Numbers to Call Over Invasion of Privacy | Bank Negara Malaysia
I am sure almost every day you get promotional calls from banks, hospitals, travel companies, etc. You will notice that the caller's number is often shown as a private number on your hand phone. Since it is a private number, there is no way for you to trace who the caller is from your phone.
You must be wondering how those telemarketers can get hold of your name and contact number.
Some of the banks call their customer database directly to promote supplementary credit cards, personal loans, insurance, etc. In order to save cost, some banks even outsource the telemarketing promotion service to a third-party call centre.
If you find such calls irritating and an invasion of your privacy, you may ask the bank to remove your name from any promotion and mention that you do not wish to be disturbed!
All financial service providers are required to inform the customer if the customer’s information is shared within the financial group.
NO information shall be shared or disclosed to third parties.
If it is to be shared, the financial service provider is required to obtain the customer’s permission or consent.
If you think your personal information has been shared without your permission, you may complain to Bank Negara Malaysia at:
> Director
Corporate Communications Department
Bank Negara Malaysia
P.O. Box 10922
50929 Kuala Lumpur
> BNMTELELINK (Customer Contact Centre)
Tel: 1-300-88-5465(LINK)
Fax: 03-2174 1515
E-mail: bnmtelelink@bnm.gov.my
> BNMLINK Kuala Lumpur (Walk-in Public Service Centre)
Lower Ground, Block D
Bank Negara Malaysia
Jalan Dato’ Onn
50480 Kuala Lumpur
BNMLINK and BNMTELELINK are open from Monday to Friday, 9am to 5pm (except on public holidays)
Good sharing, Alan. Sometimes you wonder who else has your contact details.
You mentioned: “All financial service provider is required to inform the customer if the customer’s information is shared within the financial group.” What about non-financial service providers? Does that apply to them?
Another thing is, while they can lay down the rule, can they really enforce it? And what are the penalties?
In many government agencies and departments, making the law is one thing; enforcing is another.
I am not sure about non-financial service providers.
The last I heard, the parliament is doing something on a Data Privacy Act and that should be covering non-financial service providers as well.
Protecting personal data
The PDP is still a step in the right direction and a good beginning, although it lacks the right to claim for compensation in the case of breaches that cause damage or distress.
AFTER a decade of delay, the Personal Data Protection Bill 2009 (PDP) has finally been tabled and passed by Parliament. This is a very important piece of legislation as it would affect almost everyone in the country.
Generally, the enactment of the PDP is laudable. Prior to this, Malaysia adopted the sectoral approach in protecting personal data but this approach proved inadequate.
It is time to have a comprehensive legislation to cover all aspects of personal data protection.
The PDP will apply to anyone who processes or who has control over or authorises the processing of any personal data in respect of commercial transactions.
The person who processes any personal data is called “data user” and the person whose personal data is being processed is known as “data subject”.
The PDP imposes many obligations on the data user. It requires that the data user comply with the seven PDP principles, failing which he can be fined not exceeding RM300,000 or be jailed for a term not exceeding two years, or both.
Buying and selling of personal data is a criminal offence. Besides, any individual who feels annoyed with direct marketing will be able to prevent this from happening.
The PDP principles require that a data user not process personal data unless with consent from the data subject, and it must be processed for a lawful purpose directly related to an activity of the data user.
However, it is not stated whether the consent must be express or can be implied.
It also states that a data user has the duty to inform a data subject about the processing of his personal data by way of written notice, and such notice must be given as soon as practicable by the data user.
In the absence of consent from the data subject, personal data shall not be disclosed to any party other than the purpose for which the personal data was to be disclosed at the time of collection or for a purpose directly related to that purpose.
The data user must also take practical steps to implement security measures to protect and safeguard the personal data.
In addition, personal data shall not be kept longer than is necessary and the data must be destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.
There is, however, no time frame given and the PDP leaves it to the discretion of the data user, who must also take reasonable steps to ensure that the personal data is accurate, complete, not misleading and up-to-date.
The PDP also provides the data subject the right to have access to his personal data held by a data user.
If the personal data is inaccurate, incomplete, misleading or not up-to-date, the data subject can request that the data be corrected.
Although the PDP confers many rights on individuals and imposes liabilities on those who breach the law, the Act is far from perfect due to its unique features and its narrow application.
Here are a few of its shortcomings.
The PDP does not apply to the Federal and state governments (an earlier draft of the Bill read: this Act shall bind the Government), although massive amounts of personal data are stored with government departments.
For example, the National Registration Department processes most of our personal data; the Inland Revenue Board processes our income tax returns which contain our financial records and sources of income; the DNA Identification Act 2009 allows the Government to keep DNA profiles of individuals in the DNA databank.
As such, to exclude the Government from the application of the PDP would be contrary to the objective underlying the PDP in protecting the personal data of its citizens.
It is not clear whether local authorities established under the Local Government Act 1976 and those agencies and statutory bodies established under their respective Acts of Parliament to perform specific public functions are also considered as part of the Government.
The PDP only applies to processing of personal data in respect of commercial transactions.
The Oxford English Dictionary defines the term “commercial” to mean “engaged in, or connected with, commerce and having profit as a primary aim rather than artistic etc. value”.
The Government has repeatedly emphasised that the PDP is critical in this age of e-commerce and it will solve such problems as credit card fraud, identity theft and selling of personal data without customers’ consent.
However, personal data protection is not just about safeguarding personal data in the commercial world.
It is equally important to protect personal data such as medical and health records, employee records, financial records, and even criminal records.
These personal data may be used for employment, educational, professional, taxation, social security and welfare etc.
For example, someone may have submitted his personal data in a contest or enquiry form.
The use of personal data in these situations may not necessarily involve a “profit-making” element and it is hardly to be considered as “use in respect of commercial transactions”.
The effect of this restrictive limitation is that the PDP applies to, and within, the private sector, and then further narrows down to organisations which process personal data in commercial transactions.
It is unclear whether civil remedies are available under the PDP.
In many other jurisdictions such as Britain and Hong Kong, breaches of data protection law are punishable under both criminal and civil law.
Any individual who suffers any damage (which include injury to feelings) or distress by reason of a contravention of the provision of the PDP shall be entitled to file a civil suit and claim compensation for such damage or distress.
