Half day public-seminar_on_pdpa_2010_-_250711
HALF-DAY PUBLIC SEMINAR ON MALAYSIAN PERSONAL DATA PROTECTION ACT (PDPA) 2010
25 July 2011, Monday, 9.30 am – 12 pm, Legal Training Room, Menara SSM @ Sentral
By Noriswadi Ismail
Quotient Consulting
7/23/2011 (c) 2011 Quotient Consulting, Information Is Invaluable
Vignette 1
Harimau Malaya, Malaysian, holds a Malaysian ID, passport, driving license, 3 Malaysian bank accounts, 2 mobile accounts and 5 loyalty membership cards. His details are also registered in 2 private clinics, 1 government hospital and 2 insurance companies. He has 1 bank account in London and Hong Kong respectively. He travels frequently for business and golfing. He is a director of 3 companies in Malaysia, London and Hong Kong. He is also an avid golfer and a member of 3 golf clubs (Malaysia, Indonesia and Scotland).
Executive Summary
Q: What is PDPA 2010?
Q: Why do we need to comply with PDPA 2010?
Q: What are the 7 data protection principles?
Q: Will PDPA 2010 kill my business operations?
Q: To what extent does PDPA 2010 affect your business operations?
Q: We are a start-up and a semi medium sized company, how should we strategise?
Q: When should we start?
Q: Is there any additional compliance cost for this purpose?
Q: How about formality and enforcement?
Q: What’s next and the must-to-do list?
Q: How to ensure such data protection & privacy management is sustainable?
What is PDPA 2010?
::: An Informational privacy legislation
::: 10 Parts (Preliminary; Personal Data Protection Principles; Registration; Data User Forum and Code of Practice; Rights of Data Subject; Exemption; Personal Data Protection Fund; Personal Data Protection Advisory Committee; Appeal Tribunal; Inspection, Complaint and Investigation; Enforcement; Miscellaneous; Savings and Transitional Provisions)
::: 146 Sections
::: Jurisdiction: Malaysia
What is PDPA 2010?
::: Received Royal Assent on 2 June 2010, and gazetted a week later
::: Compliance commences: 3 months from the date of enforcement
::: Application: To commercial transactions only, not applicable to Federal and State Governments
::: Cross reference to: Electronic Commerce Act 2006’s definition of commercial transactions: “…any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking, insurance, but does not include a credit reporting business carried out by a credit reporting agency…”
What is PDPA 2010?
Regulator*
• Oversees and enforces the Laws
• Fund: Personal Data Protection Fund
Data Processor
• An authorised person who processes data on behalf of the data user
Data User
• A person / legal person who controls / authorises the processing of data
Data Subject
• Individual who is the subject of the personal data
What is PDPA 2010?
*Regulator
• Minister
• Data Protection Commissioner
• Personal Data Protection Advisory Committee
• Data User Forum
• Appeal Tribunal
What is PDPA 2010?
Question: What about Government Linked Companies (GLCs)?
Question: What about Government to Government’s engagements?
What is PDPA 2010?
Question: What about transactions between government and non-governments?
Question: What about transborder data flow?
Why do we need to comply with PDPA 2010?
Recognition of privacy (informational) as one of the fundamental human rights
Protection of invaluable data that is sensitive, that is already being commoditised, or that has vast potential to be commoditised
What are the 7 data protection principles?
P1: General Principle – Consent, Lawful Purpose, Necessary, Adequate and Not Excessive (Sections 6(1) – (3))
P2: Notice and Choice Principle (Section 7(1))
P3: Disclosure Principle (Section 8, cross reference to Section 39)
P4: Security Principle (Section 9(1) & (2))
P5: Retention Principle (Section 10)
P6: Data Integrity Principle (Section 11)
P7: Access Principle (Section 12)
Will PDPA 2010 kill my business operations?
::: Yes, if your business operations are inconsistent and non-compliant with the PDPA 2010’s 7 data protection principles;
::: Yes, if your business operations do not have the necessary framework, control, management and monitoring of the 7 data protection principles’ requirements;
::: No, as PDPA 2010 enhances trust, value and reputation of your business; and
::: No, as PDPA 2010 seeks to safeguard all of your data
To what extent does PDPA 2010 affect your business operations?
