Speech by Pn Adlin Abdul Majid, Advocate & Solicitor from Lee Hishamuddin, given in Labour Law Seminar held by Legal Plus Sdn. Bhd (www.legalplus.com.my) on Apr 9, 2015
3. Introduction
Written / Oral
PERSONAL DATA PROTECTION ACT 2010
Application
• Applies to any person who processes or has control over or authorises processing of personal data in respect of commercial transactions
• Applies if:
  • PERSON ESTABLISHED IN MALAYSIA: Personal data is processed, whether or not in context of that establishment, by that person or any other person employed or engaged by that establishment
  • PERSON NOT ESTABLISHED IN MALAYSIA: Uses equipment in Malaysia to process personal data (otherwise than for purpose of transit in Malaysia)
NOT applicable
• Federal & State Governments
• Personal data processed outside Malaysia, unless intended to be further processed in Malaysia
Complaints-based system
4. Application to employment relationships
Commercial transactions
• Any transaction of a commercial nature, whether contractual or not
• Includes matters relating to:
  • Supply or exchange of goods or services;
  • Agency;
  • Investments;
  • Financing;
  • Banking; &
  • Insurance
• Does not include a credit reporting business
Draft Guidelines on Management of Employee Data
5. 7 Principles of data protection
Parties
• Data Subject: Employee
• Data User: Employer
• Data Processor / 3rd Party: Service providers
Principles
• General Principle
• Security Principle
• Retention Principle
• Integrity Principle
• Notice & Choice Principle
• Disclosure Principle
• Access Principle
9. What do you need consent for?
Consent?
• Non-sensitive personal data
• Disclosure of personal data to third parties
• Transfer of personal data overseas
• Sensitive personal data (explicit consent)
10. Exemptions to consent
Exemptions, each with an example:
• (a) For the performance of a contract to which the data subject is a party
  Example: Existing bank customers
• (b) For the taking of steps at the request of the data subject with a view to entering into a contract
  Example: Before the sale & purchase of a car, the information requested by the salesman in order to execute the contract
• (c) For compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract
  Example: When an organisation is under a duty pursuant to e.g. tax laws, to provide information of its employees to authorities
• (d) In order to protect the vital interests of the data subject
  Example: In a situation where a person is unconscious & needs medical treatment to save his life
• (e) For the administration of justice
  Example: For the enforcement of a court order
• (f) For the exercise of any functions conferred on any person by or under any law
  Example: If an organisation is tasked to perform a service by a law
11. Sensitive personal data may only be processed if…
• Explicit consent given by data subject
• Processing is necessary
• Personal data has been made public
13. Consent: What does it entail?
PDPA Regulations
DRAFT GUIDELINES ON CONSENT
• Key test: Ability to demonstrate that consent exists / given
• Data subject must be fully aware of & understand consent
• Consent understood to have been given when individuals DO NOT OBJECT or volunteer personal data after purposes clearly explained
15. Notice & choice
• Data user shall provide a WRITTEN NOTICE to the data subject. To include:
  • That personal data of the data subject is being processed by or on behalf of the data user
  • Description of the personal data
  • Purpose it is collected & further processed
  • Class of 3rd parties to whom data user discloses / may disclose the personal data
  • Whether it is obligatory for the data subject to provide the personal data
• Must be given as soon as practicable
• In national language & English
• Must be able to keep a record of service of notice
17. Channels of serving notices to employees
Notice to employees
• Emails
• Employment forms
• Employment contracts
• Salary slips
18. Right to access personal data
Right to access
• Full disclosure
• Partial disclosure
• Refuse to disclose
Must respond within 21 days
19. When can you refuse to disclose / partially disclose?
• No sufficient information on identity of requestor / data subject
• No sufficient information to locate personal data
• Burden or expense of providing access
• Would disclose information of another individual
• Another data user controls personal data
• Violation of court order
• Would disclose confidential commercial information
• Access is regulated by another law
21. Retention of employee records
s10 PDPA
Employment Draft Guidelines
• Must destroy personal data once purpose of processing has lapsed
• Be aware of obligations imposed by law, such as s61 of Employment Act 1955
• Fresh consent needed for future uses
• Should minimise cost by deleting / anonymising when no longer necessary
22. Retention of former employees’ data
HK Guidance
• Necessary for legal / contractual / statutory obligation
• Directly related to managing the relationship between employer & former employee
• Need to defend organisation in civil or criminal suit
• Consented to by former employee
• Needed for job references / reapplication
24. Conclusion
PRE-EMPLOYMENT
• Receipt of CVs
BEGINNING OF EMPLOYMENT
• Requests for personal data: Non-sensitive personal data / sensitive personal data
DURING EMPLOYMENT
• Further requests for personal data
• Security / Access / Integrity / Disclosure
END OF EMPLOYMENT
• Retention