A similar provision was found in an earlier draft but omitted in the PDP.
This is ironic because while the PDP provides the right to prevent processing that is likely to cause damage or distress, there is no right to claim for compensation for causing such damage or distress.
The exclusion of the Government from the PDP and its narrow scope are undesirable.
Most data protection laws in other jurisdictions do not have such restrictions.
Nevertheless, the enactment of the PDP is still a step in the right direction as individuals will now have legal protection in safeguarding their personal data.
This is a good beginning and it is hoped that with increased awareness of the importance of personal data protection among the public and the demand for stronger protection, the law will be further improved.
The writer is a young lawyer. Putik Lada, or pepper buds in Malay, captures the spirit and intention of this column – a platform for young lawyers to articulate their views and aspirations about the law, justice and a civil society. For more information about the young lawyers, please visit malaysianbar.org.my/nylc.
fr:thestar.com.my/columnists/story.asp?file=/2010/6/10/columnists/putiklada/6434844&sec=putiklada
First reading of Personal Data Protection Bill
THE Personal Data Protection Bill, which aims to protect and regulate the use of private data, will be tabled for first reading in October.
Deputy Information, Communication and Culture Minister Senator Heng Seai Kie said the Attorney-General Chambers had finalised the draft for the Bill.
“The Bill will not only be limited to cyber space laws as it will also include sectors such as tourism, finance, insurance, telecommunications and other fields that involve commercial transactions,” she told Datuk Bung Mokhtar Radin (BN — Kinabatangan).
Heng said the drafting of the law was aimed at monitoring the processing of private data by users and to give protection to individuals, whose data was being processed, and safeguard their rights and prevent abuse.
Heng said the Bill would also come with an enforcement mechanism to get data users to comply with the provisions.
She told Saifuddin Nasution (PKR — Machang) that it was important for the ministry to receive feedback on the proposed Act as it would have a huge impact on existing system on data usage, adding that it had already consulted various non-governmental groups and sectors.
To another question by Bung Mokhtar, Heng denied that fraud or abuse had delayed the formulation of the Personal Data Protection Act.
She said the Bill would be presented together with the Credit Reference Agencies Bill under the Finance Ministry, aimed at regulating credit reference agencies like Credit Tip Off Service (CTOS).
fr:thestar.com.my/news/story.asp?file=/2009/6/18/parliament/4138797&sec=parliament
Keeping it private
By SUBASHINI SELVARATNAM
The pluses and minuses of the Personal Data Protection Bill 2009.
It is past midnight and you are sleeping soundly. Suddenly, an SMS beeps in. It turns out to be a message from a hotel, which you have never been to in your life, giving away a free one-night stay. Annoyed, you go back to bed. But you toss and turn. You can’t get back to sleep and get even more irritated.
Many of us have experienced similar incidents with these unsolicited phone calls, SMSes and e-mail messages. And many have also noticed that these nuisance calls or messages are almost always after they had divulged their personal contact information.
It could have been a warranty card you filled up, or you handed over your business card to participate in a “lucky draw” somewhere, or you had just subscribed to some service. In any case, someone either sold your contact information or is misusing it.
At the very least, such misuse means you are inconvenienced or irritated by sales pitches. But more worrying is that your information could be used for more nefarious activities, such as scams, identity theft, and cheating.
The Personal Data Protection (PDP) Bill 2009, which was passed in the Senate (Dewan Negara) recently, is aimed at putting a stop to such misuse of your personal information, as well as the malicious use of the data.
University Malaya law professor Abu Bakar Munir, who played an advisory role in the drafting of the Bill, said it plays a crucial role in protecting a person’s details in commercial transactions whether online or offline.
“It makes it illegal for anyone – companies or individuals – to give out or sell someone else’s personal information without prior consent,” he said, adding that it stipulates penalties for such transgressions.
The Bill is expected to be gazetted into law this year. When it is, Malaysia will be among the first in Asean to have introduced such legislation.
Personal information, under the Bill, means any data that can identify an individual – name, age, MyKad details, photo, passport number, video and images captured via closed-circuit television.
“If you receive any unsolicited direct marketing messages or advertisements, you will be able to lodge a complaint with the personal data protection commissioner, who will investigate,” Abu Bakar said. At the time of writing, the mechanism for lodging such complaints had yet to be set up.
Those found guilty of contravening the rules could be fined a sum not exceeding RM200,000 or be jailed for a period not exceeding two years, or both.
Abu Bakar believes those penalties should be sufficient to dissuade anyone from illegally sharing someone else’s personal information.
Wide impact
But the ramifications of the PDP Bill 2009 becoming law have great depth and breadth. Foong Cheng Leong, an advocate and solicitor with Lee, Hishammuddin, Allen & Gledhill, sees it even affecting the way businesses and other organisations store the personal data of their customers.
He said the contents of the Bill would apply to local and foreign companies operating in this country, as long as the personal information in question is being processed in Malaysia.
It will require businesses to clearly tell customers that their personal information is being collected, why the data is being amassed, and what they want to do with the details.
“By doing this, the personal information of the customers is protected and it helps to control abuse of the data, such as selling the contact numbers to a third party,” said Foong, who specialises in intellectual property and information technology legal issues.
“It also forbids the businesses to transfer the personal information outside Malaysia without the consent of the customer or the designated countries which is provided by the personal data protection commissioner,” he said.
In this way, the customers will know where their personal information is residing.
According to Foong, it would be in the interest of the companies and organisations having people’s personal information now to already start ensuring that their data-collecting mechanisms are in sync with the requirements stated in the Bill.
“For a start, the companies need to ensure that their customer forms have a section that seeks consent from the customers to collect their personal information, as well as stating why the data is needed and what it will be used for,” he said.
“Any company that has been collecting such information before the law comes into force must still comply with the provisions of the Bill within three months thereof.”
Also, under the Bill, a customer can ask the company, from which he or she has bought products or services, to show what personal data it has collected on him or her.
But there are exceptions to this rule, according to lawyer Tong Lai Ling, a partner at Raja, Darryl & Loh.
Tong said one exception is when providing that information will disclose confidential commercial data, in which case the company is not obligated to meet the customer’s request.
“Another exception is when the burden or expense of retrieving the data is disproportionate with the risk to the customer’s privacy in relation to personal data,” she said. Tong has 10 years of experience in cyberlaw.
