The Personal Data Protection Bill 2009 (PDP) was tabled in Parliament for first reading in November 2009. The bill was first introduced almost ten years ago and, despite the pressing urgency for such legislation in an age where statistics from the USA estimate that 1 in 4 Americans was a victim of identity theft, was only passed on 2 June 2010. Rather more disappointing is that the commencement date for the operation of the Act or sections thereof has yet to be determined.
The PDP is stated to be an Act to regulate the processing of personal data in commercial transactions.
At the outset, it is important to note that the PDP expressly excludes the Federal Government and State Governments and data processed exclusively outside Malaysia from the application of the Act.
Set out below are the key features of the PDP. This summary is not exhaustive as to the entire ambit of the PDP and reference to the PDP is advised for the full text of provisions.
Commercial Transactions means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010;
Data processor, in relation to personal data, means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user and does not process the personal data for any of his own purposes;
Data subject means an individual who is the subject of the personal data;
Disclose is, in relation to personal data, defined as an act by which such personal data is made available by a data user;
Personal data is defined as any information in respect of commercial transactions which is processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; is recorded with the intention that it should wholly or partly be processed by means of such equipment; or is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, and that relates directly or indirectly to a data subject, who is identified or identifiable from that and other information in the possession of the data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010;
Processing, in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including organization, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, transfer, dissemination or otherwise making the same available, or the alignment, combination, correction, erasure or destruction of personal data; and
Sensitive personal data means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, religious or other similar beliefs, the commission or alleged commission by him of any offence or any personal data as gazetted by the Minister.