Background
The Personal Data Protection Act 2010 (Act 709) is one of the cyber laws implemented within Malaysia’s Multimedia Super Corridor (MSC) framework. It is based on the Tenth Policy Objective of the Communications and Multimedia Act 1998, which aims to ensure information security and the reliability and integrity of networks.
The Act was passed by Parliament on 5 April 2010 and received Royal Assent on 16 June 2010. Its main purpose is to regulate the processing of personal data in commercial transactions by data users while protecting the interests of citizens’ personal data.
The 7 Personal Data Protection Principles
- General Principle — a data user may not process personal data without the data subject’s consent.
- Notice and Choice Principle — a data user must inform the data subject of the purposes for which data is collected and processed.
- Disclosure Principle — personal data may not be disclosed without consent for any purpose other than the original one.
- Security Principle — a data user must take steps to protect personal data from loss, misuse, modification or unauthorised disclosure.
- Retention Principle — personal data may not be kept longer than necessary for the purpose it is processed.
- Data Integrity Principle — a data user must ensure personal data is accurate, complete, up to date and not misleading.
- Access Principle — a data subject has the right to access and correct their personal data held by a data user.
Complaint Process
If you believe an organisation has breached these seven principles, you may lodge a complaint as follows:
- Submit the complaint to the relevant organisation first.
- If not satisfied, submit it to the Personal Data Protection Department for investigation.
- If still not satisfied, appeal to the Appeals Tribunal.
Complaint details should include the organisation or individual’s name, an explanation of the issue, the organisation’s response, and copies of relevant correspondence.