Under the Bill, the collection of sensitive personal data such as medical reports, political affiliations and religious beliefs is also subject to conditions.
“For example, a housing developer cannot ask for a medical report when entering into a sales and purchase agreement with a buyer,” she said.
Not perfect
The Bill isn’t as encompassing as it could be, said Tong at Raja, Darryl & Loh.
“For example, it only applies to personal data gathered as a result of commercial transactions. As such, it would seem that only companies, religious bodies, political parties and charitable organisations that engage in business will be subject to Personal Data Protection rules if they collect customer data,” she said.
The general consensus is that any and every organisation that collects your personal data should be subject to the rules in the Bill.
Also, it is not easy in some circumstances to draw a line between commercial and non-commercial transactions, said Foong at Lee, Hishammuddin, Allen & Gledhill.
He and Tong pointed out that according to the Bill, information collected by federal and state governments is not subject to the stipulations provided for.
“What if the Selangor State Development Corporation (PKNS) forms a business joint venture with the Government?
“PKNS, created under the Selangor State Development Corporation Enactment, 1964, means it should be treated as a separate legal entity,” said Foong.
“But it is not clear whether or not PKNS in such a situation would be bound by the data protection rules in the Bill. A similar predicament arises with any other local authority, statutory body, or state corporate entity.”
Also, the fact that the Bill exempts the Government from personal data protection rules should be of great concern to everyone, he said. “The Government is the biggest collector of personal data – from the time we are born to the day we die.”
Foong believes the Government should play its role as the protector of the personal information of its citizens.
He said the Government has stated that it has its own mechanism for protecting the personal data of its citizens. But it has not revealed if the mechanism is as extensive as that set down in the Bill for the handling of personal data.
The Bill stipulates seven principles governing the handling of such data – covering everything from getting permission from the citizen to why the information is needed, to what can be stored, to how long it can be stored, and to how much of it can be shared.
University Malaya’s Abu Bakar recommends that the Government develop a set of rules and regulations, i.e. a code of practice, to protect the personal information of the rakyat, or have separate legislation to that respect.
Last bit
Despite some shortcomings, the Personal Data Protection Bill 2009 is still a good start towards empowering Malaysians to maintain their privacy.
When it becomes law, it will need to be finetuned from time to time so that it provides better protection and does not become antiquated.
So, the next time you get an SMS or phone call in the middle of the night or any other time for a free night’s stay or another unsolicited service or product, it could be the other guy that gets the wake-up call.
Note: The Personal Data Protection Act 2010 has received the Royal Assent on June 2, 2010 which now makes it an Act. However, the Act will only take effect when the Government gazettes it.
fr:red1049.com.my/news/story.aspx?file=/2010/6/15/it_news/6298072&sec=it_news
New regulations to ensure data protection
WE refer to the letter by Cheers “A call to ensure one’s privacy is not involved” (The Star, April 27).
The letter explained the issue of data privacy and the question of how personal information such as telephone or mobile number can be accessed by other parties.
As the regulator for the communications and multimedia industry, the Malaysian Communications and Multimedia Commission (MCMC) would like to clarify that all communication service providers are governed by a consumer code where they must not disclose customers’ personal information to other parties.
Part 2 of the General Consumer Code (GCC) has set out the responsibility of a service provider in the protection of consumer information.
A service provider may collect and maintain necessary data/information of consumers for tracking practices. However, the collection and maintenance of such data/information shall follow the following good practices whereby it should not be transferred to any party without prior approval from the consumer.
Service providers must also take appropriate measures to provide adequate security, and respect consumers’ preferences regarding unsolicited mail and telephone calls.
Service providers must be open, transparent, and meet generally accepted fair information principles including providing notice as to what personal information they collect, use, and disclose.
However, personal information could come from many other sources. For example, some may disclose or communicate their personal information when they fill any application form or during navigation on any websites or through online registration.
As such, consumers are advised to read carefully the terms and conditions before they divulge any of their personal information.
In addition, last April, Parliament passed the Personal Data Protection Bill 2009 that seeks to protect personal data belonging to the public from being misused through commercial transactions.
The bill placed high importance on the protection of sensitive personal data, such as a person’s information on his health, physical attributes, mental status and his religious preferences from being misused.
A personal data protection commissioner will be appointed and an advisory committee created to advise the commissioner on the enforcement of the Bill.
Their job will be to monitor the activities of commercial transaction of information. Any private database collection agencies would have to strictly comply with the Act.
The Bill is a form of cyber-legislation and Malaysia is the first among Asean countries to introduce this law.
It is modelled after the provisions outlined by some European countries in relation to the protection of national security, defence and basic human rights.
The new regulations on data protection would ensure that personal data would not be given out except with the consent of their owners.
CORPORATE COMMUNICATIONS DEPARTMENT,
Malaysian Communications and Multimedia Commission.
fr:thestar.com.my/news/story.asp?file=/2010/6/24/focus/6534618&sec=focus
A call to ensure one’s privacy is not invaded
OF LATE I have been getting calls from banks and hospitals on my private mobile phone, informing me that a survey is being done for a certain bank and that I can get help if I want to re-finance my housing loans.
In the first place I would like to know how these telemarketeers got hold of my number and secondly, what makes them think that I need their services.
I find such calls irritating and an invasion of my privacy. Who is at fault? Who has given these people access to my number?
Last week I got a similar call. When I told the caller that I am not interested I got an SMS — “no manner”.
I called the bank and all they could say is “we did not get this lady to call”. May I then ask how she got my number.
I am sure I am not the only “victim” and I hope the proper authorities will investigate.
CHEERS,
Kuala Lumpur.
fr:thestar.com.my/news/story.asp?sec=focus&file=/2010/4/27/focus/6134669
Personal Data Protection Bill good for the marketing community too
WHAT’S THE BIG IDEA?
By HAFIDZ MAHPAR
THE 17-year-old protagonist in Nancy Werlin’s Edgar-winning novel The Killer’s Cousin makes a habit of swapping his supermarket card with total strangers.
He is following the advice of a girl he likes who told him: “The marketing people use these things (the cards) to track our spending patterns. But if you swap, you thwart ‘em. I trade at least once a week.”
If the novel is to be believed, grocery card-swapping happens all the time between total strangers, and you only need to send the signal by dangling your card in a public place.
