
Statistics obtained from the Ministry of Energy, Communications and Multimedia web site (www.ktkm.gov.my) forecast that the market value of e-commerce in Malaysia will reach more than $1 billion by 2002. While this is welcome news, it is also accompanied by the worry that in the increasingly global e-commerce marketplace, data collected from consumers cannot be adequately protected under the existing legal framework.

To address this issue, Malaysia has introduced the Personal Data Protection Bill 2000. The bill seeks to establish a set of common rules and guidelines for the handling and treatment of personal data by regulating the collection, possession, processing, use and protection of data belonging to any person or organization. It is hoped that the provision of adequate security in the handling of personal information will create confidence among consumers and provide for a secure electronic environment. This is in line with the objectives of Malaysia's Multimedia Super Corridor, to establish a productive community within which a multimedia chain of goods and services can be produced and delivered across the world.

If passed, the bill will have an impact on organizations (data users) which collect, hold and process data from individuals (data subjects) as part of their operational activities. The bill requires compliance with a set of nine privacy principles which address:

  • the manner of collection of personal data;

  • the purposes of collection of personal data;

  • the use of personal data;

  • the disclosure of personal data;

  • the accuracy of personal data;

  • the duration of retention of personal data;

  • access to and correction of personal data;

  • the security of personal data; and

  • the information that is to be generally available.

Fair and Lawful Collection

Under the proposed law, personal data must be collected in a fair and lawful manner. In addition, the data collected must be limited to data that is directly related to and necessary for a data user's activity or business.

A data subject should be made aware at the time of collection of the purpose for which the data is to be used, the types of organizations to which the data may be disclosed and whether it is obligatory to provide such data. In addition, he/she should be provided with contact details of the data user to enable him/her to gain access to the collected data. Other rights accorded to data subjects include the right to have any errors in the personal data corrected and the right to prevent the collection of data that is likely to cause damage or distress.

Trans-border data flows are prohibited under the bill unless the country into which the data is to be transferred provides an equivalent data protection regime. If there is no similar protection, the transfer of data is allowed only if the data subject consents.

Commissioner of Data Protection

The bill provides for the appointment of a commissioner of data protection who will ensure legislative compliance by the data user, the data subject and the public. A data subject will have the right to lodge a complaint with the commissioner against any data user who commits an offence under the provisions of the bill. A further right of appeal lies with the Personal Data Protection Tribunal, which aims to promote transparency and provide a fast and economic avenue of appeal.

Data User Forum

A data user forum will also be established, whose members will comprise data users and other relevant members of the industry. The forum will be responsible for developing codes of practice regarding issues related to the bill. The purpose of this forum is to encourage data users to adhere to a policy of self-regulation, and to ensure that the views of the industry and consumers are taken into account throughout the bill's implementation.


Certain circumstances are specifically exempt from the bill. These include exemptions for:

  • personal data held for domestic and recreational purposes;

  • certain employment-related personal data; and

  • access, use and disclosure requirements where their application is likely to prejudice competing public or social interests (eg, national security, defence and international relations, and the prevention or detection of crime).


The introduction of the proposed bill is a step in the right direction for Malaysia to participate meaningfully in the international digital economy.

There is hesitation on the part of both the business community and consumers to participate actively in the e-commerce environment. This is largely due to a feeling of general mistrust about the security aspects of data collection and protection. The proposed bill will serve to reassure sceptics and provide an incentive for them to take the leap into the brave new economy. It is also hoped that by providing international standards of personal data protection, Malaysia's desire to emerge as a leading investment centre for the IT industry can be further advanced.

For further information on this topic please contact Haslyna Hashim at Zaid Ibrahim & Co by telephone (+603 257 9999) or by fax (+603 254 4888).
