....

    No comments:

    Post a Comment

    Related Posts Plugin for WordPress, Blogger...