The Killer’s Cousin was written more than a decade ago, and I’m not sure whether card-swapping is still popular today (if it ever was), with all the fear of identity thefts. Probably it’s never a good idea in the first place to try tricking marketers that way, because you may end up receiving a lot of spam and junk mail that are irrelevant to your actual needs and wants.
Nonetheless, I understand people’s desire to “thwart” marketing people. I try to avoid contests, for example, if I feel there’s a possibility of abuse of my personal information that is required to be given in the form.
It’s not a great feeling to know your personal data is being traded to different parties via the so-called “mailing lists”.
So I welcome the Personal Data Protection Bill, which aims to curb data abuse in the commercial sector. The bill is expected to be gazetted into law this year, making Malaysia one of the first Asean countries to introduce such legislation.
It was reported that when the law comes into effect, companies have to seek customer consent when collecting the latter’s personal information and they must state why the data is needed and for what purpose.
Those companies that have been slacking so far in managing a good customer database for marketing purposes – and I hear most Malaysian companies fall into this category – need a wake-up call because they can no longer rely on third-party mailing lists.
Companies also need to accelerate their learning curve to ensure that their data-collection method is in line with the legislation.
Although the Personal Data Protection Act constrains marketers somewhat, in the long run it will not only create more professional and ethical marketers but also more effective marketers. This is provided that they are willing to invest in building a strong database, updating it regularly and tapping on the information intelligently.
The third-party mailing lists normally consist of demographic data such as gender, age and income; and such data is not tailor-made for a company’s specific consumer profiling needs. What have become increasingly more important in doing market segmentation are psychographic data, which relate to values, attitudes, interests and lifestyles.
Age, for example, may not tally with what people buy. The novel I mentioned earlier was actually taken from the young adults section of a bookstore, and while I only bought it recently, I must admit I have not been a young adult for some time now.
(I actually started reading young adult books many years before Malaysian bookstores began having a young adults section, which bridges the gap between Enid Blyton books and, say, The Da Vinci Code. Those days I devoured books by S.E. Hinton, Robert Cormier, Paul Zindel, Katherine Paterson and Judy Blume, among others. And I dare say that while the protagonists are normally teenagers, these books can be as entertaining as any adult novel.)
I believe the marketing community as a whole views the bill as a positive thing. After all, marketers are themselves consumers.
It may not be very clear how the bill, once it becomes law, would affect direct marketing activities in the country in the immediate term. There could well be some confusion initially, and marketers may make a misstep or two as they create and use their own customer database.
But I have faith that in the long run, marketers would thank the Government for introducing this piece of legislation.
·Hafidz Mahpar, a StarBiz associate editor, bought Nancy Werlin’s The Killer’s Cousin after being blown away by Impossible, her fantasy/horror/romance novel inspired by Simon & Garfunkel’s ballad Scarborough Fair.
fr:biz.thestar.com.my/news/story.asp?file=/2010/6/26/business/6552272&sec=business
Personal data protection commission to function from next January
KUALA LUMPUR: A commission under the Personal Data Protection Act 2009 will be created by January next year, said Information, Communication and Culture Minister Datuk Seri Dr Rais Yatim.
He said the secretary-general of the ministry, Datuk Wira Kamaruddin Siaraf, was now discussing with the Public Service Department (PSD) on the manpower needs, emoluments and other service requirements for the commission.
“The commission has already been created in terms of legislation, it’s just that we need to cooperate with the PSD and accept the location of the building, which we are working on now.
“I think it’s not later than January next year, but probably by the end of the year, we can resolve the size of the manpower required. We are also planning the logistics for the new department,” he told reporters after presenting the 2009 Excellent Service Awards to ministry staff, here Tuesday.
Rais said that with the existence of the commission, the number of agencies and departments under the ministry had increased to 19.
He said the commission was closely linked to the Malaysian Communications and Multimedia Commission (MCMC) as it applied computer forensic knowledge.
“In addition, the commissioner is not just anybody. He has to be trained in interrogations, cross-examinations in court proceedings and others,” he said.
Rais said the position of other companies, including Credit Tip Off Services Sdn Bhd (CTOS) which had been using one’s personal data all this while, was now placed under the new Act.
The Act, passed by Parliament in April, among others aimed at regulating the processing of the personal data of an individual, who is involved in commercial transactions, by the data user to provide protection to the individual’s personal data and thereby protecting the interest of the individual concerned.
According to the act, any personal data user who breaches the provision under Section 5(1) has committed an offence and faces a maximum jail term of two years, a RM200,000 fine or both.
fr:thestar.com.my/news/story.asp?file=/2010/6/29/nation/20100629152453&sec=nation
Service providers governed by code
WE refer to “A call to ensure one’s privacy is not involved” (The Star, April 27), which explained the issue of data privacy and the question of personal information such as telephone or mobile numbers being accessed by other parties.
As the regulator, the Malaysian Communications and Multimedia Commission would like to clarify that all communication service providers are governed by a consumer code and must not disclose customers’ personal information to other parties.
Part 2 of the General Consumer Code sets out the responsibility of a service provider in the protection of consumer information. A service provider may collect and maintain the necessary data/information of consumers for tracking practices.
However, the collection and maintenance of such data/information shall not be transferred to any party without prior approval of the consumer.
Service providers must also take appropriate measures to provide adequate security, and respect consumers’ preferences regarding unsolicited mail and telephone calls.
Service providers must be open, transparent, and meet generally accepted fair information principles, including providing notice as to what personal information they collect, use, and disclose; the choices consumers have with regard to the collection, use and, disclosure of that information; the access consumers have to the information; the security measures taken to protect the information, and the enforcement and redress mechanisms that are in place to remedy any violation of these.
However, personal information could come from many other sources. For example, people may disclose or communicate their personal information when filling in application forms or during navigation on websites or through online registration.
As such, consumers are advised to read carefully the terms and conditions before they divulge any personal information.
In addition, last April, Parliament passed the Personal Data Protection Bill 2009 that seeks to protect personal data belonging to the public from being misused through commercial transactions.
The Bill placed high importance on the protection from misuse of sensitive personal data, such as information on a person’s health, physical attributes, mental status and religious preferences.
