©The Star (Used by permission)
A freelance journalist from Penang was already coping with the pain from a haemorrhoids surgery when she had to endure another hurtful experience she discovered that her surgeon had taken photographs of her private parts without her consent when she was under.
When she confronted him, she was told that it was “normal procedure” and a common practice for “medical purposes”. Outraged that her privacy had been violated, she sued the doctor.
This is one of the many cases of personal data breaches and privacy violations in the country. Hence, the enforcement of the Personal Data Protection Act (PDPA) this New Year is much lauded. In fact, it is long awaited for some, over a decade long.
However, while pictures of one's private parts may constitute as personal data, the aggrieved patient would not be able to take action under the Act our PDPA only regulates commercial transactions. (The freelance journalist, however, won RM25,000 in damages in her civil court case.)
Here are some of the facts you need to know about the PDPA:
> What is the scope of the PDPA?
The Act regulates the processing of personal data in commercial transactions. The Act applies to any person who processes personal data for commercial transactions (data user). This includes those who control and authorise the processing of personal data for commercial transactions. If you have a list of customers with their contact details for your part–time cupcake–making enterprise, for example, you may be subjected to the Act.
> What is “personal data”?
Personal data is defined as information that relates directly to a person or consumer in a commercial transaction (data subject).
It is personal data if the information can identify the person and includes any expression of opinion about him or her. It includes: name, address, MyKad number, passport number, health record, e–mail address, photographs, images from CCTV recording, information in personal file, bank account details and credit card details.
> What are “commercial transactions”?
Commercial transactions mean any transaction of a commercial nature, regardless of whether it is contractual. This includes the collection of personal data of potential customers.
> What is “processing” of personal data?
Processing personal data is the act of collecting, recording, holding or storing personal data. The data can be stored offline or online, including in paper files, paper stacks, computer database, e–mail, instant messenger, USB sticks, external hard disks, Cloud computing system or other storage systems on the Internet.
> What are your rights as a data subject (a person whose data is processed)?
As a data subject, you have a right to seven protection principles under the PDPA.
General Principle: Any processing of your personal data requires your consent.
Notice and Choice Principle: Data users are required to notify you of the purpose for which your personal data is collected and about the right to request access and correction of your personal data.
Disclosure Principle: The data user is not allowed to disclose your personal data to any third party without your consent.
Security Principle: A data user needs to take practical steps to protect your personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
Retention Principle: Your personal data cannot be kept longer than is necessary to fulfil the original purpose it was obtained for by the data user.
Data Integrity Principle: A data user needs to take reasonable steps to ensure the accuracy and currency of your personal data in their “keep”.
Access Principle: You should be given access to your personal data and shall be able to make corrections where it is inaccurate or incomplete.
Source: JPDP and Dr Sonny Zulhuda, International Islamic University Malaysia.
> For enquiries or to lodge your personal data complaint, call 03–8911 5000/7901 or e–mail jpdp@kpkk.gov.my