Personal Data Protection Is Common Sense, Not Rocket Science

By Brandon Teoh


The Personal Data Protection Act 2010 (PDPA) was passed by Parliament in May 2010.

Nobody really cared about it until recently, when big social media players like Google and Facebook changed their data privacy policies, which sparked debates all over.

The move by these technology powerhouses was inspired by many different factors, chief among them the need for product innovation. To keep moving forward, social media platforms must unify and capitalise on big data. To do that, they have to create a common data structure for all products, or at least try as hard as possible.

And in carrying that out, it is by common sense and by law that these powerhouses also amended their data policies, which are aimed at protecting consumers' personal data. That is a good thing: these guys are doing their jobs professionally.

Another way to look at these policy changes is as a marketing effort: they suggest that any potential intrusion on your personal data from Google's or Facebook's end is going to be legal per se, because they have implemented the necessary prevention steps.

So these guys are very smart people; they moved fast and they are in total control.

From Malaysia's point of view, our data privacy act was among the slowest in the world to arrive. No doubt Malaysia is progressing, but Symantec feels that there is still some room for improvement.

Symantec agrees with the act, pointing out that its key principles are similar to those outlined in the APEC Privacy Framework, which has been adopted in the APAC region since 2005.

Nevertheless, Symantec felt that the Malaysian government should consider including mandatory data breach notification requirements in the act.

Breach notification has important educational value for users and policy makers. Nonetheless, it should also incorporate reasonable limits to prevent over-notification, so a 'safe harbor' principle must be properly thought through.

An Overview of Personal Data Protection Act 2010 (PDPA)

In a recent media forum, Professor Abu Bakar Munir, Faculty of Law, University of Malaya (former adviser to the Government of Malaysia on Data Protection), gave an overview of the act.

The act was passed not just because everybody else has done it, but because surveys found that Malaysians were starting to pay attention. More than 70% of respondents expressed concerns about personal data privacy, especially when using the Internet, and about 50% of defiant banking customers did not want to transact online because of insecurity.

Having such an act ensures that day-to-day business can be carried out smoothly; it helps save time and money and also creates harmony in customer-business relationships. In other words, it is good for the economy.

The act is, however, not applicable to the following 5 scenarios:

  1. Federal and state governments
  2. Credit reference agencies
  3. Data processed outside Malaysia
  4. Personal and family
  5. Non-commercial transactions

It is applicable to the following 7 activities which relate to personal data:

  1. Collecting
  2. Recording
  3. Holding
  4. Storing
  5. Organising
  6. Publishing on the Internet
  7. Making available

“Personal data protection is not a rocket science, it’s common sense,” said Prof. Abu Bakar Munir.

I truly agree: personal data protection is about protecting people, of whom you yourself are one, and you may become a victim one day.

There are a total of 7 principles to take note of in the event of exemptions (when personal data protection is to be breached):

  1. General principle
  2. Notice and choice principle
  3. Disclosure principle
  4. Security principle
  5. Retention principle
  6. Data integrity principle
  7. Access principle

For example, in the event of crime prevention, the following principles must be upheld (at least):

  1. General principle
  2. Notice and choice principle
  3. Disclosure principle
  4. Access principle

And depending on the 5 scenarios stated earlier, exemption consists of:

  1. Crime prevention/detection – partial exemption
  2. Offender apprehension/prosecution – partial exemption
  3. Tax/duty assessment/collection – partial exemption
  4. Physical/mental health – partial exemption
  5. Statistics/research – partial exemption
  6. Court order/judgment – partial exemption
  7. Regulatory functions – partial exemption
  8. Journalistic/literary/artistic – partial exemption
  9. Personal and family – full exemption

Also take note that in the event of a potential personal data breach, the data subject has the following 6 rights:

  1. Right to be informed
  2. Right to access
  3. Right to correct
  4. Right to withdraw consent
  5. Right to prevent processing likely to cause distress
  6. Right to prevent processing for direct marketing purposes

“There are still several organisations that do not have a privacy policy,” said Prof. Abu Bakar Munir. “Some state that they do have a privacy policy but they actually don’t,” he added.


(L-R) Prof. Abu Bakar Munir, Professor of Law, University of Malaya, Subhendu Sahu, Director for Government and Public Sector, ASR, Symantec, Nigel Tan, Director of Systems Engineering, Malaysia, Symantec

In the corporate sense, any person who was a director, CEO, COO, manager, secretary or other similar officer of the body corporate, or was purporting to act in any such capacity, or was in any manner or to any extent responsible for the management of any of the affairs of the body corporate, or was assisting in such management, may be charged severally or jointly in the same proceeding with the body corporate; and

If the body corporate is found to have committed the offence, he shall be deemed to have committed the offence unless, having regard to the nature of his functions in that capacity and to all circumstances, he proves:

– that the offence was committed without his knowledge, consent or connivance; and
– that he had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence. (s.133)

The enforcement mechanism can consist of one or a combination of the following:

  1. Data protection commissioner
  2. Advisory committee
  3. Appeal tribunal
  4. Codes of practice
  5. Enforcement notice
  6. Prosecution
  7. Revocation of registration


Symantec’s Offerings

Enough of the boring stuff, who really cares much anyway? What should we do next?

Symantec recommended the following 4 steps to comply with the Personal Data Protection Act 2010 (PDPA).

1.) Identify – who should have access to sensitive data?

–> Symantec solution: Symantec validation and ID protection service

2.) Authorise – how do you provide secure access to applications and services?

–> Symantec solution: Symantec O3

3.) Inspect – where is your sensitive data? How is it being used?

–> Symantec solution: Symantec data loss prevention

4.) Protect – how do you enforce policies? How do you prevent a breach?

–> Symantec solutions: Symantec disk encryption, Symantec file encryption, Symantec email encryption

And that is all, simple and straightforward.

So, the next time you receive uninvited calls from banks marketing financial services, ask them for the referral. I think that is illegal anyway. What do you think?