A personal data protection commissioner will be appointed and an advisory committee created to advise the commissioner on the enforcement of the Bill.
Their job will be to monitor the commercial transaction of information. Any private database collection agency would have to strictly comply with the law.
The Bill is a form of cyber legislation and Malaysia is the first among Asean countries to introduce this law, which is modelled after the provisions that were outlined by some European countries in relation to the protection of national security, defence and basic human rights.
The new regulations on data protection would ensure that personal data would not be given out except with the consent of their owners.
CORPORATE COMMUNICATIONS DEPARTMENT,
Malaysian Communications and Multimedia Commission.
fr:thestar.com.my/news/story.asp?file=/2010/7/5/focus/6532517&sec=focus
Personal data and the law
Putik Lada
By FOONG CHENG LEONG
As the Personal Data Protection Act 2010 will be in force any time soon, data users are advised to be familiar with, and to start adhering to, its principles.
THE Personal Data Protection Act 2010 that is set to be enforced regulates the collection of personal data by parties for commercial transactions and will change the way we do business.
In brief, personal data is defined as any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user.
A data user is basically the party using the personal data of an individual, which is referred to as data subject in the Act.
Personal data may take various forms and may be a name combined with other information, passport/identity card number, telephone number, photograph, fingerprint, or DNA.
A name itself cannot be personal data as there may be many individuals with the same name. However, where the information is combined with other information such as an address, this may be sufficient to identify an individual.
Unfortunately, the Act is only limited to personal data in respect of commercial transactions. Social media networking websites such as Facebook and Twitter, and foreign website owners are not subject to the Act.
This limits the type of personal data that are protected, for example, intimate photographs of individuals. As such data is normally not collected through commercial transactions, their distribution may not contravene the Act.
In Hong Kong, such data is covered. In an incident relating to the online circulation of nude photos of certain celebrities, the Privacy Commissioner for Personal Data decreed that such photographs are caught under the Hong Kong Personal Data (Privacy) Ordinance.
The Act sets out seven principles which a data user must adhere to when dealing with personal data. They are General, Notice and Choice, Disclosure, Security, Retention, Data Integrity and Access.
Failure to comply with any of the seven principles amounts to an offence punishable with a fine not exceeding RM300,000 or imprisonment not exceeding two years or both.
Under these principles, the collection and use of personal data must be consented to by the data subject, and steps must be taken to ensure that they are updated, correct and stored securely.
Further, adequate notice must be given to data subjects that their personal data will be used, and the purpose of the same. Data subjects should also be given the choice to opt out from giving certain personal data. Personal data no longer in use has to be destroyed.
Consent is not defined in the Act but a positive consent — written, oral or electronic — would be sufficient. However, positive consent would not apply in a scenario where a data user sends a form requesting consent and the form states that consent is assumed if no response is given. Failure to respond may not be considered as consent under the Act.
As the Act only applies to personal data in respect of commercial transactions, whether blogs would fall under its purview would depend on the circumstance of the case. If a blog is established purely for a recreational purpose, the Act may not apply due to the limitation of the definition of personal data.
A website generally collects personal data in two situations: when a user visits the website, and when a user provides information to the website operator, e.g. through an online form.
Information collected from a visitor to the website would include the IP address of the visitor and also cookies. Cookies are files used by websites to collect information about a user’s online activity. It can recognise a computer when a user logs on and can allow a website to store and remember usernames and passwords. Such information must be properly kept and not revealed to third parties.
As for the latter situation, website operators should inform the visitor that his or her information will be kept and used by them and their related parties. If website operators wish to use the information for other purposes, such as for marketing, they should obtain consent from the data subject.
Also, if personal data will be transferred outside Malaysia, consent should be obtained, otherwise any reference to the owner should be removed as it is an offence under the Act for a data user to transfer personal data outside Malaysia.
Companies need to be careful when sending out marketing materials. Under the Act, data users may be liable to a fine not exceeding RM200,000 or imprisonment not exceeding two years or both if they refuse to cease sending unsolicited marketing materials.
Following the security principle, personal data collected by website operators must be kept properly to ensure that they are not leaked. Proper security measures such as encryption must be in place.
If personal data is meant to be revealed to the public, notice should be given ahead and consent obtained. For example, a web forum should indicate to its users that information will be revealed to the public if requested. However, if the personal data is requested by a competent authority, consent may not be required.
In addition, website operators should also consider inserting a privacy policy statement on their websites in a specific page accessible by a visitor.
The privacy policy should state:
> WHAT will be done with the personal data;
> WHO is collecting the personal data;
> WHAT personal data is being collected;
> whether the personal data will be transferred out of Malaysia; and
> whether the personal data will be disclosed to third parties.
As the Act will be in force any time soon, data users are advised to start adhering to its principles. Notice and consent of data subjects are the keys to allow a data user to use personal data. As such, data users should revise their data collecting system to be in line with the seven principles.
Unfortunately, at this stage, the extent and applicability of the Act is unknown and it seems to be wide and far reaching and, to a certain extent, excessive. In this regard, a Personal Data Protection Commissioner should be appointed soon to address these uncertainties.
In many jurisdictions with data protection legislation, the respective Commissioners play a vital role in determining the scope and applicability of the Act and will from time to time issue good practice notes or clarifications to the public.
> The writer is a young lawyer. Putik Lada, or pepper buds in Malay, captures the spirit and intention of this column – a platform for young lawyers to articulate their views and aspirations about the law, justice and a civil society. For more information about the young lawyers, please visit malaysianbar.org.my
fr:thestar.com.my/columnists/story.asp?file=/2010/8/5/columnists/putiklada/6796369&sec=putiklada
Bancassurance got a very high Sales conversion in Telemarketing 🙂
Bancassurance gains ground
By DALJIT DHESI
More consumers opting for No. 2 distribution channel in insurance industry, agency still leading
PETALING JAYA: Bancassurance is fast becoming a formidable No. 2 distribution channel in the insurance industry behind agency.
Agency as a whole is still the main distribution channel but industry observers generally agree bancassurance is beginning to gain headway as more consumers are turning to this channel judging from the growing demand for bancassurance products.
Two reasons for this are the selling of simple insurance products by banks with their large branch network and depositors opting for single premium (SP) products amid the low interest rates.
An industry player who requested anonymity said there was definitely a growing competition between agency and bancassurance.
