Book

Beyond Data Protection: Strategic Case Studies and Practical Guidance

Abstract

The book deals with data protection issues from practical viewpoints. 40% of the content focuses on the progress of the Malaysian Personal Data Protection Act (PDPA) 2010, whilst 60% of the content focuses on leading comparative practical guidance from Europe. Some of the PDPA provisions are mirrored from European approaches and practices. The approach of this book is straightforward, handy and readable, and is supplemented by practical applications, illustrations, tables and diagrams. Practical examples highlighted in this book range from cloud computing, radio frequency identification technology, social media networks and information security to basic related aspects of data protection issues covering strategic leadership, management, governance and audit in businesses, organisations and local authorities. Recommended best practices have been outlined for practical guidance, accompanied by future challenges and opportunities for Malaysia and ASEAN. The book is equally suitable for academics, practitioners, governmental officials and regulators dealing with data protection within their sector-specific legislation.

Chapters (11)

Personal data protection is increasingly gaining popularity and legal recognition in many jurisdictions around the world, including Malaysia. In June 2010, the Malaysian Parliament finally enacted the Personal Data Protection Act 2010 (‘PDPA’), after a long wait of more than 10 years since the late 1990s. The PDPA will have significant impacts on how personal data is processed by organisations and business entities. In the first part of this chapter, the author explains the rationale for having a personal data protection law in Malaysia, and concludes as to whether the PDPA has addressed most of the rationale cited in this chapter. Data protection, also known as data privacy in certain jurisdictions, forms one of the four facets of privacy law. The right to privacy is not expressly enshrined under the Federal Constitution of Malaysia or any specific legislation in Malaysia. In the absence of specific legislation, one has to resort to the common law approach in seeking recognition and protection under the common law right to privacy. Interestingly, the Malaysian courts have taken two different approaches towards recognising the ‘right to privacy’ in Malaysia. A few cases have been brought to the courts in recent years, which have shed some light on whether the right to privacy is recognised and protected under Malaysian law. The author examines these cases in detail in the second part of this chapter.
Essentially, the Personal Data Protection Act 2010 (‘PDPA’) protects data privacy (as opposed to general privacy). The PDPA basically applies to any form of processing of personal data in respect of commercial transactions. The PDPA governs the way personal data is collected, used, transferred or even deleted. Any person who processes personal data (‘data user’) of an individual (‘data subject’) is required to comply with the seven personal data protection principles (‘PDP Principles’) under the PDPA. The PDPA also grants several rights to data subjects. In this chapter, the author starts off by explaining the various definitions and terminologies under the PDPA, the application and non-application of the PDPA, followed by the detailed elaboration on the application of the PDP Principles. The author also sets out the various exemptions, the rights of data subjects as well as criminal offences in easy-to-read table formats.
While it is commendable that the Personal Data Protection Act 2010 (‘PDPA’) was finally passed by the Malaysian Parliament after a long wait of a decade, the PDPA has received several criticisms due to its peculiar limitations. This chapter addresses many of these limitations and draws a comparative analysis with data protection law in other jurisdictions. In addition to the PDPA, there are also several sectoral rules and regulations which specifically govern the processing of personal data in certain sectors, such as the banking and financial institutions, healthcare, insurance, and telecommunications and multimedia sectors. The Malaysian Parliament also passed the Credit Reporting Agencies Act 2010 to govern the processing of credit information by credit reporting agencies in Malaysia. The author examines the relevant rules and regulations in these respective sectors.
This chapter takes an issues-based approach. As a prelude, it touches on the digital economy and its connection with data protection in general. Complementing the previous Chaps. 1–3, it then unveils the trends and the hype of Malaysian scenarios and cases in dealing with data protection. As a disclaimer, the given scenarios and cases have nothing to do with existing parties, companies and organisations that I consulted and engaged. The final section draws attention to what I coined as the ‘bubble’ relationship—government-business-consumer—that is, how to manage and draw the data protection governance within the ‘bubble’ in view of the PDPA.
The difficulty of translating new laws and regulations into practice is uncommon. Typically, there is a baggage of predictions, speculations and a mosaic of interpretations. Owing to these, the PDPA is partly trapped within the latter’s landscape. Whilst awaiting a clear direction, this chapter provides strategic guidance to the readers in two ways. Firstly, it attempts to explain how selected technologies could be appraised by collectively adopting the PDPA 2010’s seven data protection principles. It anticipates critical concerns that may be prevalent, and the required strategic approaches and guidance. Secondly, it guides the readers to go beyond Malaysia’s contours by appreciating the EU’s and US’s experience.
