Personal Data Protection Act - Employee Data Privacy
Personal Data Protection Act 2010: Employee Data Privacy
Labour Law Conference
9 – 10 April 2015
Adlin Abdul Majid
Content
• Introduction
• Issues & Implications
• Conclusion
Introduction
Written / Oral
PERSONAL DATA PROTECTION ACT 2010
Application
• Applies to any person who processes or has control over or authorises processing of personal data in respect of commercial transactions
• Applies if:
  • PERSON ESTABLISHED IN MALAYSIA: Personal data is processed, whether or not in context of that establishment, by that person or any other person employed or engaged by that establishment
  • PERSON NOT ESTABLISHED IN MALAYSIA: Uses equipment in Malaysia to process personal data (otherwise than for purpose of transit in Malaysia)
NOT applicable
• Federal & State Governments
• Personal data processed outside Malaysia, unless intended to be further processed in Malaysia
Complaints-based system
Application to employment relationships
Commercial transactions
• Any transaction of a commercial nature, whether contractual or not
• Includes matters relating to:
  • Supply or exchange of goods or services;
  • Agency;
  • Investments;
  • Financing;
  • Banking; &
  • Insurance
• Does not include a credit reporting business
Draft Guidelines on Management of Employee Data
7 Principles of data protection
• General Principle
• Security Principle
• Retention Principle
• Integrity Principle
• Notice & Choice Principle
• Disclosure Principle
• Access Principle
Parties:
• Data Subject: Employee
• Data User: Employer
• Data Processor / 3rd Party: Service providers
Issues & Implications
Notice
Access
Retention
Consent
What do you need consent for?
Consent?
• Non-sensitive personal data
• Disclosure of personal data to third parties
• Transfer of personal data overseas
• Sensitive personal data (explicit consent)
Exemptions to consent
(a) For the performance of a contract to which the data subject is a party
    Example: Existing bank customers
(b) For the taking of steps at the request of the data subject with a view to entering into a contract
    Example: Before the sale & purchase of a car, the information requested by the salesman in order to execute the contract
(c) For compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract
    Example: When an organisation is under a duty pursuant to e.g. tax laws, to provide information of its employees to authorities
(d) In order to protect the vital interests of the data subject
    Example: In a situation where a person is unconscious & needs medical treatment to save his life
(e) For the administration of justice
    Example: For the enforcement of a court order
(f) For the exercise of any functions conferred on any person by or under any law
    Example: If an organisation is tasked to perform a service by a law
Sensitive personal data may only be processed if…
• Explicit consent given by data subject
• Processing is necessary
• Personal data has been made public
Example of explicit consent
Consent: What does it entail?
PDPA Regulations / Draft Guidelines on Consent
• Key test: Ability to demonstrate that consent exists / given
• Data subject must be fully aware of & understand consent
• Consent understood to have been given when individuals DO NOT OBJECT or volunteer personal data after purposes clearly explained
Notice & choice
• Data user shall provide a WRITTEN NOTICE to the data subject. To include:
  • That personal data of the data subject is being processed by or on behalf of the data user
  • Description of the personal data
  • Purpose for which it is collected & further processed
  • Class of 3rd parties to whom data user discloses / may disclose the personal data
  • Whether it is obligatory for the data subject to provide the personal data
• Must be given as soon as practicable
• In national language & English
• Must be able to keep a record of service of notice
Channels of serving notices to employees
• Emails
• Employment forms
• Employment contracts
• Salary slips
Right to access personal data
• Full disclosure
• Partial disclosure
• Refuse to disclose
Must respond within 21 days
When can you refuse to disclose / partially disclose?
• No sufficient information on identity of requestor / data subject
• No sufficient information to locate personal data
• Burden or expense of providing access
• Would disclose information of another individual
• Another data user controls personal data
• Violation of court order
• Would disclose confidential commercial information
• Access is regulated by another law
Retention of employee records
s10 PDPA / Employment Draft Guidelines
• Must destroy personal data once purpose of processing has lapsed
• Be aware of obligations imposed by law, such as s61 of Employment Act 1955
• Fresh consent needed for future uses
• Should minimise cost by deleting / anonymising when no longer necessary
Retention of former employees’ data
HK Guidance
• Necessary for legal / contractual / statutory obligation
• Directly related to managing the relationship between employer & former employee
• Need to defend organisation in civil or criminal suit
• Consented to by former employee
• Needed for job references / reapplication
Conclusion
PRE-EMPLOYMENT
• Receipt of CVs
BEGINNING OF EMPLOYMENT
• Requests for personal data: Non-sensitive personal data / sensitive personal data
DURING EMPLOYMENT
• Further requests for personal data
• Security / Access / Integrity / Disclosure
END OF EMPLOYMENT
• Retention
Thank you