“The quality of some agents needs to be further improved. There are dedicated agents but there are also some who ‘product push’. Customers also seem to be more confident of banks due to their strong financial standing and stability.
“Agency will still maintain its position as a leading distribution channel but over time bancassurance may overtake agency as the top channel,” he added.
Statistics compiled by the Life Insurance Association of Malaysia showed that in terms of market share in the distribution channels last year, bancassurance commanded 31.9% compared with 27.6% in 2008. Agency was at 67.1% in 2009 and 70% in 2008.
It also showed that bancassurance continued to be a major source of SP in terms of new business for the first six months of this year with 66% of total SP business derived from this channel.
Last year, in terms of weighted premium market share in the distribution channels, bancassurance commanded 14.3% compared with 14.5% in 2008. Agency achieved 85.7% in 2009 and 85.5% in 2008.
The scenario was different for regular premium (RP) new business. Bancassurance only contributed 12% of total new business in 2009 but this was higher than 8% in 2008.
CIMB Aviva Assurance Bhd marketing director Angela Christine Tan, while acknowledging competition between the two channels, said other reasons for the rapid growth of bancassurance were wider Internet usage and social networking among the younger generation as well as easy access to information.
“The younger generation has a wider communication platform nowadays via Internet and social networking and the traditional method of having personal service from an agent may not be the deciding factor when it comes to purchasing an insurance product.
“Easily accessible information also allows consumers to compare products offered by different companies. Bancassurance products are basically more affordable due to the pricing structure,” she noted.
She added that the company registered positive growth over the last 12 months for new business contribution from its bancassurance and bancatakaful operations and anticipated double-digit growth by year-end.
Tan viewed the channels as reaching out to different target groups. Agency was the preferred channel for those who preferred a face-to-face and personalised service, she said, adding that these people were usually from the middle- to high-income bracket.
Bancassurance customers were typically those who preferred having their financial needs catered for under one roof, she said, adding that this group would generally be the lower- to middle-income earners who favoured affordable products with the same level of coverage as those offered by the agents.
Meanwhile, Uni.Asia Life Assurance Bhd CEO Ooi Say Teng said the company’s bancassurance business registered a growth of 69% while agency grew by 45% for the financial year ended March 31.
He said the strong business relationship with bank partners and the ability to understand and work based on the banks’ specific needs also contributed to the growth of bancassurance.
He added that the company saw bancassurance and agency growing side by side in terms of RP new business, noting that their existence complemented rather than competed with each other.
The current low penetration rate of 41% had created the avenue for effective use of multiple distribution channels which many life insurers had decided to get into, he said.
fr:biz.thestar.com.my/news/story.asp?file=/2010/10/15/business/7202901&sec=business
Protecting your personal data
At long last, we now have a venue to bring up grouses about our personal data being given away without our knowledge – the Personal Data Protection Department, which was officially launched on Thursday.
ISSUES related to Personal Data Protection have been dabbled with for a long time in this part of the world. The Personal Data Protection Act 2010 (PDPA) is one of the cyber legislations aimed at regulating the processing of personal data in commercial transactions.
The Act was passed by Parliament in May 2010 and the Personal Data Protection Department was created a year later. At a cyber seminar in November 2001, I raised the importance of Malaysia creating an Act to protect the personal data of an individual.
Awareness had risen not only because of rapid commercial development involving violations of personal data such as credit status of individuals, but also invasion through the means of communication tools being detected and questioned.
During the seminar, I spoke on the rights and liabilities pertaining to information; protection of information from unlawful use; the right to information; the status of information belonging to individuals and the overall issues pertaining to the future of online trade and commerce using other people’s data.
When you purchase an item online, your credit card data is online as well. Your banking activities precipitate the storage, retrieval as well as the movement of your credit and debit records.
To some quarters, these are useful if not valuable information. Wrongly used, your very own data could be the meat for a sly move or the subject matter of fraud.
Whichever way you look at it, modern life has involved us in a multi-faceted approach towards preserving our rights in respect of personal data.
Now, 11 years later, we are dealing with personal data again with the opening of the department (on Thursday) and a seminar on its legislation. In this context, our Government’s efforts to recognise individual interests through efforts to protect personal data should be given due recognition.
While the PDPA functions in the commercial environment, abuse of telephony communication networks or other channels through violations of personal data are also closely associated with the Communications and Multimedia Act (CMA) 1998.
For example, a person who intentionally infiltrates and gets without permission any information, including data through telephony or other means of communications under S.234 of the CMA, can be jailed up to one year or fined up to RM50,000 or both, if convicted.
The words “intercepts, attempts to intercept or procures through any other person, any communications” have very broad implications and applications to the extent of involving the personal data of an individual.
On the other hand, the CMA is complementary to the PDPA and the expedient should be used in the best interest of the people in terms of integrity and security of personal data of an individual. The promulgation of the personal data protection legislation was also mentioned in the CMA to “ensure information security, and network strength and reliability”.
Defining personal data
To ordinary citizens, a common question is: What is actually personal data? Under Section 4 of the PDPA, personal data means any information concerning commercial transactions stored or recorded and which can be managed automatically or as a file system.
It does not matter whether the information is being processed, stored automatically or filed by any party. But it will only be an offence if the information data is used in the commercial environment.
The next question is: If certain personal data are not involved in any commercial transaction, does the question of offence or abuse arise? This seems to be the implications and applications of the new law. Hence, the commercial environment should be involved before a criminal offence is recognised under the PDPA.
Generally, personal data has a very wide scope, covering sensitive and personal information such as blood type, health records and descriptions, political and religious beliefs, mental or physical conditions, or any other data needed by the authority from time to time.
Normal personal data also involves details on bank accounts, credit cards, telecommunication links like telephone or any other information stipulated by the minister under the PDPA from time to time.
The lists of personal data under the PDPA could also be expanded by the authority based on the demands of the living environment. However, details or information of one’s credit ratings are put under the Credit Rating Agency Act 2010 and so are not covered by the PDPA. It is clear that while the register or lists of personal data could be added according to the needs and interests of the consumers in the commercial environment in the future, the public need to know their rights under the new law.