::: Corporate Office (HR, Legal, Finance, Audit & Administration)
::: Marketing & Business Development
::: Business Partners & Contractors
::: Local & International engagements
To what extent does PDPA 2010 affect your business operations?
::: Categorisation of data
::: Documentation (Forms, Agreements & Policies)
::: ICT deployment (Data security)
::: Human capital (skills & trainings)
We are a start-up and a semi medium sized company, how should we strategise?
::: Partial Outsourcing Route
::: Controls & Systems Planning & Execution
::: Back-to-Back Arrangement & Execution
::: Adequacy Route & Execution
We are a start-up and a semi medium sized company, how should we strategise?
Limitations:
::: Resources & Skills
::: Cost
::: Culture & Awareness
When should we start?
Assumption 1: If the date of enforcement is within Quarter 2 of 2012, it’s recommended to start the planning & execution by Quarter 4 of 2011 – Quarter 1 of 2012
Assumption 2: If the date of enforcement is within Quarter 1 of 2012, it’s recommended to start the planning & execution NOW
Key Assumption: The proposed Malaysian Data Protection Commissioner will be established in Quarter 1 of 2012
Vignette 2
Keranamu is a Government Consultant who advises on strategic acquisition of certain stakes in Company 76, a public listed company, incorporated in Hong Kong. The proposed acquisition is channeled through a leading Government Investment arm. Company 76 appoints a European-based consultant to act on their behalf in the negotiations.
Is there any additional compliance cost for this purpose?
::: Yes, subject to the budget, resource planning & business plans
::: No, if it has been anticipated
How about formality and enforcement?
::: Registration of Data User – Certificate (Renewal, Revocation & Surrender)
::: Notification & Access Request
::: Inspection of Personal Data System
::: Enforcement Notice
::: Variation or cancellation of Enforcement Notice
::: Report, complaint and investigation by Commissioner
::: Power of investigation, search & seizure with warrant
::: Power of arrest
::: Prosecution
How about formality and enforcement?
::: Register
::: Transfer of personal data to places outside Malaysia
::: Unlawful collecting of personal data
::: Abetment and attempt punishable as offences
::: Compounding of offences
::: Offences by body corporate
::: Jurisdiction: Sessions Court
::: Protection of Informers
::: Protection against suit and legal proceedings
Vignette 3
Truly Asia Travels & Tours has been appointed by some governmental agencies and private companies as their exclusive travel agent. The terms of reference include managing such flight, hotel, travel itinerary and related bookings. The amount of data processing of data subjects, transfers and sharing are done globally.
What’s next and the to-do-list?
::: Strategic planning
::: Resource planning
::: Dissemination planning
What’s next and the to-do-list? ::: Strategic planning
Board Leadership: DPP as part and parcel of organisation/company’s Key Performance Indicators (KPIs)
Senior Management: Driving DPP across the whole spectrum of organisation/company
Managers & Working Team: Overseeing & monitoring the required affected portfolios that intersect with PDPA 2010
What’s next and the to-do-list? ::: Resource Planning
Portfolio & Reporting creation/structure: Subject to the setting of the Corporate Office’s structure
Skills & knowledge enhancement: Training, Consultation & Certification
What’s next and the to-do-list? ::: Dissemination Planning
Data Protection & Privacy Campaign: Across the organisation / company
World’s Data Protection Day Event: 28th January (of the year)
How to ensure such data protection & privacy management is sustainable?
::: Monitored compliance, controls and execution
::: Trust
::: Culture
Vignette 4
Hospitals A1, A2 & A3 are government hospitals. These hospitals deal with patients who mostly consist of the public and engage with local and international consultants.
Vignette 5
Universities B1, B2 & B3 are public universities. These universities engage with local and international students, consultants, international academics and universities globally.
THANK YOU
QC™
London. Kuala Lumpur. Jakarta
Data Diagnosis | Privacy Impact Assessment | Data Protection & Privacy Strategy
Training | Data Protection & Privacy Certification | Public & Private Consultations