This chapter advocates leadership and strategy that companies, organisations and institutions should be able to adopt. It brings the readers to consider how crucial a role accountability plays and the need to continue such best practices. This is neither a secret recipe nor exceptional to data protection, as it may also be applicable to other subject matters. Data protection, at times, is slightly understated, but certainly, it is not underrated. It raises the eyebrows of the board of directors, executive committee and senior management if a breach happens. Otherwise, it may be regarded as another mundane, routine and monotonous compliance tick-in-the-box exercise if it is fully complied with. In order to debunk the latter, I attempt to impress upon the readers that data protection is not another area of law that adds to the burden; rather, it boosts the brand, governance and leadership of your company, organisation and institution.
One of the most radical changes to European data protection to be introduced by the new EU Data Protection Regulation proposed by the European Commission is the criteria used to determine the applicability of EU data protection law. Under the current data protection directive, the rules are twofold. If the controller is based in an EU Member State, that controller will be subject to the law of that Member State and to the scrutiny of the regulator of that country. However, if the controller is based outside the EU but uses equipment in the EU to collect information, that controller will be subject to the laws of every single Member State and to the scrutiny of each and every regulator. In the case of non-EU controllers, linking the applicability of the law to the location of equipment produces bizarre situations, as in a densely networked world the use of data processing equipment is literally ubiquitous. Therefore, the European Commission is trying to introduce a completely different approach. Under the proposed Data Protection Regulation, if the controller is based in an EU Member State and it has one main establishment, then it will still be subject to the Regulation but it will only be subject to the scrutiny of one regulator. But a controller that is based outside the EU will be subject to the Regulation and to the scrutiny of each and every regulator where it offers products or services to EU residents or monitors the behaviour of EU residents. This chapter analyses the existing EU rules and proposed changes, and considers their practical implications for the future of data protection.
This descriptive chapter aims to impress upon the readers various latest technologies that relate to critical information security. It is based on my analysis, observation and experience whilst dealing with this. The demanding technology offerings, their deployment and usage have pushed Internet users like us to be more cautious and considerate whilst managing personal data. Each section of this chapter highlights some practical guidance for readers and proffers useful explanations that could potentially be considered in our daily life and business.
This chapter is specially designed to provide you, the reader, with a lucid description of how data protection is viewed through the lens of a local authority. Within its four sections the chapter explains why local authorities process personal information and what they do with it, how they protect it and what happens when it is not protected. Personal data is a valuable commodity. As creatures of statute, local authorities derive their powers either from the Act of Parliament which sets them up, or from other legislation regulating their activities. In this twenty-first-century information society, organisations including local authorities are acutely aware of the power of information and their obligations to it.
This chapter will firstly describe the concepts of personal data and privacy, how these are similar and different at the same time, and what the regulator’s aim is with regard to the protection of individual rights and freedoms. Subsequently, the two most representative cases will be described and analysed in order to understand the applicability of the EU legal framework with regard to privacy and data protection.
As a prelude, this chapter touches on the definition and indicators of a Data Protection Audit. It then describes its legal and technical prerequisites such as auditor competence, requirements of the law, requirements of ISO standards and best practice catalogues. The next sections examine the objectives of a Data Protection Audit within corporate development and subsequently the conception of a Data Protection Audit. The final and main section draws attention to what I named the “Practical Guide”—that is, how to manage a Data Protection Audit “step-by-step”.
... The Personal Data Protection Act 2010 encompasses a range of privacy protection measures and legal protocols that serve to prevent and address instances of data privacy violations (Cieh, 2013; Munir et al., 2012; Walters et al., 2019). In the context of data processing, obtaining consent was established as the primary legal foundation before the processing of health data using technological means. ...
... As per Section 40 of the PDPA 2010, which is contingent upon the provisions outlined in Section 2 and Section 5, it is prohibited for a data user to engage in the processing of sensitive personal data pertaining to a data subject, unless it aligns with the requirements specified in Section 40 (Cieh, 2013; Pointon & Phuoc, 2012). The processing of health data without obtaining authorization is strictly prohibited due to the highly sensitive nature of such information. ...