It should also be stressed that the PDPA comprises seven key principles that must be adhered to under S.5(1) to protect the integrity of personal data. They are:
> A user is not allowed to process the personal data of another user without permission. The process here simply means data handling through an automated or computerised system or method or any other process;
> The user must comply with the Principle of Notice and Choice in which the information and purpose of the preliminary communication are conveyed to the data subject;
> The Principle of Disclosure spells out the need to disclose the use of personal data;
> The Principle of Security states that when processing personal data of any subject, precautionary measures must be taken so that the data is safe, and not tampered with, abused, missing or given to irrelevant parties;
> The Principle of Storing specifies that any personal data shall not be kept in a processing system longer than needed;
> The Principles of Data Integrity: all personal data must be accurate, complete, non-confusing and up-to-date in line with the purpose of storing and processing; and
> The Principle of Access: a user must be given access to his/her own personal data, which is kept by another user, and to be allowed to update the data.
With these principles in place, users and e-commerce practitioners will be more confident that their personal information is well protected. In the meantime, a practical and reasonable code of practice can be formulated by private effort or on the initiatives of the Personal Data Commissioner.
Scope of the Act
Under the law, the Federal and State Governments are exempted from the PDPA application. This is to give the space and the right for the Government to use one’s basic personal data to be processed for legal administrative purposes.
The law will also speed up the development of electronic connection and transactions like e-commerce and e-business. It can be concluded that the existence of the law will, among others, help Malaysia to become a communication and electronic trade centre; an attractive location for investment in multimedia and communications industry; and an international trade partner which is able to offer personal data protection assurance according to international standards.
More than 100 countries have or are in the process of introducing personal data protection legislation as the borderless transaction environment entails a free flow of information through electronic networks worldwide to cater to the needs to comply with international standards.
The activities and scopes of the Personal Data Protection Act, among others, cover the Registration of Personal Data Users; Creation of the Consumer Data Forum; Creation of the Personal Data Practice Code; Appointment, Functions and Powers of Personal Data Protection Commissioner, including Financial Provisions; Creation of the Personal Data Protection Provident Fund; Creation of the Personal Data Protection Advisory Committee; Creation of the Appeal Tribunal; Inspection Procedures, Complaints and Investigation; and Enforcement.
Personal data processed by an individual for the purpose of personal, family or household affairs, including for recreational purposes, are excluded from the provisions of this Act.
The security, integrity and protection of personal data are a fundamental factor to shift the country from a manufacturing-based economy to high-value knowledge economy through the support of ICT infrastructure. The rise of electronic-based transactions has assailed the status of personal data which previously did not have a high commercial value.
This Act, of course, is able to strengthen personal data protection as a social obligation. This is important in order to protect the privacy of an individual, apart from the objective of producing dignified, integral and responsible traders in daily practices hinged on widespread use of e-commerce characteristics.
The importance of decisiveness and efficiency in all matters pertaining to enforcement must be stressed. May the Personal Data Protection Commissioner implement this principle in an effort to produce a resilient society for the benefit of future generations.
> Datuk Seri Dr Rais Yatim, who is Information, Communication and Culture Minister, officially opened the new Personal Data Protection Department in Kuala Lumpur on Thursday.
fr:thestar.com.my/news/story.asp?file=/2012/2/12/nation/10716006&sec=nation
Much to do to keep data private
While the Government gets set to enforce the Personal Data Protection Act, all involved should comply with the provisions of the Act now instead of adopting a ‘wait and see’ attitude.
SINGAPORE recently had the first reading of its Personal Data Protection Act in Parliament. Many in the republic were buoyed by the development, confident that the passing of the bill “should be just around the corner”.
Surprisingly, Singapore lags behind Malaysia in this matter; Malaysia is the first country in the South-East Asian region to draft such a bill way back in 2000. Our Personal Data Protection Act (PDPA) was gazetted in 2010 after gestating through several public consultations and revisions.
Long overdue
However, now that the “sunrise period” (before the law takes effect for the Information, Communications and Culture Ministry to train personnel and put procedures in place) is fast fading, many are asking when our law will be enforced. Especially since it appears that the Ministry has just missed the “deadline”.
In February, Information, Communications and Culture Minister Datuk Seri Dr Rais Yatim had announced that the Act would be enforced by the middle of this year.
We are now in the second half of the year and there has been no news of the impending implementation of the PDPA. When contacted, all that ministry sources would say is that enforcement details would be announced as early as next month.
Universiti Malaya’s data protection law expert Prof Abu Bakar Munir says it is imperative that the Act is enforced soon as all our personal information is fast flowing out there, making its security a big concern.
“With petabytes of data transferred and stored on a daily basis, personal data is the new oil of the Internet and the new currency of the digital world. That is why people are concerned about privacy, especially when they transact online,” he said at a recent media forum on the PDPA’s enforcement hosted by security firm Symantec.
Due to the growth of the social media network and mobile devices, users around the world send around 47 billion (non-spam) email and 95 million tweets daily. Each month, users share about 30 billion pieces of contents on Facebook.
Crucially, he stresses, people need an avenue to seek redress for violations of their personal data and privacy.
Although it has been highlighted numerous times, the selling and buying of data is still very rampant in Malaysia. Advertisements and email spam publicising the sale of email and phone lists are still widespread while many people are still being targeted through telemarketing calls and unsolicited messages or email.
Underlining the urgency for the enforcement of the PDPA, Symantec Malaysia systems engineering director Nigel Tan highlights that on average 1.1 million identities were exposed per breach globally in 2011.
The Symantec Internet Security Threat Report for the year showed that an approximate total of 232 million identities were exposed globally.
Tan also cites a survey they conducted with Ponemon Institute, a leading research centre dedicated to privacy, data protection and information security policy, in 2010, which showed that 88% of companies in the United States experienced data loss. The average cost of a breach is US$7.2mil (RM22mil).
Serious threat
Although the research was only conducted in the US, it should be treated as a warning to other countries as data breach is a threat everywhere in the world.
Subhendu Sahu, Symantec’s director for Government and Public Sector (Asia South Region), concurs with Tan on the growing need for personal data protection.
The threat landscape is evolving rapidly, he argues.
“For one, hackers have moved from pure hacktivism to causing real damage to national infrastructure, so it has become extremely important for government and companies that deal with nationally important data to have significantly stronger security safeguards.”
However, when it comes to the enforcement of the PDPA, timing is not important, he says.
