By Bryan Boo
With the advent of technological advancements such as the Internet of Things and 5G connectivity, there is no doubt that the world is shifting towards digitising and automating our lives as we know them. However, while these technologies make our lives easier on the one hand, they leave us vulnerable in many other ways. As such, cybersecurity is a commonly discussed topic today.
Many applications and services today require users to fill in an application form providing their personal details. Some airports require guests to register their personal details before being granted access to the internet. However, this information may be misused if it falls into the wrong hands. This is even more worrying given news of companies and corporations experiencing data breaches.
Section 5 of the Personal Data Protection Act 2010 (PDPA) sets out principles that a data user must comply with. A data user is someone who processes, has control over or authorises the processing of any personal data.
5. (1) The processing of personal data by a data user shall be in compliance with the following Personal Data Protection Principles, namely—
(a) the General Principle;
(b) the Notice and Choice Principle;
(c) the Disclosure Principle;
(d) the Security Principle;
(e) the Retention Principle;
(f) the Data Integrity Principle; and
(g) the Access Principle
(a) the General Principle;
Provides that, unless one of the exceptions under Section 6(2) PDPA applies, a data user shall not process personal data about a data subject (the person who is the subject of the personal data) without the consent of the data subject.
(b) the Notice and Choice Principle;
Provides that data users must inform data subjects in writing of the type of data being collected, the purpose for which the data is being collected, its sources and the right to request access and correction, among other things.
(c) the Disclosure Principle;
Provides that no personal data shall be disclosed for any purpose other than that for which the data was disclosed at the time of collection, or to any person other than that notified to the data user, except with the consent of the data subject.
(d) the Security Principle;
A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
(e) the Retention Principle;
Personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose, and it shall be the duty of a data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.
(f) the Data Integrity Principle;
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose
(g) the Access Principle
A data subject shall be given access to his personal data held by a data user and be able to correct that personal data where it is inaccurate, incomplete, misleading or not up-to-date, unless this is disallowed under the PDPA.
A data user who contravenes Section 5 of the PDPA shall, on conviction, be liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both, unless the personal data falls under the exception of Section 45 or Section 46 PDPA.
Conclusion
While it might be tempting for companies and businesses to obtain and retain information about their clients, customers or even strangers, particularly for the purposes of marketing and advertisement, it must be borne in mind that the PDPA places a burden on such a company or business in handling the personal data so collected. As such, great care must be taken to ensure that the company or business complies with the PDPA in the handling, processing and/or retention of personal data so collected.