7 Principles of the personal data protection act 2 PDF

Title 7 Principles of the personal data protection act 2
Course Fundamentals Of Network Security
Institution Universiti Teknologi MARA

7 Principles of the Personal Data Protection Act 2010

1. General principle

A data user should not process the personal data of a data subject unless the data subject has agreed to the processing of his/her personal data. However, this principle does not apply if the processing of personal data is crucial for:

- Taking steps to enter into a contract at the request of the data subject
- The performance of a contract as a party
- Compliance with a legal obligation (with the condition in which the user data is the data subject), except for obligations that are governed by contract
- Protection of the essential interests of the data subject
- Administration of justice
- Exercising any function conferred by law

The personal data of a data subject can only be processed if:

- It is for a lawful reason relating to the data user's activity
- It is necessary and relevant for the related purpose
- The personal data is appropriate and not excessive in relation to the purpose

Sensitive personal data, which includes physical and mental health, political opinion and religious belief, can only be processed if:

- The data subject has a clear and obvious awareness of the personal data that will be processed
- The processing is necessary
- For hiring purposes
- To secure the crucial interests of the data subject where consent cannot be provided by the data subject or the data user cannot obtain consent from the data subject
- To secure the important interests of another person in cases where the data subject's consent is withheld without sound reason
- For medical purposes handled by a healthcare professional
- For legal proceedings
- To organize, practise and secure legal rights
- For administration of authority
- To carry out any activities under the law
- The personal data has been made public by the data subject

2. Notice principle

The notice given to the data subject should be written in both the Malay and English languages and cover:

- The description of the personal data
- The reason for processing the personal data
- The source of the personal data
- The data subject's right to access the personal data and to demand its correction
- Contact details of the data user for feedback, questions and complaints
- The group of third parties that can have access to the personal data
- The choices the data subject has to restrict the processing of his/her personal data
- Whether it is compulsory or voluntary for the data subject to provide his/her personal data

The notice needs to be given to the data subject when:

- The data subject is first required to give his/her personal data
- The data user first collects his/her personal data
- The data user first uses the personal data or discloses it to a third party

3. Disclosure principle

Personal data can only be disclosed with the permission of the data subject. Disclosure of the personal data should be limited to the class of third parties named in the notice, and the reason the personal data will be disclosed should be stated when the personal data is collected.

However, a data user may disclose personal data outside the categories stated above when:

- The data subject agrees to the disclosure of the personal data
- The disclosure is needed for the purpose of investigating, tracking or preventing a crime, or is permitted by law or court order
- The data user has trust and confidence that he/she has the right to disclose the personal data according to law
- The data user believes that the data subject agrees with the disclosure of personal data under certain conditions, or the disclosure is necessary for the public interest as set by the Minister

4. Security principle

A data user should take reasonable steps to secure personal data against any loss, misuse, modification, unauthorized or accidental access, alteration or destruction. If the personal data is processed by a third party on behalf of the data user, the data user should obtain a sufficient guarantee from the third-party service provider regarding the technical and organizational security applied in processing the personal data.

5. Retention principle

Personal data that has been processed should be kept for the duration that the data user sees as necessary. It is the responsibility of the data user to delete or destroy the personal data permanently if it is no longer relevant or not needed.

6. Data integrity principle

A data user shall take reasonable steps to ensure that the personal data it holds is accurate, complete, not misleading and kept up to date.

7. Access principle

A data subject has the right to access and correct his/her personal data held by the data user, unless compliance with the request is not allowed by PDPA 2010. Among the scenarios stated by PDPA 2010 for refusing to comply with a data access request are:

- The data user is not given sufficient information to recognize the identity of the requestor
- The data user is not given sufficient information to locate the personal data
- Disclosing the requestor's personal data would disclose the personal data of another person who can be identified from that information, unless permitted by the individual affected
- Giving access to an unauthorized person would violate a court order
- Giving access to an unauthorized person would expose confidential information, or
- Access to the personal data is bound by another law

Likewise, a data user can also refuse data correction and modification under the following circumstances:

- The data user is not given sufficient information to recognize the identity of the requestor
- The data user is not given sufficient information to identify in what respect the data is inaccurate, incomplete, misleading or not up to date
- The data user is not satisfied that the correction is accurate, complete, not misleading or up to date

The data user is given 21 days to fulfil a request for data access or data correction. This period can be extended by up to 14 days.

IMPORTANCE OF ACT 709

- Strengthen public trust and confidence: People feel more confident and believe that their personal data will be kept and not disclosed to other individuals, as fines of up to RM500,000 or 3 years' imprisonment will be imposed on irresponsible individuals who do not comply with the existing act.

- To prevent and reduce incidents of data breach: Individuals can use this act to protect their personal data in case a data breach happens and use it against the irresponsible individuals according to the court order, as other people cannot use or access others' personal data as they wish for their own interest and without the consent of the data subject.

- To improve the relevancy and governance of personal data: When an act is established, it must be a reliable source to be used and its validity cannot be denied. Therefore, the relevancy and management of personal data can be improved by the presence of this act in terms of complying with the 7 principles of PDPA 2010.

- To safeguard prudence and integrity in personal data: Personal data can be protected safely and carefully according to its honorableness, solidness and ethics by having such a law. No one can argue with such an established law as well....