“What is more important is that data protection is viewed as a serious issue.”
Having a policy is the first important step. Around 50% to 60% of all countries are in some stage of implementing data privacy legislation and framework, he notes.
In the region, Malaysia is the closest to fully implementing some semblance of legislation on personal data protection.
Admittedly, data protection is viewed as a serious issue in Malaysia.
Under the Act, personal data breach is a crime; it is categorised under 13 criminal offences with penalties ranging from a maximum jail term of one year, a RM200,000 fine or both, to a maximum jail term of three years, a RM500,000 fine or both.
Prof Abu Bakar reveals that the decision to treat the offence for non-compliance to the act as criminal instead of civil was made based on the “local context”.
“For the Act to be able to be enforced effectively, taking into account the track record of the country, the penalties had to be criminal.
“In this part of the world, without criminal penalties, it will be difficult to enforce the PDPA,” he says.
Some of the offences detailed in the Act are processing of personal data after consent has been withdrawn, selling and offering to sell personal data and abetment to commit any of the offences.
However, for the Act to be enforced, the government would have to establish a Personal Data Protection Commission and appoint a commissioner.
A Personal Data Protection Department has been set up, and while it is taking on the responsibility of processing all matters concerning data protection in the country, including dealing with public grouses, its scope of powers is unclear.
The PDPA states for the enforcement mechanisms and power to be granted to the commissioner, Prof Abu Bakar points out, which includes the right to enter premises and seize equipment without a warrant for the purposes of investigation into offences, the power to arrest and recommend for prosecution.
Conceding that time is needed to ensure that the selection of the Commissioner and the finalisation of the rules and regulations of the Act are done properly, Prof Abu Bakar moots one solution, which is to “upgrade” the existing department into a commission.
He nonetheless stresses that while the onus is on the Government to get the PDPA ball rolling, it is also crucial that companies comply with the Act now instead of adopting a “wait and see” attitude.
“Once the enforcement date is announced, companies will only have three months to comply with the Act and that is too short a time.”
This includes implementing policies and supporting processes as well as revamping systems and applications to meet the requirements of the Act.
Among the main things that companies will have to do when the Act is enforced is to register with the commission to get the “licence” to collect and process data. Another is to get the consent of the “owners” of the personal information they have amassed.
This will no doubt cause a headache for organisations like financial services and telecommunication companies, which have collected and maintained a high volume of customers’ personal data.
Privacy policy
While he proposes that companies find a manageable method to attain customers’ consent, Prof Abu Bakar is advising organisations to review their privacy policy as soon as possible.
There are still several organisations including big corporations that do not even have a privacy policy, he says.
“Some state that they have a privacy policy when they actually do not. Some companies have a privacy policy that is actually a terms and conditions policy, while others embed their privacy policy in the terms and conditions section when it should be a separate document altogether.”
The review of the privacy policy needs to be accompanied by a change in mindset and practice of employees in processing and managing of the personal information, he adds.
“Some organisations collect data too early online or have privacy policies which are too brief or not prominently located.”
Tan echoes Abu Bakar’s observation of companies’ lack of readiness in complying with the PDPA upon its enforcement.
“Based on my personal observations, I would put the percentage of companies doing so at less than 50%,” he says, noting that those that already are, have been working on compliance as early as two years ago when the Act was first gazetted.
Subhendu advises companies to constantly review their security policies, bring in external experts to vet internal processes, and set incident response and recovery practices.
Ultimately, Malaysia needs to take the next step of enforcing the PDPA soon, as digital technology has grown beyond expectations.
Subhendu makes a case in point: countries with more mature data protection and privacy legislation are reviewing their own laws to address new “problems” created by new digital developments.
One is the “right to be forgotten” law that is being deliberated in the European Commission that would allow people to demand their personal data, which organisations hold on them, be deleted as long as there is no legitimate ground for such organisations to hold such data.
“The inclusion of the ‘right to be forgotten’ is reflective of the rapid rise of social media. The speed and expansion of digital technology has gone beyond what legal frameworks had originally foreseen,” says Subhendu.
At the end of the day, however, it is all about respect and common sense, Prof Abu Bakar opines, anchoring the massive task at hand into perspective.
“Data protection is not rocket science. But there is a lot to do and time is running out.”
fr:thestar.com.my/news/story.asp?file=/2012/9/30/nation/12105336&sec=nation
Woes mount as data protection enforcement sits idle
Have you gone a day without receiving irritating phone calls, SMS or email messages offering personal loans, free medical check-up or new credit cards?
If your answer is “No”, you are not alone; thousands of Malaysians are bombarded with such messages daily.
If you have received many unsolicited sales calls and messages daily, then it is also likely that your data has been collected and sold to a third party without your consent.
A check of the classified sections of a few dailies by Sunday Star showed that there are still individuals and organisations who are offering databases of personal information for sale despite the public uproar they have caused in the past.
According to the National Consumer Complaints Centre (NCCC), which has received complaints from many consumers inundated with unsolicited calls and SMSes coaxing them to buy a service or goods, the main reason for this abuse is that Malaysia has yet to enforce the Personal Data Protection Act (PDPA) although it was gazetted into law in June 2010.
“The law needs to be enforced as many unscrupulous people are taking advantage of this situation to use people’s personal data for transactions without their knowledge,” said NCCC senior manager Matheevani Marathandan.
Under the PDPA, it is a crime for companies to use an individual’s personal data for commercial transactions without his or her consent.
It also prohibits the selling and buying of personal data.
The offence carries a maximum fine of RM500,000, a three-year jail term or both.
Prof Abu Bakar Munir, a professor of law at Universiti Malaya who was also involved in the drafting of the PDPA, said it is urgent that the Act be implemented soon.
“Personal data is the new currency of the digital world, so people are concerned about their privacy,” said Prof Abu Bakar, who was one of the speakers at a recent media forum on the PDPA’s enforcement hosted by security firm Symantec.
Campaign Against Spam SMS spokesman Lim Chong Wei said the PDPA should have been enforced earlier.
“The problem is that there is too little enforcement,” he said, adding that the lack of enforcement has kept SMS spam high on the list of complaints to the Malaysian Communications and Multimedia Commission in the last few years.
fr:thestar.com.my/news/story.asp?file=/2012/9/30/nation/12105032&sec=nation