... Health data is inherently sensitive and frequently classified as a separate category of data. The scholarly literature in Malaysia does not provide any explicit definition or explanation of the concept of sensitive data (Cieh, 2013; Jahn Kassim, 2019; Munir et al., 2012; Pointon & Phuoc, 2012; Walters et al., 2019). The definition and elaboration of health data in the Personal Data Protection Act 2010 (PDPA 2010) in Malaysia are not clearly stated. ...
Article
It is part of the legal requirement for an individual to be conferred the right to consent when it involves the processing of their health data. However, with the advent of big data in healthcare, the consent principle as a lawful basis for data processing and as a tool for data privacy in healthcare is being challenged. In this article, big data refers to the processing and analysis of large data sets to find new correlations—for example, for decision-making purposes and improving the health delivery of health bodies. While big data may be beneficial, it also imposes certain legal complications regarding the sufficiency of the Malaysian Personal Data Protection Act 2010 in implementing consent. This article aims to analyse the consent principle under the PDPA 2010 as a tool for health data privacy and its sufficiency in big data. We adopt a doctrinal qualitative analysis as the methodology in this paper. It is found that the consent principle under the Act must be revisited because it is lacking in its suitability and functions in dealing with big data and the practical demonstration of explicit consent in protecting privacy. Therefore, it is suggested that Malaysia could look to the European Union’s General Data Protection Regulation as a potential model for enhancing its consent standards, with careful consideration of the existing constraints under the PDPA.
... These services can fulfill most computing requirements and can deliver their benefits to private and enterprise clients alike. Businesses can even integrate their public cloud services with private clouds, where they need to perform sensitive business functions, to create hybrid clouds [12]. ...
... One of the cases reported is that officers from the Ministry of Higher Education had sold students' personal data to private colleges to enable them to solicit students. Besides that, it was reported that a list of 1000 entries with the attributes of names, phone numbers, type of credit cards owned, issuing bank and place of work could be bought for a mere RM100.00 [2]. ...
Conference Paper
As there are many cases of data misuse, the Malaysian government has enforced the Personal Data Protection Act (PDPA) to regulate the processing of personal data in commercial transactions. However, it is found that many individuals have little knowledge of what the PDPA is. According to the literature, newspapers are the primary source of public knowledge on justice and legal affairs. However, a previous survey shows that 16% of Malaysian individuals gained PDPA knowledge through newspapers. Each aspect of the newspaper, such as news category, news source, headline, frequency of relevant news and time gap between each relevant news item being published, plays a major role in affecting individual knowledge acquisition. This paper presents the discovery of the PDPA publication trend from online news portals and identifies the attributes of current newspaper framing that affect the dissemination of news. In our study, a total of 830 Malaysian English news articles from 29 different web portals were collected. Descriptive analysis was performed on each news aspect. The findings of this research project show that most online news is not focused on the PDPA. Moreover, the framing, agenda setting and priming of the news indicate that personal data protection information has not been disseminated effectively.
Article
Objective: This study was conducted to determine the effect of personality, competence, objectivity, and performance on the effectiveness of internal auditors, and their impact on the quality of financial reporting in supporting the achievement of the Sustainable Development Goals (SDGs). Methods: This study used a descriptive quantitative method where data were collected by circulating questionnaires to 84 state religious universities in Indonesia, with a sample of 299 respondents. Data analysis was carried out using the Partial Least Square-Path Modeling (PLS-PM) approach. Results and Discussion: The results of the study prove that there is a positive and significant effect of personality, competence, objectivity and work performance on the effectiveness of internal auditors; personality is an intangible resource that can improve the function of the internal auditor framework, and competent, skilled and experienced auditors can improve their audit performance and efficiency. The role of internal auditors in higher education so far has been only that of a verifier, reviewing budget absorption and the implementation of faculty and institutional activities; they have not conducted a comprehensive audit of financial statements as carried out by the inspectorate of the Ministry of Religion and the Supreme Audit Agency, so the achievement of the Sustainable Development Goals (SDGs) cannot be maximised. Research Implications: This research is a development of knowledge that is expected to contribute to the development of Internal Audit science, especially in the public sector, in this case the internal control units of religious universities in Indonesia.
Originality/Value: The personality variables are a development of Al-Bawwat et al.’s research (2021), where for previous researchers openness to experience, emotional stability, conscientiousness and extraversion were each a variable, while in this study each became an indicator, with two further indicators added, namely perseverance and trust (Sharma, 2018; Cherry & Susman, 2023).