In protecting privacy, data protection laws aim to regulate the practices of information management to minimise the risks to the elements of privacy.
For the first time, Malaysia has privacy-specific legislation: the Personal Data Protection Act (PDPA) 2010 [Act 709]. The PDPA was passed and gazetted about 2 years ago. As of today, the status of the PDPA is “Not Yet in Force”.
The Personal Data Protection Act 2010 aims at regulating the processing of personal data in commercial transactions. The proper implementation of the legislative scheme and its compliance by the business sector will move Malaysia a long way towards meeting the data protection requirements imposed by major trading partners around the world.
At present, apart from this legislation and certain sectoral secrecy obligations, information of a personal nature is protected only as confidential information through contractual obligations or the common law. Before the enactment of the PDPA, Malaysia did not have a comprehensive law that protected personal data. However, there are some rules and regulations specifically governing the multimedia industry and internet banking, which were provided in the General Consumer Code (GSC) and the Minimum Guidelines on the Provisions of Internet Banking Services by Licensed Banking Institutions (Minimum Guidelines).
The Minimum Guidelines have recently been replaced by the Guidelines on the Provision of Electronic Banking (E-Banking) Services by Financial Institutions (E-Banking Guidelines). More general guidance on data management is found in the Guidelines on Data Management and Management Information System (MIS) Framework, all of which were issued by Bank Negara Malaysia (the Central Bank).
Before going into details, one needs to know the highlights, or the basics, of the Act [Personal Data Protection Act 2010 (Act 709)]. The PDPA applies only to personal data processed in Malaysia. The Federal and State governments are excluded from complying with the Act. The PDPA does not apply to, among others, any non-commercial transaction; any data processed outside Malaysia; or any personal, family or household affairs. The Act protects ‘personal data’. In order to qualify as personal data, the data must relate, either directly or indirectly, to a data subject who can be identified from the data.
The data must also be capable of being recorded and capable of automatic or manual processing. ‘Sensitive personal data’, which requires the explicit consent of the data subject, includes medical history and political opinions. The PDPA specifies that no personal data may be transferred outside Malaysia unless the destination has been specified by the Minister. Notwithstanding this, such a transfer may take place if, among other grounds, the data subject has given consent or the transfer is necessary to protect the data subject's vital interests. As for fines and sanctions, the penalties for breaching the PDPA include a fine not exceeding two hundred and fifty thousand ringgit and/or a term of imprisonment not exceeding two years.
1. The Star Online, “Parliament: Personal Data Protection Bill passed”, Monday, April 5, 2010; see http://thestar.com.my/news/story.asp?file=/2010/4/5nation/20100405210518&sec=nation
2. Abu Bakar Munir and Siti Hajar Mohd Yasin, ‘Personal Data Protection in Malaysia: Law and Practices’, p. 237
3. Personal Data Protection Act 2010 (Act 709)
4. Professor Abu Bakar Munir, ‘The Malaysian Personal Data Protection Act: What it means to Data Users’